Manufacturers like Loftek (now largely defunct) and others may have patched known vulnerabilities. If your camera is from an obscure brand with no firmware updates since 2015, replace it immediately.
This is where the phrase "bedroom exclusive" becomes deeply disturbing.
Google, Bing, and other search engines have a contentious relationship with these types of queries. On one hand, they simply index what is publicly accessible on the web. On the other hand, they facilitate access to deeply private content. inurl viewerframe mode motion bedroom exclusive
Google has a process for removing specific URLs that contain explicit personal content. However, with camera feeds, the content is dynamic. By the time Google removes the URL, the camera may have a new feed. Furthermore, the search operator inurl:viewerframe mode motion bedroom exclusive returns links to interfaces, not the actual video content in the search results. This puts the onus on the website operator (the camera owner) to restrict access.
Millions of IoT (Internet of Things) devices ship with default settings. A user buys a $40 wireless camera, plugs it in, and uses the mobile app to set it up. The camera, however, also hosts a web server on port 80 or 8080. If the user doesn't disable Universal Plug and Play (UPnP) on their router, the camera automatically opens a port to the public internet. Manufacturers like Loftek (now largely defunct) and others
Why does this search even work? It works because of human laziness and manufacturing shortcuts.
When a camera detects motion, the backend software often appends parameters to the URL or creates a temporary session page. For example: If the camera lacks authentication, anyone with that
If the camera lacks authentication, anyone with that link sees the stream. If it has authentication, sometimes the "motion" preview uses basic HTTP auth (no encryption), which can be bypassed with default credentials like admin:admin.
The shift in technology has been mirrored by a shift in the law. During the "viewerframe" era, the legality of viewing unsecured feeds was a gray area. Some argued that if a user put a camera on the public internet without a password, they had no expectation of privacy.
Today, the legal system has strictly closed that loophole.
Use the very tool that threatens you. Open an incognito window and search:
inurl:viewerframe "YourCameraBrand"
If you see your own external IP address or DDNS hostname in the results, you are already compromised.