Anyone Could Have Been Watching Your Kids on Certain Baby Monitors
by Jeremy Gray · PetaPixel
Another day, another Wi-Fi camera hack. Roughly "a million" network-connected baby monitors and security cameras were viewable by anyone who found the right key, exposing many households to serious privacy violations and security risks.
As The Verge reports in a bombshell story, hackers could easily and remotely view baby monitors and security cameras made by Meari Technology, a Chinese white-label manufacturer. The company makes numerous network-attached cameras that are sold on major marketplaces such as Amazon under a variety of brand names.
Sammy Azdoufal found 1.1 million remotely accessible Meari cameras with little effort, The Verge explains.
“Just by inspecting the Android app, Azdoufal says he was able to extract a single key that gave him access to devices across 118 countries,” The Verge reports.
As The Verge's Sean Hollister rightly explains, there is something extremely disturbing about having access to a camera inside someone's home without the occupants' knowledge. Watching a baby through its monitor, children playing in their room, or private family moments is morally reprehensible, and it appears that anyone in the world could have been doing it for months or years.
Azdoufal's name may be familiar to PetaPixel readers: he is the same person who earlier this year remotely accessed the cameras inside thousands of DJI robot vacuums. Azdoufal used the same general approach to break into the Meari cameras, although this is arguably a far more invasive and disturbing situation than the DJI robot vacuum network.
Azdoufal could see many thousands of photos from Meari's various cameras, offering him an intimate look inside people's homes. These photos were stored on Alibaba servers in China at public web addresses with no access control. He also easily tracked down Meari's employees and their login credentials.
“I talk to the boss, I have his number, I send a WeChat,” Azdoufal says.
Meari reportedly ignored Azdoufal for a while; when the company finally responded, it also closed the primary security hole.
“Under specific technical conditions, attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization,” a Meari spokesperson told The Verge.
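The page only says that one key extracted from the Android app reached devices across 118 countries and that messages on the EMQX IoT platform could be intercepted "without user authorization"; it does not say how Meari's broker was configured. The following is an added illustration, not Meari's or EMQX's code, of the flaw class those two statements point at: a message broker that honors one fleet-wide app secret for any topic, compared with per-identity credentials and topic ACLs that bind each account to the cameras it owns. All names, topic layout and secrets are constructed for the example.

```python
"""Constructed model of broker-side authentication and topic authorization for a camera fleet."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample secrets for the illustration (assumed names, not Meari's).
SHARED_APP_KEY = "app-static-key"                              # one secret baked into every copy of the app
DEVICE_KEYS = {"cam-1001": "k-1001", "cam-1002": "k-1002"}      # per-device secrets
ACCOUNT_KEYS = {"alice": "k-alice", "bob": "k-bob"}             # per-account secrets (hardened model only)
ACCOUNT_DEVICES = {"alice": {"cam-1001"}, "bob": {"cam-1002"}}  # which cameras each account owns


@dataclass
class Principal:
    kind: str   # "app" or "device"
    name: str   # account name or device id


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT-style filter matching: '+' matches one level, '#' matches everything below."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


def authenticate(policy: str, kind: str, name: str, key: str) -> Optional[Principal]:
    """Weak policy: every app instance presents the same fleet-wide key, so the key
    proves nothing about which user is connecting.  Hardened policy: each account
    and each device has its own secret."""
    if kind == "device":
        expected = DEVICE_KEYS.get(name)
    elif policy == "weak":
        expected = SHARED_APP_KEY
    else:
        expected = ACCOUNT_KEYS.get(name)
    if expected is None or not hmac.compare_digest(key, expected):
        return None
    return Principal(kind, name)


def authorize(policy: str, p: Principal, action: str, topic: str) -> bool:
    """Weak policy: anyone authenticated as 'app' may subscribe to every device's topics,
    including the wildcard filter 'devices/#'.  Hardened policy: a device may only publish
    into its own subtree and an account may only subscribe to cameras bound to it."""
    if policy == "weak":
        if p.kind == "app":
            return action == "subscribe" and topic_matches("devices/#", topic)
        return topic_matches(f"devices/{p.name}/#", topic)
    if p.kind == "device":
        return action == "publish" and topic_matches(f"devices/{p.name}/#", topic)
    return action == "subscribe" and any(
        topic_matches(f"devices/{d}/#", topic) for d in ACCOUNT_DEVICES.get(p.name, ())
    )


def check(policy: str, kind: str, name: str, key: str, action: str, topic: str) -> bool:
    """Full broker decision: authenticate the connection, then authorize the requested action."""
    p = authenticate(policy, kind, name, key)
    return p is not None and authorize(policy, p, action, topic)


if __name__ == "__main__":
    # Weak policy: the key pulled out of the app is enough to subscribe to the whole fleet.
    print(check("weak", "app", "anyone", SHARED_APP_KEY, "subscribe", "devices/#"))
    # Hardened policy: alice reaches her own camera only, and never through a wildcard filter.
    print(check("hardened", "app", "alice", "k-alice", "subscribe", "devices/cam-1001/events"))
    print(check("hardened", "app", "alice", "k-alice", "subscribe", "devices/cam-1002/events"))
    print(check("hardened", "app", "alice", "k-alice", "subscribe", "devices/#"))
```

The practical check this models is on the broker, not the app: a secret that ships inside a mobile app must be treated as public, so whatever it unlocks should be the least the app needs, and the ACL must tie the authenticated identity to the topics of its own devices rather than granting a fleet-wide wildcard.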
The company did not say how many cameras or which brands were vulnerable, whether customers had been alerted, whether anyone other than Azdoufal had exploited the vulnerabilities, or what measures, if any, it has in place to prevent its own employees or vendors from spying on users, a major concern with any internet-connected camera.
Fortunately, Azdoufal says most of the issues he uncovered have been fixed, and he has been paid a €24,000 bug bounty. However, he also says the company initially threatened him, telling him that it knew where he lived and that he had committed a crime.
Azdoufal has detailed his complete story on GitHub, including the many weeks of back-and-forth with Meari and what he considers to be shady behavior on the company's part.
Even though Meari's vulnerability appears to have been addressed, that may do little to quell the fears people rightly have about the cameras in their homes and whether they are truly secure.
As PetaPixel noted when covering the DJI robot vacuum security vulnerability, which has also been patched, “This is far from the first time a piece of home tech has had security vulnerabilities, and unfortunately, it is unlikely to be the last.”
Unfortunately, this is just as true today as it was in February.
Image credits: Meari Technology