Over 1 Million Baby Monitors Hacked Through a Single Security Flaw

A security researcher named Sammy Azdoufal found one hidden digital key in Meari Technology's phone app that gave him the ability to access more than 1.1 million baby monitors and security cameras in 118 countries. The problem affected cameras made by a Chinese company called Meari, which sells its products to other companies that put their own brand names on them. Some of those brand names you might recognize: Wyze and Zhiyun are big customers.

Think of it like a lock manufacturer that makes the same lock for dozens of different door brands. If someone finds a master key that opens that lock, it opens all the doors, no matter whose name is on them.

How One Company's Problem Became Everyone's Problem

Meari Technology doesn't sell cameras under its own name. Instead, the company makes cameras that other businesses rebrand and sell as their own — names like Arenti, Boifun, and ieGeek. Zhiyun is Meari's largest customer, and Wyze is one of its biggest partners. Even some Petcube pet cameras appear to be Meari products in disguise.

The security flaw came from weak password protections on Meari's system for managing scheduled tasks. This weakness allowed someone with the right key to run code on the cameras — meaning total remote control. Azdoufal had this access until March 10, when Meari shut down the vulnerability.

This breach highlights a real risk in how the electronics industry works today. When hundreds of brands all use the same underlying platform from one supplier, a single security failure affects all of them at once. One weak link breaks the whole chain.

This Has Happened Before

Similar breaches have hit the smart home world repeatedly. In 2020, researchers found a major flaw in a platform called ThroughTek that powered smart cameras from Xiaomi and others. That flaw let hackers watch video feeds from millions of devices. In 2015, security firm Rapid7 tested nine different baby monitor brands and found that all of them had serious problems — hidden passwords, unencrypted video streams, and weak protections on their online connections.

Each time, the pattern is the same: cameras designed and built cheaply, shipped fast, with security treated as an afterthought.

What Regulators Have Done

The government has stepped in before. The FTC fined TRENDnet for sending customer passwords in plain, readable text instead of scrambled code. The agency also sued D-Link for security flaws in its baby monitors and other connected devices.

These legal actions set expectations: companies that sell devices that stream video from inside people's homes need to protect that video properly.

Why This Matters

Meari makes a wide range of connected devices — baby monitors with moving cameras that follow your infant, pet feeders, regular security cameras. When the platform that runs all of these devices has a hole in it, the damage spreads across everything.

The broader lesson here is about risk and economics. When companies can make more money by building and shipping devices quickly rather than securing them properly, that is what tends to happen. As more cameras end up in nurseries, living rooms, and backyards, the stakes for getting this right only get higher.