The problem is that anyone could look

Many homes with small children have installed surveillance cameras or baby monitors. They let you watch the child while they sleep and, if they cry, go and see what is happening in an instant. All advantages, except when the camera in question has a security flaw that gives access to anyone who cares to look.

What has happened. Security expert and independent researcher Sammy Azdoufal discovered that Meari brand cameras (including electronic peepholes and baby monitors) were completely unprotected. Simply by analyzing the Android app, Azdoufal was able to extract a single key that gave him access to more than a million cameras spread across 118 countries. All of his research is detailed in his GitHub repository.

What is Meari? The name Meari Technologies probably does not sound familiar to you, and that is normal: it is a white label manufacturer, that is, it builds products for other brands. As The Verge explains, Meari cameras are sold on Amazon under various brands, such as Arenti, Anran, Boifun, ieGeek, Wyze, Petcube, COCOCAM, PetTec, SV3C, Joystek, Luvion and Vimar. Searching Amazon Spain we found cameras from many of these brands, some of them with thousands of positive reviews.

Non-existent security. The problem was not in a specific model but in the entire architecture: many of these brands shared servers and sometimes even credentials, so the system had no isolation whatsoever, and any of these brands could access the cameras of another. Additionally, the MQTT system (a machine-to-machine messaging protocol, running here on the EMQX IoT platform) lacked adequate protections, allowing real-time viewing of what was happening in thousands of homes. Azdoufal also discovered that many cameras were still using default passwords such as “admin” or “public” and, even worse, that the alert images these cameras save (for example when they detect movement) were stored on Alibaba servers without any protection, accessible simply through a URL.

And that was not all: he also found an unprotected internal server containing Meari passwords and a list of 678 employees, including their emails and telephone numbers. He didn’t need to hack anything, just know where to look.
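The alert images the researcher found were protected by nothing more than knowledge of their URL. The following is an added illustration, not code from the article, from the researcher or from Meari, of the difference between such a bare link and an HMAC-signed, expiring link of the kind object stores issue for private objects; the hostname, object paths and signing key are constructed placeholders.

```python
"""Bare download links versus HMAC-signed, expiring links for alert snapshots.

Added example; the storage host, paths and key below are constructed
placeholders and have nothing to do with Meari's real infrastructure.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder: a server-side secret that is never sent to clients
# or embedded in a mobile app.
SIGNING_KEY = b"example-signing-key-replace-in-production"
BASE_URL = "https://example-storage.invalid"  # constructed, not a real host


def unsigned_url(object_path: str) -> str:
    """The weak pattern: anyone who learns (or guesses) the path can fetch it."""
    return f"{BASE_URL}/{object_path}"


def _digest(object_path: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    # Bind the signature to both the path and the expiry, so changing either
    # (pointing the link at another camera, or extending its lifetime)
    # invalidates it.
    msg = f"{object_path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signed_url(object_path: str, ttl_seconds: int = 300,
               now: Optional[int] = None) -> str:
    """The hardened pattern: a short-lived link only the server can mint."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    query = urlencode({"expires": expires, "sig": _digest(object_path, expires)})
    return f"{BASE_URL}/{object_path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check that must pass before the object is served."""
    parsed = urlparse(url)
    object_path = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # no signature at all: the bare-URL case
    current = int(now if now is not None else time.time())
    if current > expires:
        return False  # link has expired
    # Constant-time comparison avoids leaking the expected digest byte by byte.
    return hmac.compare_digest(sig, _digest(object_path, expires))


if __name__ == "__main__":
    link = signed_url("alerts/cam-0001/snapshot.jpg", ttl_seconds=60)
    print(link)
    print("valid now:", verify_url(link))
    print("bare link accepted:", verify_url(unsigned_url("alerts/cam-0001/snapshot.jpg")))
```

The point of the signature is that the server, not the client, decides which object a link may fetch and for how long; a leaked link is useless after its TTL, and editing the path to reach another camera's images breaks the signature.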

The response. According to Azdoufal, Meari did not take him seriously until they saw that their own employees’ data was being leaked; only then did they begin to answer his emails and fix the main flaw, cutting off access to the cameras. In a statement sent to The Verge, the company admits that “Under certain technical conditions, attackers can intercept all messages transmitted through the EMQX IoT platform without user authorization.” However, it did not answer key questions such as how many camera models were affected, whether the different brands have warned their users, or whether the vulnerability had been exploited before.

Tensions. Azdoufal was paid more than $24,000 for finding the bugs, but only after several weeks of negotiation in which Meari did some pretty shady things. According to the researcher, the company sent him messages with veiled threats: that his access to their servers was illegal, that they were ready to “protect their interests,” and that they knew his address. The company also tried to make it look as if it had known about the bugs earlier, publishing security bulletins with altered dates.

What to do if you have a Meari camera. According to the researcher, Meari manufactures for more than 300 brands, and we have not found any official list on its website, so it is difficult to know which brands are affected. If you suspect that your camera is one of them, Azdoufal recommends unplugging it whenever you are not using it, because the problem is in the cloud and is not something you can fix yourself. Also bear in mind that some images may still be accessible, and if you live in the EU you can lodge a complaint with your data protection authority.

Image | Xataka with Gemini
