Rich Stroffolino

So it turns out buying white-label IoT devices from anonymous Chinese firms isn’t the best idea for your privacy. Not that being an established brand means you’ll do much better in terms of security architecture. Remember what Wyze, Eufy, and Ring did?

But this example seems like another level of ineptitude. Not only are the vulnerabilities trivial (you can war dial URLs to get access to camera images), but the vulnerability also spans anonymous cheap brands sold at various outlets. This will make messaging difficult because it’ll be a bulk list of brands you don’t know.