A security researcher discovered that roughly 1.1 million Wi-Fi cameras made by Chinese manufacturer Meari Technology were accessible to anyone with basic technical knowledge, exposing live feeds, photos, and personal data from homes across 118 countries. The vulnerability was reported and largely patched in early 2026, with Meari cutting off remote access on March 10th.
Sammy Azdoufal, a France-based researcher, found that by inspecting Meari’s Android app he could extract a single key granting access to all devices on the company’s network. Meari’s cameras broadcast data over an MQTT platform using weak default passwords — including “admin” and “public” — meaning anyone who knew how to listen could tap into the stream. Tens of thousands of photos were stored on Alibaba servers at unprotected public URLs, viewable without any login or credential.
Meari is a white-label manufacturer whose cameras are sold under hundreds of brand names. Financial records cited in the original report identify Wyze and Zhiyun among its largest customers, with Arenti, Anran, Boifun, ieGeek, Intelbras, and Petcube also named as partners. Azdoufal says any brand’s cameras could access any other brand’s cameras, since all shared the same servers and passwords.
Meari confirmed the core vulnerabilities in a statement to The Verge, acknowledging that “attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization” and flagging a risk of remote code execution due to weak passwords. The company says it shut down the EMQX platform and required firmware updates, though it has not disclosed how many devices can actually receive those updates or whether affected brands have warned their customers.
Azdoufal received a €24,000 bug bounty on May 7th, but says that Meari initially sent what he interpreted as a veiled threat after he reported his findings, and that the company has yet to fulfill GDPR obligations to notify EU residents of the breach. Congressman Ro Khanna, ranking member of the House Select Committee on China, said he would be looking into the matter.
Source: The Verge