A million baby monitors and security cameras were easily viewable by hackers

Meari Technology: the Wi-Fi camera maker you’ve probably never heard of.

A baby’s eyes peer directly into the camera lens. A kid with a striped shirt looks up, then away. A boy in a policeman’s costume, a gold star on his chest. A messy bedroom that reminds me of my own daughters, with an unmade bunk bed, a little girl’s hat and headband, and Hello Kitty plastered on the wall.

One thought repeats in my mind: I shouldn’t be seeing this. No stranger should. But bad actors could’ve easily spied on all these locations — and a million more — because many of Meari Technology’s Wi-Fi baby monitors and security cameras were absurdly insecure. If you had access to one of those cameras, you theoretically had access to them all.

Meari is a Chinese white-label brand whose cameras ship under hundreds of different names. Many are generic-sounding Amazon sellers like Arenti, Anran, Boifun, and ieGeek. But financial records show one of the company’s biggest customers is Wyze; its biggest customer is Zhiyun; and many hackable cameras were from Intelbras. At least one of Petcube’s pet-monitoring cameras appears to be a Meari product as well.

Sammy Azdoufal — the man from France who created a remote-controlled army of DJI Romo robot vacuum cleaners without really trying — tells The Verge he found 1.1 million remotely accessible Meari cameras almost the same way. Just by inspecting the Android app, Azdoufal says he was able to extract a single key that gave him access to devices across 118 countries.

Every one of those million devices was broadcasting its information to anyone who knew how to listen. Or anyone who knew how to guess the company’s passwords, many of which were still set to default. One of those passwords was the word “admin.” Another was the word “public.”

When Azdoufal hooked up the MQTT datastream to a vibe-coded map of the world, he says he could see “everything.” He could see into people’s homes. He could see their email addresses and rough locations.

He could also see tens of thousands of photos from these cameras, stored on Chinese Alibaba servers at public web addresses without any protection, including the photos I describe at the beginning of this story.

“I can retrieve the picture without any passwords, no cracking, no hacking,” says Azdoufal. “I just click on the URL and this image is showing.”

Azdoufal says he even found an unprotected internal server with Meari’s passwords and credentials exposed in plain sight, as well as a list of all 678 employees with their emails and phone numbers. “I talk to the boss, I have his number, I send a WeChat,” Azdoufal laughs.

He says that’s when Meari finally began answering his emails. Even though reports of vulnerabilities in Meari’s CloudEdge platform date back years, and a late 2025 vulnerability report predicted the damage Meari’s MQTT design could cause, he says the company didn’t take him seriously until its own employees were proven vulnerable.

On March 10th, Meari cut off Azdoufal’s access — and closed the primary hole. By the time I’d purchased three Meari vendors’ cameras in the hopes of getting a live demo of the hack, I was (thankfully!) too late to see it working myself. But even though there’s no GIF of me getting run over by a robot lawn mower, I didn’t have to take Azdoufal’s word that the potential damage was real.

“Under specific technical conditions, attackers may intercept all messages transmitted via the EMQX IoT platform without user authorization,” an unnamed spokesperson from the “Meari Technology Security Team” admitted to The Verge, when we reached out by email.

The company also says it discovered “Risk of potential Remote Code Execution (RCE) due to weak password issues on the scheduled task platform.”

To fix the problems, Meari’s unnamed spokesperson says it shut down its EMQX platform entirely, changed usernames and passwords, and told its customers to upgrade devices to the latest firmware (it claims only versions below 3.0.0 are affected).

But Meari would not tell us:

  • How many cameras or brands were actually vulnerable;
  • Whether those brands have adequately warned their customers;
  • Whether these vulnerabilities have already been abused;
  • What — if anything — prevents an employee of Meari or any of its vendors from spying on people from the other side of the world.

Azdoufal says that the way Meari originally designed its system, any brand could access any other brand’s cameras, since they all shared the same servers and passwords.
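The design flaw described here, one broker credential shared by every device and every brand with no per-client authorization, can be shown with a small model of a broker's login and ACL logic. This is an added example written for this page, not Meari's, EMQX's or Azdoufal's code: the device ids, secrets and `devices/<id>/snapshot` topic layout are constructed for the demo, and the `%u` placeholder in the ACL templates is modeled on the EMQX-style rule syntax rather than taken from any real configuration. The "admin"/"public" pair used in the weak scenario is the factory default login of the EMQX dashboard, which matches the article's account of passwords left at default.

```python
"""
Toy MQTT broker: authentication, topic-filter matching and subscribe/publish ACLs.
Constructed example for this article (not Meari's or EMQX's code).
Scenario 1: every device and the attacker share admin/public with an allow-all ACL.
Scenario 2: one credential per device, ACL confines each user to devices/<user>/#.
"""
from dataclasses import dataclass, field


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' matches the remainder."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True           # '#' is only valid as the last level of a filter
        if i >= len(t_levels):
            return False          # filter has more levels than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


@dataclass
class Client:
    client_id: str
    username: str
    password: str


@dataclass
class Broker:
    credentials: dict                                   # username -> password
    acl: list                                           # (user or '*', 'subscribe'|'publish', template)
    subscriptions: dict = field(default_factory=dict)   # client_id -> [filters]
    inbox: dict = field(default_factory=dict)           # client_id -> [topics delivered]

    def connect(self, client: Client) -> bool:
        if self.credentials.get(client.username) != client.password:
            return False
        self.subscriptions.setdefault(client.client_id, [])
        self.inbox.setdefault(client.client_id, [])
        return True

    def _allowed(self, client: Client, action: str, requested: str) -> bool:
        """Allowed if some rule for this user/action covers the request. The request is
        compared level by level against the expanded rule, so a wildcard in the
        request only passes where the rule itself has a wildcard (deny by default)."""
        for user, act, template in self.acl:
            if act != action or user not in ("*", client.username):
                continue
            pattern = template.replace("%u", client.username)   # hypothetical placeholder
            if topic_matches(pattern, requested):
                return True
        return False

    def subscribe(self, client: Client, topic_filter: str) -> bool:
        if not self._allowed(client, "subscribe", topic_filter):
            return False
        self.subscriptions[client.client_id].append(topic_filter)
        return True

    def publish(self, client: Client, topic: str) -> bool:
        if not self._allowed(client, "publish", topic):
            return False
        for cid, filters in self.subscriptions.items():
            if any(topic_matches(f, topic) for f in filters):
                self.inbox[cid].append(topic)
        return True


DEVICE_IDS = ["cam-001", "cam-002", "cam-003"]   # constructed device ids


def shared_credential_scenario() -> list:
    """Shared admin/public login, allow-all ACL: a '#' subscriber receives every device."""
    broker = Broker(credentials={"admin": "public"},
                    acl=[("*", "subscribe", "#"), ("*", "publish", "#")])
    attacker = Client("attacker", "admin", "public")   # credential recovered from the app
    broker.connect(attacker)
    broker.subscribe(attacker, "#")
    for cid in DEVICE_IDS:
        cam = Client(cid, "admin", "public")
        broker.connect(cam)
        broker.publish(cam, f"devices/{cid}/snapshot")
    return broker.inbox["attacker"]


def per_device_acl_scenario() -> tuple:
    """Unique credential per device, ACL scoped to devices/%u/#: one stolen credential
    cannot subscribe to '#' and only ever sees its own device's topics."""
    creds = {cid: f"secret-{cid}" for cid in DEVICE_IDS}   # constructed per-device secrets
    broker = Broker(credentials=creds,
                    acl=[("*", "subscribe", "devices/%u/#"),
                         ("*", "publish", "devices/%u/#")])
    attacker = Client("attacker", "cam-001", creds["cam-001"])   # holds one device's login
    broker.connect(attacker)
    wildcard_ok = broker.subscribe(attacker, "#")                  # denied
    own_ok = broker.subscribe(attacker, "devices/cam-001/#")       # allowed
    for cid in DEVICE_IDS:
        cam = Client(cid, cid, creds[cid])
        broker.connect(cam)
        broker.publish(cam, f"devices/{cid}/snapshot")
    return wildcard_ok, own_ok, broker.inbox["attacker"]


if __name__ == "__main__":
    print("shared credential:", shared_credential_scenario())
    print("per-device ACL:   ", per_device_acl_scenario())
```

The point of the second scenario is that the blast radius of any single leaked secret (from a decompiled app, a flashed firmware image, or one compromised brand) is one device rather than the whole fleet; the ACL is what makes the credential count matter, since unique passwords with an allow-all ACL would still let any one of them subscribe to everything.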

While shutting down the EMQX platform did block remote access, Azdoufal confirms, it’s not clear what happens to those million cameras now. Meari has not told us how many of those devices can actually get a new firmware update, or whether Meari’s partners have actually passed along so much as a warning to people who have these cameras in their homes.