Internet-Exposed RTSP: A Global Analysis.
- MODAT Team

Video feeds accessible on the open internet represent a significant and largely unmeasured exposure surface. RTSP, the Real Time Streaming Protocol, is the backbone of networked video worldwide: surveillance systems, NVR (Network Video Recorder) appliances, broadcast infrastructure, and operational monitoring cameras all use it to deliver live video. When those services require no authentication, they are accessible to anyone with a connection. What that means in practice depends entirely on what is in frame, and in a significant number of cases, what is in frame is not a car park.
What RTSP Actually Exposes
RTSP, the Real Time Streaming Protocol, is the standard used to establish and control live video streams over IP networks. Cameras, NVRs, broadcast encoders, and media servers all use it to deliver video to connected clients. It is infrastructure-level, not consumer-level, and it is present across a wide range of operational environments. Authentication for RTSP is part of the specification but optional in practice, and many implementations ship with it disabled.
Most reporting on internet-exposed RTSP counts endpoints and labels them cameras. That framing is not wrong, but it is incomplete: it focuses on the device category rather than the infrastructure, and the infrastructure tells a significantly different story.
Modat Magnify identified 973,819 RTSP services responding with a 200 status (active and reachable) across the public internet in March 2026, spanning 210 countries, 10,671 distinct ports, and 12,970 distinct autonomous systems. Each was independently verified for live responsiveness and tested for unauthenticated access.
Of the 973,819 services in the dataset, 854,997 (87.8%) were reachable at the time of verification. Of those, 477,539 had a decodable video stream and were subject to a capture attempt. 8,074 yielded a frame without authentication, 0.83% of the starting set. The remainder required credentials, returned no stream, or were unreachable. The diagram below traces the full pipeline.

No credentials were tested. No authentication was bypassed. The question is not how many services responded. The question is what those services were actually exposing, and to whom.
Port distribution: 554 dominates, but the surface spans 10,671 ports
Security teams often begin RTSP review with default port 554, but the observed surface extends far beyond it. In our dataset, 427,872 endpoints, 43.9% of the total, exist on other ports entirely.
Port | Endpoints |
554 | 545,947 (56.06%) |
555 | 24,515 (2.52%) |
8554 | 12,847 (1.32%) |
556 | 12,352 (1.27%) |
5445 | 7,712 (0.79%) |
5554 | 7,072 (0.73%) |
655 | 6,705 (0.69%) |
9100 | 6,436 (0.66%) |
The port posture varies sharply by country. Taiwan's surface is almost entirely on 554; Spain and Russia operate more than two thirds of their endpoints on non-default ports. Whether this reflects regional vendor defaults, deliberate configuration choices, or something else entirely is unclear, but the variation is consistent enough to suggest it is not random.
Country | On Port 554 | Non-Default | Default % |
Taiwan | 151,389 | 7,434 | 95.3% |
China | 111,977 | 32,550 | 77.5% |
United States | 55,243 | 40,223 | 57.9% |
Russia | 28,711 | 63,158 | 31.3% |
Spain | 5,365 | 36,653 | 12.8% |
United Kingdom | 11,409 | 25,264 | 31.1% |
Brazil | 7,056 | 16,280 | 30.2% |
A detection strategy built around port 554 covers 12.8% of Spain's RTSP surface and 31.3% of Russia's. The remaining surface is present on non-default ports.
The technology surface: cameras, media servers, and an unlabelled majority
Of the 973,819 services in our dataset, only 39,542 (about 4%) carried a recognisable product string. More than a third of fingerprinted services are not cameras at all.
GStreamer, a general-purpose multimedia framework used in industrial pipelines, broadcast systems, and embedded devices, outranks Dahua. It outranks every camera vendor except Hipcam. GStreamer is not a camera. It is infrastructure.
Product | Category | Count |
RealServer / Hipcam | Camera Vendor | 17,531 |
GStreamer RTSP Server | Generic Streaming | 14,696 |
Dahua 2.0 | Camera Vendor | 5,861 |
Foscam IP Camera | Camera Vendor | 344 |
Wowza Streaming Engine | Media Platform | ~340 |
Windows Media Server 9.x | Media Platform | ~280 |
One in five viewable streams is located in a conflict-affected country
We applied a secondary analytical lens to services located in conflict-affected countries: a defined set of 23 countries where conflict, political instability, or elevated physical-security risk is ongoing.
These countries were drawn from active conflict zones and countries under ongoing military operations or significant political instability.
Scope | Responsive | Viewable | Hit Rate |
Global baseline | 973,819 | 8,074 | 0.83% |
Conflict-affected countries | 125,958 | 1,626 | 1.29% |
All other countries | 847,861 | 6,448 | 0.76% |
Conflict-affected countries account for 1,626 viewable streams, one in five of the global total, at a hit rate of 1.29% compared to 0.76% elsewhere. The distribution within that subset is uneven. Countries with small absolute counts should be interpreted with that in mind.
Country | Viewable | Share | Responsive | Hit Rate |
Russia | 1,268 | 15.7% | 91,869 | 1.38% |
Israel | 171 | 2.1% | 7,915 | 2.16% |
Ukraine | 150 | 1.9% | 14,709 | 1.02% |
Belarus | 33 | 0.4% | 10,512 | 0.31% |
Palestine | 3 | <0.1% | 417 | 0.72% |
Syria | 1 | <0.1% | 65 | 1.54% |
Not parking lots. Perimeters. Server rooms. 358 cameras on one box
The directly viewable population is not dominated by idle lobby cameras. What we found were operational systems, industrial telemetry, utility infrastructure, and industrial facility interiors, streaming live.
Case A - Industrial Thermal Monitoring
Sequential ports on one IP address. What came back was not a security camera; it was a thermal sensor array monitoring high-voltage electrical equipment. Real-time temperature overlays, colour-mapped heat signatures across transformer housings and switchgear. An active power installation streaming industrial telemetry to the open internet.
The video is incidental. The temperature data, indicating hot spots, thermal anomalies, and equipment load, is the operational intelligence. No username. No password required.
Sequential ports on one IP address. Industrial thermal monitoring facility. Each feed a distinct sensor view of an electrical installation.
Case B - Server Facility
Four cameras. Four ports. Every feed streaming live. What came back was the interior of a server facility: server racks, cable runs, equipment corridors, patch infrastructure.
The feeds show who enters, which racks are accessed, and when maintenance occurs. All feeds required zero authentication.
Four-camera view. Server facility. Active infrastructure, all feeds accessible without authentication.
Case C - Co-located ICS
One RTSP service. The host also presented a 32-channel NVR admin interface, an HMI panel for a car wash facility, and a SCADA dashboard for a water treatment system displaying live data. The camera is the least interesting thing on this host.
Single host. Co-located NVR interface, industrial HMI, and water treatment SCADA dashboard. All services accessible without authentication. (No credentials were tested on any service.)
Case D - Multiple Open Feeds
Not one camera. Not ten. 358 sequential RTSP streams from a single IP address, distributed across ports on what is almost certainly a single NVR appliance.
One device. One misconfiguration. 358 open windows into a single site. Remediation is not a 358-step problem. It is one conversation with one operator.
Three of 358 channels. Sequential port assignment. Single NVR appliance, single host IP.
A single retail location. Multiple RTSP streams across sequential ports, some channels duplicated, others distinct views of the same space. The pattern is consistent: one site, one device, many open feeds.
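The Case D observation that remediation is per device rather than per stream, together with the earlier point that a port-554-only audit misses part of the footprint, can be applied to the results of an audit of your own address space. This is an added example, not Modat's code; the finding tuples, the posture label `open`, and the `min_run` threshold are assumptions made for illustration.

```python
from collections import defaultdict

def port_runs(ports):
    """Collapse ports into inclusive (start, end) runs of consecutive values."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p          # extends the current run
        else:
            runs.append([p, p])      # starts a new run
    return [tuple(r) for r in runs]

def triage(findings, min_run=3):
    """Return one remediation item per host, largest open footprint first."""
    open_ports = defaultdict(set)
    for host, port, posture in findings:
        if posture == "open":
            open_ports[host].add(port)
    items = []
    for host, ports in open_ports.items():
        runs = port_runs(ports)
        items.append({
            "host": host,
            "open_streams": len(ports),
            "runs": runs,
            # A long consecutive run suggests one multi-channel appliance.
            "likely_one_appliance": max(e - s + 1 for s, e in runs) >= min_run,
            # Streams an audit limited to port 554 would never see.
            "missed_by_554_only": sum(p != 554 for p in ports),
        })
    return sorted(items, key=lambda i: (-i["open_streams"], i["host"]))

# Constructed findings; addresses come from the RFC 5737 documentation ranges.
FINDINGS = (
    [("198.51.100.7", p, "open") for p in range(10001, 10009)]
    + [("203.0.113.5", 554, "open"), ("203.0.113.5", 8554, "open"),
       ("192.0.2.10", 554, "auth-digest")]
)

if __name__ == "__main__":
    for item in triage(FINDINGS):
        print(item)
```

Eight open streams on consecutive ports collapse into a single item for one host, which is the unit an operator actually has to fix.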

The stream is rarely the only thing exposed
Across 3,359,886 RTSP endpoints in Modat Magnify, what else is running on the same host? The answer, across a significant share of the surface, is a vendor management portal. A login page. A camera dashboard. The same device, on a different port, advertising exactly what it is. Using co-service fingerprinting, we identified hosts that present an RTSP service alongside a known camera or NVR vendor interface. The results are not a footnote. They define the character of the exposure surface.
Vendor | Co-Service Platform | Hosts |
Hikvision | RTSP + Hikvision login page | 797,153 |
Axis Camera | RTSP + Axis web interface | 5,047 |
Reolink | RTSP + Reolink portal | 4,902 |
Wisenet NVR | RTSP + Wisenet interface | 2,703 |
Amcrest | RTSP + Amcrest IP Camera | 987 |
UniFi Video | RTSP + UniFi Video portal | 188 |
The co-service surface extends beyond camera vendors. Across the same 3.36M endpoints, 7,972 hosts carry an OT tag alongside an active RTSP service, 2,918 carry an ICS tag, and 1,086 carry a SCADA tag. These are not camera management portals. They are industrial control systems sharing a host with an open video feed. A single host may carry more than one tag, so these figures overlap, but the pattern is consistent.
What the co-service fingerprint reveals is not just device count. It reveals device identity. A host running both an RTSP feed and a Hikvision login page is a known product, with a known firmware architecture, a known default configuration surface, and a known vendor support and patching cycle. A host running RTSP alongside a SCADA interface is something else entirely, making it more than just a camera problem.
On scope: These figures reflect co-service presence across all 3,359,886 RTSP endpoints in Modat Magnify, not limited to the 973,819 confirmed responsive or the 8,074 directly captured.
What to do about it
Securing RTSP
Authentication is part of the RTSP specification but is disabled by default on most devices. Verify that every exposed service requires credentials; do not assume. Digest authentication is supported across most implementations and should be enforced at the device level.
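One way to verify rather than assume, shown as an added example that is not part of the original report: send a single credential-free DESCRIBE to a device you operate and classify the reply by status code and offered challenge scheme. The function names, posture labels, default path `/`, and sample responses are assumptions; stream paths are device-specific.

```python
import re
import socket

def describe_request(host, port, path="/", cseq=1):
    """Build an RTSP DESCRIBE request that carries no credentials."""
    return (f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\nAccept: application/sdp\r\n\r\n").encode()

def classify(raw):
    """Map a raw response to DESCRIBE onto an authentication posture."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status = re.match(r"RTSP/\d\.\d (\d{3})", head)
    if not status:
        return "not-rtsp"
    code = int(status.group(1))
    # A device may send several challenges; collect every offered scheme.
    schemes = {s.lower() for s in
               re.findall(r"(?im)^www-authenticate:\s*(\w+)", head)}
    if code == 200:
        return "open"                    # stream description served to anyone
    if code == 401:
        if "basic" in schemes:
            return "auth-basic-offered"  # password only base64-encoded on the wire
        return "auth-digest" if "digest" in schemes else "auth-unknown"
    return f"other-{code}"               # e.g. 404: wrong path, says nothing about auth

def check(host, port, path="/", timeout=3.0):
    """Send one DESCRIBE to a device you operate and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(describe_request(host, port, path))
        return classify(s.recv(4096))

# Constructed sample responses (not captured from any real device).
SAMPLES = {
    "open": b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
            b"Content-Length: 0\r\n\r\n",
    "digest": b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
              b'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n\r\n',
    "mixed": b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
             b'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n'
             b'WWW-Authenticate: Basic realm="cam"\r\n\r\n',
    "http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A result of `other-404` means the path was wrong for that device, not that authentication is enforced; repeat the check with the stream path from the device's own documentation.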
RTSP services should not be directly internet-facing. Remote access should route through a VPN or secure tunnel. Direct exposure is a configuration choice, not a technical requirement.
Reducing the surface
Audit beyond port 554. Devices that do not require RTSP should have it disabled entirely. Many vendors offer this option, but it is rarely exercised.
How this gets leveraged
An unauthenticated stream is intelligence: layout, staffing patterns, access points, blind spots. This has value before any technical exploitation occurs. Co-located services compound the risk. A known vendor interface on the same host narrows the attack surface to a specific firmware version and a specific CVE history.
Conclusion
The exposure documented here is not theoretical. Unauthenticated video infrastructure has demonstrated operational value, and that value has been realised.
In March 2026, CNN reported that Israel had hacked Tehran's traffic cameras years before its strikes on Iran, using them to map the city, establish patterns of movement, and build targeting intelligence that contributed directly to the killing of Iran's supreme leader. The cameras required no exploit at the time of use. The access had already been established. The feeds were simply open.
That is the model. Persistent, passive access to video infrastructure, not a dramatic breach but an unclosed door, used when the moment required it.
The data in this report reflects three distinct problems, none of which is solved by thinking about cameras. The first is the non-default surface: a detection strategy tailored to port 554 does not see 43.9% of the observed footprint. The second is the wrong label: GStreamer pipelines, Wowza servers, and legacy media infrastructure are invisible to camera-vendor fingerprinting. The third is the open window: 8,074 live feeds across 93 countries, including thermal arrays monitoring electrical infrastructure, server facility interiors, and perimeter feeds in active conflict zones, all streaming without authentication.
The "camera exposure problem" framing produces camera-shaped responses. The infrastructure problem is broader, less visible, and in some environments, considerably more consequential than a misconfigured consumer device.
About Modat
Modat is the European internet intelligence company. Modat builds AI-driven intelligence on global internet infrastructure. It reveals who is behind it, what they are preparing, and when they will act. Its flagship platform, Modat Magnify, continuously scans the entire internet, profiles every connected device using deep fingerprinting, and delivers contextual intelligence across 50+ categories.