Many in the community are skeptical about the security of commercial smart home devices, and for good reason. You don't have to look far to find examples of poorly implemented systems, or products that are abandoned by their manufacturers and left without critical security updates. But the design flaw in this video doorbell really drives home how little thought some companies give to their customers' security.
As explained by [Savvas], and demonstrated in the video after the break, all you need to do to get into a home equipped with one of these vulnerable doorbells is pop the unit off the wall and hit it with 12 volts DC.
Incredibly, the terminals that connect to the electronic lock inside the house are completely accessible on the back of the unit. They are even labeled, on the off chance the burglar forgets which wire is which. It's not as though the thing is held on with some kind of unusual security screw, either; it's just a garden-variety Phillips.
In the video, [Savvas] also shows the little gadget he attached to a QuickCharge USB battery bank to get a portable 12 VDC source suitable for tripping these locks. Interestingly enough, it is based on a trick he read about in the Hackaday comments. Something to consider while penning your next comment on these storied pages.
[Savvas] says he's reached out to the company to get their side of the story, but so far hasn't received a response. We aren't surprised; this is a fundamental flaw in the product's architecture, not something a firmware update can fix. The wiring that drives the lock terminates on the outside of the door, so anyone who can reach the back of the unit can actuate the lock directly, regardless of how the doorbell itself decides who is allowed in. Clearly they wanted to make an easy-to-install device that doesn't require any additional electronics in the house, and this is the inevitable end result of that oversimplification. All the more reason to roll your own smart doorbell.
I do love that it lends credence to every lazy action/sci-fi movie’s keypad hacking scene!
In the real world, Sybex-type locks are not difficult. It’s time, but practice makes speed and a bit of graphite on the buttons lets you know which ones aren’t used. Of course this sort of stuff should only be done on a practice lock or with the owner’s permission.
I wonder if a powerful coil could induce a current that would do the job so you wouldn’t have to deal with the screws. Not familiar with these devices, with good reason as it turns out.
The first thing that came to mind when I read this was a scene in the original Teenage Mutant Ninja Turtles where Leonardo slices a keypad off the wall with a katana, then twists the two exposed wires running to it together, opening the door it controlled. Looks like this video is basically that IRL.
I think there are three reasons for the lack of security, and I don’t know which order they should appear in:
1 – Lack of care (by the designer)
2 – Defined constraints (being told by beancounters what corners to cut)
2 – Cost (it *has* to be cheaper than every other shitty door lock / security system out there)
3 – Garbage in garbage out.
Give the wrong specs to the contractor, he/she will build what you asked for on paper even when your specs are flawed.
Contractor? Hell, we do that daily within our own organization.
Cost is probably it. Embedding intelligence on the secure side of the door requires two embedded systems instead of one and some components.
This is super lazy and unforgivable, but sadly typical home mechanical locks aren’t a whole lot better.
Locks are only for keeping good people from getting too curious. They don’t really provide any security from determined attackers. But even so, this is pitifully weak.
Agreed. Locks and any security measures are really only there to keep an honest person honest as anything made by a person can be unmade by another person.
That being said, this is sadly comical, as it appears that the bare minimum effort was employed in the design.
Are you saying that the burglars who keep going around people’s houses checking for weak security before they try to break in are honest up to the point where they find an unlocked door?
Yup. Most burglaries (in the UK) are opportunity attacks. Unlocked doors and windows left open are the easiest targets.
I think you missed the point.
It’s the same as whether you return the wallet you found on the street with the cash, or keep it. The adage is just mistaken – if the person takes the opportunity, they were not honest to begin with. What that means for the argument: locks serve no purpose. Criminals get in anyways, honest people won’t.
It’s rather that even the weakest security deters some criminals who aren’t competent enough to defeat it, or the time it would take to get through would risk too much exposure and they leave it alone.
Most locks are easily defeated by someone with a bit of experience, in some cases, almost no experience. You don’t have to look further than the Lock Picking Lawyer on YouTube for a lot of examples.
https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ
He makes single pin picking locks look soooo easy!
He’s done many electronic locks recently, maybe that’s where the inspiration for this came from…
If I learned anything from his channel, it’s that the RamSet gun has many uses.
I don’t know what kind of doorbell that is, but I have never seen one that unlocks a door. Mine certainly doesn’t. It just rings the doorbell and sends a notification to our phones.
I think that the part they left out was when the resident heard the doorbell and buzzed the visitor in, it was just sort of implied.
This one seems to have an RFID feature to allow it to unlatch the door. Regardless of what the trigger is, it is capable of unlatching the door if you install it to do so.
I have seen some, especially for offices and shops. Actually my bank has a twin door that opens by pressing the outside button. Then you enter the first door (and activate a metal detector); if the metal detector doesn’t trigger you can then press a button and open the second door.
Also my GP has a door that opens by pressing a button to enter the waiting room.
His site rejects my comment as spam, maybe he read the HaD comments:
The schematic for getting 12V out of a powerbank has the output shorted together and connected to D+.
I’m assuming his circuit is not built that way, but his schematic definitely shows it like that…
VBUS and GND would be the output points to use. There’s no need to have the output running through the 2.2k and 10k resistors. The + and – shouldn’t be shown near the ‘tap’ but instead near the VBUS and GND markings.
The schematic is probably wrong; it looks wrong.
I don’t think his schematic is wrong; just before it is the quote from the Hackaday comment explaining how to enable 12 V on a QuickCharge 3.0 charger. He says to make a voltage divider of about 1 V between VBUS and GND, tap D+ to that voltage and momentarily set D- to that same voltage, and the charger will switch states and output 12 V @ 1.5 A.
I imagine this protocol is similar to how USB C voltage switching is done. I suspect if you wanted to you could get a power control chip that would do the protocol “correctly.”
It’s a mistake in the schematic. The outputs should be wired from the other sides of the resistors.
The site seems to reject all comments as spam. Keeps it nice and clean of comments, in any case.
Hey there, the comments at novamostra.com are currently held for manual moderation to avoid spam.
Now, about the schematic: as @Roamin mentions (and as you can also read in the original blog post), it is not my own invention but rather something I found on Hackaday from someone else (Sam Mallicoat) and just implemented. It’s a simple voltage divider which activates the respective output (12 V) from the QC-enabled power bank (the only difference is that I labeled the resistors in reverse order). In the original blog post, you can see the schematic’s implementation with the 12 V output; the only difference is that for the specific model of power bank the switch must stay in the “connected” position.
For anyone who wants a simple wiring and calculation of the two resistor voltage divider, have a look here: http://www.ohmslawcalculator.com/voltage-divider-calculator
You should re-read what we’re saying about the schematic. It is wrong as shown and should be changed. The part about the voltage divider is fine. The wrong part is where you’ve shown the output attached to.
The problem is that on the right side you show “+” and “-“, implying that those are the outputs. They aren’t. The output +/- terminals are still VBUS and GND on the original connector. That’s what CityZen’s saying.
Oh … ! Thanks for pointing this out! I updated the schematic!
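The resistor divider debated in the thread above (the 2.2k/10k pair tapped off VBUS to bias D+ and D-) is the only piece of this trick that involves any arithmetic, and it is easy to get the orientation wrong, as the schematic discussion shows. The following is an added example, not code from the original post or from novamostra.com: it computes the unloaded tap voltage of a two-resistor divider and searches standard E12 values for pairs that land near a requested tap voltage without drawing much current from VBUS. It assumes a 5 V VBUS, a target of roughly 0.9 V (the thread's "about 1 V"), and that the 10k sits on the VBUS side with the 2.2k to GND; that ordering is an assumption, since the author reports the schematic's labels were swapped.

```python
"""Resistor-divider helper for a QuickCharge D+/D- bias tap.

Added example, not code from the original post or from novamostra.com.
Assumptions: 5 V VBUS, E12 resistor series, 10k on the VBUS side and 2.2k
to GND for the reference pair, and an unloaded tap (the charger's D+/D-
inputs are treated as high impedance, so the real tap voltage will be
slightly lower than computed here).
"""

E12 = [1.0, 1.2, 1.5, 1.8, 2.2, 2.7, 3.3, 3.9, 4.7, 5.6, 6.8, 8.2]
DECADES = [100, 1_000, 10_000, 100_000]  # 100 ohm .. 820k


def standard_values():
    """All E12 resistor values across the decades above, in ohms."""
    return [round(base * decade) for decade in DECADES for base in E12]


def divider_vout(vin, r_top, r_bottom):
    """Unloaded tap voltage: vin across r_top + r_bottom, tap between them."""
    return vin * r_bottom / (r_top + r_bottom)


def divider_current_ma(vin, r_top, r_bottom):
    """Quiescent current the divider itself draws from vin, in mA."""
    return vin / (r_top + r_bottom) * 1000.0


def find_pairs(vin, target, tol=0.05, max_current_ma=1.0):
    """Standard-value pairs whose tap lands within tol (fraction) of target.

    Returns (r_top, r_bottom, vout, i_ma) tuples sorted by voltage error,
    then by divider current, so the most accurate, lowest-draw pair is first.
    Pairs that would load VBUS with more than max_current_ma are dropped.
    """
    values = standard_values()
    matches = []
    for r_top in values:
        for r_bottom in values:
            vout = divider_vout(vin, r_top, r_bottom)
            i_ma = divider_current_ma(vin, r_top, r_bottom)
            if abs(vout - target) / target <= tol and i_ma <= max_current_ma:
                matches.append((r_top, r_bottom, round(vout, 3), round(i_ma, 3)))
    matches.sort(key=lambda m: (abs(m[2] - target), m[3]))
    return matches


def reference_pair(vin=5.0):
    """The thread's pair (10k to VBUS, 2.2k to GND), as (vout, i_ma)."""
    return (round(divider_vout(vin, 10_000, 2_200), 3),
            round(divider_current_ma(vin, 10_000, 2_200), 3))


if __name__ == "__main__":
    vout, i_ma = reference_pair()
    print(f"10k/2.2k from 5 V: tap = {vout} V, divider current = {i_ma} mA")
    print("Other E12 pairs near 0.9 V:")
    for r_top, r_bottom, v, i in find_pairs(5.0, 0.9)[:8]:
        print(f"  top={r_top:>7} bottom={r_bottom:>7}  {v} V  {i} mA")
```

The search is there so you can see why the 2.2k/10k pair is a sensible choice rather than a magic number: it is among the closest E12 pairs to 0.9 V that draw well under a milliamp, which matters because the divider hangs permanently across VBUS. Whichever pair you pick, the output you actually use is still VBUS and GND, exactly as the corrected schematic shows; the divider only biases the data lines.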
You can tell he’s a good neighbor. He replaces the screw after breaking in.
A single 23A battery would open that, smaller even than a triple-A.
When you say “23a battery” are you trying to say A23 battery? 55mAh.
I’d expect a 9 volt battery would work. And the terminals are on top, so you could just stick them right on the terminals, no wires needed.
Good point, the coil of a relay isn’t super voltage-picky.
Nah, they will swing very wide in regard to input voltage; a 12 volt relay would probably actuate at 6 to 18 and not even think about it.
Normally yes. And if one 9V battery is not enough, use two. :-)
I learned this trick from the Scott Bakula pilot for “Infiltrator”. You just have to get deep enough into the lock to find where the wires are to the latch actuator and hit them with some power. This doorbell thing just conveniently puts them practically out in the open, with a “Break in here” sign.
You encounter the same problem with lots of commercially available gate control systems. In many cases the cables to the motor are left completely unprotected and can simply be cut, stripped, and connected to a car battery with jumper cables. I demonstrated this to a family friend (with his permission) after he doubted my concerns about the security of his new gate. We remedied the problem as best we could with some liquid-tight flexible metallic conduit. Not a perfect solution by any means, but better than the previous situation. Any security system that leaves access available to opening mechanisms operating at standard voltages without any sort of encrypted electronic lockout is effectively there for show.
A car battery is quite a heavy overkill for this purpose. A 3s LiPo or even 1-2 normal 9V batteries should be enough.
A car battery is just what I had on hand that matched the voltage requirement. It is also something that everyone driving up to the gate has access to, and thereby highlights the security issue.
I would also be concerned that 9V batteries would not meet the current requirements of the motor to open the gate as it was a reasonably good size.
Oh no, not flexible conduit, now I’ll have to jam the sharp end of my tire wrench into it.
With the piss-poor design of the opener, delay and inconvenience were the best I could manage.
This is just laughable. Avoiding this attack vector is literally the first thing that comes to mind when pondering how to construct an electronic access control system as a wee beginner.
I installed a video intercom for a friend just last week, had exact same flaw. I think most of them can be hot-wired like that.
I wouldn’t put these on my front door, but on a gate for example it’s less of a risk since it’s much faster to jump the fence :)
Made in China. This sure looks like state sponsored supply chain backdoor.
I wonder what would happen to the portable 12V power supply if someone installs one of these panels for show only, and commons up the red and the black wires out of sight, or alternatively, connects them to a 12V siren, or ….
That only depends on the power capability of the 12 V source. The USB thing probably has internal current limiting/short circuit protection. If you use a car jumper pack or LiPo, the thin wires will turn into an electric heater. This is often 0.14 mm² to 0.25 mm² wire; with a few amps it gets so hot that it wants to strip its insulation.
A siren will probably sound.
Is the schematic shown here vastly simplified ?
A single normally open relay on the solenoid’s power doesn’t seem right to me; that’d mean someone could try this trick with something more than 12 V and blow the coil in the relay, locking the residents inside.
But why even use a separate supply, when the unit is being fed already?
That cuts your tools down to pretty much a scrap of wire.
Which is why they should make wires illegal to own unless you’re a licensed security door access system professional.
By the looks of the enclosure it’s made of plastic; I wouldn’t be surprised if a powerful neodymium magnet would be all it takes to actuate the relay and open the door.
That’s worse, many “commercial” units like that don’t even require voltage to be supplied… they simply use a dry-contact (relay output) to trigger the door release. Which makes it a matter of popping the door station, shorting two wires together…. and enter.
Bottom line, from a “proper” security standpoint, you need ALL of those elements centralized and not exposed to the exterior in any way.
If you just replace the philips screw with a robertson then no one will be able to break in! (Well except in Canada.)
It’s not. If you fried the coil, the latch plate would no longer open, but the door latch could still be retracted with the handle as normal, so the residents would be able to get out, but unless they also had a key, they wouldn’t be able to get back in.
I’ve seen enough Lock Picking Lawyer to tell that, according to the diagram, if you place a strong magnet close to the relay, it might simply trigger the door to open, since the power for the locking mechanism wasn’t from the lock’s circuit but directly from the power socket.