I got a rtsp server inside my ip camera (i think the software is live555, but doesnt really matters since rtsp is a standard), and i don't have an option to add basic auth (nor a reliable android client that supports it) so i made the endpoint to be something different than unicast or multicast, like
rtsp://www.example.com/secretcode
I know this is unsecure, but its the furthest i can go with this system, and i feel more or less comfortable with it. Comfortable unless a thought that a attacker may obtain a list of the published stream endpoints come to my mind.
Can it be?
There is no standard way to get the list of RTSP session registered in an RTSP server.
The rfc says :
The path components of the RTSP URL are opaque to the client and do not imply any particular file system structure for the server.
However it is possible to implement a feature returning the list of valid RTSP URLs for instance returning in the body of DESCRIBE when URL doesnot exist.
Then it depends on the implementation of your RTSP server. Live555 doesnot implement (by now) a way to provide this list, however it is possible to implement it.
Obviously brute force is possible, I guess it is what you means by "I know this is unsecure".