HN Debrief

IP Crawl: Living atlas of open webcams discovered on the public internet

  • Security
  • Privacy
  • Hardware
  • Consumer Tech
  • Infrastructure

IP Crawl is a public website that catalogs open webcams it discovered on the internet and lets visitors browse live feeds and snapshots. The post hit a nerve because a lot of the listed cameras appear to be in homes, bedrooms, churches, pools, and small businesses rather than obviously public spaces. The useful technical point was not that scanning exists. People pointed out this has been possible for years through Shodan, Google dorks, and older projects like Internet Census 2012. What felt newly visceral was turning that latent exposure into an easy map and gallery for ordinary visitors.

Treat any internet camera as a product and installer risk, not just a device choice. If your company sells, deploys, or allows these systems, audit for UPnP and exposed RTSP now, and make remote sharing an explicit, consented workflow instead of a default side effect.

Discussion mood

Disturbed and uneasy. Most people were shocked by how many private spaces are still visible online and thought the site's gallery-like presentation was creepy, even if they also agreed the underlying exposure is common and technically easy to discover.

Key insights

  1. 01

    UPnP is the quiet exposure path

    The main technical explanation was not that owners manually opened ports one by one. Consumer routers often ship with Universal Plug and Play enabled, so a camera can request its own port forwarding and become reachable from the internet with little or no user awareness. That makes these feeds less like deliberate self-hosting and more like a dangerous default hidden inside "view your camera from anywhere" product design.

    If you are auditing homes, offices, or customer installs, check Universal Plug and Play first and look for forwarded RTSP ports. Disabling auto port mapping will close a large class of accidental exposure without asking end users to learn networking.

      Attribution:
    • 1e1a #1
    • fc417fc802 #1 #2
    • Phil_Latio #1
  2. 02

    Installers are often the real threat model

    A lot of exposure likely comes from contractors who are paid to make remote access work fast. They know cabling, mounting, and basic router setup, not network security. That is why the same failure mode keeps appearing in CCTV and industrial systems. The job rewards "it works" and moves on long before anyone asks whether the internet should reach the device directly.

    If your business relies on field installers, treat security configuration as a managed part of the service, not an assumption about local expertise. Lock down the install path with preconfigured hardware, remote audits, and defaults the installer cannot easily bypass.

      Attribution:
    • Aurornis #1
    • naturalmovement #1
  3. 03

    Safe sharing still lacks a good consumer model

    People converged on a product problem. Telling normal users to handle IP addresses, NAT, and keys is not realistic, but removing that complexity usually means a vendor-operated relay or cloud proxy. That can secure access and hide the camera's public location, yet it also hands the manufacturer control over identity, metadata, and future access terms. The gap is not just bad engineering. It is that the market still has no broadly trusted model for "easy remote viewing" that does not either expose devices directly or lock customers into a vendor service.

    When choosing camera platforms, evaluate the trust model as carefully as the feature list. Ask whether remote access can be optional, whether the relay can be disabled, and how credentials and data behave if the vendor changes pricing or shuts down.

  4. 04

    The novelty is packaging, not discovery

    Open webcams were already searchable years ago through projects like Internet Census 2012 and today through Shodan Images. One commenter even matched an identical snapshot between IP Crawl and Shodan, suggesting at least some of the catalog may be sourced from existing scans rather than a brand new crawl. What changed is usability. A security search engine requires intent and some competence. A polished atlas turns the same raw exposure into casual browsing.

    Do not assume obscurity inside a niche tool protects you. If a security issue is machine-discoverable today, someone can wrap it in a consumer-grade interface tomorrow and multiply the harm.

      Attribution:
    • bensons1 #1
    • nik282000 #1
    • spzb #1 #2

Against the grain

  1. 01

    Public ports are already public

    A harder-line view held that the site adds little beyond convenience because any exposed camera is already reachable by anyone willing to run a simple scan or use Shodan. From that perspective, the moral failure sits with shipping or deploying internet-facing cameras without proper authentication, not with indexing what is openly there.

    Even if you dislike directories like this one, build your defenses as if motivated strangers can already find exposed services. Security through low visibility is not a plan.

      Attribution:
    • imglorp #1
    • mike_hock #1
    • retardedsecguy #1
  2. 02

    Treat networked rooms as non-private

    Some people argued that once you place a cheap IP camera in a room, you should stop assuming that room is private no matter what the vendor promises. The useful version of that claim was not that voyeurs are justified. It was that the presence of low-cost networked cameras changes the baseline expectation of privacy inside homes and rentals.

    Keep cameras out of bedrooms, bathrooms, and other sensitive spaces even if the app claims end-to-end protection. Product guarantees fail, installers make mistakes, and the safest feed is the one that does not exist.

      Attribution:
    • functionmouse #1
    • jubilanti #1
    • sandcat_ #1

In plain english

Google dorks
Specialized search queries that use search engine operators to find exposed files, admin pages, or devices that were indexed unintentionally.
NAT
Network Address Translation, a common router feature that lets many devices in a home or office share one public internet address and blocks direct inbound connections by default.
Shodan
A search engine that scans the public internet for connected devices and exposed services such as cameras, routers, and industrial systems.
Shodan Images
A Shodan feature that stores and lets users search screenshots or snapshots collected from exposed devices, including some cameras.
UPnP
Universal Plug and Play, a protocol that lets devices on a local network automatically ask the router to open ports to the public internet.

Reference links

Background and prior art

Related Hacker News discussions

  • IMG_0416 Hacker News discussion
    Referenced as a similar ethics debate about content that was technically public but likely not intended for broad viewing.

Side references from identified cameras

Legal and ethics reference