Thinking out loud regarding remote webcam from the web, etc.

One of the big problems with exposing a port to the Internet is of course that hackers will find it. We haven't really talked, though, about wrapping that communication with encryption.

So what if one builds an haproxy type of app with a related open port? The big difference then is that everything outbound is encrypted. Or, there is a kosher list of destination IP addresses/ranges and the output is then somewhat different for that collection. (I don't mean unencrypted, I mean different.)

  • Dude not on the list uses a script to try to visit your port. Since his IP address isn't kosher, he gets a response that is "hahahahahahahaha..." times infinity.
  • You—who are in the kosher list of IP addresses—get an encrypted response stream, for example. You then decrypt this inline as the webcam output, for example. Since it's your setup, you know the credentials or the API key or you have the public key which corresponds to this.

If it's merely encrypted without the address-lookup, this could technically be sent as UDP as a broadcast. So multiple clients could see it without adding any additional overhead.

If you knew that only a single IP address is the destination, you could combine the four parts of that IP address to convert it into a large integer and then use that to encrypt the conversation (as long as you treated that IP address as a secret).

The biggest problem out there on the Internet with respect to hacked webcams is that manufacturers rarely add any security whatsoever. Even the slightest manipulation to the stream would likely be enough to make this seem like too much trouble to these script-kiddies.
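The gate described in the post above, as an added example that is not part of the thread or any poster's code: a source-address allow-list check in front of a per-frame AES-GCM seal. The ranges, function names and frame layout are assumptions, and the key is a random pre-shared 32-byte value rather than one derived from an IP address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"net/netip"
)

var allowed = []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24"), netip.MustParsePrefix("198.51.100.7/32")}

// IsAllowed checks peer against the constructed allow-list above (documentation ranges, not real hosts).
func IsAllowed(peer string) bool {
	addr, err := netip.ParseAddr(peer)
	for _, p := range allowed {
		if err == nil && p.Contains(addr.Unmap()) { // ::ffff:a.b.c.d counts as a.b.c.d
			return true
		}
	}
	return false
}

// NewAEAD builds AES-GCM from a random pre-shared key (32 bytes selects AES-256).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFrame returns nonce || ciphertext || tag for one frame, with a fresh random nonce.
func SealFrame(a cipher.AEAD, frame []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, frame, nil), nil
}

// OpenFrame checks the tag and decrypts; a wrong key or altered bytes return an error.
func OpenFrame(a cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < a.NonceSize() {
		return nil, fmt.Errorf("frame shorter than %d-byte nonce", a.NonceSize())
	}
	return a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], nil)
}

func main() { fmt.Println(IsAllowed("203.0.113.50"), IsAllowed("192.0.2.1")) }
```

The address check only decides which response a peer gets; confidentiality rests on the key, so a listed peer without the key still cannot open a frame.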

You lost me at "open port". There are safer ways to do this: ngrok or OctoEverywhere. They require less configuration by the end user (i.e., opening ports), and are more secure.

I'm told IP addresses can be easily spoofed.