
One Million Baby Monitors and Security Cameras Exposed to Hackers

Summary

– A security researcher found 1.1 million Meari baby monitors and security cameras were remotely accessible using a single key extracted from the Android app, allowing access to devices across 118 countries.
– The cameras, sold under hundreds of brand names including Wyze and Intelbras, had weak default passwords like “admin” and “public,” and tens of thousands of photos were stored on unprotected public servers.
– Meari admitted to vulnerabilities in its EMQX platform and weak passwords, shut down the platform, and told customers to update firmware, but refused to disclose how many cameras were affected or if the flaws had been abused.
– The researcher received a €24,000 bug bounty, but Meari initially backdated security bulletins and sent what he interpreted as a veiled threat, telling him it knew where he lived.
– Many of the affected brands, including Wyze and Petcube, did not respond to inquiries about whether they warned customers, and Intelbras claimed only “fewer than 50” units were vulnerable, contradicting the researcher’s data.

A baby’s face fills the frame, staring directly into the lens. A child in a striped shirt glances up, then away. A boy dressed as a policeman, a gold star pinned to his chest. A cluttered bedroom with an unmade bunk bed, a little girl’s hat and headband, and Hello Kitty plastered across the wall.

One thought keeps circling back: I shouldn’t be seeing this. No stranger should.

Yet bad actors could have easily spied on all these locations, and a million more, because many of Meari Technology’s Wi-Fi baby monitors and security cameras were alarmingly insecure. If you had access to one of those cameras, you theoretically had access to them all.

Meari is a Chinese white-label brand whose cameras ship under hundreds of different names. Many are generic-sounding Amazon sellers like Arenti, Anran, Boifun, and ieGeek. But financial records show one of the company’s biggest customers is Wyze; its largest customer is Zhiyun; and many hackable cameras came from Intelbras. At least one of Petcube’s pet-monitoring cameras also appears to be a Meari product.

Sammy Azdoufal, the French researcher who previously created a remote-controlled army of DJI Romo robot vacuums without even trying, tells The Verge he found 1.1 million remotely accessible Meari cameras using a similar method. By simply inspecting the Android app, Azdoufal says he extracted a single key that unlocked devices across 118 countries.

Every one of those million devices was broadcasting its information to anyone who knew how to listen, or anyone who could guess the company’s passwords, many of which were still set to default. One password was the word “admin.” Another was “public.”

When Azdoufal connected the MQTT datastream to a vibe-coded world map, he says he could see “everything.” He could peer into people’s homes. He could see their email addresses and rough locations.
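The failure described above, one broker credential shared by every camera so that any client who held it could read every device’s stream, has a standard remedy on the backend: each device gets its own credential and is confined by a topic ACL to its own namespace. The Python below is an added illustration of that model and is not Meari’s, EMQX’s or Azdoufal’s code; the `Registry` class, the `devices/<id>/...` topic layout and the device names are assumptions made for the example.

```python
"""
Per-device MQTT authentication and topic authorization (added example).

Contrast with the shared-key design in the article: here a client that
authenticates as one camera cannot subscribe to another camera's topics,
and no default or shared password exists. Nothing below talks to a real
broker; it is the decision logic a broker's auth hook would implement.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching with '+' (one level) and '#' (remainder).

    '#' is only valid as the last level and also matches the parent topic,
    so 'a/#' matches both 'a/b/c' and 'a'.
    """
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


@dataclass
class Device:
    device_id: str
    salt: bytes
    secret_hash: bytes
    acl: list[tuple[str, str]]  # (action, topic filter) this device may use


class Registry:
    """Toy device registry standing in for a broker's auth backend."""

    def __init__(self) -> None:
        self._devices: dict[str, Device] = {}

    def enroll(self, device_id: str) -> str:
        """Provision one unique secret per device and return it exactly once
        (in practice burned into the device at manufacture, never reused)."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
        # Least privilege: a camera may only publish its own telemetry and
        # only subscribe to its own command channel. Nothing cross-device.
        acl = [
            ("publish", f"devices/{device_id}/telemetry/#"),
            ("subscribe", f"devices/{device_id}/commands/#"),
        ]
        self._devices[device_id] = Device(device_id, salt, digest, acl)
        return secret

    def authenticate(self, device_id: str, secret: str) -> bool:
        """Constant-time check of a device's own secret; unknown ids fail."""
        dev = self._devices.get(device_id)
        if dev is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), dev.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, dev.secret_hash)

    def authorize(self, device_id: str, action: str, topic: str) -> bool:
        """Allow an action only if some ACL entry for this device covers it.

        For 'subscribe', `topic` is the filter the client asked for; it is
        matched as a literal string, so a request broader than the allowed
        filter (e.g. 'devices/+/commands/#' or '#') is rejected.
        """
        dev = self._devices.get(device_id)
        if dev is None:
            return False
        return any(
            act == action and topic_matches(allowed, topic)
            for act, allowed in dev.acl
        )


if __name__ == "__main__":
    reg = Registry()
    secret_a = reg.enroll("cam-a")
    reg.enroll("cam-b")
    print("cam-a auth:", reg.authenticate("cam-a", secret_a))
    print("cam-a reads cam-b?", reg.authorize("cam-a", "subscribe", "devices/cam-b/telemetry/#"))
```

The design point is that the broker never trusts a topic name or a shared secret to decide access; identity comes from a per-device credential, and the ACL is derived from that identity, so compromising one camera’s secret yields one camera’s namespace rather than the whole fleet.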

He could also see tens of thousands of photos from these cameras, stored on Chinese Alibaba servers at public web addresses with zero protection, including the images I described at the start of this story.

“I can retrieve the picture without any passwords, no cracking, no hacking,” says Azdoufal. “I just click on the URL and this image is showing.”

Azdoufal says he even found an unprotected internal server with Meari’s passwords and credentials exposed in plain sight, along with a list of all 678 employees, their emails, and phone numbers. “I talk to the boss, I have his number, I send a WeChat,” Azdoufal laughs.

He says that’s when Meari finally started responding to his emails. Although reports of vulnerabilities in Meari’s CloudEdge platform date back years, and a late 2025 vulnerability report predicted the damage Meari’s MQTT design could cause, the company didn’t take him seriously until its own employees were proven vulnerable.

On March 10th, Meari cut off Azdoufal’s access and closed the primary security hole. By the time I purchased three Meari vendors’ cameras hoping for a live demo of the hack, I was (thankfully!) too late to see it working myself. But even without a GIF of me being run over by a robot lawnmower, I didn’t need to take Azdoufal’s word that the potential damage was real.

“Under specific technical conditions, attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization,” an unnamed spokesperson from the “Meari Technology Security Team” admitted to The Verge by email. (The company failed to provide a named spokesperson per our background policy, but we’re including the statement because it clearly admits the core vulnerability.)

The company also says it discovered a “Risk of potential Remote Code Execution (RCE) due to weak password issues on the scheduled task platform.” (In both statements, the bolding is theirs.)

Meari’s public claim of “advanced encryption technology” and “strict access controls” now seems laughable.

To fix the problems, Meari’s unnamed spokesperson says it shut down its EMQX platform entirely, changed usernames and passwords, and told customers to upgrade devices to the latest firmware (it claims only versions below 3.0.0 are affected).

But Meari would not tell us:

  • How many cameras or brands were actually vulnerable;

Azdoufal says that as Meari originally designed its system, any brand could access any other brand’s cameras, since they all shared the same servers and passwords.

While shutting down the EMQX platform did block remote access, Azdoufal confirms, it’s unclear what happens to those million cameras now. Meari has not told us how many of those devices can actually receive a new firmware update, or whether Meari’s partners have even issued a warning to people who have these cameras in their homes.

We attempted to reach out to some Meari camera partners to see if they were aware of the issue. Wyze and Petcube did not reply. Neither did EMQX.

Intelbras spokesperson Kennya Gava tells The Verge that the company only ever worked with Meari on three Wi-Fi video doorbells and that “fewer than 50” units had “a potential vulnerability.” That small number doesn’t align with Azdoufal’s findings. Intelbras appeared to be one of the more popular brands in his dataset, with a high concentration of cameras in Brazil. Gava would not say whether Meari had contacted them about the vulnerabilities, or whether Intelbras would warn its own customers.

When we reached out to Congress’s Select Committee on the Chinese Communist Party about Meari, Congressman Ro Khanna (D-CA)’s office replied that the reports were concerning: “I will be looking into this as ranking member of the Select Committee on China,” Khanna pledged.

[Image caption: Azdoufal shows me that yes, Meari did pay the bug bounty.]

The good news is that Azdoufal says most of what he discovered seems to be fixed, and on May 7th, he received a €24,000 bug bounty for his help. But the experience appears to have left a bitter aftertaste.

In March, after he first shared his research with Meari, the company sent him what he interpreted as a veiled threat. The company told him it was “fully capable of protecting our interests,” that it knew where he lived, and that his discovery of Meari’s internal servers was “unlawful.”

He’s also upset that Meari initially tried to backdate its security bulletins to March 2nd, making it look like the company discovered the vulnerabilities before he ever reached out. Even today, the bulletins are dated March 12th, almost a month before Meari published them in April. He also notes that Meari has yet to fulfill its GDPR obligations to notify EU citizens about the breach.

While researching this story, I noticed that a large number of baby monitors on Amazon now advertise “No Wi-Fi.” That doesn’t automatically mean they’re secure, but at least their short-range FHSS or DECT transmission should be tough to spy on from the other side of the globe.
(Source: The Verge)
