21,786 live cameras stream with zero authentication. Cheap gear is the real risk: webcamXP is open 46% of the time. Your home router is the broadcast tower.

In May 2026, Mysterium VPN queried a public internet-wide device index to count every camera and recorder that answers the open internet. They found more than three million reachable devices. Of those, 21,786 were streaming live video to anyone who pointed a browser at them, with no login, no challenge, and no warning to the person on the other side of the lens. That number is a floor, not a ceiling.

Two brands dominate the internet-reachable camera market: Hikvision and Dahua together account for most of the three million. But the headline figure isn’t about them. Hikvision, by contrast, was open just 0.06% of the time. Dahua was effectively never open. The big brands fixed this years ago by making password setup mandatory before first use. The cheap end of the market never bothered.

“Hikvision-identified cameras were open just 0.06% of the time. Dahua was effectively never open, the direct dividend of those mandatory-activation policies. The exposure lives almost entirely at the cheap end.” reads the report published by Mysterium VPN. “Budget ‘HiSilicon-class’ recorders were open 27.1% of the time, and a legacy webcam application called webcamXP hit 45.6%, meaning nearly half of every device of that type that answers the internet is broadcasting to anyone who asks.”

The single largest slice of open video is RTSP, the standard camera streaming protocol. “A single generic protocol accounts for the largest share of all open video: 9,746 feeds were streaming over RTSP, the standard camera-streaming protocol, with no access control at all. RTSP was designed for streaming, not for security. Without any authentication layer, it is simply an open pipe.” continues the report.

No credentials to guess. No login screen to bypass.
Just a direct feed to whoever finds the address.

Japan and the United States together account for more than a third of all open feeds, 19% and 17% respectively. That distribution doesn’t follow the global camera install base; it follows residential broadband. Japan’s count is driven by a handful of consumer ISPs whose customers appear disproportionately in the data. Moldova ranks eighth, almost entirely because of one national ISP. A block of 961 feeds attributed to Huawei Cloud MX appears to be hosted camera-gateway infrastructure rather than home devices, inflating Mexico’s totals. Strip it out and the numbers shift slightly, but the story doesn’t change.

The networks feeding these open streams are Asahi Net, OCN, BIGLOBE, and NTT DOCOMO in Japan. Chunghwa Telecom in Taiwan. Deutsche Telekom in Germany. Verizon, Charter, and Comcast in the United States. These are home internet connections. These are living rooms, bedrooms, shop floors, and reception desks being broadcast to strangers.

None of this required any hacking. The researchers didn’t type a single password. “We did not type a single password, default or otherwise, because doing so would be unauthorized access, the exact line this research refuses to cross.” states the report. “Every camera sitting behind a login that still answers to admin / admin is invisible in our headline figure. The true count a determined stranger could reach is larger, but we measured only what we could see without touching a key.”

The real count that a determined stranger could reach, by trying the defaults that Mirai exploited in 2016 and that Mirai’s descendants are still trying today, is larger. The 21,786 figure counts only what required zero effort at all.

The Mirai botnet in 2016 built one of the largest attack networks ever seen using nothing more than a short list of hardcoded default passwords: admin/12345 for Hikvision, admin/admin for Dahua and most budget recorders.
Its descendants are still running the same credentials against the same devices right now. Regulators eventually caught up: California banned default passwords in January 2020, and the UK outlawed universal default passwords outright in April 2024 under its Product Security and Telecommunications Infrastructure Act. That fixes devices sold new today by companies that comply. It does nothing for the hundreds of millions of cameras already on walls, running firmware that will never be updated.

An open feed is not an abstract security finding. It tells a stranger when a home is empty, who lives there, and what their daily routine looks like. Feeds get aggregated, indexed, and traded. There are directories of open camera feeds that have run for years, built entirely on devices whose owners don’t know they’re listed.

“Buying cheaper gear to save money on security cameras is, in a very direct sense, paying to be surveilled. Privacy and security on your home network are worth investing in.” concludes the report. “A camera that phones home to a manufacturer with a functioning security team, that forces a password before first use, and that receives firmware updates is worth meaningfully more than a budget recorder that does none of those things, with the gap between them visible in our data.”

The fix isn’t complicated: set a real password, disable UPnP on your router, turn off any RTSP stream you didn’t deliberately configure, update firmware, and if the device hasn’t been patched in years, take it off the internet. Prefer cameras that reach out through an encrypted relay rather than accepting inbound connections, because there’s no open port to find from the outside. If you never set a password during initial setup, assume the device still has the factory default and change it before anything else.

Pierluigi Paganini

(SecurityAffairs – hacking, cameras)