It was easy for hackers to see a million baby monitors and security cameras


The child’s eyes look directly into the camera lens. A child in a striped shirt looks up, then away. A boy dressed as a policeman with a gold star on his chest. A messy bedroom that reminds me of my daughters, with a messy bunk bed, a little girl’s hat and headband, and a Hello Kitty poster on the wall.

One thought keeps repeating in my mind: I shouldn’t see this. No stranger should.

But bad actors could have easily spied on all of these sites — and a million others — because many of Meari Technology’s Wi-Fi baby monitors and security cameras were so insecure. If you had access to one of those cameras, in theory, you had access to all of them.

Meari is a white-label Chinese brand whose cameras ship under hundreds of different names. Many of them are generally reputable Amazon sellers such as Arenti, Anran, Boifun, and ieGeek. But financial records show one of the company’s largest clients is Wyze; its biggest client is Zhiyun. Many of the hackable cameras were from Intelbras. At least one of Petcube’s pet security cameras appears to be a Meari product as well.

Sami Azdoval, the French man who created an army of remote-controlled DJI Romo robotic vacuum cleaners without really trying, tells Edge he found 1.1 million Meari cameras could be accessed remotely in much the same way. Azdoval says that once he scanned the Android app, he was able to extract a single key that gave him access to devices in 118 countries.

Each of those million devices was broadcasting its information to anyone who knew how to listen, or to anyone who knew how to guess company passwords, many of which were still set to default. One of those passwords was “admin.” The other was “general.”

When Azdoval linked an MQTT data stream to an encoded world map, he said he could see “everything.” He could see inside people’s homes. He could see their email addresses and approximate locations.

Just a peek at the dashboard of Azdoval’s Meari cameras.
Photo: Sami Azdoval

He could also see tens of thousands of photos taken from these cameras, stored on Alibaba’s Chinese servers at public web addresses without any protection, including the photos I describe at the beginning of this story.

“I can retrieve the image without any passwords, hacking, or hacking,” Azdoval says. “I just click on the URL and this image appears.”

Azdoval says he even found an unprotected internal server containing Meari’s passwords and credentials exposed in plain sight, as well as a list of all 678 employees with their email addresses and phone numbers. “I talk to my manager, I have his number, and I send a message via WeChat,” laughs Azdoval.

He says that’s when Meari finally started responding to his emails. Although reports of security vulnerabilities in Meari’s CloudEdge platform date back years, and a vulnerability report in late 2025 predicted the damage the Meari MQTT design would cause, he says the company didn’t take it seriously until it was proven its employees were at risk.

On March 10, Meari cut off Azdoval’s access and closed the main hole. By the time I bought three cameras from Meari vendors in hopes of getting a live demo of the hack, I was (thankfully!) too late to see it in action for myself. But even though there is no GIF of me being run over by a robotic lawnmower, I didn’t have to take Azdoval’s word that the potential harm was real.

“Under certain technical circumstances, attackers may intercept all messages sent via the EMQX IoT platform without the user’s permission,” a Meari Technology Security Team spokesperson admitted to Edge when we communicated via email. (The company failed to provide a spokesperson per our background policy. However, we are running the statement because it is a clear acknowledgment of the underlying vulnerability.)

The company also says it has discovered “potential risks of Remote Code Execution (RCE) due to weak password issues on the Scheduled Tasks platform.” (In both statements, bold is theirs.)

Meari’s public claim of “advanced encryption technology” and “strict access controls” seems laughable now.
Photo: Meari

To fix the issues, an unnamed Meari spokesperson says the company has shut down its entire EMQX platform, changed usernames and passwords, and required its customers to upgrade devices to the latest firmware (it claims only versions below 3.0.0 are affected).

But Meari did not tell us:

  • How many cameras or brands were already at risk;
  • Whether those brands adequately warned their customers;
  • Whether these vulnerabilities have actually been abused;
  • What – if anything – prevents a Meari employee or any of its vendors from spying on people from the other side of the world.

The way Meari originally designed its system, any brand can access any other brand’s cameras, since they all share the same servers and passwords, Azdoval says.
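The shared-credential design described above can be checked for on the broker side. The following is an added example, not code from the article, the researcher or Meari: a Python audit that flags broker accounts with weak or reused passwords and with MQTT subscriptions that reach topics outside their own scope. The topic layout, account names and device inventory are constructed assumptions; only the two weak passwords come from the article.

```python
# Added example: audit MQTT broker accounts for the flaws the article describes.
# Topic layout, account names and the inventory are constructed for illustration.
WEAK_PASSWORDS = {"admin", "general"}  # the two passwords quoted in the article

def filter_matches(topic_filter, topic):
    """MQTT filter matching: '+' is one level, '#' is all remaining levels."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def audit(accounts, device_topics):
    """Return (account, finding) pairs for weak, shared or over-broad access."""
    by_password = {}
    for name, acct in accounts.items():
        by_password.setdefault(acct["password"], []).append(name)
    findings = []
    for name, acct in accounts.items():
        if acct["password"] in WEAK_PASSWORDS:
            findings.append((name, "weak-password"))
        if len(by_password[acct["password"]]) > 1:
            findings.append((name, "shared-password"))
        # Topics outside the account's own scope that its filters still match.
        foreign = [t for t in device_topics
                   if not t.startswith(acct["scope"])
                   and any(filter_matches(f, t) for f in acct["subscribe"])]
        if foreign:
            findings.append((name, f"cross-tenant-read:{len(foreign)}"))
    return findings

DEVICE_TOPICS = [  # constructed inventory
    "brand/alpha/device/cam-001/event",
    "brand/alpha/device/cam-002/event",
    "brand/beta/device/cam-101/event",
]
ACCOUNTS = {  # constructed broker accounts
    "app-alpha": {"password": "admin", "scope": "brand/alpha/",
                  "subscribe": ["brand/#"]},
    "app-beta": {"password": "admin", "scope": "brand/beta/",
                 "subscribe": ["brand/+/device/+/event"]},
    "cam-001": {"password": "constructed-unique-secret",
                "scope": "brand/alpha/device/cam-001/",
                "subscribe": ["brand/alpha/device/cam-001/#"]},
}
if __name__ == "__main__":
    for finding in audit(ACCOUNTS, DEVICE_TOPICS):
        print(finding)
```

Only the per-device account, with a unique secret and a subscription limited to its own topic subtree, comes back clean.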

While Azdoval confirms that the EMQX platform is in fact shut down, it is not clear what happens to those millions of cameras now. Meari didn’t tell us how many of these devices could actually get a new firmware update, or whether Meari’s partners have already passed along a warning to people who have these cameras in their homes.

Alien, cat, dog, or regular, Meari baby monitors come in many different shapes.
Image: Federal Communications Commission

We’ve tried reaching out to some of Meari’s camera partners to see if they are aware of the issue. Wyze and Petcam did not respond. Neither did EMQX.

Intelbras spokesperson Kenya Java tells Edge that the company had only worked with Meari on three Wi-Fi video doorbells and that “less than 50” units had a “potential vulnerability.” This small number is not consistent with Azdoval’s story. Intelbras seems to be one of the more popular brands in his dataset, with a high concentration of cameras in Brazil. Java did not say whether Meari had been in touch about the vulnerabilities, or whether Intelbras would pass on a warning to its customers.

When we reached out to the Congressional Select Committee on China about Meari, the office of Congressman Ro Khanna (D-CA) responded that the reports were troubling: “I will look into this matter as the ranking member of the Select Committee on China,” Khanna pledged.

Azdoval showed me that Meari had already paid the bug bounty.

The good news is that Azdoval says most of what he discovered appears to have been fixed, and on May 7, he received a €24,000 reward for his help. But the experience seems to have left a bad taste in his mouth.

In March, after he first shared his research with Meari, the company sent him what he interpreted as a veiled threat. The company told him that it was “fully capable of protecting our interests,” that the company knew where he lived, and that his discovery of Meari’s internal servers was “illegal.”

He’s also not happy that Meari initially tried to backdate its security bulletins to March 2. That way, it would appear as if Meari had discovered the weaknesses before he reached out to it. Even today, the bulletins are still dated March 12, roughly a month before Meari published them in April. He also notes that Meari has not yet met its obligations under the GDPR to notify EU citizens about the breach.

I wish I could say I’ve described everything worthwhile that Azdoval discovered about Meari’s practices, but you can find more in his complete security write-up. He also collaborated with Todd Beardsley of runZero to offer five official CVE vulnerability reports this time.

While researching this story, I found that a large number of baby monitors on Amazon now advertise “No Wi-Fi.” This does not automatically mean that they are safe, but at least their short-range FHSS or DECT transmissions will be difficult to spy on from the other side of the globe.
