Or… how insecure is the two wire video doorbell implementation from Avidsen.
About a month ago I bought the Avidsen Visiophone YLVA 2+ and the reason why I chose to buy a wired video doorbell over a wireless one, was due to security concerns. Lucky me… I found that with the current device it takes almost the same time for someone with a Quick Charge enabled Power Bank to enter my house as with someone with the door’s key!
Immediately after unboxing the doorbell and removing the single screw from the doorbell for an initial inspection I noticed that both Entry Gate’s and Door’s control electrical contacts where located at the doorbell site. Wait… it couldn’t be, I may be wrong… let’s read the manual.
Page 27 of the PDF (Page 7 of the English Version manual):
No! Bad luck! Exactly what I thought!
Page 29 of the PDF:
The doorbell, with all the controls, is secured in place with a single Philips screw without any form of tamper protection!
Page 32 of the PDF:
How to control a 12V electric strike plate for the door and the Gateway entry control:
How to get 12V from a QC Power Bank
Power Bank’s rated as QuickCharge 3 (QC3) and later, can output 12V by using Sam Mallicoat’s reply from hackaday:
It’s easy to set a QC3 supply to 12V with just two resistors and a toggle or push button switch. Here’s how: Take a 10K Ohm and a 2.2K Ohm and solder in series across the Vbus (red) to ground(black wire). The tap between the two resistors will measure about a Volt. Solder D+ (green to this tap. Then wire the D- (white) through a N.O. switch to the same tap.
Apply adapter or power pack supply and wait 1.5 seconds to push the button. Presto, 12V @1.5! No need to hold the button, the supply stays at 12.
Schematic [Updated: 03/07/2020]
The output when using a Blitzwolf BW-P6, 10000 mAH with Quick charge 3.0
Breaking into the house
So the procedure is as follows:
1st Step: Unscrew the single Philips Screw.
2nd Step: Apply 12 volts to LK+ and LK- contacts.
3rd Step: Get into the house! (Optional, screw the doorbell back to leave no traces)
This is a serious security issue and every owner should be aware of.
I tried to contact Avidsen from their site’s Contact Form and using two emails from their contact page without any luck. I hope that this post will reach owners out there to avoid any bad situations.
Furthermore, my doorbell is not the only model. There are many more :
- Effet miroir
- Effet miroir ref: 642277
- Krasten 2
- Nora Noir
- Smart 761
- Thomson 7" ref: 512162
- Ylva, 2+, 3, 3+, 3+ Compact
The worst of all is that they are aware of this issue: It seems that Avidsen’s – Thomson Smart Bracket 2 model suggests in the manual the use of silicone as a solution:(Updated [02/07/2020]: No that’s not correct! Thanks to CityZen and Roamin for their comments)
From Visiophone Smart Bracket 2 – Thomson manual:
Even some of their 4 wire Video doorbells have the same vulnerability:
The same problem seems to exist on their wireless model also:
Be careful… this is not the only company with this vulnerability
After my findings with the current device, I found out that there are many companies out there using two wire implementations for doorbells leaving entrance control exposed. Pay special attention if you plan to buy or already using a wired doorbell for the way the entrance control works. Most of the times the manuals are online, so you can avoid situations like this one.