London has more than 2.5 million exposed electronic devices including routers, webcams, medical equipment, personal baby monitors and company databases, new research suggests.

Using Shodan, a search engine for internet-of-things (IoT) devices, security firm Trend Micro said in a report released today (28 November) that the UK capital had one of the highest numbers of exposed devices at risk of hacking and cybercrime. It was matched by Berlin.

An analysis entitled Cities Exposed has warned that tech-savvy criminals use Shodan to scan for so-called "cyber assets" left visible to the public and then use any available tricks to target them.

Connected devices which are not adequately protected can leak personal data or even be held to ransom.

"Despite their prevalence as tech and business hubs, it is concerning that people in these capitals are not extending this knowledge into their security practices," said Trend Micro researcher Rik Ferguson.

"The number of exposed devices is likely just the tip of the iceberg, as anyone breaching these could potentially gain access to entire networks."

After London, Manchester has a high risk ratio with around 320,000 exposed devices. Glasgow has 160,000 devices at risk.

Experts found that the UK had more than 5,000 exposed webcams which "attackers could use for surveillance or stealing and publishing live video feeds from compromised devices".

The Trend Micro report reads: "Connected devices are an integral part of our daily lives. Device security should ideally not affect availability and be transparent to a user.

"There is no one-size-fits-all cybersecurity solution for connected devices.

"In addition to [general guidelines] users must be able to rely on device manufacturers to enable strong security out of the box. Ultimately, we may need to rely on security by obscurity — hiding our devices among billions of other connected devices online to avoid getting compromised."

Hackers have used webcams to spy on children, and exposed devices have been exploited to build vast computer botnets to launch distributed denial-of-service (DDoS) attacks.

To avoid being compromised, web users are advised to use strong, unique passwords on all devices.