One of the problems with IP-based cameras is that unknown people can access them to see what the cameras are pointing to.
It would seem to be a no-brainer to try to prevent this, but many people who install IP cameras don't take any such measures,
and some vendors make it easy for unprotected cameras to be found.
After some major news coverage of surreptitiously taken videos of nannies beating up children in their care, lots of parents
began installing concealed cameras in their homes. Many of these cameras were IP-based and wound up being connected to home
networks that were, in turn, connected to the Internet through DSL or cable modems. This was ideal for the people who installed
them because they could peek in from the office. There was a bit of a potential privacy problem: Because the nannies tended
to work in places the homeowners also frequented, unless the homeowners took care to remember the camera was there,
potentially embarrassing images could be on the 'Net for the taking.
Shortly thereafter, corporate network security people and others who were putting up security cameras figured out that they
could save a lot on installation cost if they also used IP-based camera systems.
Many of these home or business IP-based cameras ran mini Web servers so the user could employ a standard browser to look,
but most of the systems had little or no security. Many people did not even take advantage of whatever security the cameras
did have. I guess they didn't think about the issue or assumed that, because they would not be telling the world the IP address
of the camera, no one would find it.
In another example of security through obscurity not actually being security, it turns out that some of the manufacturers
have made it easy for the IP addresses to be found. The manufacturers used consistent character strings in the URLs that the
users employed to access the cameras. And it turns out that Google (the universal research tool these days) has a feature
in its search command to look for URLs that include a particular string.
For example, the command "inurl:view/index.shtml" will look for the string "view/index.shtml" in all URLs. This happens to be a string that one of the camera manufacturers
uses in its systems. Google finds almost a thousand URLs with this string - almost all of them are Axis IP-based cameras.
Other strings to look for include "ViewerFrame?Mode=" and "MultiCameraFrame?Mode=". Together they produce more than 2,000 additional hits.
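A defender's check built on the strings above, as an added example that is not part of the original article: it scans web-server access logs for those URL fragments and reports camera pages that were served to outside clients without a login. The Combined Log Format, the list of local address ranges and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# URL fragments the article names as consistent across camera web interfaces.
CAMERA_URL_MARKERS = ("view/index.shtml", "ViewerFrame?Mode=", "MultiCameraFrame?Mode=")
# Assumption: clients in these ranges are on the owner's own network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?')

def find_exposed_views(lines):
    """Return camera pages served with 200 and no login to non-local clients."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or junk in the client field
        path = m["path"].lower()
        marker = next((s for s in CAMERA_URL_MARKERS if s.lower() in path), None)
        if marker is None or any(client in net for net in LOCAL_NETS):
            continue
        # "-" in the user field means no HTTP authentication was presented.
        if m["status"] == "200" and m["user"] == "-":
            referer = (m["referer"] or "").lower()
            findings.append({"client": m["ip"], "path": m["path"], "marker": marker,
                             "via_search": "google." in referer})
    return findings

# Constructed sample lines; client addresses are documentation ranges.
T = "[09/Nov/2007:08:01:12 -0500]"
SAMPLE_LOG = [
    f'192.168.1.20 - - {T} "GET /view/index.shtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.45 - - {T} "GET /view/index.shtml HTTP/1.1" 200 5120 "http://www.google.com/search" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /ViewerFrame?Mode=sample HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    f'198.51.100.7 - owner {T} "GET /ViewerFrame?Mode=sample HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'203.0.113.99 - - {T} "GET /MultiCameraFrame?Mode=sample HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    f'203.0.113.99 - - {T} "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_exposed_views(SAMPLE_LOG):
        print(finding)
```

A finding with `via_search` set means the visitor followed a search-engine result, which indicates the camera page has already been indexed.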
Comments (1)
RE: Public nannycams
By Anonymous on November 9, 2007, 3:46 pm
I spend many hours a day, every day, viewing these cameras. I love that they show places that the tourist cameras don't show. I have never seen anything with one...