Or… how insecure is the two wire video doorbell implementation from Avidsen.
About a month ago I bought the Avidsen Visiophone YLVA 2+ and the reason why I chose to buy a wired video doorbell over a wireless one, was due to security concerns. Lucky me… I found that with the current device it takes almost the same time for someone with a Quick Charge enabled Power Bank to enter my house as with someone with the door’s key!
Immediately after unboxing the doorbell and removing the single screw from the doorbell for an initial inspection I noticed that both Entry Gate’s and Door’s control electrical contacts where located at the doorbell site. Wait… it couldn’t be, I may be wrong… let’s read the manual.
Page 27 of the PDF (Page 7 of the English Version manual):
No! Bad luck! Exactly what I thought!
Page 29 of the PDF:
The doorbell, with all the controls, is secured in place with a single Philips screw without any form of tamper protection!
Page 32 of the PDF:
How to control a 12V electric strike plate for the door and the Gateway entry control:
How to get 12V from a QC Power Bank
Power Bank’s rated as QuickCharge 3 (QC3) and later, can output 12V by using Sam Mallicoat’s reply from hackaday:
It’s easy to set a QC3 supply to 12V with just two resistors and a toggle or push button switch. Here’s how: Take a 10K Ohm and a 2.2K Ohm and solder in series across the Vbus (red) to ground(black wire). The tap between the two resistors will measure about a Volt. Solder D+ (green to this tap. Then wire the D- (white) through a N.O. switch to the same tap.
Apply adapter or power pack supply and wait 1.5 seconds to push the button. Presto, 12V @1.5! No need to hold the button, the supply stays at 12.
Schematic [Updated: 03/07/2020]
The output when using a Blitzwolf BW-P6, 10000 mAH with Quick charge 3.0
Breaking into the house
So the procedure is as follows:
1st Step: Unscrew the single Philips Screw.
2nd Step: Apply 12 volts to LK+ and LK- contacts.
3rd Step: Get into the house! (Optional, screw the doorbell back to leave no traces)
This is a serious security issue and every owner should be aware of.
I tried to contact Avidsen from their site’s Contact Form and using two emails from their contact page without any luck. I hope that this post will reach owners out there to avoid any bad situations.
Furthermore, my doorbell is not the only model. There are many more :
- Asgard
- Bulla
- Effet miroir
- Effet miroir ref: 642277
- Krasten 2
- Nora Noir
- Smart 761
- Thomson 7" ref: 512162
- Ylva, 2+, 3, 3+, 3+ Compact
The worst of all is that they are aware of this issue:It seems that Avidsen’s – Thomson Smart Bracket 2 model suggests in the manual the use of silicone as a solution:(Updated [02/07/2020]: No that’s not correct! Thanks to CityZen and Roamin for their comments)
From Visiophone Smart Bracket 2 – Thomson manual:
Even some of their 4 wire Video doorbells have the same vulnerability:
The same problem seems to exist on their wireless model also:
Be careful… this is not the only company with this vulnerability
After my findings with the current device, I found out that there are many companies out there using two wire implementations for doorbells leaving entrance control exposed. Pay special attention if you plan to buy or already using a wired doorbell for the way the entrance control works. Most of the times the manuals are online, so you can avoid situations like this one.
The schematic for getting 12V out of a Powerbank seems to contain an error.
Your ouput-terminals (or what I assume represents the output based on the +/- labels) are shorted together and connected to D+. I assume you meant to take the power from vbus and gnd, but maybe you should update your schematic.
I don’t think the picture with the silicone gun is to protect someone from opening the box, but rather so that water doesn’t infiltrate between the wall and the back on the doorbell. The text only says to wire 2 or 4 wires depending on the system , and then to test the video call.
Yes, indeed that’s the case! Thank you for the translation!
I think the caulking is just shown for weatherproofing the wiring, or for making a neater installed appearance, but not for security (since they show the caulk bead going between the panel back and the mounting surface instead of between the front and back panels).
Yes you are right!!
Your schema is off and won’t provide ANY voltage to the outputs because there is a short circuit between the two output poles..
The output probably is between VBUS and GND (“before” the resistors, not after), i.e. directly attached to the powerbank?
As I mention in the post, the schematic is something which I found on hackaday from someone else ( Sam Mallicoat ) and I just implemented it. It’s not appropriate for every USB Power Source but specifically for QC enabled Power Banks. It’s a simple voltage divider which activate the respective output (12V) from the (QC enabled) Power Bank. The only difference from the simplest form of voltage divider which you can see here is that I labeled the resistors in reverse order. The first video shows how the Power Bank switches from 5V output to 12V after connecting D- line to the voltage divider. Providing about 1 volt to the D- 1,5 second after turning on the battery is enough to switch the output to 12V.
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?