A million baby monitors and security cameras were easily viewable by hackers

A baby’s eyes look directly into the camera lens. A child in a striped shirt looks up, then walks away. A boy in a police costume, a golden star on his chest. A messy room that reminds me of my own daughters, with an unmade bunk bed, a little girl’s hat and headband, and Hello Kitty plastered on the wall.

A thought comes back to my mind: I shouldn’t see this. No outsider should do this.

But bad actors could have easily spied on all of these places — and a million others — because many of Meari Technology’s baby monitors and Wi-Fi security cameras were absurdly insecure. If you had access to one of these cameras, you theoretically had access to all of them.

Meari is a Chinese white label brand whose cameras are sold under hundreds of different names. Many are generic-sounding Amazon sellers like Arenti, Anran, Boifun, and ieGeek. But financial records show that one of the company’s biggest customers is Wyze; its biggest client is Zhiyun; and many hackable cameras came from Intelbras. At least one of Petcube’s pet surveillance cameras also appears to be a Meari product.

Sammy Azdoufal — the Frenchman who created a remote-controlled army of DJI Romo robot vacuum cleaners without really trying — tells The Verge he found 1.1 million Meari cameras accessible remotely in almost the same way. By simply inspecting the Android app, Azdoufal claims he was able to extract a unique key that gave him access to devices in 118 countries.

Each of these millions of devices broadcast its information to anyone who knew how to listen. Or anyone who could guess company passwords, many of which were still set by default. One of these passwords was the word “admin”. Another was the word “public.”

When Azdoufal connected the MQTT data stream to an ambient-encoded world map, he said he could “see everything.” He could see into the houses. He could see their email addresses and approximate locations.

Just a quick look at Azdoufal’s Meari camera dashboard.
Image: Sammy Azdoufal

He was also able to see tens of thousands of photos from these cameras, stored on Alibaba’s Chinese servers at public web addresses without any protection, including the photos I describe at the beginning of this article.

“I can recover the image without any password, without hacking, without hacking,” says Azdoufal. “I just click on the URL and this image comes up.”

Azdoufal says he even found an internal server with Meari’s passwords and credentials displayed prominently, as well as a list of all 678 employees with their emails and phone numbers. “I speak to the boss, I have his number, I send a WeChat,” laughs Azdoufal.

He says that’s when Meari finally started responding to his emails. Even though reports of vulnerabilities in Meari’s CloudEdge platform date back several years, and a vulnerability report from late 2025 predicted the damage Meari’s MQTT design could cause, he says the company didn’t take it seriously until its own employees were found to be vulnerable.

On March 10, Meari cut off access to Azdoufal and plugged the main hole. By the time I had purchased cameras from three Meari vendors in hopes of getting a live demo of the hack, it was (thankfully!) too late to see it working myself. But even though there’s no GIF of me being run over by a robot lawn mower, I didn’t have to take Azdoufal’s word that the potential damage was real.

“Under specific technical conditions, attackers can intercept all messages transmitted via the EMQX IoT platform without user authorization,” admitted an anonymous spokesperson from the “Meari Technology Security Team” to The Verge when we contacted him by email. (The company failed to provide a named spokesperson in accordance with our background policy, but we are releasing the statement because it is a clear admission of the primary vulnerability.)

The company also claims to have discovered “a risk of Remote Code Execution (RCE) due to weak password issues on the Scheduled Tasks platform.” (In both statements, the bold type is theirs.)

Meari’s public claims of “advanced encryption technology” and “strict access controls” now seem ridiculous.
Image: Meari

To resolve the issues, Meari’s anonymous spokesperson said it has completely shut down its EMQX platform, changed usernames and passwords, and asked its customers to upgrade their devices to the latest firmware (he claims only versions below 3.0.0 are affected).

But Meari didn’t tell us:

  • How many cameras or brands were actually vulnerable;
  • If these brands have correctly warned their customers;
  • If these vulnerabilities have already been exploited;
  • What, if anything, stops a Meari employee or one of its suppliers from spying on people halfway around the world.

Azdoufal says that the way Meari originally designed its system, any brand could access any other brand’s cameras, since they all shared the same servers and passwords.
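
As an added illustration of the design flaw described above (not code from Meari, Azdoufal or this article), the following Python example shows why a broker with shared credentials and no per-device topic authorization lets one client receive every device's messages, and how checking the subscription filter against the client's own prefix confines it. The topic layout `cams/<brand>/<device>/...`, the brand names and the device IDs are assumptions constructed for the example.

```python
# Added example. Topic layout, brand names and device IDs are constructed.
TOPICS = [
    "cams/brandA/dev001/status",
    "cams/brandA/dev002/snapshot",
    "cams/brandB/dev900/status",
]


def topic_matches(filter_, topic):
    """Simplified MQTT filter matching: '+' is one level, '#' is the rest."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def may_subscribe(brand, device_id, filter_):
    """Per-device ACL: the filter must start with the client's literal prefix.

    A wildcard in any of the leading levels could reach another brand or
    device, so those levels are compared as plain strings.
    """
    prefix = ["cams", brand, device_id]
    return filter_.split("/")[: len(prefix)] == prefix


def visible(brand, device_id, filter_, enforce_acl):
    """Topics a client would receive for one subscription request."""
    if enforce_acl and not may_subscribe(brand, device_id, filter_):
        return []  # broker rejects the SUBSCRIBE
    return [t for t in TOPICS if topic_matches(filter_, t)]


if __name__ == "__main__":
    # Shared credentials, no ACL: one client sees every brand's devices.
    print(visible("brandA", "dev001", "#", enforce_acl=False))
    # Same request with the ACL: rejected.
    print(visible("brandA", "dev001", "#", enforce_acl=True))
    # The client's own subtree is still reachable.
    print(visible("brandA", "dev001", "cams/brandA/dev001/#", enforce_acl=True))
```

The brand and device identity passed to `may_subscribe` must come from the authenticated session (for example a per-device credential), never from a value the client supplies.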

While shutting down the EMQX platform did block remote access, Azdoufal confirms, it’s unclear what exactly happens to these millions of cameras now. Meari hasn’t told us how many of these devices may actually benefit from a new firmware update, or whether Meari’s partners have actually issued a warning to people who have these cameras in their homes.

Alien, cat, dog or just plain old, Meari baby monitors come in many different forms.
Image: FCC

We attempted to contact some Meari camera partners to see if they were aware of the issue. Wyze and Petcube did not respond. Neither did EMQX.

Intelbras spokesperson Kennya Gava told The Verge that the company only worked with Meari on three Wi-Fi video doorbells and that “fewer than 50” units presented “a potential vulnerability.” This small number does not match Azdoufal’s account. Intelbras appeared to be one of the more popular brands in his dataset, with a high concentration of cameras in Brazil. Gava would not say whether Meari had been in contact about the vulnerabilities or whether Intelbras would issue a warning to its own customers.

When we contacted the Congressional Select Committee on the Communist Party of China about Meari, Rep. Ro Khanna’s (D-CA) office responded that the reports were concerning: “I will look into this matter as a ranking member of the Select Committee on China,” Khanna promised.

Azdoufal shows me that yes, Meari did pay for the bug bounty.

The good news is that Azdoufal claims that most of what he discovered appears to be fixed and that on May 7 he received a €24,000 bug bounty for his help. But the experience seems to have left a bad taste in his mouth.

In March, after he first shared his research with Meari, the company sent him what he interpreted as a veiled threat. The company told him it was “fully capable of protecting our interests,” that it knew where he lived and that his discovery of Meari’s internal servers was “illegal.”

He’s also not happy that Meari initially tried to backdate its security bulletins to March 2. This way, it would have appeared that Meari had discovered the vulnerabilities before even contacting us. Even today, the bulletins are dated March 12, almost a month before Meari published them in April. He also notes that Meari has not yet fulfilled its GDPR obligations to notify EU citizens of the breach.

I wish I could say I’ve described everything Azdoufal discovered about Meari’s practices, but you can find more in his full security article. He also teamed up with Tod Beardsley of runZero to file five official CVE vulnerability reports this time.

While researching this story, I discovered that a lot of baby monitors on Amazon now advertise “No Wi-Fi.” This doesn’t automatically mean they’re secure, but at least their short-range FHSS or DECT transmission should be difficult to spy on from halfway around the world.
