Search engines do not know the difference between a public blog and a private camera feed. If a camera is accessible on port 80 (HTTP) without requiring authentication, Google’s bot will find it, index the URL, and make it searchable. This query exploits that indexing.
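To check whether your own camera is being reached this way, the added example below (not part of the original article or any Axis tooling) scans access-log lines for requests to the stream path that come from outside the local network. It assumes a reverse proxy or firewall in front of the camera writes Combined Log Format; the log lines, addresses and user agents are constructed samples.

```python
import ipaddress
import re

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
CRAWLER_RE = re.compile(r"bot|crawl|spider", re.I)
STREAM_PREFIX = "/axis-cgi/mjpg/"  # stream path discussed in the article
# Explicit local ranges; any other source is treated as coming from the internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample input (documentation-range addresses, made-up user agents).
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Mar/2024:09:14:55 +0000] "GET /axis-cgi/mjpg/motion.cgi HTTP/1.1" 200 48210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "GET /axis-cgi/mjpg/motion.cgi?resolution=320x240&fps=10 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:09:16:40 +0000] "GET /axis-cgi/mjpg/motion.cgi HTTP/1.1" 401 381 "-" "ExampleBot/1.0 (constructed crawler)"',
    '203.0.113.7 - root [10/Mar/2024:09:17:11 +0000] "GET /axis-cgi/mjpg/motion.cgi HTTP/1.1" 200 50112 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:09:18:03 +0000] "GET /index.html HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
]

def audit(lines):
    """Return (source_ip, severity, is_crawler) for each external stream request.

    "high"   = stream served (200) with no authenticated user: openly viewable.
    "medium" = reachable from the internet, but authentication was enforced or used.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(STREAM_PREFIX):
            continue  # unparsable line or not a stream request
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if any(ip in net for net in LOCAL_NETS):
            continue  # LAN viewer, expected
        unauthenticated = m["status"] == "200" and m["user"] == "-"
        severity = "high" if unauthenticated else "medium"
        findings.append((m["ip"], severity, bool(CRAWLER_RE.search(m["agent"]))))
    return findings

if __name__ == "__main__":
    for ip, sev, crawler in audit(SAMPLE_LOG):
        print(f"{sev:6} {ip:15} crawler={crawler}")
```

Any finding means the stream path is reachable from the internet; a "high" finding means it was served without credentials and is the condition that lets a search engine index the feed.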
UPnP is convenient but notoriously insecure. Log into your router’s admin panel and turn off UPnP. Then manually delete any automatic port forwarding rules it created.
You can append parameters to the URL. Example:
http://192.168.1.100/axis-cgi/mjpg/motion.cgi?resolution=320x240&fps=10
To understand the risk, we must first break the keyword into its constituent parts. This is not magic; it is a structured search command using Google’s search operators.
While Google indexes web content, Shodan (often called the "IoT search engine") indexes device banners. A search for axis-cgi/mjpg on Shodan is far more effective than Google, exposing millions of devices. However, the inurl Google trick remains popular because it is free and requires no specialized tools.
If you absolutely must expose the camera (not recommended), at least disable plain HTTP and require HTTPS with a valid certificate. This prevents password sniffing.
The exposure of live camera feeds is not a theoretical vulnerability. There are concrete consequences.
Note: Axis Communications has historically been proactive about security. Modern Axis cameras (running AXIS OS 10 and above) have significantly stronger default security postures, including mandatory password changes and automatic HTTPS. However, legacy devices—and human error—remain widespread.
Do not use root/root, admin/admin, or root/(blank). Use a strong, unique password (12+ characters, mixed case, numbers, symbols).