Open cameras are frequently infected with malware and added to botnets used for DDoS attacks. The infamous Mirai botnet exploited default credentials on IoT devices, including Axis cameras.

Simply performing the search is not illegal—it’s just using Google’s built-in functionality. However, what you do with the results determines legality and ethics.

Axis cameras allow you to add a robots.txt file or meta tags to prevent indexing. However, this only works if the camera is accessible but you want to politely ask search engines to stay away. It is not a security measure because malicious actors ignore it.

Add this to the camera’s web root (via custom HTTP settings):

User-agent: *
Disallow: /

Or add meta tag to the Live View page:

<meta name="robots" content="noindex, nofollow">

As awareness of these dorks grew, the landscape changed. In the mid-2000s, using this dork was like walking through a ghost town where all the doors were open. Today, the experience is different.

Many of the results you find now are deceptive. Some are "honeypots"—traps set by security researchers to log the IP addresses of snooping hackers. Others are cameras that appear to be open but require a login prompt once you click deeper. Some are simply dead links, ghosts of cameras that have since been secured or unplugged.

Furthermore, Google has cracked down. The company actively removes sensitive camera feeds from search results and warns users with CAPTCHAs if they attempt to search for certain dork strings too aggressively. The "wild west" era of open webcams is largely over, pushed into the darker corners of Shodan (a search engine for internet-connected devices) and the dark web.

If you were to run this search right now (and you should think twice before doing so), you would find a list of publicly accessible Axis camera web servers. Some will ask for a username and password. But many will not.

Here is what is typically visible without any login: