Many homes with small children have surveillance cameras or baby monitors installed. They let you watch over your child while they sleep, providing peace of mind. However, this convenience can turn into a nightmare if the security of these devices is compromised, exposing sensitive information to potential intruders.

What Has Happened?

Security expert and independent researcher Sammy Azdoufal recently discovered that Meari brand cameras, including electronic peepholes and baby monitors, were inadequately protected. Through a straightforward analysis of the Android app, he extracted a unique key, granting him access to over a million cameras worldwide, across 118 countries. The full details of his findings are available in his GitHub repository.

What is Meari?

The brand Meari Technologies may not be familiar to many consumers. This is primarily because Meari operates as a white label manufacturer, producing products for several other brands. Cameras made by Meari can be found on platforms like Amazon under various names, including Arenti, Anran, Wyze, and Petcube, often rated positively by users. However, the underlying security issues affect all these brands.

Non-existent Security

The vulnerability lies not in a particular model but in the overall system architecture. Many brands sharing Meari’s technology utilize common servers and even credentials, leading to a disastrous lack of security isolation. Azdoufal found that the MQTT system, used for real-time communication between devices, lacked adequate protections. Many of these cameras were still using default passwords like “admin” or “public,” making unauthorized access shockingly easy. Even stored alert images—captured when motion is detected—were found on unprotected Alibaba servers and were accessible via simple URLs.
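
To illustrate the isolation failure described above, the following added example (not taken from Azdoufal's repository or from Meari's code) audits a broker access-control list for credentials that can subscribe to topics beyond their own device. The topic layout, account names and ACL entries are constructed assumptions.

```python
# Added illustration; topic layout, account names and ACL entries are constructed.

def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' is one level, '#' is all remaining levels."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    # Wildcards at the first level must not match '$'-prefixed system topics.
    if topic.startswith("$") and f_parts[0] in ("+", "#"):
        return False
    for i, f in enumerate(f_parts):
        if f == "#":
            return i == len(f_parts) - 1  # '#' is only valid as the last level
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

# Hypothetical ACL: 'owner' is the (brand, device) a credential belongs to.
ACLS = {
    "shared-app-key": {"owner": None, "subscribe": ["#"]},           # one key for all
    "dev-A1": {"owner": ("brandA", "A1"), "subscribe": ["cam/brandA/A1/#"]},
    "dev-B7": {"owner": ("brandB", "B7"), "subscribe": ["cam/brandB/+/alert"]},
}

# Constructed sample topics, laid out as cam/<brand>/<device>/<event>.
TOPICS = [
    "cam/brandA/A1/alert", "cam/brandA/A2/alert",
    "cam/brandB/B7/alert", "cam/brandB/B9/alert",
]

def readable_devices(account: str) -> set:
    """Return every (brand, device) whose topics this credential may subscribe to."""
    devices = set()
    for topic in TOPICS:
        if any(filter_matches(f, topic) for f in ACLS[account]["subscribe"]):
            _, brand, device, _ = topic.split("/")
            devices.add((brand, device))
    return devices

def audit() -> dict:
    """Map each credential to the devices it can read but does not own."""
    findings = {}
    for name, acl in ACLS.items():
        extra = readable_devices(name) - {acl["owner"]}
        if extra:
            findings[name] = sorted(extra)
    return findings

if __name__ == "__main__":
    for name, devices in audit().items():
        print(f"{name}: can read other devices {devices}")
```

Only the per-device credential scoped to its own subtree passes; the shared key and the single-level wildcard both cross device boundaries.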

In an unsettling discovery, Azdoufal uncovered an unprotected internal server containing the passwords and contact details of 678 Meari employees, emphasizing the severity of the oversight. Remarkably, he didn’t have to hack into a system; he merely needed to know where to look.

The Response from Meari

Meari did not take Azdoufal’s findings seriously until it realized that its own employees’ data was at risk. Following this, the company began to respond to his communications and addressed the vulnerabilities. In a statement to The Verge, Meari acknowledged that “under certain technical conditions, attackers can intercept all messages transmitted through the EMQX IoT platform without user authorization.” However, key questions remained unanswered, such as how many camera models were affected or whether the vulnerabilities had already been exploited.

Tensions Rise

Azdoufal was eventually compensated with over $24,000 for identifying these security flaws. However, the negotiations were fraught with tension. Meari allegedly sent him veiled threats, suggesting that his access to their servers was illegal. The company even attempted to downplay the situation by publishing altered security bulletins to create the impression that they had prior knowledge of the bugs.

What to Do if You Have a Meari Camera

If you own a Meari camera, knowing whether it is affected is challenging, as Meari manufactures for over 300 different brands and there is no official list available. If you suspect that your device is affected, it is advisable to unplug it when not in use, as the issue is rooted in the cloud infrastructure, which you cannot rectify yourself. Additionally, be aware that some captured images may still be accessible. Residents within the EU have the option to lodge a complaint with their data protection authority.

In summary, while baby monitors and surveillance cameras provide essential security for families, their vulnerabilities can have serious implications. It’s crucial to remain vigilant and informed about the devices we use in our homes.


