Layer · Exposed Devices
Vulnerable cameras & exposed devices
A live roster of internet-exposed cameras, DVRs and IoT endpoints — geolocated, fingerprinted, scored, and pivot-ready. Built for defenders, not voyeurs.
What the layer is
Cameras and recording devices reachable from the public internet — usually because the owner kept default credentials, exposed an admin port, or skipped firmware updates. Plotted on the globe with a snapshot thumbnail in the inspector.
What it is not
Not a directory for browsing into private homes. We surface what is already indexed by public scanners, do not bypass authentication, and never store snapshots beyond a short-lived proxy cache.
Pipeline
┌──────────────────────────────────────────────────────┐
│ /api/public/exposed-real (60s cache, SWR) │
└─┬────────────────────────────────────────────────────┘
│ ① Roster build
│ Insecam / vendor directories → IP:port list
│ ② Vendor fingerprint
│ Default paths (/mjpg/video.mjpg, /cgi-bin/…)
│ → Hikvision · Dahua · Axis · Foscam · GeoVision
│ ③ Geolocation
│ ip-api.com → lat/lon, city, country, ISP, AS
│ ④ Risk scoring
│ CAMERA_PORTS + RISK_PORTS + CVE count
│ ⑤ Snapshot proxy
│ /api/public/camproxy?url=… (no-store, 6s)
▼
Globe entity { id, lat, lon, name, category, meta:{…} }
Risk model
Each device gets a numeric score and a categorical band so the operator can sort by severity at a glance. The score is intentionally simple — it's a triage signal, not a CVSS replacement.
| Signal | Weight | Why it matters |
|---|---|---|
| Camera port hit | +25 each | RTSP/MJPEG/ONVIF reachable from the public net. |
| Vendor fingerprint | +20 | Hikvision/Dahua/etc. detected via CPE or tag. |
| Risky service port | +12 each | Telnet, SMB, RDP, Redis, Mongo, Docker API… |
| Known CVE | +8 each | From Shodan InternetDB. |

Bands: ≥ 80 CRITICAL · ≥ 50 HIGH · ≥ 25 MEDIUM · > 0 LOW · 0 NONE
Camera ports we look for
- 80 HTTP UI
- 81 Foscam
- 88 Hikvision
- 443 HTTPS
- 554 RTSP
- 1935 RTMP
- 3702 ONVIF
- 8000 Hikvision SDK
- 8080 alt-HTTP
- 8081 MJPEG
- 8443 alt-HTTPS
- 8554 RTSP
- 7001 Dahua
- 34567 Xiongmai
- 37777 Dahua proprietary
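The risk table and camera-port list above, worked through as an added example (not the project's own code): a scorer for an InternetDB-shaped record. The `RISK_PORTS` port numbers, the vendor substring match, the uncapped sum and the sample records are assumptions; the page gives only the weights, bands and camera ports.

```python
# Added example. Weights, bands and camera ports come from the page;
# everything marked "assumption" below does not.
CAMERA_PORTS = {80, 81, 88, 443, 554, 1935, 3702, 7001, 8000, 8080,
                8081, 8443, 8554, 34567, 37777}
# Assumption: standard ports for the services the risk table names.
RISK_PORTS = {23: "telnet", 445: "smb", 3389: "rdp", 6379: "redis",
              27017: "mongodb", 2375: "docker-api"}
VENDORS = ("hikvision", "dahua", "axis", "foscam", "geovision")
BANDS = ((80, "CRITICAL"), (50, "HIGH"), (25, "MEDIUM"), (1, "LOW"))


def score_host(record):
    """Score a dict shaped like {ports, cpes, vulns, tags}; missing keys count as empty."""
    ports = set(record.get("ports") or [])
    matched = sorted(ports & CAMERA_PORTS)
    risky = sorted(ports & RISK_PORTS.keys())
    # Assumption: a vendor is "detected" when its name appears in any CPE or tag.
    haystack = " ".join((record.get("cpes") or []) + (record.get("tags") or [])).lower()
    vendor_hints = [v for v in VENDORS if v in haystack]
    cves = sorted(set(record.get("vulns") or []))  # de-duplicate before counting

    score = 25 * len(matched) + 12 * len(risky) + 8 * len(cves)
    if vendor_hints:
        score += 20  # flat +20, not per vendor
    # Assumption: no upper cap on the sum. First band whose floor is met wins.
    level = next((name for floor, name in BANDS if score >= floor), "NONE")
    return {
        "camera": {"matched_ports": matched, "vendor_hints": vendor_hints},
        "risk": {"level": level, "score": score,
                 "exposed_risky_ports": risky, "known_cves": len(cves)},
    }


# Constructed sample records (placeholder CPE and CVE strings, not real data).
SAMPLE_CAMERA = {"ports": [80, 554, 23], "cpes": ["cpe:/h:hikvision:placeholder"],
                 "vulns": ["CVE-0000-0001"], "tags": []}
SAMPLE_WEB = {"ports": [443], "cpes": [], "vulns": [], "tags": []}

if __name__ == "__main__":
    for name, rec in (("camera", SAMPLE_CAMERA), ("web", SAMPLE_WEB)):
        print(name, score_host(rec)["risk"])
```

Under this reading of the table, a host with only 443 open already lands in MEDIUM, so check the vendor hint and the camera-specific ports before acting on the band alone.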
Inspector readout
Vendor: Hikvision DS-2CD2032
Endpoint: 203.0.113.42:8080
Geo: Bangkok · TH · 13.75, 100.50
ISP / ASN: AS4761 INDOSAT
Ports: 80 · 554 · 8080 · 8443
CVEs: 3 known
Risk: CRITICAL · 92
Snapshot: proxied through /api/public/camproxy (no-store)
Pivots
Every exposed device opens with one click into the wider OSINT graph — same IP, deeper context, no scraping.
Shodan / InternetDB
Full host history, banners, raw service detection.
Censys
Cross-source certificate and protocol view.
GreyNoise
Background-noise scanner reputation.
AbuseIPDB
Community abuse reports tied to the IP.
Self-check tool
The IP Lookup panel runs the same pipeline against a single IP — paste your own, or one a tenant asks about, and you get the camera-port map, vendor fingerprint, CVE list and risk band in under a second.
GET /api/public/ip-check → caller's public IP
GET /api/public/ip-check?ip=1.2.3.4 → arbitrary IPv4
← { ip, geo, internetdb:{ports, cpes, vulns, tags},
camera:{likely, matched_ports, vendor_hints},
risk:{level, score, exposed_risky_ports, known_cves},
pivots:{shodan, censys, zoomeye, greynoise, abuseipdb} }
Refresh & caching
Roster
60s server cache, SWR on the client.
Snapshot
6s client refresh while a preview is open; no persistence.
InternetDB
8s timeout, treated as best-effort enrichment.
Boundaries
- Only data already published by third-party scanners (Insecam, Shodan InternetDB, ip-api).
- No credentials submitted. No authentication bypassed. No private VPN/LAN devices probed.
- Snapshots stream through a no-store proxy and are never archived server-side.
- The layer is built so defenders can find their own exposure before someone else does.
ourwrld / documentation