An audit has uncovered lax security controls and practices at Victorian councils for their CCTV networks, including the use of shared passwords and unpatched equipment.

Five councils - City of Melbourne, Whitehorse City Council, Hume City Council, East Gippsland Shire Council and Horsham Rural City Council - were audited, covering “more than 1100 CCTV cameras”.

Victoria’s Auditor-General found them in various states but mostly in need of a crash course in security.

While none of the councils had “found any instances of inappropriate use of surveillance systems or footage”, the auditor noted all five could “improve the security of the personal information they gather through their CCTV systems to better protect the privacy of individuals.”

The audit looked both at “corporate CCTV” systems - put on council assets - and public safety CCTV systems, which provided feeds to Victoria Police.

“Key areas to address include improving physical security and access controls for corporate CCTV systems and regularly assessing whether those controls are working,” it said.

“All of the audited councils use generic user logins for corporate CCTV systems, and some do not use system activity logs to track usage.

“These practices increase the risk of inappropriate use occurring and going undetected. There are similar issues with public safety CCTV systems.”

The audit also found that none of the councils regularly patched either the cameras or the recorders running in the backend.

Some had gone years without applying patches to equipment, which significantly raised the risk of exploitation by attackers.

Vulnerable camera networks have been exploited this year in places like Japan, with publicly accessible search tools used to locate them.