Strangers were watching your children sleep. For months, anyone with basic technical knowledge could access 1.1 million baby monitors and security cameras worldwide—no hacking required, just clicking a link. French cybersecurity researcher Sammy Azdoufal discovered the vulnerability affecting devices you likely trusted to protect your family, cameras sold under familiar Amazon brands like Arenti, Boifun, and ieGeek. This breach follows other concerning surveillance issues, including recent reports of apps tracking users without consent.
When “Secure” Cameras Become Peep Shows
A single extracted key unlocked feeds across 118 countries, revealing the dark side of cheap cloud-connected devices.
“I can retrieve the picture without any passwords, no cracking, no hacking. I just click on the URL and this image is showing,” Azdoufal explained to The Verge. The researcher accessed intimate scenes—children’s bedrooms with Hello Kitty decorations, toddlers looking directly into cameras, family moments that should never have been public. All because Meari Technology, the Chinese manufacturer behind these white-label cameras, built their system like a house with every door unlocked.
Your “Secure” Camera Was Broadcasting Everything
The vulnerability exposed live feeds, stored photos, email addresses, and location data across major retailers.
This wasn’t a sophisticated cyberattack—it was digital negligence. Meari used laughably weak default passwords like “admin” and “public” while routing all video through their servers instead of your home network. The company’s cameras shipped under 118 different brand names globally, including devices from major players like Wyze.
Attackers could access not just live feeds but thousands of stored photos on unprotected Chinese servers, plus users’ email addresses and locations.
When Companies Finally Face the Music
Meari’s response revealed more about corporate responsibility than cybersecurity.
The company initially ignored vulnerability reports for months, only responding after Azdoufal accessed their employee database. Even then, Meari’s response included what the researcher interpreted as veiled threats, claiming they knew where he lived.
An unnamed Meari spokesperson eventually admitted “attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization.” The company paid Azdoufal a €24,000 bug bounty, but critical questions remain about whether the millions of affected devices can actually receive firmware updates.
The Bigger Picture Gets Darker
Industry-wide testing reveals systematic security failures across budget smart home devices.
Boston-based Rapid7 tested nine popular baby monitors and found eight earned “F” security grades. Higher prices didn’t guarantee better security—pricier models often meant more features and more vulnerabilities. “The problem of hacking into our smart devices is pervasive,” warns cybersecurity expert Tanya Davis. “Pick devices that put security systems first.”
The breach has caught Congressional attention. “I will be looking into this as ranking member of the Select Committee on China,” Rep. Ro Khanna told The Verge, signaling potential regulatory scrutiny of Chinese IoT manufacturing that prioritizes features over family privacy. These vulnerabilities represent broader computer problems that consumers face with connected devices.
