A baby stares into the camera lens. A boy in a policeman’s costume looks up, a gold star pinned to his chest. An unmade bunk bed, a girl’s headband, Hello Kitty on the wall.

These are children in their own bedrooms, filmed by cameras their parents bought to keep them safe. For over a thousand days, anyone with a web browser could have been watching.

French security researcher Sammy Azdoufal discovered that 1.1 million Wi-Fi baby monitors and security cameras across 118 countries were accessible to strangers. Not through sophisticated exploitation. Through cryptographic keys hardcoded into every copy of the Android app the manufacturer shipped, and message brokers that let any account subscribe to every device's traffic, with no check that the subscriber owned the device.

“I can retrieve the picture without any passwords, no cracking, no hacking,” Azdoufal told The Verge. “I just click on the URL and this image is showing.”

The Invisible Giant

Meari Technology is a Hangzhou-based original design manufacturer. It builds cameras, firmware, cloud infrastructure, and mobile apps, then sells the entire stack to partners who put their own logos on the box. The company listed on Shenzhen’s ChiNext board in March 2025. Its share price doubled in two trading sessions.

Consumers rarely encounter the name. They see Arenti, Anran, Boifun, ieGeek. According to The Verge, financial records list Wyze among Meari’s largest customers. In France, affected products moved through Fnac, Cdiscount, and Amazon under brands including Beaba and Protectline. At least one Petcube camera appears to be a Meari product. The common thread is the CloudEdge app — Meari’s consumer platform and the gateway to every affected device.

Five Vulnerabilities, One Design Philosophy

Azdoufal, coordinating with Tod Beardsley of runZero, filed five CVEs on May 11. The most severe — CVE-2026-33362, rated 8.6 on the CVSS scale — reveals that every Meari-based app ships identical hardcoded cryptographic keys: an HMAC secret, a DES key for password transport, an OpenAPI key, and a P2P password. None can be rotated without re-flashing every device in the field.

The MQTT broker streaming motion alerts enforced no per-device access controls (CVE-2026-33356). Any free CloudEdge account could subscribe to the platform-wide message feed and receive every device's alerts in real time. Azdoufal measured 14,204 messages from 2,117 distinct devices in five minutes on a single regional broker.
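The control that was missing, as an added example (not Meari's or EMQX's code): a broker-side authorization check that rejects any subscription whose topic filter could match another account's devices. It assumes a topic layout of `alerts/<serial>/<kind>`, which the article does not describe, and uses constructed sample messages; `Session`, `authorize_subscribe` and `deliver` are illustrative names, not an EMQX API.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """A connected CloudEdge-style account and the device serials it owns."""
    account: str
    devices: set = field(default_factory=set)


def topic_filter_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' matches the rest."""
    fl, tl = filt.split("/"), topic.split("/")
    for i, f in enumerate(fl):
        if f == "#":
            return True
        if i >= len(tl) or (f != "+" and f != tl[i]):
            return False
    return len(fl) == len(tl)


def authorize_subscribe(session: Session, filt: str) -> bool:
    """Per-device ACL: the serial level of the filter must be a literal serial
    owned by this session. Wildcards at that level ('alerts/#', 'alerts/+/x',
    bare '#') would span every tenant's devices and are refused."""
    parts = filt.split("/")
    if len(parts) < 2 or parts[0] != "alerts":
        return False
    serial = parts[1]
    if "#" in serial or "+" in serial:
        return False
    return serial in session.devices


def deliver(session: Session, filt: str, messages: list) -> list:
    """Messages a session actually receives with the ACL in place."""
    if not authorize_subscribe(session, filt):
        return []
    return [m for m in messages if topic_filter_matches(filt, m[0])]


def deliver_without_acl(filt: str, messages: list) -> list:
    """The reported configuration: any subscription is honoured as written."""
    return [m for m in messages if topic_filter_matches(filt, m[0])]


def distinct_devices(messages: list) -> set:
    """Serial numbers seen in a batch of delivered messages."""
    return {m[0].split("/")[1] for m in messages if m[0].startswith("alerts/")}


# Constructed sample traffic (not captured data): four alerts from three cameras.
SAMPLE_MESSAGES = [
    ("alerts/SN1/motion", b'{"event":"motion"}'),
    ("alerts/SN2/motion", b'{"event":"motion"}'),
    ("alerts/SN3/cry", b'{"event":"cry"}'),
    ("alerts/SN1/snapshot", b'{"url":"..."}'),
]

if __name__ == "__main__":
    alice = Session("alice", {"SN1"})
    print("with ACL, alerts/#   ->", len(deliver(alice, "alerts/#", SAMPLE_MESSAGES)), "messages")
    print("with ACL, alerts/SN1/# ->", len(deliver(alice, "alerts/SN1/#", SAMPLE_MESSAGES)), "messages")
    everything = deliver_without_acl("alerts/#", SAMPLE_MESSAGES)
    print("without ACL, alerts/#  ->", len(everything), "messages from", len(distinct_devices(everything)), "devices")
```

The subscribe-time check is the important half: a broker that only filters at delivery time still has to evaluate every tenant's traffic against every wildcard filter, and a single missed rule leaks the whole feed. Refusing the wildcard before it is registered keeps one account's view bounded to its own serials.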

Alert images were uploaded to public Alibaba Cloud Storage with no authentication, no signed URLs, and no expiry (CVE-2026-33359). A 72-second capture yielded 51 accessible image URLs from 29 cameras. Baby-monitor images used trivially reversible XOR obfuscation — the decryption key was the device serial number, which arrived in the same message as the image URL.
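Two points from the paragraph above, worked as an added example that is not Meari's code: first, why XOR keyed by the serial is obfuscation rather than protection, and second, what a signed, expiring image URL looks like. It assumes a repeating-key XOR (the article only says the key was the serial), uses a constructed serial and a constructed JFIF-headed "image", and the URL-signing helpers are illustrative, not Alibaba Cloud's API.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# ---- Part 1: XOR keyed by the device serial ---------------------------------
# Assumption: repeating-key XOR with the serial as key. Not stated on the page.


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key returns the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample image: a JFIF header followed by filler bytes. Real JPEGs
# start with these 12 bytes, which is what makes them usable as known plaintext.
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
SAMPLE_IMAGE = JFIF_HEADER + bytes(range(64))
SAMPLE_SERIAL = b"CAM000012345"  # constructed 12-character serial


def decode_alert(message: dict, blob: bytes) -> bytes:
    """What any subscriber could do: the 'key' arrives in the same message."""
    return xor_with_key(blob, message["serial"].encode())


def recover_key_prefix(obfuscated: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: obf[i] ^ plain[i] == key[i % len(key)].
    Recovers one key byte per known plaintext byte, so even without the
    message, the JFIF header alone yields the first 12 bytes of the serial."""
    return bytes(o ^ p for o, p in zip(obfuscated, known_plaintext))


# ---- Part 2: a signed URL with an expiry -------------------------------------
# The secret stays server-side; the client receives a token bound to one
# object path and one deadline. Illustrative helpers, not a cloud provider's API.


def sign_url(base: str, path: str, expires_at: int, secret: bytes) -> str:
    msg = f"{path}\n{expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{base}{path}?expires={expires_at}&sig={sig}"


def verify_url(url: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Reject missing or malformed parameters, expired deadlines, and any
    signature that does not cover exactly this path and deadline."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        expires_at = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires_at:
        return False
    expected = hmac.new(secret, f"{parts.path}\n{expires_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    blob = xor_with_key(SAMPLE_IMAGE, SAMPLE_SERIAL)
    msg = {"serial": SAMPLE_SERIAL.decode(), "image_url": "https://example.invalid/alert.bin"}
    print("decoded with serial from message:", decode_alert(msg, blob) == SAMPLE_IMAGE)
    print("serial recovered from JFIF header alone:", recover_key_prefix(blob, JFIF_HEADER))

    secret = b"server-side-secret"  # constructed
    url = sign_url("https://example.invalid", "/alerts/abc.jpg", expires_at=1000, secret=secret)
    print("valid before deadline:", verify_url(url, secret, now=999))
    print("valid at deadline:", verify_url(url, secret, now=1000))
```

The XOR half shows that the serial offers nothing even if it had been kept out of the message: a fixed file-format header is enough known plaintext to recover it. The URL half is the minimum a public bucket needs; a per-object token that expires turns a leaked link into a dead one instead of a permanent one.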

Azdoufal also found an unauthenticated Apollo Configuration Server exposing 614 production keys, database credentials, an RSA private key, and Facebook OAuth secrets. EMQX management dashboards were still accepting the factory default login: username “admin,” password “public.”

Built to Harvest

In his technical writeup, Azdoufal concluded that the architecture does not look like a platform that took a wrong turn. “It looks like a platform built to harvest customer data at scale, secured by defaults that nobody on the inside ever planned to rotate.”

A Meari patent filing describes a machine-learning model for detecting and translating infant crying that fuses millimetre-wave radar with audio from children’s bedrooms. Training such a model requires data traces from hundreds of thousands of deployed cameras. A 2024 Zhejiang regulatory notice had already found the company “continues to collect user data beyond necessary scope.”

Threats, Not Apologies

When Azdoufal first contacted Meari in March, the company ignored him for two weeks — its vulnerability reporting page was offline. After he demonstrated access to internal systems, including the personal contact details of 678 employees, the company responded with what Azdoufal describes as a veiled threat. Meari told him it was “fully capable of protecting our interests” and that it knew where he lived, according to The Verge. The company also attempted to backdate its security bulletins to precede Azdoufal’s initial disclosure.

An unnamed Meari spokesperson admitted that “under specific technical conditions, attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization.” The company says it shut down the platform and asked customers to update firmware to version 3.0.0 or later. It would not say how many devices were affected, whether partners warned their customers, whether the flaws had already been exploited, or what prevents employees from accessing any camera on the network.

The Accountability Gap

Congressman Ro Khanna (D-CA), ranking member of the House Select Committee on China, pledged to investigate. French authorities including ANSSI and DGCCRF were notified. CISA opened tracking case VU#579666 on April 3.

But the episode exposes a structural void. White-label IoT manufacturers operate in a regulatory blind spot: the company that builds the insecure product is not the company whose name appears on the box, and neither is accountable to the consumer. When The Verge contacted Wyze, Petcube, and EMQX, none responded. Intelbras, a Brazilian brand, claimed fewer than 50 units were affected; Azdoufal’s data contradicts that, showing the brand among the most common in his dataset.

European devices were exposed for 1,041 days. Nearly three years during which a child’s bedroom was one URL from public access.

Azdoufal received a €24,000 bug bounty on May 7. Meari has still not said how many of its million devices can actually receive a firmware update — or whether the brands selling them ever told customers there was a problem.
