Critical Security Flaw Exposes 1.1 Million Meari Technology Cameras to Remote Access
Security researcher Sammy Azdoufal details how insecure configurations allowed attackers to view live feeds and access internal employee data, prompting Meari Technology to shut down its EMQX IoT platform.

A significant security vulnerability has been identified affecting approximately 1.1 million Wi-Fi baby monitors and security cameras manufactured by Meari Technology. The devices, which are sold under various white-label brands including Wyze, Arenti, Anran, Boifun, ieGeek, and Intelbras, were found to be insecurely configured, allowing unauthorised remote access.
Security researcher Sammy Azdoufal discovered that the flaw stemmed from shared default passwords and credentials exposed on public servers. Common default passwords such as "admin" and "public" were found on the devices, enabling attackers to intercept messages transmitted via the EMQX IoT platform without authorisation.
The exposure extended beyond simple camera access, as tens of thousands of photos were stored on public web addresses on Chinese Alibaba servers without protection. Additionally, an unprotected internal server contained Meari's passwords, credentials, and a list of 678 employees with their emails and phone numbers.
In response to the findings, Meari Technology has shut down its EMQX IoT platform and changed passwords to mitigate the risk of Remote Code Execution. The company has urged customers to update their firmware to version 3.0.0 or higher to ensure full remediation of the security issues.
Azdoufal received a €24,000 bug bounty on May 7th for disclosing the vulnerability. However, concerns remain regarding the effectiveness of the fix, as it is unclear whether all affected devices can receive the necessary firmware updates or if partners have adequately warned consumers.
While Meari Technology initially attempted to backdate security bulletins to March 2nd, the announcements were ultimately published in April. The company also failed to provide a named spokesperson during initial inquiries, though an unnamed representative later admitted to the technical conditions allowing unauthorised interception of messages.