Hotels are particularly vulnerable to this type of exposure for several reasons:
Why do hotels dominate this search result?
When you search this string, you aren't looking at a database; you are asking Google to return every unsecured camera that happens to be on a domain associated with lodging. inurl viewerframe mode motion hotel link
If you run a hotel, motel, or any short-term rental with security cameras, this should be a wake-up call.
To understand the severity, we must look at the history of embedded devices. Between 2005 and 2015, a massive boom in IP surveillance cameras occurred. Manufacturers like ACTi,松下 (Panasonic), and a dozen white-label Chinese factories needed a lightweight way to stream MJPEG video to legacy browsers. Hotels are particularly vulnerable to this type of
They built a web server into the firmware. The primary page for viewing the stream was often named viewerframe.html. The parameter mode=motion instructed the camera to display live video (as opposed to still images or setup menus).
The problem? These cameras were designed with zero authentication by default. An installer plugs the camera into the hotel’s switch, gives it an IP, and moves on. The camera assumes that if you can reach the IP, you are allowed to see the stream. When you search this string, you aren't looking
Google’s crawler does not care about intent. When it finds http://[IP]/viewerframe.html?mode=motion, it indexes the title, the header tags, and the URL. The "link" portion of the query is what ties the camera to a specific place.