A baby’s eyes peer directly into the camera lens. A kid with a striped shirt looks up, then away. A boy in a policeman’s costume, a gold star on his chest. A messy bedroom that reminds me of my own daughters, with an unmade bunk bed, a little girl’s hat and headband, and Hello Kitty plastered on the wall.
One thought repeats in my mind: I shouldn’t be seeing this. No stranger should.
But bad actors could’ve easily spied on all these locations — and a million more — because many of Meari Technology’s Wi-Fi baby monitors and security cameras were absurdly insecure. If you had access to one of those cameras, you theoretically had access to them all.
Meari is a Chinese white-label brand whose cameras ship under hundreds of different names. Many are generic-sounding Amazon sellers like Arenti, Anran, Boifun, and ieGeek. But financial records show one of the company’s biggest customers is Wyze; its biggest customer is Zhiyun; and many hackable cameras were from Intelbras. At least one of Petcube’s pet-monitoring cameras appears to be a Meari product as well.
Sammy Azdoufal — the man from France who created a remote-controlled army of DJI Romo robot vacuum cleaners without really trying — tells noti.group he found 1.1 million remotely accessible Meari cameras almost the same way. Just by inspecting the Android app, Azdoufal says he was able to extract a single key that gave him access to devices across 118 countries.
Every one of those million devices was broadcasting its information to anyone who knew how to listen. Or anyone who knew how to guess the company’s passwords, many of which were still set to default. One of those passwords was the word “admin.” Another was the word “public.”
When Azdoufal hooked up the MQTT datastream to a vibe-coded map of the world, he says he could see “everything.” He could see into people’s homes. He could see their email addresses and rough locations.
He could also see tens of thousands of photos from these cameras, stored on Chinese Alibaba servers at public web addresses without any protection, including the photos I describe at the beginning of this story.
“I can retrieve the picture without any passwords, no cracking, no hacking,” says Azdoufal. “I just click on the URL and this image is showing.”
Azdoufal says he even found an unprotected internal server with Meari’s passwords and credentials exposed in plain sight, as well as a list of all 678 employees with their emails and phone numbers. “I talk to the boss, I have his number, I send a WeChat,” Azdoufal laughs.
He says that’s when Meari finally began answering his emails. Even though reports of vulnerabilities in Meari’s CloudEdge platform date back years, and a late 2025 vulnerability report predicted the damage Meari’s MQTT design could cause, he says the company didn’t take him seriously until its own employees were proven vulnerable.
On March 10th, Meari cut off Azdoufal’s access — and closed the primary hole. By the time I’d purchased three Meari vendors’ cameras in the hopes of getting a live demo of the hack, I was (thankfully!) too late to see it working myself. But even though there’s no GIF of me getting run over by a robot lawn mower, I didn’t have to take Azdoufal’s word that the potential damage was real.
“Under specific technical conditions, attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization,” an unnamed spokesperson from the “Meari Technology Security Team” admitted to noti.group, when we reached out by email. (The company failed to provide a named spokesperson per our background policy, but we’re running the statement because it’s a clear admission of the core vulnerability.)
The company also says it discovered “Risk of potential Remote Code Execution (RCE) due to weak password issues on the scheduled task platform.” (In both statements, the bolding is theirs.)
To fix the problems, Meari’s unnamed spokesperson says it shut down its EMQX platform entirely, changed usernames and passwords, and told its customers to upgrade devices to the latest firmware (it claims only versions below 3.0.0 are affected).
But Meari would not tell us:
- How many cameras or brands were actually vulnerable;
- Whether those brands have adequately warned their customers;
- Whether these vulnerabilities have already been abused;
- What — if anything — prevents an employee of Meari or any of its vendors from spying on people from the other side of the world.
Azdoufal says that the way Meari originally designed its system, any brand could access any other brand’s cameras, since they all shared the same servers and passwords.
While shutting down the EMQX platform did block remote access, Azdoufal confirms, it’s not clear what happens to those million cameras now. Meari has not told us how many of those devices can actually get a new firmware update, or whether Meari’s partners have actually passed along so much as a warning to people who have these cameras in their homes.
We attempted to reach out to some Meari camera partners to see if they were even aware of the issue. Wyze and Petcam did not reply. Neither did EMQX.
Intelbras spokesperson Kennya Gava tells noti.group that the company only ever worked with Meari on three Wi-Fi video doorbells and that “fewer than 50” units had “a potential vulnerability.” That small number doesn’t line up with Azdoufal’s story. Intelbras appeared to be one of the more popular brands in his dataset, with a high concentration of cameras in Brazil. Gava would not say whether Meari had been in touch about the vulnerabilities, or whether Intelbras would pass a warning along to its own customers.
When we reached out to Congress’s Select Committee on the Chinese Communist Party about Meari, Congressman Ro Khanna (D-CA)’s office replied that the reports were concerning: “I will be looking into this as ranking member of the Select Committee on China,” Khanna pledged.
The good news is that Azdoufal says most of what he discovered seems to be fixed, and on May 7th, he received a €24,000 bug bounty for his help. But the experience seems to have left a bad taste in his mouth.
In March, after he first shared his research with Meari, the company sent him what he interpreted as a veiled threat. The company told him that it was “fully capable of protecting our interests,” that the company knew where he lived, and that his discovery of Meari’s internal servers was “unlawful.”
He’s also not happy that Meari initially tried to backdate its security bulletins to March 2nd. That way, it would have looked like Meari discovered the vulnerabilities before he ever reached out. Even today, the bulletins are dated March 12th, almost a month before Meari published them in April. He also notes that Meari has yet to fulfill its GDPR obligations to notify EU citizens about the breach.
I wish I could say I’ve described every facepalm-worthy thing Azdoufal discovered about Meari’s practices, but you can find more in his full security writeup. He also teamed up with Tod Beardsley of runZero to file five official CVE vulnerability reports this time.
While researching this story, I found that a large number of baby monitors on Amazon now advertise “No Wi-Fi.” That does not automatically mean they’re secure — but at least their short-range FHSS or DECT transmission should be tough to spy on from the other side of the globe.
[Notigroup Newsroom in collaboration with other media outlets, with information from the following sources]
