1.1 Million Cameras, One Shared Secret
Researcher Sammy Azdoufal discovered that Meari Technology's white-label IoT cameras shared a single hardcoded MQTT key, giving him access to 1.1 million devices across 118 countries. By inspecting the Android app, he extracted the key and could view live feeds from baby monitors, security cameras, and pet cams sold under dozens of brand names.
Meari is a Chinese white-label manufacturer whose cameras ship under names like Arenti, Anran, Boifun, ieGeek, and even Wyze, Intelbras, and Petcube. Financial records show Wyze as one of its biggest customers.
The Technical Breakdown
Azdoufal hooked into the MQTT data stream and mapped the exposed devices globally. The core issue: every camera broadcast its information using default or guessable credentials. Common passwords included "admin" and "public". Worse, tens of thousands of photos stored on Chinese Alibaba cloud servers were publicly accessible via simple URLs — no authentication required.
"I can retrieve the picture without any passwords, no cracking, no hacking," Azdoufal told The Verge. "I just click on the URL and this image is showing."
He also found an unprotected internal server containing Meari's passwords, credentials, and a list of all 678 employees with their emails and phone numbers. The company only responded after he proved he could reach the CEO via WeChat.
Vendor Response and Patches
On March 10, 2025, Meari cut off Azdoufal's access and shut down its EMQX platform entirely. The company issued a statement: "Under specific technical conditions, attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization." It also admitted to a "Risk of potential Remote Code Execution (RCE) due to weak password issues on the scheduled task platform."
Meari claims it changed usernames and passwords and told customers to upgrade devices to firmware version 3.0.0 or later. However, the company refused to disclose how many cameras or brands were vulnerable, whether those brands warned customers, or whether the vulnerabilities had been actively exploited.
Azdoufal notes that Meari attempted to backdate its security bulletins to March 2nd to appear proactive. The bulletins themselves are dated March 12th but were published in April. Meari also has not fulfilled its GDPR obligations to notify EU citizens about the breach.
What This Means for Developers
This incident highlights the dangers of shared secrets across IoT fleets. Meari's design allowed any brand using its platform to access any other brand's cameras. The MQTT architecture lacked per-device authentication, and the EMQX platform had no authorization checks.
Developers should:
- Never hardcode shared keys across devices.
- Implement per-device credentials and certificate-based authentication.
- Ensure internal servers are not exposed to the public internet.
- Follow responsible disclosure timelines and respect GDPR breach notification requirements.
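The first two points above are the ones the shared MQTT key defeated: with one fleet-wide secret there is no way for a broker to tell devices apart, so there is nothing to write an authorization rule against. The toy broker-side checks below are an added illustration (not Meari's, EMQX's or any vendor's code) of what per-device credentials plus a per-device topic ACL look like. The device ids, passwords and the `devices/<id>/...` topic layout are constructed for the example.

```python
"""Per-device MQTT credentials and topic ACLs, as a toy broker-side check.

Added illustration, not Meari's, EMQX's or any vendor's code. Device ids,
passwords and the topic layout are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000

# Credential store: device_id -> (salt, pbkdf2 hash). One entry per unit,
# so leaking one unit's secret exposes only that unit.
DEVICE_STORE: Dict[str, Tuple[bytes, bytes]] = {}


def provision_device(device_id: str, password: Optional[str] = None) -> str:
    """Register one device with its own secret and return that secret, to be
    loaded onto that single unit at manufacture. No two units share it."""
    if password is None:
        password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    DEVICE_STORE[device_id] = (salt, digest)
    return password


def authenticate(device_id: str, password: str) -> bool:
    """CONNECT check: the presented password must match this device's own hash."""
    entry = DEVICE_STORE.get(device_id)
    if entry is None:
        return False
    salt, expected = entry
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


def device_prefix(device_id: str) -> str:
    """Topic subtree this device owns (constructed layout)."""
    return f"devices/{device_id}/"


def authorize_publish(device_id: str, topic: str) -> bool:
    """PUBLISH check: no wildcards in a publish topic, and only the device's
    own subtree. The trailing slash in the prefix stops 'cam-0001' from
    matching 'cam-00011'."""
    if "+" in topic or "#" in topic:
        return False
    return topic.startswith(device_prefix(device_id))


def authorize_subscribe(device_id: str, topic_filter: str) -> bool:
    """SUBSCRIBE check: '+' and '#' are only allowed after the device's own
    prefix, so a filter can never match another unit's topics. 'devices/#'
    and 'devices/+/stream' are denied even for an authenticated device; that
    fleet-wide subscription is exactly what a shared secret made possible."""
    return topic_filter.startswith(device_prefix(device_id))


def demo() -> Dict[str, bool]:
    """Provision two constructed units and exercise the checks."""
    pw_a = provision_device("cam-0001")
    pw_b = provision_device("cam-0002")
    return {
        "a_own_password": authenticate("cam-0001", pw_a),
        "a_with_b_password": authenticate("cam-0001", pw_b),
        "unknown_device": authenticate("cam-9999", pw_a),
        "a_publish_own": authorize_publish("cam-0001", "devices/cam-0001/stream"),
        "a_publish_other": authorize_publish("cam-0001", "devices/cam-0002/stream"),
        "a_publish_wildcard": authorize_publish("cam-0001", "devices/cam-0001/+"),
        "a_sub_own_tree": authorize_subscribe("cam-0001", "devices/cam-0001/#"),
        "a_sub_all": authorize_subscribe("cam-0001", "devices/#"),
        "a_sub_wildcard_id": authorize_subscribe("cam-0001", "devices/+/stream"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY'}")
```

The authorization rule is deliberately a string-prefix test rather than a general MQTT wildcard matcher: the question a broker has to answer is not "does this filter match some topic" but "can this filter ever match a topic outside the caller's subtree", and a literal prefix with wildcards permitted only after it answers that without enumerating topics. Real brokers such as EMQX or Mosquitto express the same rule in their ACL configuration with a per-client placeholder in the topic pattern; the point is that the rule only works once each client carries a distinct identity.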
Ongoing Concerns
Intelbras spokesperson Kennya Gava told The Verge that only "fewer than 50" units of three Wi-Fi video doorbells had a potential vulnerability — contradicting Azdoufal's data showing high camera concentrations in Brazil. Intelbras would not say whether Meari had contacted them or whether they would warn customers.
Wyze and Petcube did not respond to requests for comment. EMQX also did not reply.
Azdoufal received a €24,000 bug bounty on May 7, 2025, but remains dissatisfied with Meari's response. He filed five CVE reports with Tod Beardsley of runZero.
Immediate Actions
If you own a camera from any of these brands, check the firmware version. If below 3.0.0, update immediately. If the manufacturer has not provided an update, consider disconnecting the device from the internet. For developers building IoT products, audit your authentication mechanisms today.