A French specialist is sounding the alarm. Electronic baby monitors are a threat to children

This is exactly the story described by French cybersecurity specialist Sammy Azdoufal. It started innocently enough: a friend from work bought an electronic baby monitor on Amazon and asked if such a device was safe. Azdoufal decided to check. It turned out that the smartphone camera application and the cloud infrastructure to which the device connects have very serious security vulnerabilities. As a result, he managed relatively easily to gain access, among other things, to photos of babies from all over the world taken by these cameras. They were not protected by any password – it was enough to generate a list of links to the server and the door to the children's bedroom was open. Many of these materials could also be easily linked to the approximate location where they were made. The researcher reported that the problem may affect up to approximately 1.1 million registered cameras and video intercoms connected to the network in at least 118 countries.
The main culprit in this story is the Chinese company Meari. It is a manufacturer of hardware and software that is then sold by other brands such as Arenti, BOIFUN, COCOCAM, PetTec, SV3C, Joystek, Luvion and Vimar. Some of these brands can also be found in Polish stores. This is the case, for example, with Arenti cameras, which are available, among others, in the Media Expert network. Some of them may be based on Meari hardware, software and network infrastructure.
Unfortunately, there is no easy way to recognize them with complete certainty by appearance or packaging. The only way to be sure is to check whether the smartphone application communicates with servers with an address ending in meari.com.cn.
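One way to run that check at home, as an added example that is not part of the original article: scan the DNS query log of a home resolver and list which devices on the network looked up names under meari.com.cn. It assumes a dnsmasq/Pi-hole style log; the log lines, hostnames and IP addresses are constructed for illustration, and only the suffix comes from the article.

```python
import re
from collections import defaultdict

# Suffix taken from the article; everything else here is an assumption.
VENDOR_SUFFIX = "meari.com.cn"

# dnsmasq/Pi-hole style query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Za-z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

# Constructed sample log: hostnames and addresses are made up.
SAMPLE_LOG = """\
Mar 10 21:14:03 dnsmasq[812]: query[A] apis-eu.MEARI.com.cn from 192.168.1.50
Mar 10 21:14:03 dnsmasq[812]: forwarded apis-eu.meari.com.cn to 9.9.9.9
Mar 10 21:14:05 dnsmasq[812]: query[AAAA] www.example.org from 192.168.1.20
Mar 10 21:14:09 dnsmasq[812]: query[A] notmeari.com.cn from 192.168.1.20
Mar 10 21:15:11 dnsmasq[812]: query[A] push.meari.com.cn. from 192.168.1.50
Mar 10 21:16:40 dnsmasq[812]: query[A] meari.com.cn.cdn.example.net from 192.168.1.31
"""


def under_suffix(name, suffix=VENDOR_SUFFIX):
    """True if name is the suffix itself or a subdomain of it.

    Matching on a label boundary avoids false hits such as
    'notmeari.com.cn' or 'meari.com.cn.cdn.example.net'.
    """
    name = name.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def clients_contacting_vendor(log_text, suffix=VENDOR_SUFFIX):
    """Map each client IP to the sorted names it queried under the suffix."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and under_suffix(m.group("name"), suffix):
            hits[m.group("client")].add(m.group("name").rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in clients_contacting_vendor(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

The client address that shows up may be the phone running the app or the camera itself; either one indicates that the product depends on this infrastructure.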
It would be best if stores verified what exactly they sell and informed their customers about it, because unfortunately, practice shows that companies that brand and distribute equipment created by someone else rarely provide such communication.
Cybersecurity specialist Sammy Azdoufal easily gained access to photos taken by baby monitors stored unsecured on the manufacturer's Chinese servers.
The researcher informed the company about his discovery before making it public. His more detailed account, described by The Verge journalists, shows that Meari's representatives initially did not want to talk to him; the matter was taken seriously only when he demonstrated that the problem also affected company employees, whose contact information was located unsecured on the employer's internal servers. Eventually, the main vulnerabilities were patched and he received a reward of 24,000 euros for his find.
However, this does not mean the end of the problems. Some of the detected vulnerabilities can only be removed by updating the firmware of the devices themselves — and there is no guarantee that every company selling equipment based on Meari solutions will pass it on to its customers. Not every customer will be able to download and install such an update.
This is not the first story with cameras connected to the Internet
Meari's story is not an isolated case, even in the context of the author of the described discovery. Sammy Azdoufal himself previously described very similar vulnerabilities in DJI cleaning robots. Azdoufal showed that security flaws could have allowed access to data collected by these devices, including camera images and information about apartment layout.
The same researcher previously found serious security vulnerabilities in DJI robot vacuum cleaners.
The biggest failure of this type was made by the Amazon-owned Ring brand. In 2023, the US Federal Trade Commission accused the company of failing to adequately secure access to user recordings. It was not only about hacker attacks, but also about excessively broad rights of employees and subcontractors who could view private recordings from cameras installed in customers' homes.
The biggest failure related to the security of smart gadgets was made by Amazon's Ring brand.
Customers of Anker and its Eufy brand experienced similar disappointment. For years, the company has emphasized that its cameras focus on privacy and local storage of recordings. Meanwhile, journalists and researchers have shown that some materials – including thumbnails of recordings and video streams – were available over the Internet in a way that is difficult to reconcile with marketing declarations of full encryption and lack of access by third parties. It is effectively a bitter reminder that in matters related to data security, you cannot blindly trust the declarations of even the largest brands.
However, a recent example related to the war in the Middle East reminds us how dangerous vulnerabilities of this type can be. A Check Point Research report from March this year shows that Iranian-linked hackers used, among other things, software bugs in outdated Hikvision and Dahua surveillance cameras located in Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, Lebanon and Cyprus to obtain information.
How to protect yourself from danger
Stories like Meari's are even more disturbing in the context of how the world of cybersecurity is changing. With the popularization of artificial intelligence-based tools, finding vulnerabilities in manufacturers' applications, firmware and clouds can become simpler, faster and cheaper. This is good news if responsible researchers and manufacturers respond quickly. It is worse if the same mechanisms are used to mass scan the Internet in search of poorly secured cameras, sensors or other smart home devices.
So how can you protect yourself against such situations?
The first and most important piece of advice may sound trivial, but it is related to the only completely certain solution: consider whether a given device needs to be connected to the Internet at all. Does the camera in the child's room have to offer access from the other side of the world, or is local viewing at home enough? Each Internet connection is a potential attack surface, so the fewer such connections, the lower the risk.
If a device needs to be “smart”, it's worth reducing its dependence on external servers. We recommend that advanced users consider configuring their own smart home management platform based on Home Assistant, which allows you to control devices from many manufacturers within your own network, without sending data to the cloud.
It is usually not very wise to buy smart devices from little-known cheap brands. The example of Ring and Anker shows that buying equipment from a well-known brand is not necessarily a guarantee of security, but the reality is that cheap smart devices from unknown brands often owe their low prices to the fact that their manufacturer minimizes expenses on programmers and after-sales support for their devices.
Once you buy a device that connects to the Internet from a manufacturer known for regularly updating the software of the products it sells over a long period, you simply need to check for and install software updates regularly. Yes, they can be annoying, but in this day and age, ignoring them is becoming an ever louder and more public way of asking for trouble.
Cybersecurity specialists have been repeating another simple rule for years: separate your home IoT devices from the rest of the network. It is best to place cameras, light bulbs, vacuum cleaners or video doorbells on a separate Wi-Fi network – for example, on the router's guest network. Thanks to this, even if one of the devices is taken over, it will not have easy access to computers, phones or home NAS with private data.
Finally, it is worth remembering one more obvious thing: the camera “sees” what we show it. Even the best secured device should not cover particularly sensitive places, such as documents, computer screens, or entrance doors, unless necessary. It's easy to forget about such “analog” security measures, but they are still the most effective.






