Surveillance cameras are pretty much standard in many cities. Many of those cameras are connected to the internet, and may be deliberately or inadvertently open for others to tune into. Exposed devices can be anywhere, from businesses to schools to inside homes. A new tool allows you to see where insecure cameras are physically located.

Whereas some researchers would ordinarily have to crawl through lists of open devices on the computer search engine Shodan, this new tool lets users enter an address to find nearby ones on a map.

The tool highlights in a tangible way the prevalence of insecure cameras around us that anyone can tap into and potentially use for surveillance, or at least for some mundane people-watching.

“You can search [the] whole world and check if there is any open camera in [a] sensitive place,” the security researcher behind the tool, who goes by the handle Woj-ciech, writes in a blog post.

As Woj-ciech explains, the ‘Kamerka’ tool marries several different chunks of Python code together. It ultimately relies on Shodan to find the exposed cameras in the first place (those running the tool need to have a Shodan account with an API key). It then uses Geopy, a Python module that makes it easier to geolocate addresses, landmarks, and cities. The final magic ingredient is Folium, a Python library which handles creating the map.

Caption: A screenshot of Kamerka finding devices in London. The tool displays each camera or panel in a spiral when the concentration of devices is high. Image: Motherboard.

After a user enters their desired location, the script returns a list of found devices and creates the HTML-based map. Open that up in a browser, and users can then scroll and zoom around the inspected area, clicking on markers to reveal the IP addresses of the discovered cameras.
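An owner-side version of the lookup described above, added here as an example (it is not Kamerka's code and not from the article): it takes search results, keeps only devices inside netblocks the auditor owns, and ranks them by distance from a site. The records are constructed samples using Shodan's banner field names, the IPs are documentation addresses, and `OWNED_NETWORKS` and `SITE` are hypothetical.

```python
import ipaddress
from math import asin, cos, radians, sin, sqrt

# Constructed sample records using Shodan banner field names
# (ip_str, port, location.latitude/longitude). Documentation IPs only.
SAMPLE_RESULTS = [
    {"ip_str": "192.0.2.10", "port": 554, "location": {"latitude": 51.5079, "longitude": -0.0877}},
    {"ip_str": "192.0.2.77", "port": 8080, "location": {"latitude": 51.5033, "longitude": -0.1195}},
    {"ip_str": "198.51.100.5", "port": 80, "location": {"latitude": 51.5080, "longitude": -0.0880}},
    {"ip_str": "192.0.2.200", "port": 80, "location": {"latitude": 48.8566, "longitude": 2.3522}},
    {"ip_str": "192.0.2.31", "port": 80, "location": {"latitude": None, "longitude": None}},
]

# Hypothetical inventory: netblocks the auditing organisation owns.
OWNED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
SITE = (51.5074, -0.0878)  # constructed site coordinates (central London)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def owned_exposures(results, networks, site, radius_km):
    """Return owned devices near the site, plus owned devices lacking geodata."""
    nearby, unlocated = [], []
    for r in results:
        ip = ipaddress.ip_address(r["ip_str"])
        if not any(ip in net for net in networks):
            continue  # not ours: out of scope for this audit
        loc = r.get("location") or {}
        lat, lon = loc.get("latitude"), loc.get("longitude")
        if lat is None or lon is None:
            unlocated.append(r["ip_str"])  # still ours, review manually
            continue
        d = haversine_km(site, (lat, lon))
        if d <= radius_km:
            nearby.append((r["ip_str"], r["port"], round(d, 2)))
    return sorted(nearby, key=lambda t: t[2]), unlocated


if __name__ == "__main__":
    hits, unknown = owned_exposures(SAMPLE_RESULTS, OWNED_NETWORKS, SITE, 5.0)
    for ip, port, dist in hits:
        print(f"{ip}:{port} is indexed as exposed, {dist} km from site")
    print("owned but no geolocation:", unknown)
```

Owned devices with no coordinates are reported separately rather than dropped, since a missing geolocation does not make an indexed device any less exposed.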

You could use Kamerka to look up cameras in Washington DC, or perhaps your own neighbourhood, Woj-ciech continues. Woj-ciech also says they found cameras near one of the “secret” Amazon warehouses recently documented by WikiLeaks.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Motherboard verified that the tool works and found a slew of devices around London, New York, and Paris. Not all of the results were fully exposed; some still required authentication, or were administrator login panels rather than a raw camera feed. In our tests, we did not immediately come across any live streams, but did find control panels of particular cameras with known and predictable default passwords, as well as other open control panels that weren’t streaming video at the time. (Woj-ciech cautions users not to test any webcams if they are not the owner of the device.)