Security Guide

Is Your RTSP Camera Exposed to the Internet?

Shodan, the internet search engine for devices, indexes more than a million exposed cameras and camera interfaces worldwide. If you ever forwarded port 554 on your router, your camera could be one of them.

Check now: if you have port 554 forwarded on your router, your camera may be reachable by anyone on the internet.

What is Shodan and Why It Matters for Camera Security

Shodan is a search engine that scans the internet for open ports and fingerprints the services running behind them. Unlike Google, which indexes web pages, Shodan indexes devices: cameras, routers, NAS boxes, industrial controllers, and more.

For IP cameras, the most important targets are port 554 for RTSP and ports 80/443 for the camera web interface. A Shodan search for RTSP and IP camera services reveals hundreds of thousands of cameras, and camera-related internet exposure easily exceeds the million-device mark when you include web interfaces and OEM variants.

That is why port-forwarding RTSP is so risky. The moment you expose the camera to the public internet, it becomes searchable, scannable, and often brute-forced within hours.

Why IP Cameras Are Exposed Online

Most exposed cameras are not the result of a sophisticated breach. They are exposed because a router was configured to port-forward the camera, UPnP opened the port automatically, default credentials were never changed, or a cloud setup wizard encouraged direct inbound access.

That combination is exactly what internet-wide scanners look for. Public search engines such as Shodan can index 500,000+ camera endpoints and camera web interfaces depending on the query and time window, and the total number of internet-reachable camera-related devices is much higher.

Once a camera is online, attackers do not need to guess where to start. They already know the likely ports, the vendor banners, and the default usernames that ship with many low-cost cameras and DVRs.

Shodan: What It Reveals About Your Camera

A simple search like rtsp port:554 can surface live RTSP endpoints and camera banners. Other common searches include title:"DVR" port:80, vendor names like hikvision, or phrases such as dahua web.

The most common finding is depressingly simple: devices still using weak credentials such as admin:admin or admin:12345. Some are not protected by RTSP authentication at all.

When attackers find exposed cameras, they typically use them for voyeuristic access, credential stuffing against the web UI, ransomware-style intimidation, resale of private footage, or botnet enrollment. Mirai-class botnets made it clear years ago that insecure IoT devices are valuable targets.

How to Check if Your Camera is Exposed

Method 1 — Search Shodan

Visit shodan.io and search your public IP address. You can find that IP by visiting whatismyip.com from home. If your camera or camera web UI appears, it is exposed.

Method 2 — Check router port forwarding

Open your router admin page and review the port forwarding or virtual server rules. If port 554 is forwarded to your camera IP, remove it immediately.

Method 3 — Test from outside with nmap

From a network outside your home, run:

nmap -p 554 [your public IP]

If nmap reports the port as open, your RTSP service is exposed to the internet.

Using Nmap to Audit Your Local Camera Network

nmap is a free network scanner that quickly shows which devices on your LAN are listening for RTSP connections. It is useful for finding cameras you forgot about, checking whether RTSP is enabled, and spotting unexpected devices.

Find RTSP devices on the LAN:

nmap -p 554 192.168.1.0/24

Identify common camera services:

nmap -sV -p 554,80,8000 192.168.1.0/24

The scan does not hack anything — it just shows which ports are open and, with service detection enabled, what software appears to be behind them. That makes it perfect for a home security audit.
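To turn the second scan into a device inventory, the added example below (not part of the original guide) parses nmap's grepable output and lists every LAN host with RTSP open, along with its other open ports. It assumes you append nmap's -oG - option to the command above; the sample scan lines and banners are constructed.

```python
# Constructed sample of `nmap -sV -p 554,80,8000 -oG - 192.168.1.0/24` output.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 554/closed/tcp//rtsp///, "
    "80/open/tcp//http//Example router httpd/, 8000/closed/tcp//http-alt///\n"
    "Host: 192.168.1.64 ()\tStatus: Up\n"
    "Host: 192.168.1.64 ()\tPorts: 554/open/tcp//rtsp//Example camera rtspd/, "
    "80/open/tcp//http//Example camera httpd/, 8000/open/tcp//unknown///\n"
)


def parse_grepable(text):
    """Return {host: {port: (state, service, version)}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            f = entry.strip().split("/")
            if len(f) >= 7 and f[0].isdigit():
                hosts.setdefault(host, {})[int(f[0])] = (f[1], f[4], f[6])
    return hosts


def rtsp_devices(hosts, rtsp_port=554):
    """List hosts with RTSP open, plus their other open ports from the scan."""
    found = []
    for host, ports in hosts.items():
        if ports.get(rtsp_port, ("closed",))[0] != "open":
            continue
        others = sorted(p for p, (state, _, _) in ports.items()
                        if state == "open" and p != rtsp_port)
        found.append({"host": host, "banner": ports[rtsp_port][2],
                      "other_open": others})
    return found


if __name__ == "__main__":
    for device in rtsp_devices(parse_grepable(SAMPLE_SCAN)):
        print(device)
```

Each host it lists is a device whose password, firmware, and router forwarding rules deserve a look.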

How to Secure Your RTSP Cameras

  1. Change default passwords. Never leave cameras on admin/admin or other factory credentials. Use unique passwords with at least 12 characters.
  2. Remove port forwarding. Delete any router rules that expose port 554 or your camera web UI. RTSP should never be directly internet-facing.
  3. Use RTSPS where supported. Encrypted RTSP over TLS protects stream data in transit. SmartRTSP supports RTSPS — see the RTSPS guide.
  4. Use a VPN for remote access. Tailscale or WireGuard let you reach the camera privately without exposing it. See the Tailscale RTSP guide.
  5. Enable RTSP authentication. Verify your camera requires a username and password for RTSP sessions. Nearly all modern cameras support this, but it must be enabled correctly.
  6. Keep firmware updated. Camera vendors regularly patch security bugs. Old firmware is a common reason exposed cameras get compromised.
  7. Segment cameras on a separate VLAN. If your router supports VLANs or guest-style network isolation, keep cameras away from laptops and personal devices.
  8. Disable unused services. Turn off Telnet, FTP, UPnP, and any vendor cloud feature you do not need.
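For step 5, one way to verify that a camera on your own LAN really demands credentials is to send it a single RTSP DESCRIBE request with no credentials and read the status code. This is an added example, not code from the original guide or from SmartRTSP; the stream path "/" is an assumption (use your camera's real path) and the sample replies are constructed.

```python
import ipaddress
import re
import socket

# RFC 1918 ranges: this check is meant for cameras on your own LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample replies (not captured from a real camera).
SAMPLE_401 = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
              b'WWW-Authenticate: Digest realm="cam", nonce="0000"\r\n'
              b'WWW-Authenticate: Basic realm="cam"\r\n\r\n')
SAMPLE_200 = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Length: 0\r\n\r\n"


def build_describe(host, port=554, path="/"):
    """Build an RTSP DESCRIBE request that carries no credentials."""
    return (f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0\r\n"
            "CSeq: 1\r\nAccept: application/sdp\r\n\r\n").encode("ascii")


def classify_response(raw):
    """Map a raw RTSP reply to a verdict about stream authentication."""
    lines = raw.decode("latin-1").split("\r\n\r\n", 1)[0].split("\r\n")
    match = re.match(r"RTSP/[0-9.]+ ([0-9]{3})", lines[0])
    if not match:
        return "not-rtsp"
    status = int(match.group(1))
    schemes = set()  # a camera may offer several, one header each
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.split():
            schemes.add(value.split()[0].lower())
    if status == 401:
        if "digest" in schemes:
            return "auth-required-digest"
        # Basic only: the password crosses the wire base64-encoded.
        return "auth-required-basic-only" if "basic" in schemes else "auth-required"
    return "open-no-auth" if status == 200 else f"other-{status}"


def check_camera(host, port=554, path="/", timeout=5.0):
    """Send one unauthenticated DESCRIBE to a LAN camera and classify it."""
    if not any(ipaddress.ip_address(host) in net for net in LAN_NETS):
        raise ValueError("only private (RFC 1918) addresses are checked")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(host, port, path))
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    print(classify_response(SAMPLE_401), classify_response(SAMPLE_200))
```

A result of open-no-auth means the camera served the stream description without asking for a password; auth-required-basic-only means authentication is on but should only be used over RTSPS or a VPN.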

Camera Security Checklist

☐ Change default username and password
☐ Update firmware to latest version
☐ Disable UPnP on router
☐ Disable RTSP ALG on router
☐ Use VPN instead of direct port forwarding
☐ Enable RTSPS (TLS) if camera supports it
☐ Put cameras on separate IoT VLAN
☐ Disable unused services (Telnet, FTP, HTTP if not needed)
☐ Check Shodan for your public IP

How to Secure Remote Access (Without Port Forwarding)

Tailscale VPN

Install Tailscale on your phone and on a home router, NAS, or Raspberry Pi. You get remote access with zero open ports, which makes it the easiest recommendation for most home users.

Read the Tailscale RTSP guide

WireGuard

WireGuard takes more manual setup, but it gives you full control over keys, peers, and routing. It is ideal if you prefer a traditional self-hosted VPN architecture.

Read the remote access VPN guide

ZeroTier

ZeroTier is another mesh VPN option. It can be a good alternative if Tailscale or WireGuard does not fit your network, but the core idea is the same: private overlay, not public port forwarding.

VLAN Segmentation for Cameras

One of the best long-term security upgrades is to place cameras on a separate IoT or camera VLAN. That way, even if a camera is compromised, it does not get easy access to your laptops, phones, NAS, or home-office devices.

On UniFi, ASUS, and other capable routers, the basic idea is the same: create a dedicated network for cameras, assign the switch ports or Wi-Fi SSID to that network, and allow only the minimum traffic needed to your NVR or viewer devices.

Segmentation does not replace strong passwords or firmware updates, but it dramatically limits blast radius when something goes wrong.

RTSPS: Encrypted Camera Streams

Standard RTSP is typically unencrypted. Anyone with access to the same network path may be able to inspect metadata or traffic patterns, and in some cases capture media.

RTSPS adds TLS encryption to the RTSP session. If your camera supports it, enabling RTSPS is a meaningful upgrade, especially when the stream crosses untrusted networks or VPN tunnels shared with other devices.

Read the RTSPS encrypted RTSP guide for setup details and compatibility notes.

Common Camera Attack Vectors

Attack | Description | Prevention
Default credentials | admin:admin never changed | Change password immediately
Exposed RTSP port | Port 554 open on internet | Use VPN instead
Firmware vulnerabilities | Unpatched CVEs | Update firmware regularly
Mirai botnet | IoT device hijacking | Strong password + firewall
Man-in-the-middle | Unencrypted RTSP stream | Use RTSPS or VPN
UPnP auto port forwarding | Router automatically opens ports | Disable UPnP

Secure Remote Viewing with SmartRTSP

SmartRTSP supports RTSPS for encrypted camera streams and works perfectly over Tailscale or any other VPN. There are no cloud relay accounts and no camera video sent to third parties.

Video is decoded on-device, giving you a direct viewer for RTSP and RTSPS streams on iPhone and Mac. For security-conscious camera owners, that means fewer moving parts and fewer external services handling private footage.

What to Do If Your Camera Was Already Exposed

1. Close the public port first

Do not start by changing apps or resetting the viewer. Remove port forwarding, disable UPnP, and verify from outside your network that port 554 is closed.

2. Change all related passwords

Update the camera password, the NVR password, and the router admin password if the router was using UPnP or direct forwarding rules tied to that device.

3. Update firmware and review logs

Install vendor firmware updates and check the camera's login history, event log, or system audit page if available. Reboot after patching.

4. Move to VPN-only access

After cleanup, switch to Tailscale, WireGuard, or another VPN workflow so remote viewing never depends on publicly exposing the camera again.

Router Settings to Review

Port forwarding / virtual server rules

Delete any inbound rule for RTSP, HTTP, HTTPS, ONVIF, DVR web ports, or vendor-specific camera ports that point to the camera or NVR.

UPnP

Disable UPnP unless you have a very specific reason to keep it. It is one of the easiest ways for IoT devices to become reachable from the internet without you noticing.

RTSP ALG / SIP helpers

Some routers include protocol helpers that interfere with streaming. If you see broken RTSP sessions or weird rewrites, disable those helpers and keep the path simple.

Guest and IoT isolation

If your router supports guest or IoT networks, use that capability to isolate cameras even before you move to a full VLAN design.

A Safer Remote Viewing Pattern

Keep cameras local, connect to home through a VPN, and only then open the RTSP stream from SmartRTSP or another trusted viewer. That one change removes the biggest risk: a public-facing camera service.

For most people the safest sequence is simple: camera on a private VLAN, no port forwarding, VPN on phone, then view the stream inside the encrypted tunnel.

Frequently Asked Questions

Is it safe to port forward RTSP?
No. Port forwarding RTSP exposes the camera to the public internet, where it can be indexed by Shodan and attacked by credential scanners and bots.

What is the RTSP default port?
The default RTSP port is 554. This is exactly what Shodan and attackers scan for when hunting exposed cameras.

How do hackers access cameras?
Usually through exposed ports, weak passwords, or unpatched firmware. They are not “guessing” randomly — they use scanners, vendor fingerprints, and default credential lists.

How do I remove my camera from Shodan?
Remove the port forwarding rule from your router and verify that the RTSP port is closed from outside your network. Once the camera is no longer exposed, Shodan will stop indexing it on later scans.

Is my camera safe if I only use it at home?
It is safer, but not automatically safe. You still need strong passwords, firmware updates, and ideally a separate camera VLAN so a compromised device cannot roam across your network.

Do I need to port forward for SmartRTSP?
No. The recommended setup is local viewing on the same network or remote viewing through Tailscale, WireGuard, or another VPN.

Can SmartRTSP connect through a VPN?
Yes. SmartRTSP works seamlessly over Tailscale and any other VPN that routes you back to your home network.

Should I use RTSPS if my camera supports it?
Yes. RTSPS adds TLS encryption to the stream and is a worthwhile upgrade whenever your camera and viewer both support it.