Is This Chinese Company Watching the World to Train its AI?
The story of Meari Technology reveals how insecure-by-design IoT infrastructure, global surveillance exposure, and China’s tech ecosystem are converging into a new model of AI-enabled data power.
On May 11, 2026, The Verge, a US-based online technology media outlet, reported that French cybersecurity researcher Sammy Azdoufal discovered in early March that over one million smart devices in 118 countries, including baby monitors, security cameras and pet-monitoring cameras, can be remotely accessed. Anyone who knows how can view private images and live streams from these devices.
The manufacturer of these devices is a Chinese company named Meari Technology (觅睿科技) (Meari). Meari is an Original Design Manufacturer (ODM) or white-label manufacturer, meaning the company designs and builds products, which are then sold and rebranded by other companies. In this case, Meari claims that the company’s products have been distributed to more than 100 countries, with over 35 million users, according to its official website.
Sammy Azdoufal has discussed with the Natto Team how he reached out to inform Meari of the vulnerabilities in their products and how he encountered difficulties for over two months, from when he first contacted Meari Technology on March 2 to when the five high-risk Meari vulnerabilities were formally disclosed on May 11 by RunZero, an official CVE Numbering Authority (CNA) and enterprise exposure management and asset discovery platform.
The Natto Team felt Sammy’s deep frustration during this process. Sammy told the Natto Team that, after he discovered the vulnerabilities at the end of February, he just wanted the company to fix them as quickly as possible because seeing the faces of strangers’ children floating on the Internet made him “want to throw up.” However, after he emailed Meari on March 2 about his vulnerability discovery, he received no response for nine days, despite his efforts to contact the company through all possible channels. When Meari’s security team finally did start communicating with Sammy on March 11, Meari initially responded with what Sammy characterized as “veiled threats.” Eventually the company did address the primary flaw and issue a bug bounty award for his help, but this took six weeks of frustration, which Sammy has documented on his GitHub page.
This reminded us of the Natto Team’s previous report that detailed the story of Australian security researcher Sick Codes and his discovery in 2020 of vulnerabilities in Android TVs made by TCL, a Chinese multinational electronics company and the world’s second-largest TV manufacturer. The Natto Team’s previous research suggested that the TCL case in 2020 had taught the Chinese government and companies a lesson in how to respond to vulnerability reports by independent foreign researchers.1 However, six years later, Meari appears not to have learned the lesson that TCL did in 2020.
Indeed, the Meari case exposes a deeper problem. Meari’s infrastructure-level vulnerabilities, not device-level flaws, enabled the exposure of over a million IoT (Internet of Things) devices. The case suggests that Meari fails to embrace the secure-by-design approach, in which security is proactively embedded into a system from the ground up. In fact, according to Sammy’s security audit analysis, which he shared with the Natto Team, Meari Technology: “possesses by-design, architectural access to every camera deployed worldwide. This is not a single misconfiguration or an isolated bug. The platform’s core architecture -- from MQTT [Message Queuing Telemetry Transport] broker topology to credential provisioning, from alert image storage to peer to peer (P2P) relay infrastructure -- is built such that the vendor (Meari) and anyone who compromises the vendor can monitor, control, and extract footage from any customer’s camera at any time, without the customer’s knowledge or consent.” Sammy documented 12 independent pieces of evidence in his security audit and discovered “each individually proves some degree of vendor-side access. Taken together, Meari establishes that no meaningful security boundary exists between Meari’s backend infrastructure and the end-user’s camera feed.”
It appears that Meari may have its own reasons for its by-design, architectural access to every camera deployed worldwide. The Natto Team noticed that in the same week in March 2026 when Sammy was anxiously waiting for a response from Meari, the company went public, on March 9. Chinese market commentators praised Meari’s successful IPO as market recognition of Meari as a smart IoT firm “with core technologies and global market capabilities.” Meari’s share price doubled on the second trading day, reflecting investor enthusiasm for the company’s future growth. The contrast between a company with insecure products distributed globally and a company celebrating its success domestically makes us wonder who Meari Technology really is.
In this piece, the Natto Team takes a deep dive into Meari Technology to understand how a domestically acclaimed tech company maneuvers in the global market, how Meari’s response to vulnerability reporting reflects the ecosystem of vulnerability management in China, and how companies like Meari compete to develop artificial intelligence (AI) technologies.



