Turn off Universal Plug and Play on both your router and your camera. This stops the device from automatically opening ports to the outside world.
This article's purpose is to educate about the existence of this vulnerability and the importance of securing network devices, not to provide a manual for unauthorized access. The exploration of these cameras for any purpose other than security research with explicit permission is strongly discouraged and is likely illegal.
The feeds uncovered by these search terms vary wildly. Some are completely benign public spaces, such as weather cameras, traffic intersections, or ski resorts. However, a significant portion consists of private spaces: backyards, office lobbies, retail storefronts, server rooms, and sometimes even the interiors of residential homes. inurl viewerframe mode motion work
There are also websites dedicated to aggregating and listing unsecured cameras. One of the most well-known examples is insecam.org , which compiles a live directory of publicly accessible IP cameras from around the world. These websites take the concept of Google dorking a step further by automatically indexing and categorizing the feeds, making them trivially easy to browse.
: This is a query parameter. It tells the camera's software to load the live video feed using a specific viewing profile—in this case, optimized for motion or live streaming video, often utilizing server-push MJPEG (Motion JPEG) technology. Turn off Universal Plug and Play on both
Googlebot, along with automated vulnerability scanners like Shodan and Censys, continuously indexes every accessible IP address on the web. If a device answers a web request publicly, its internal file paths—including /ViewerFrame?Mode=Motion —are logged directly into public databases. Privacy and Operational Risks
The most severe outcome is a complete compromise of the device. Many older cameras had known vulnerabilities, such as hardcoded backdoor accounts, default passwords (like "admin/admin"), or authentication bypass flaws. Attackers could exploit these to upload custom firmware or malware, ensnaring the camera into a botnet used for launching DDoS attacks (Distributed Denial-of-Service) against other targets. In 2016, a massive DDoS attack on DNS provider Dyn, which disrupted major websites like Twitter and Netflix, was powered by a botnet of hundreds of thousands of insecure IoT devices, including network cameras. The exploration of these cameras for any purpose
inurl:"ViewerFrame? Mode= intitle:Axis 2400 video server. inurl:/view.shtml. intitle:"Live View / — AXIS" | inurl:view/view.shtml^ Configure Motion detection in Axis IP camera web interface