The following information was made public in great detail in early January on the blog of a couple of researchers called Console Cowboys, a few hours ago it was published by H-Online Security and while it is no longer a novelty, it is worth commenting on.
One of them detected a vulnerability in TRENDnet brand IP cameras which allows access to live images no need to enter username and password. After analyzing the firmware of his own camera, I discovered that you simply had to write the path anony / mjpg.cgi.
The following is a real example of a camera found somewhere in the world:
It is true that on the network you can find many open IP cameras (without a password), recently I made reference to it in the post Google hacking, looking for prohibited and secret things on the network and also commented on the case of a hotel camera 5 stars that could be remotely controlled with an x22 optical zoom.
But in this case it is not about bad settings or free access to streaming, but rather a vulnerability allowing access even when authentication is enabled.
In the last days TRENDnet public new versions of their firmwaresunder the Critical Updates category that solve the problem, so if you have an IP camera of this or another brand it would be good to check the version you have installed, just in case 🙂
Finally, if you feel like playing a bit, on the ESET Spain blog they published a link to Pastebin where there is a list of the cameras that can be accessed online with the anony / mjpg.cgi.
See also: Home security camera with Skype.Yawcam, detect movement and monitor with your webcam.