How One Security Flaw Exposed 1.1 Million Baby Monitors and Cameras Worldwide

Martin Holloway | Published 3d ago | 5 min read | Based on 16 sources

A security researcher named Sammy Azdoufal found a single password stored in Meari Technology's smartphone app that gave him remote access to 1.1 million baby monitors and security cameras in 118 countries. The vulnerability affected devices made by the Chinese manufacturer Meari and then rebranded and sold by hundreds of other companies under different names — including popular brands like Wyze and Zhiyun.

Meari Technology operates as a white-label manufacturer, which means they design and build products that other companies rebrand and sell as their own. Their cameras ship under brand names like Arenti, Anran, Boifun, and ieGeek. According to The Verge, Zhiyun is Meari's largest customer, while Wyze is one of its biggest partners. At least one Petcube pet camera also turned out to be a Meari product in disguise.

The security flaw came from weak password practices on Meari's internal platform for scheduling tasks. This weakness created what the company acknowledged as a risk of "Remote Code Execution" — meaning an attacker could run any program on the devices without permission.

One Weak Link, Hundreds of Products at Risk

The breach reveals a fundamental problem with white-label manufacturing at this scale: one security failure can affect hundreds of different brands across the globe at the same time. Think of it like discovering that many seemingly different car brands all use the same engine from one factory — if that engine has a flaw, millions of cars are suddenly vulnerable, not just a few.

Azdoufal had access to these devices until March 10, when Meari Technology cut off his connection and closed the security hole. Meari's quick action suggests they understood how serious the problem was, though it is unclear from available information when they first discovered the flaw.

Similar Breaches Have Happened Before

This incident fits a pattern we have seen many times in the world of connected home devices. In late 2020, researchers found that ThroughTek's Kalay platform — used by companies like Xiaomi — had a serious security flaw that exposed millions of smart home devices. Attackers could potentially intercept audio and video streams from cameras without the owner's knowledge.

Earlier, in 2015, security firm Rapid7 tested nine different baby monitor brands and found that all of them had serious security problems: passwords hardcoded into the device software, video transmitted without encryption, and weak protections on the services that control the cameras. These were not minor issues — they were fundamental design flaws present across every product tested.

The Government Is Starting to Step In

Federal regulators have taken action against similar security failures before. The Federal Trade Commission (FTC) fined TRENDnet for sending customer login information in a format that anyone could read, rather than encrypting it. The agency also sued D-Link over security holes in several of its cameras, including the Digital Baby Monitor Day/Night Cloud Camera.

These cases set expectations: companies that make connected devices handling sensitive video from inside people's homes have a responsibility to build security in from the start, not add it later as an afterthought.

What Meari Actually Makes

Meari manufactures baby monitoring cameras with motors that pan and tilt automatically to keep the baby in view — models like the Baby 2T, Baby 4T, and Baby 5T. They also make simpler LCD monitor screens for the same purpose (the Baby 2M and Baby 3M with 4.3-inch and 5-inch screens).

Beyond baby monitors, Meari's products span pet cameras, 4G outdoor cameras, and the Pet Feeder P1. This broad product line means that one security failure at the platform level can ripple across many different use cases — and reach customers who bought products from dozens of different brand names without realizing they all came from the same manufacturer.

Why This Matters

The broader context here is that white-label manufacturing creates a hidden concentration of risk. When hundreds of brands depend on a single underlying platform, one security mistake becomes a global incident affecting millions of devices. A customer who buys a Wyze monitor and a neighbor who buys an Arenti camera could both be vulnerable to the same hack — even though they bought different brands from different stores.

Connected devices in homes — especially in nurseries and bedrooms — collect intimate audio and video data. The economic pressure to ship products quickly and cheaply often means security gets less attention than it should. As more devices like these enter our homes, the stakes for preventing large-scale vulnerabilities rise sharply.

Meari Technology does have a dedicated team to handle vulnerability reports from researchers, partners, and users, though the effectiveness of that process in preventing this incident remains an open question.