Hacker buys baby monitor on Amazon, finds mother of all security flaws

A security researcher has uncovered a sweeping set of flaws in baby monitors, many of which use white-label tech stacks from China and are then rebranded and sold to new parents on channels such as Amazon.
- Baby monitor vulnerabilities exposed 1.1 million families to unauthorized surveillance. A French security researcher discovered five high-risk, CVE-tracked flaws in Meari-powered baby monitors, including unauthorized MQTT data access, exposed device locations, publicly accessible and weakly scrambled snapshots, and hardcoded encryption keys.
- Over 300 brands share the same vulnerable platform without consumers knowing. White-label manufacturing means parents buying different baby monitor brands on Amazon may actually be purchasing the same Chinese-built system rebranded with different logos.
- Vendor response was slow and consumer notification remains unclear. Meari took 47 days to sign off on the vulnerabilities after initially dismissing them. It remains uncertain whether affected customers were notified or whether all devices can receive security updates.
The vulnerabilities affect up to 1.1 million internet-connected cameras built on a shared platform developed by Meari Technology, a major Chinese company based in Hangzhou that designs and manufactures video-centric smart home IoT (Internet of Things) devices.
Some of the brands that Meari resells its tech to can be found on Amazon and elsewhere, including CloudEdge, Intelbras, Arenti, Wyze and Petcube.
The most serious issue with these baby monitors is that they allow any user with a free account to receive data streams from other people’s cameras, according to French researcher Sammy Azdoufal.
Azdoufal was fresh from winning a $30K bug bounty for a flaw in DJI Romo that allowed him to remotely control a 7,000-strong fleet of robot vacuum cleaners when a colleague, who had recently become a new parent, asked the ethical hacker to check out a baby monitor she had bought on Amazon.
The researcher notes that which platform a monitor actually runs on cannot be determined just by looking at the product.
“The boxes don't tell the buyer which cloud platform they phone home to, and the apps are interchangeable.”
“Made in China by an ODM nobody’s heard of”
So Azdoufal bought the same brand of monitor, CloudEdge, created a new account, and analyzed its network traffic.
He found the device relied on a technology stack operated by Meari, a China-based company that builds the hardware, firmware, cloud systems, and mobile apps, which are then rebranded and sold globally.
He adds that hundreds of brands share the same underlying system.
“They build the camera, the firmware, the cloud, and the mobile app, then sell the whole stack to brands who put their own logo on the box.”
"'Made in China by an ODM [original device manufacturer] nobody's heard of' describes about 90% of the consumer baby-monitor market."
Sammy Azdoufal, independent researcher
He adds that more than 300 partner brands ride the same backend, including consumer brands such as Intelbras, Arenti, and Petcube.
A “systemic design failure” in over a million devices
The findings, now tracked by CISA, outline five high-risk vulnerabilities, which Azdoufal says reflect design problems rather than isolated bugs.
The most serious issue affects the platform's MQTT broker, the publish/subscribe message server that relays alerts from cameras to users' phones. According to the report, anyone with a free account could receive data from other people's devices: holding an account was enough, and nothing checked that the subscriber owned the camera whose messages it received (CVE-2026-33359).
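The failure mode described above (authentication treated as authorization on a shared broker) and the check that prevents it, as an added example that is not Meari's or EMQX's code. The topic layout `devices/<serial>/<channel>`, the account-to-serial ownership table and the alert messages are all constructed for the demonstration:

```python
"""Broker-side subscribe authorization for per-device MQTT topics.

Added illustration (not Meari's or EMQX's code). It assumes a constructed
topic layout devices/<serial>/<channel...> and a constructed account-to-serial
ownership table, and contrasts the failure mode (any authenticated account may
subscribe to anything) with a check that pins each account to its own devices.
"""
from typing import Dict, Set

# Constructed ownership table: which device serials each account may read.
OWNERSHIP: Dict[str, Set[str]] = {
    "alice": {"SN-0001", "SN-0002"},
    "mallory": {"SN-9999"},
}


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, a trailing
    '#' matches the remainder (including zero levels)."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1  # '#' is only valid as the last level
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def authorize_subscribe_weak(account: str, topic_filter: str) -> bool:
    """The failure mode: authentication is treated as authorization. A free
    account that subscribes to 'devices/#' receives every device's messages."""
    return account in OWNERSHIP


def authorize_subscribe(account: str, topic_filter: str) -> bool:
    """Hardened check: the filter must sit under devices/<serial>/... for a
    serial the account owns. Because the serial level is compared literally,
    '+' or '#' at that level (devices/+/alerts, devices/#) is rejected, so a
    wildcard can never reach across account boundaries."""
    serials = OWNERSHIP.get(account)
    if not serials:
        return False
    parts = topic_filter.split("/")
    if len(parts) < 3 or parts[0] != "devices":
        return False
    if "#" in parts[:-1]:
        return False  # malformed filter: '#' must be the last level
    return parts[1] in serials


def deliveries(account: str, topic_filter: str, published: Dict[str, str], strict: bool) -> Dict[str, str]:
    """Simulate what a subscriber would receive: the filter has to be authorized
    and then has to match each published topic."""
    ok = authorize_subscribe(account, topic_filter) if strict else authorize_subscribe_weak(account, topic_filter)
    if not ok:
        return {}
    return {t: m for t, m in published.items() if topic_matches(topic_filter, t)}


# Constructed alert traffic from two different customers' cameras.
PUBLISHED = {
    "devices/SN-0001/alerts/motion": "motion 10:00:03 snapshot=snap-0001.jpg",
    "devices/SN-0002/alerts/sound": "sound 10:00:07",
    "devices/SN-9999/alerts/motion": "motion 10:01:00",
}

if __name__ == "__main__":
    print("weak   :", deliveries("mallory", "devices/#", PUBLISHED, strict=False))
    print("strict :", deliveries("mallory", "devices/#", PUBLISHED, strict=True))
    print("strict :", deliveries("alice", "devices/SN-0001/#", PUBLISHED, strict=True))
```

With the weak check, mallory's single `devices/#` subscription receives all three customers' alerts; with the hardened check the same subscription is refused, and alice only ever sees her own serials. On a real broker the equivalent is a per-client topic ACL that substitutes the client's identity into the allowed filter rather than a catch-all allow rule.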
A second vulnerability exposes device information through a static OpenAPI key that requires no user authentication. By querying it with a device serial number, an attacker could retrieve the camera’s external IP address, and this data could be used to estimate the owner's physical location (CVE-2026-33357).
Other issues involved how images were stored and protected. Motion-triggered snapshots were uploaded to public Alibaba Cloud object storage, for instance, where the object URLs were not signed, had no expiry, and required no login, so anyone who obtained a URL could fetch the image for as long as it existed (CVE-2026-33359).
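The difference between the bare object URLs described above and a pre-signed, expiring URL, as an added example that is not Meari's code and does not reproduce Alibaba Cloud OSS's exact signing algorithm (OSS uses its own canonical string and HMAC-SHA1); the endpoint host, bucket, object key and signing secret are constructed:

```python
"""Unsigned versus signed, expiring snapshot URLs.

Added illustration (not Meari's code and not Alibaba Cloud OSS's exact signing
algorithm). It shows the property the article says was missing: a storage URL
that only works with a valid signature and before an expiry time. Host name,
bucket, object key and signing secret are constructed.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

HOST_SUFFIX = "oss.example.invalid"           # constructed storage endpoint
SECRET = b"constructed-demo-signing-secret"   # in production: the bucket's key


def unsigned_url(bucket: str, key: str) -> str:
    """The weak form: a bare object URL. If the bucket is public, anyone who
    obtains this string can fetch the object indefinitely."""
    return f"https://{bucket}.{HOST_SUFFIX}/{key}"


def _string_to_sign(bucket: str, key: str, expires: int) -> bytes:
    # Bind the signature to the method, the expiry and the exact object.
    return f"GET\n{expires}\n/{bucket}/{key}".encode()


def _signature(bucket: str, key: str, expires: int, secret: bytes) -> str:
    mac = hmac.new(secret, _string_to_sign(bucket, key, expires), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def signed_url(bucket: str, key: str, ttl_seconds: int, now: Optional[int] = None, secret: bytes = SECRET) -> str:
    """Pre-signed URL: carries an expiry and an HMAC over (method, expiry, object)."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    query = urlencode({"Expires": expires, "Signature": _signature(bucket, key, expires, secret)})
    return f"https://{bucket}.{HOST_SUFFIX}/{key}?{query}"


def verify_url(url: str, now: Optional[int] = None, secret: bytes = SECRET) -> Tuple[bool, str]:
    """Server-side check. Returns (accepted, reason). The signature is checked
    before the expiry, so a forged URL learns nothing from the expiry error."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if "Expires" not in params or "Signature" not in params:
        return False, "unsigned"
    try:
        expires = int(params["Expires"][0])
    except ValueError:
        return False, "malformed expiry"
    bucket = (parsed.hostname or "").split(".")[0]
    key = parsed.path.lstrip("/")
    expected = _signature(bucket, key, expires, secret)
    if not hmac.compare_digest(expected, params["Signature"][0]):
        return False, "bad signature"
    if (int(time.time()) if now is None else now) > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    bucket, key = "cam-snapshots", "snapshots/SN-0001/2026-03-01T10-00-03.jpg"
    print(verify_url(unsigned_url(bucket, key), now=1_000_000))
    url = signed_url(bucket, key, ttl_seconds=300, now=1_000_000)
    print(verify_url(url, now=1_000_100))                          # accepted
    print(verify_url(url, now=1_000_400))                          # expired
    print(verify_url(url.replace("SN-0001", "SN-0002"), now=1_000_100))  # bad signature
```

The point of binding the object key into the signed string is that a leaked URL for one camera's snapshot cannot be edited into a URL for a different serial, and the expiry bounds how long a leaked link stays useful. Neither property holds for the unsigned form.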
According to Azdoufal, in the baby monitor models, these images were only lightly scrambled (using a reversible XOR method), allowing them to be reconstructed with publicly available information (CVE-2026-33361).
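Why a fixed-key XOR "scramble" on a JPEG gives an attacker nothing to break, as an added example that is not Meari's code: the article does not describe the exact scheme, so the repeating-key XOR below is a constructed stand-in, and the sample snapshot and key are constructed too. The publicly available information is simply the JPEG file header, which is identical across files:

```python
"""Why a fixed-key XOR 'scramble' on JPEG snapshots is reversible by anyone.

Added illustration (not Meari's code; the real scheme is not described in
detail, so the repeating-key XOR here is a constructed stand-in). The point:
every JFIF JPEG starts with the same header bytes, so scrambled bytes XOR the
known header give the key directly. No key material is needed at all.
"""
from typing import Optional

# Public knowledge: SOI marker, APP0 marker, APP0 length and the 'JFIF\0' tag.
JPEG_JFIF_PREFIX = bytes.fromhex("FFD8FFE000104A46494600")


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(scrambled: bytes, known_prefix: bytes = JPEG_JFIF_PREFIX) -> Optional[bytes]:
    """Known-plaintext attack. ct[i] ^ pt[i] yields key[i % L] for the first
    len(known_prefix) bytes; the shortest period consistent with all of them is
    the key. Keys longer than the known prefix cannot be fully recovered this
    way alone (you would need more known bytes, e.g. other fixed JPEG markers)."""
    if len(scrambled) < len(known_prefix):
        return None
    stream = bytes(c ^ p for c, p in zip(scrambled, known_prefix))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


def unscramble_jpeg(scrambled: bytes) -> Optional[bytes]:
    """Recover the key from the header, apply it, and sanity-check the result."""
    key = recover_key(scrambled)
    if key is None:
        return None
    plain = xor_scramble(scrambled, key)
    return plain if plain.startswith(JPEG_JFIF_PREFIX) else None


# Constructed 'snapshot': a JFIF header followed by filler standing in for image data.
SAMPLE_JPEG = JPEG_JFIF_PREFIX + bytes.fromhex("0101000001000100") + b"constructed image payload bytes"
SAMPLE_KEY = b"k3y!"  # constructed 4-byte key baked into a hypothetical app
SAMPLE_SCRAMBLED = xor_scramble(SAMPLE_JPEG, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_SCRAMBLED))
    print("round trip ok:", unscramble_jpeg(SAMPLE_SCRAMBLED) == SAMPLE_JPEG)
```

Once a single scrambled snapshot has been opened this way, the recovered key works for every other snapshot produced by the same build, which is why a shared hardcoded key, as opposed to per-device or per-file keys under a real cipher, offers no confidentiality even before the key is extracted from the app itself.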
The researcher also found that all apps using the platform shared the same built-in cryptographic keys (CVE-2026-33362), which are hardcoded into the software – meaning they cannot easily be changed in the event of an attack.
These five high-risk CVEs add up to a platform built to harvest customer data at scale, Azdoufal says, “secured by defaults that nobody on the inside ever planned to rotate.”
Using publicly available data, he estimates that the platform that ships these defaults operates 1.1 million registered devices across more than 118 countries.
Not even Meari employees are protected, the research suggests, as Azdoufal reported exposed internal company servers containing over 600 employee credentials (including the CEO’s) and operational data tied to Meari’s infrastructure.
Manufacturer’s response
After initially dismissing the findings, Meari eventually shut down the vulnerable EMQX deployment (the MQTT broker behind the alert system), rotated credentials, and released firmware updates for some affected devices. The company also paid Azdoufal a €24,000 bug bounty.
After 47 days, the Hangzhou-based company signed off on the vulnerability disclosures.
It remains unclear how many cameras in use can still receive updates or whether affected customers have been notified. Consumers using CloudEdge devices or other brands built on Meari’s software platform may be affected.
Larry Pesce, vice president of services at Finite State, said the incident reflects a wider industry problem: white-boxed products and fragmented accountability.
“In these business models, margins are razor-thin, which often means security investment gets treated as a cost center instead of a product requirement.
“Everybody wants the feature set, the mobile app, the cloud connectivity, but nobody wants to pay for rigorous security engineering, long-term maintenance, or coordinated vulnerability response. But when something goes wrong, the responsibility chain becomes a maze."
Larry Pesce, vice president of services at Finite State
"The reseller may have branded the device and sold it to consumers, but they frequently have little or no control over the underlying firmware, cloud platform, or update process,” he warned.
In a right of reply, Wyze was keen to point out that the issue does not affect its platform or customer data. According to the firm's CMO Dave Crosby, Wyze develops its own software stack and operates through a separate US-based AWS and Azure infrastructure, rather than relying on Meari-hosted systems.
Crosby added that Meari only supplies hardware for select Wyze outdoor cameras – not indoor devices – and that Wyze began working with the company after the period tied to the reported vulnerabilities, which involved pre-2019 Meari products.
“Wyze has no reported vulnerabilities or exposure related to this issue,” Crosby added.
Additionally, a Petcube spokesperson added that users were not impacted by the vulnerabilities described.
“Meari is strictly a contracted hardware manufacturer – they develop PCBs and assemblies to our specs, but the software running on our cameras is entirely Petcube's," the vendor spokesperson said.
“We don't use Meari's CloudEdge platform, MQTT system, EMQX, or any of their software, cloud services, or APIs. User data lives on Petcube's own servers, not Meari's,” they added.