He Scanned All 4.2 Billion IPv4 Addresses. Tens of Thousands of Webcams Had No Password at All.

He Scanned All 4.2 Billion IPv4 Addresses. Tens of Thousands of Webcams Had No Password at All.

PrivacyIoT SecurityWebcamsSecurity VulnerabilitySmart Home

Sources:HN + web research · HN

You buy a home security camera. You plug it in, connect it to Wi-Fi, download the app, scan a QR code. Three minutes, done. Now you can check on the cat from anywhere.

Everything is perfect.

Until one day, a friend sends you a link that says “check this out.” You open it. You see your own living room. Yesterday’s jacket draped over the couch. A half-finished mug sitting on the coffee table. In the corner: an IP address and a city label.

You never shared this feed. You never gave anyone a password. You didn’t even know the camera could be viewed in a web browser.

But right now, anyone — anyone who opens that page — is watching your living room.

This isn’t the opening of a horror novel. It’s the reality that a project called IP Crawl has just laid bare for the world.

One programmer, 4.2 billion IP addresses

In June 2026, a programmer going by the pseudonym Alec pushed a website to the top of Hacker News, where it racked up 192 points and over a hundred heated comments in a single day. The site is called IP Crawl (ipcrawl.com), and its function is simple enough that anyone can grasp it immediately: it’s a live map of exposed webcams. Open the page, and you see real-time screenshots from cameras all over the world — schools, hospitals, factories, government buildings, hotels, residential living rooms, even bedrooms.

All of these cameras share one property: they require no password whatsoever to access. No cracking, no hacking skills, no “social engineering.” You type an address into a browser and the feed appears.

What Alec did is not technically complicated, but from an engineering standpoint, it’s enough to make any security professional break into a cold sweat. He wrote a program that walked the entire public IPv4 address space — roughly 4.2 billion IPs. At each address, the program probed dozens of known snapshot paths for network cameras. Hikvision. Dahua. Axis. D-Link. TP-Link. SONY. Nearly every major brand on the market has default snapshot endpoint URLs that are public, fixed-format, and guessable without ever reading the documentation.

The program knocked on every door. If a door opened, it took a screenshot. If it didn’t, it moved on. No password brute-forcing. No exploit usage. No backdoor installation. It did exactly one thing: catalog what was already unlocked — and put it on a map.

In Alec’s own words: “To be absolutely clear: the engine never attempts authentication, brute-forces credentials or exploits software vulnerabilities. It only catalogues what is already completely open to the public internet.”

That sounds restrained. But when you see what’s actually inside this catalog, “restrained” becomes a disturbing word.

You will never guess what’s in there

The range of scenes visible on IP Crawl goes far beyond what most people would imagine. Some documented cases from public materials:

  • SONY’s Japan headquarters office — security camera feed exposed directly to the public internet, no access control, no gate;
  • Critical infrastructure sites in Israel — feeds viewable in a web browser;
  • A residence in Droitwich, UK — camera pointed directly at indoor cultivation equipment, suspected cannabis grow;
  • A hidden camera in Salt Lake City, US — mounted at a strange angle, not looking like a standard installation, more like something placed covertly;
  • School hallways and classrooms;
  • Hospital corridors and ward exteriors;
  • Daycare interiors;
  • Factory floors and industrial control rooms.

And this is just the tip of the iceberg Alec described. He writes: “Schools, colleges, hospitals, government facilities, corporate offices, residential living rooms, daycares, indoor cultivation setups, industrial complexes and manufacturing plants. Every day you will see something new.”

One HN commenter put it bluntly: “I looked into someone’s bedroom. Fortunately it was empty, but I promptly shat myself and turned off my computer.”

This isn’t a horror movie scene. It happened in 2026, in an era when cybersecurity awareness is supposedly widespread.

Why are so many cameras naked on the public internet?

A typical reader’s first reaction is: “Who would expose their camera to the internet?”

The answer: the vast majority of people whose cameras are exposed have no idea they’re exposed. Three forces are conspiring to produce this situation.

Force one: manufacturers doing nothing.

Hikvision, Dahua, Axis, D-Link, Wyze, SONY — Alec lists a long string of brands in his technical blog, then writes: “Shipping hardware this vulnerable directly violates customer privacy and creates a massive security liability.”

These cameras ship with default passwords — typically admin/admin or admin/12345. Many models don’t even require a password to access the live feed through specific URL paths — which is exactly the mechanism IP Crawl exploits. Manufacturers know this. But under the calculus of cost and convenience, virtually none have made substantive changes to default configurations.

Alec goes further: “Risking the label of a conspiracy theorist, it’s starting to look less like negligence and more like a legally sanctioned backdoor for mass surveillance.”

Force two: automatic port forwarding on routers.

Many home routers ship with a feature called UPnP (Universal Plug and Play) enabled by default. It was designed for convenience — plug in a device and it auto-configures the network, no manual port mapping needed. But it also means that when a camera tells the router “open this port for me,” the router complies. The user never knows.

As one HN user pointed out: “UPnP is not disabled by default on all routers, especially older ones. So devices may just try to port-forward certain control or media ports.”

The chain of events: you buy a camera, plug it in, connect it to Wi-Fi. The camera tells the router “I need a door to the outside.” The router opens one. Then every internet-wide scanner — not just IP Crawl, but also Shodan and similar IoT search engines — discovers your door.

All you did was scan a QR code.

Force three: installers who just want the job done.

In many cases, the camera wasn’t installed by the user. HN user Aurornis described a deeply realistic scenario: an installer who’s been crawling through ceilings all day, drenched in sweat, just wants to wrap up and go home. “Some installer with a git-er-done attitude knows their customer wants a solution to something (remote access) and they use the first technique they can find to accomplish that without any concern about what it means.”

Another commenter captured the industry dynamic with a perfect line: “Most CCTV contractors are not network security experts. Most network security experts would quit before ever entering a hot attic.”

So the final installation plan is: open the port, make sure you can see the feed. Who else can see it? That wasn’t in the work order.

Convenience and privacy were never a binary choice

There’s a fundamental tension here. Consumers want convenience — check the home camera from your phone while you’re out. But “convenience,” as implemented by the industry, translates to “expose the camera’s port directly to the public internet.”

This problem has better solutions. Technically informed HN users laid out the secure architecture: the manufacturer runs a relay proxy server. The camera maintains an encrypted connection to the proxy. Users authenticate to the proxy to view their feed. The camera’s real IP address is never exposed on the public internet. Signal, WhatsApp, and other video calling apps have proven this path works.

The problem is that such a solution requires manufacturers to invest in server infrastructure, design a proper authorization mechanism, and provide clear user guidance. And the current reality: no manufacturer is willing to pay for “security the user can’t see.”

Alec wrote in his blog: “The goal is straightforward: turn public exposure into pressure, forcing both manufacturers and users to take privacy seriously.”

It’s a strategy of transparency as a lever for change. But it also ignited a fierce moral debate on HN.

Fix the vulnerability, or take down the searchlight?

A significant number of HN users expressed unease about IP Crawl. User “naturalmovement” posted a highly upvoted comment: “There’s a difference between your neighbor not closing her blinds and you using a telescope to look inside her apartment, which is what sites like this are.”

Another user was even more direct: “Definitely an invasion of privacy. I can’t visit this website in good faith. It should be taken down.”

But others pushed back: Shodan has existed for over a decade and can search for these same exposed cameras — should Shodan be shut down too? Google can find admin panels with no passwords — shut that down as well?

A deeper perspective came from user “portaouflip”: “I’d also ask us tech savvy people to practice some humility. Yes, the people setting up these cameras are not following security best practices. But are you sure that you will not make the same mistakes?”

This is a debate with no settled answer. But whichever side you stand on, one fact is indisputable: the exposures IP Crawl documents are real. Even if the website were taken down tomorrow, those cameras would still be sitting naked on the public internet. Anyone who can write a single for-loop can find them.

What you should do right now

IP Crawl’s website includes a “Check Your Area” feature: enter your approximate location, and it shows whether any exposed cameras near you are in its database. The point is to let you confirm whether your own home is on that list.

If you have internet-connected cameras at home, these steps will immediately reduce your exposure risk:

First, change the default password now. No admin/admin. No 12345. No birthdays or phone numbers. Set a password at least 12 characters long with letters, numbers, and symbols. If your camera’s firmware doesn’t support strong passwords — that camera was never trustworthy to begin with.

Second, check your router’s UPnP settings. The overwhelming majority of home routers let you disable UPnP. Turn it off. Yes, connecting new devices afterward might require some manual configuration. That minor inconvenience is nothing compared to the risk of a privacy breach.

Third, if you need remote access to your camera, don’t use port forwarding. Ask the manufacturer whether they offer a secure cloud relay service. Or set up a VPN tunnel yourself. The latter requires some technical know-how, but if your data is genuinely important — this is the price.

Fourth, consider replacing any brand that doesn’t provide security updates. If a manufacturer doesn’t ship firmware updates, doesn’t patch known vulnerabilities, doesn’t support encrypted connections — throw its hardware in the trash. That’s basic respect for yourself and your family.

Coda

Alec’s IP Crawl is, at its core, a magnifying glass. What it magnifies isn’t a technical vulnerability — those vulnerabilities have been discussed since the early 2010s. What it magnifies is the systematic indifference of an entire industry ecosystem toward ordinary people: manufacturers know the hardware is insecure but keep selling it, installers know they’re unqualified but keep installing, platforms know there’s risk but keep connecting.

And the cost lands on the person least equipped to bear it — the ordinary consumer who just wanted to check on their cat.

Alec ended his blog post with a sentence that deserves to close this one too, because it captures a truth that is both simple and important:

“Step. The. F*ck. Up.”


Reference links