Over 1 Million Baby Monitors, Security Cameras Exposed Through Meari Flaws

More than 1 million internet-connected baby monitors and security cameras may have exposed private household activity, including images from inside homes and nurseries.


The reported flaws were tied to Meari Technology, whose hardware, apps, and cloud infrastructure support more than 300 white-label camera brands sold through marketplaces, including Amazon. Researcher Sammy Azdoufal said the vulnerabilities exposed backend systems, motion-alert images, device data, and real-time camera activity.

“What makes this story especially frustrating is that it highlights one of the hardest problems in IoT security: whiteboxed products and fragmented accountability,” said Larry Pesce, VP of Services at Finite State, in an email to eSecurityPlanet.

He added, “In these business models, margins are razor thin, which often means security investment gets treated as a cost center instead of a product requirement.”

Key takeaways from the exposure

  • More than 1 million baby monitors and security cameras were reportedly exposed through vulnerabilities tied to Meari Technology.
  • Researcher Sammy Azdoufal identified exposed backend systems, publicly accessible images, weak encryption protections, and hardcoded credentials.
  • The vulnerabilities affected white-label IoT ecosystems used by more than 300 camera brands sold through marketplaces like Amazon.
  • Some flaws allegedly allowed attackers to monitor camera activity, access stored images, and retrieve device information without authorization.
  • Security professionals caution that the incident highlights broader IoT supply chain and third-party infrastructure risks tied to connected devices.

Baby monitor flaws raise IoT security concerns

The incident is raising new concerns about the security of internet-connected cameras, baby monitors, and white-label IoT platforms.

Security professionals warn that many consumers may not realize their cameras rely on the same underlying platform because they are sold under hundreds of different brand names on marketplaces like Amazon. Meari Technology provides the hardware, software, and cloud infrastructure used by more than 300 camera brands, meaning a single security flaw could potentially expose millions of connected devices.

In his technical write-up, researcher Sammy Azdoufal uncovered exposed backend systems, publicly accessible images, weak encryption protections, and hardcoded credentials in Meari applications and SDKs.

Azdoufal said the platform’s architecture allowed broad visibility into device activity and stored data across multiple regions.



CVE-2026-33356

One of the more serious issues, CVE-2026-33356, involved missing per-device access controls on the platform’s MQTT broker.

According to Azdoufal, any free CloudEdge account could allegedly subscribe to device notifications across the platform and monitor camera activity in real time.

He said he observed thousands of device messages from more than 2,000 cameras within minutes from a single regional broker.
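The control described as missing here is a per-device check on every MQTT subscription. The sketch below is an added example, not code from Meari or from the researcher's write-up; the topic layout `devices/<serial>/...`, the account names, and the serial numbers are all hypothetical.

```python
# Added example: default-deny authorization for MQTT SUBSCRIBE requests.
# Assumed (hypothetical) topic layout: devices/<serial>/<channel...>

OWNERSHIP = {  # constructed sample data: account -> device serials it owns
    "alice": {"SN-A1", "SN-A2"},
    "bob": {"SN-B1"},
}
WILDCARDS = {"+", "#"}


def valid_filter(levels):
    """MQTT filter syntax: '#' only as the last level; a wildcard fills a whole level."""
    for i, level in enumerate(levels):
        if level == "#" and i != len(levels) - 1:
            return False
        if level not in WILDCARDS and ("+" in level or "#" in level):
            return False
    return True


def authorize_subscribe(account, topic_filter):
    """Allow a filter only if it can match topics of one device the account owns."""
    levels = topic_filter.split("/")
    # Shared subscriptions wrap the real filter: $share/<group>/<filter>
    if levels[0] == "$share":
        if len(levels) < 3:
            return False
        levels = levels[2:]
    if not valid_filter(levels):
        return False
    # Anything outside the device namespace, or too short to name a device, is denied.
    if len(levels) < 3 or levels[0] != "devices":
        return False
    serial = levels[1]
    # A wildcard in the serial position would span other customers' cameras.
    if serial in WILDCARDS:
        return False
    return serial in OWNERSHIP.get(account, set())


def audit(requests):
    """Return (account, filter, allowed) for each requested subscription."""
    return [(a, f, authorize_subscribe(a, f)) for a, f in requests]
```

Wildcards below the serial level remain allowed, so an owner can still subscribe to every channel of their own camera with one filter.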

CVE-2026-33359

Another vulnerability, CVE-2026-33359, exposed motion-alert images stored on Alibaba Object Storage Service (OSS) servers without authentication, signed URLs, or expiration controls.

Azdoufal said image links embedded inside MQTT messages remained publicly accessible indefinitely, potentially allowing unauthorized users to retrieve sensitive photos from inside homes and nurseries.
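Signed URLs with expiration, the controls named as absent above, bind each image link to a path and a deadline so that a leaked link stops working. This is an added example of a generic HMAC scheme, not the signature format of Alibaba OSS or any Meari code; the paths, parameter names, and timestamps are constructed for illustration.

```python
# Added example: expiring, tamper-evident links for stored alert images.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Generated per process for the demo; a real service loads a rotatable key
# from a secret store instead of shipping it in an app or firmware image.
SIGNING_KEY = secrets.token_bytes(32)


def _mac(path, expires):
    """HMAC-SHA256 over the object path and its expiry time."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path, now, ttl=300):
    """Return the path with an expiry (seconds since epoch) and signature attached."""
    expires = int(now) + ttl
    return f"{path}?{urlencode({'expires': expires, 'sig': _mac(path, expires)})}"


def verify_url(url, now):
    """Check signature first, then expiry; anything unsigned is rejected."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return "rejected: unsigned"
    expected = _mac(parts.path, expires)
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "rejected: bad signature"
    if now > expires:
        return "rejected: expired"
    return "ok"
```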

CVE-2026-33362

Azdoufal also identified CVE-2026-33362, which involved hardcoded cryptographic keys shared across Meari-powered applications and devices.

According to his findings, the ecosystem relied on static OpenAPI keys, HMAC secrets, DES keys, and peer-to-peer credentials that could not easily be rotated without reflashing deployed hardware, creating long-term security and maintenance concerns. Additional findings described weak XOR-based obfuscation protecting baby-monitor image files using the “.jpgx3” format.

Azdoufal said attackers could reconstruct sensitive images because the serial-number information needed to decode the files appeared in the same MQTT messages that contained the image URLs.

The exposure created privacy and surveillance concerns because many affected devices were installed inside homes, bedrooms, nurseries, and other sensitive environments.

Azdoufal reportedly accessed thousands of images generated by Meari-powered cameras, including images involving children and private household activity. He also identified an exposed API endpoint that allegedly allowed attackers to retrieve device WAN IP addresses using only device serial numbers.



How to reduce IoT security risks

Because many smart home and surveillance products rely on cloud connectivity and shared backend infrastructure, a single vulnerability can potentially expose large numbers of devices simultaneously.

  • Apply firmware, software, and mobile app updates as soon as security patches become available.
  • Use strong, unique passwords and enable multi-factor authentication for device and cloud accounts whenever possible.
  • Segment IoT devices from sensitive home or enterprise networks and limit unnecessary internet exposure or remote access features.
  • Monitor device activity, outbound traffic, and connected accounts for signs of unauthorized access or unusual behavior.
  • Evaluate vendors for secure credential management, encryption practices, vulnerability disclosure programs, and long-term patch support.
  • Replace unsupported or end-of-life devices that no longer receive security updates or security maintenance.
  • Test incident response and recovery plans with IoT compromise scenarios.

Collectively, these measures can help organizations and consumers strengthen resilience, improve visibility, and reduce exposure to IoT-related security and privacy risks.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.
