Back when the very first chinese IP cameras started arriving in the west in the noughties, after we’d only had the first gen very expensive professional ones from the like of Axis, they nearly all shared the same firmware. This had factory set credentials of admin / admin and a common port (8080, iirc)
Back then, uPnP was commonly also enabled by default on routers, so the camera would ask for the port to be opened automatically and the router would just do it, allowing the internet into the camera. A simple scan of IPs on port 8080 would yield a lot of prompts with the distinctive login page for this firmware and around 90% of the time, the default credentials would still let you in, and you could see the camera.
Fortunately, routers have improved and uPnP was recognised as being incredibly stupid and isn’t seen much now and is disabled by default if it is. Some IP cameras have improved also, but there’s still a lot at the lower end that have almost no security, or prioritise convenience or cloud solutions first.
(I researched the above when I found one of my company’s cameras broadcasting and tried to educate people about it back in the day, but I doubt it did much good)
It doesn’t always need to be automatically set.
Back when the very first chinese IP cameras started arriving in the west in the noughties, after we’d only had the first gen very expensive professional ones from the like of Axis, they nearly all shared the same firmware. This had factory set credentials of admin / admin and a common port (8080, iirc)
Back then, uPnP was commonly also enabled by default on routers, so the camera would ask for the port to be opened automatically and the router would just do it, allowing the internet into the camera. A simple scan of IPs on port 8080 would yield a lot of prompts with the distinctive login page for this firmware and around 90% of the time, the default credentials would still let you in, and you could see the camera.
Fortunately, routers have improved and uPnP was recognised as being incredibly stupid and isn’t seen much now and is disabled by default if it is. Some IP cameras have improved also, but there’s still a lot at the lower end that have almost no security, or prioritise convenience or cloud solutions first.
(I researched the above when I found one of my company’s cameras broadcasting and tried to educate people about it back in the day, but I doubt it did much good)