Millions of Baby Monitors and Security Cameras Easily Accessible to Hackers

Meari Technology: a lesser-known Wi-Fi camera manufacturer.

A baby’s eyes look directly into the camera lens. A child in a striped shirt glances up, then turns away. A boy dressed as a policeman, sporting a gold star on his chest. A cluttered bedroom reminiscent of my own daughters’, featuring an unmade bunk bed, a girl’s hat and headband, and Hello Kitty on the wall.

One thought echoes in my mind: I shouldn’t be seeing this. Nor should any stranger.

Yet, bad actors could have easily viewed these locations — and countless others — because many Meari Technology Wi-Fi baby monitors and security cameras were astonishingly insecure. Having access to one camera often meant accessing them all.

Meari is a Chinese white-label brand that distributes cameras under numerous names, many of which sound like Amazon sellers, such as Arenti, Anran, Boifun, and ieGeek. Financial documents reveal that one of the company’s major clients is Wyze and that the largest is Zhiyun, with many vulnerable cameras originating from Intelbras. Additionally, one of Petcube’s pet-monitoring cameras appears to be a Meari product.

Sammy Azdoufal, the Frenchman who inadvertently created a remote-controlled fleet of DJI Romo robot vacuum cleaners, told The Verge that he identified 1.1 million remotely accessible Meari cameras in a similar way. By examining the Android app, Azdoufal extracted a single key granting access to devices across 118 countries.

Every one of these million devices transmitted information to anyone with the knowledge to listen. Or anyone who could guess the company’s passwords, many of which remained default. One password was “admin.” Another was “public.”

When Azdoufal connected the MQTT datastream to a vibe-coded world map, he claimed he saw “everything.” He could view into people’s homes, see their email addresses, and approximate locations.

He also reportedly found tens of thousands of photos from these cameras on Chinese Alibaba servers with public web addresses and no protection, including the photos described at the start of this article.

“I can retrieve the picture without any passwords, no cracking, no hacking,” said Azdoufal. “I just click on the URL and the image appears.”

Azdoufal claimed he even discovered an unprotected internal server exposing Meari’s passwords and credentials, including a list of all 678 employees with their emails and phone numbers. “I contact the boss, I have his number, I send a WeChat,” Azdoufal laughed.

That’s when Meari began responding to his emails. Despite vulnerabilities in Meari’s CloudEdge platform being reported for years, and a late 2025 vulnerability report warning of potential damage from Meari’s MQTT design, Azdoufal said the company only took him seriously when its own employees became vulnerable.

On March 10th, Meari cut Azdoufal’s access and closed the primary vulnerability. By the time I acquired three Meari vendors’ cameras to attempt a live hack demonstration, I was (thankfully) too late to witness it firsthand. But despite no GIF of me getting mowed down by a robot lawnmower, I didn’t need to rely solely on Azdoufal’s word regarding the potential damage.

“Under specific technical conditions, attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization,” admitted an unnamed Meari Technology Security Team spokesperson to The Verge via email. (The company did not supply a named representative per our background policy, but we’re publishing the statement due to its clear acknowledgment of the core vulnerability.)

The company also reported discovering a “Risk of potential Remote Code Execution (RCE) due to weak password issues on the scheduled task platform.” (The bolding is theirs.)

To address the issues, Meari’s unnamed spokesperson explained that the company entirely shut down its EMQX platform, changed usernames and passwords, and advised customers to update devices to the newest firmware (claiming only versions below 3.0.0 were affected).

However, Meari did not disclose:

– How many cameras or brands were vulnerable;
– Whether those brands adequately warned their customers;
– Whether these vulnerabilities were already exploited;
– What — if anything — prevents an employee of Meari or any vendor from spying on people globally.

Azdoufal said Meari’s original system design allowed any brand to access any other brand’s cameras, as they all shared the same servers and passwords.
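A tenant-isolation audit for a shared MQTT broker, added here as an illustration and not taken from the article, Meari or EMQX: it flags the default passwords quoted above, credentials reused across brands, and subscription filters that reach beyond a brand's own topics. The brand names, accounts and topic layout are constructed assumptions.

```python
# Added illustration: tenants, usernames and the "cameras/<tenant>/..." topic
# layout are hypothetical, constructed sample data.
DEFAULT_PASSWORDS = {"admin", "public"}  # the two defaults quoted in the article

# Plaintext passwords appear only to keep the sample short; a real audit
# would compare credential hashes or credential IDs instead.
ACCOUNTS = [
    {"user": "brand-a-app", "tenant": "brand-a", "password": "admin",
     "subscribe": ["#"]},
    {"user": "brand-b-app", "tenant": "brand-b", "password": "admin",
     "subscribe": ["cameras/+/status"]},
    {"user": "brand-c-app", "tenant": "brand-c",
     "password": "constructed-unique-secret",
     "subscribe": ["cameras/brand-c/#"]},
]


def filter_scoped_to(topic_filter, tenant, prefix="cameras"):
    """True if the MQTT filter can only match topics under prefix/tenant.

    MQTT matches level by level: '+' matches any single level and '#' matches
    all remaining levels, so the first two levels must be literals.
    """
    levels = topic_filter.split("/")
    return len(levels) >= 2 and levels[0] == prefix and levels[1] == tenant


def audit(accounts):
    """Return (user, finding) pairs for the weaknesses the article describes."""
    findings = []
    tenants_by_password = {}
    for acct in accounts:
        if acct["password"] in DEFAULT_PASSWORDS:
            findings.append((acct["user"], "default-password"))
        tenants_by_password.setdefault(acct["password"], set()).add(acct["tenant"])
        for topic_filter in acct["subscribe"]:
            if not filter_scoped_to(topic_filter, acct["tenant"]):
                findings.append((acct["user"], "cross-tenant-filter:" + topic_filter))
    for acct in accounts:
        if len(tenants_by_password[acct["password"]]) > 1:
            findings.append((acct["user"], "password-shared-across-tenants"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS):
        print(f"{user}: {finding}")
```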

While shutting down the EMQX platform did, according to Azdoufal, block remote access, the fate of those million cameras remains unclear. Meari hasn’t disclosed how many devices can receive firmware updates or if Meari’s partners have even alerted users with these cameras at home.

We attempted to contact some Meari camera partners to assess their awareness of the issue. Wyze and Petcam did not reply
