Millions of baby monitors and security cameras were easily spotted by criminals


A child’s eyes peer into the camera lens. The kid in the striped shirt looks up, then walks away. A young man in police uniform, a gold star on his chest. A messy bedroom that reminds me of my own daughters, with an unmade bed, a little girl’s hat and belt, and Hello Kitty painted on the wall.

One thought repeats itself in my head: I don’t need to see this. No stranger should.

But bad actors could have watched all of those scenes, and a million others, because many of Meari Technology’s Wi-Fi baby monitors and security cameras were vulnerable. If you had access to one of those cameras, you obviously had access to all of them.

Meari is a Chinese white-label brand whose cameras go by hundreds of different names. Many are popular Amazon sellers like Arenti, Anran, Boifun, and ieGeek. But financial records show that one of the company’s biggest customers is Wyze, that its main client is Zhiyun, and that many of the vulnerable cameras came from Intelbras. A Petcube pet-monitoring camera also appears to be a Meari product.

Sammy Azdoufal, the French researcher who accidentally created an army of remotely controllable DJI Romo robot vacuums, tells Seaside he found 1.1 million Meari cameras reachable remotely over the same channel. By digging into the Android app, Azdoufal says he was able to extract a single key that gave him access to devices in 118 countries.

Each of those millions of devices was broadcasting its information to anyone who knew how to listen, or to anyone who could guess the company’s passwords, many of which had never been changed from their defaults. One of those passwords was the word “admin.” Another was the word “open.”

When Azdoufal plotted the MQTT data on a world map, he said he could see “everything.” He could see into people’s homes, see their email addresses, and see sensitive locations.

A quick look at Azdoufal’s dashboard for Meari’s cameras.
Photo: Sammy Azdoufal

He could also view tens of thousands of images from these cameras, stored on Alibaba servers in China at public addresses with no authentication, including the images I describe at the beginning of this article.

“I can access the image without a password, without cracking, without hacking,” says Azdoufal. “I just click on the URL and this image appears.”

Azdoufal says he even got inside an unprotected Meari server that held the company’s passwords and other exposed credentials, as well as a list of all 678 employees with their email addresses and phone numbers. “I talk to the boss, I have his number, I send WeChat,” Azdoufal laughs.

He says that is when Meari started answering his emails. Even though reports of vulnerabilities in Meari’s CloudEdge platform are years old, and a risk report at the end of 2025 had already warned about Meari’s MQTT design, he says the company didn’t take him seriously until its own employees were shown to be exposed.

On March 10, Meari cut off Azdoufal’s access and closed the hole. By the time I had bought three cameras from Meari resellers in hopes of seeing the exposure for myself, I was (thankfully!) too late. But I didn’t have to take Azdoufal’s word that the potential damage was real.

“Under special technical conditions, attackers can compromise all communications that are transmitted through the EMQX IoT platform without user consent,” an unnamed spokesperson from the “Meari Technology Security Team” admitted to Seaside when we reached the company by email. (The company declined to provide a spokesperson’s name, which our policy normally requires, but we’re running the quote because it’s a serious admission of risk.)

The company also said that it had found a “potential risk of Remote Code Execution (RCE) due to weak passwords on the platform.”

Meari’s public claims of “advanced encryption technology” and “access controls” seem laughable now.
Photo: Meari

To address these issues, the unnamed Meari spokesperson says the company has shut down its EMQX platform entirely, changed usernames and passwords, and told its customers to update devices to the latest firmware (it says firmware versions below 3.0.0 are affected).

But Meari did not tell us:

  • How many cameras or models were at risk;
  • Whether the brands selling its products have adequately warned their customers;
  • Whether these weaknesses were ever exploited;
  • What, if anything, prevents a Meari employee or one of its partners from spying on people from the other side of the world.

Azdoufal says that the way Meari designed its system, any brand could access any other brand’s cameras, since they all shared the same servers and passwords.
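The failure described above and in the passage about the unchanged “admin” and “open” passwords is a broker design in which one shared credential reaches every device’s topics. As an added illustration that is not Meari’s or EMQX’s configuration, here is how an MQTT broker can instead give each camera its own account and confine it to its own topics; Mosquitto is used because its ACL syntax is compact, and all file paths, usernames and topic names are assumed.

```conf
# mosquitto.conf (illustrative fragment; paths are assumed)
listener 8883
cafile   /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile  /etc/mosquitto/broker.key

# No anonymous clients and no shared account: every camera gets its own
# entry in the password file, created per device with
#   mosquitto_passwd -b /etc/mosquitto/passwd cam-0001 <unique-secret>
allow_anonymous false
password_file   /etc/mosquitto/passwd
acl_file        /etc/mosquitto/acl

# /etc/mosquitto/acl
# %u is the authenticated username. A camera may publish only to its own
# telemetry topic and read only its own command topic, so a credential
# lifted from one device (or from the mobile app) reaches no other device.
pattern write devices/%u/telemetry
pattern read  devices/%u/commands

# The cloud backend is the only principal allowed to see every device.
user camera-backend
topic readwrite devices/#
```

With this layout, the audit question Meari left unanswered (who can read which device) becomes a property of the ACL file rather than of whoever holds a password.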

Shutting down the EMQX platform did block the remote access, Azdoufal confirms, but it is not clear what happens to those millions of cameras now. Meari didn’t tell us how many of these devices will get the new firmware update, or whether Meari’s partners will actually pass the warning on to the people who have the cameras in their homes.

Stranger, cat, dog, or sound, Meari’s baby monitors come in many different forms.
Image: FCC

We tried to contact Meari’s camera partners to see whether they knew about this story. Wyze and Petcube did not respond. Neither did EMQX.

Intelbras spokesperson Kennya Gava tells Seaside that the company had only worked with Meari on three Wi-Fi video doorbells and that “less than 50” units had a “potential risk.” That low number does not match Azdoufal’s findings: Intelbras appears to be one of the most common brands in his dataset, with the most cameras in Brazil. Gava would not say whether Meari had contacted Intelbras about the vulnerabilities, or when Intelbras warned its customers.

When we reached out to the Congressional Select Committee on the Chinese Communist Party about Meari, the office of Congressman Ro Khanna (D-CA) responded that the reports were concerning: “I am looking into it as a member of the China Select Committee,” Khanna said.

Azdoufal shows me that yes, Meari paid a lot of money.

The good news is that Azdoufal says matters seem mostly to have settled, and on May 7 he received a €24,000 payment for his help. But the experience seems to have left a bad taste in his mouth.

In March, after he first shared his research with Meari, the company sent him what he interpreted as a veiled threat: it said it “can protect our interests,” that it knew where he lived, and that his access to Meari’s internal servers was “illegal.”

He is also unhappy that Meari backdated its security advisory to March 2, which would make it appear that Meari discovered the vulnerabilities before his reports arrived. The document itself was written on March 12, almost a month before Meari published it in April. He also claims that Meari did not meet its GDPR obligation to notify EU citizens of the breach.

I wish I could say I’ve covered everything Azdoufal found about Meari’s systems, but you can find more in his own writeup. He also teamed up again with Tod Beardsley of runZero to get five CVEs filed for these vulnerabilities.

While researching this article, I found that many baby monitors on Amazon now advertise “No Wi-Fi.” That doesn’t mean they’re safe – but their short-range FHSS or DECT transmission should be harder to spy on from the other side of the world.
