As the only German manufacturer in the AV-TEST comparison test on the subject of video intercoms, we admittedly had quite high expectations of the “IP Video Station” by DoorBird. On the feature side, the product is in no way inferior to the other candidates in the test. In the article, however, we already briefly reported why there are some points with regard to IT security and data privacy that prevent a high overall rating. In the following, the identified problems and the resulting consequences are discussed in more detail.
The mobile Android and iOS applications (Android v4.60, iOS v4.60) give a solid impression: The static analysis did not identify any obviously critical weak points, and there was also no reason to criticize the code obfuscation or the implementation of the encrypted communications. Even locally on the user’s smartphone, no unprotected sensitive information was stored and thus exposed to potential malware.
What particularly strikes us about the mobile applications is how password security is handled: The passwords used are generated exclusively by the application itself. This means that in the event of a password change, the user cannot enter a freely defined password himself but can only have a new one generated by the app. However, the generated passwords can only be described as moderately complex and secure (always fixed length, low complexity). Probably the intention here was to prevent the randomly generated passwords from being even more difficult for the user to remember. The advantage of password generation is, of course, that it prevents the user from setting up weak passwords. On the other hand, an attacker can also reconstruct the method for generating the passwords from the source code, which at least gives him knowledge of the rules for the password generation. This can significantly reduce the search space and thereby the effort for a potential brute force attack.
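To make the search-space argument concrete, the following Python is an added example (not code from the article or from DoorBird). It puts an assumed “app-style” policy (8 characters, lowercase plus digits; the real DoorBird rules are not published on this page, so this alphabet and length are constructed) next to a hardened policy, generates passwords with a CSPRNG, checks whether a candidate could have come from a given rule set (which is exactly what a known generator lets an attacker do), and converts the resulting entropy into a worst-case exhaustive-search time at an assumed guess rate:

```python
import math
import secrets
import string

# Assumed generator policies for illustration. The article states only that the
# app generates fixed-length, low-complexity passwords; the exact rules are not
# published there, so the "app-style" alphabet and length are constructed.
POLICIES = {
    "app-style (assumed: 8 chars, lowercase + digits)": (string.ascii_lowercase + string.digits, 8),
    "hardened (16 chars, letters + digits + punctuation)": (
        string.ascii_letters + string.digits + string.punctuation, 16),
}

# Assumed offline guessing rate used only for the comparison; real rates depend
# on the hash function or protocol the password is verified against.
ASSUMED_GUESSES_PER_SECOND = 1e9


def generate_password(alphabet: str, length: int) -> str:
    """Generate a password with a CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fits_policy(password: str, alphabet: str, length: int) -> bool:
    """True if the password could have been produced by the given rules.

    Knowing the rules lets an attacker discard every candidate for which this
    returns False; that is what shrinks the search space below the nominal one.
    """
    return len(password) == length and all(c in alphabet for c in password)


def search_space_bits(alphabet: str, length: int) -> float:
    """Entropy in bits of a uniformly generated password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the space at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies(policies=POLICIES) -> dict:
    """Return {policy name: (bits rounded to 2 places, years to exhaust)}."""
    result = {}
    for name, (alphabet, length) in policies.items():
        bits = search_space_bits(alphabet, length)
        result[name] = (round(bits, 2), years_to_exhaust(bits))
    return result


if __name__ == "__main__":
    for name, (alphabet, length) in POLICIES.items():
        pw = generate_password(alphabet, length)
        bits, years = compare_policies()[name]
        print(f"{name}: sample={pw!r} fits={fits_policy(pw, alphabet, length)} "
              f"bits={bits} exhaustive search ~{years:.2e} years")
```

The fixed-length, small-alphabet policy lands at roughly 41 bits, which an attacker who knows the rules can exhaust in well under a day at the assumed rate; the longer, richer policy is beyond 100 bits. The generator itself is not the problem, the rule set is.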
All in all, there is no real reason for us to criticize the application.
However, the situation is different for the point “Local communication”. Here DoorBird provides an example of a classic problem that we unfortunately still see occurring frequently: unsecured local communication. Manufacturers, and in this case explicitly DoorBird, often assume that local communication is not worth protecting because it is supposed to run in a protected network. This, however, is a dangerous assumption, and it also shifts the responsibility onto the customer. Even in an encrypted network, it cannot be assumed that all network participants are automatically legitimate users of the product. There is also the possibility of a device on the same network that has been compromised by malware, for example, which can then read and/or manipulate the unprotected local data traffic of the product.
In the case of the DoorBird video station, the user name and password for user and administrator access to the device can be read locally. Since video and audio data are also transmitted locally without protection, they could also be read and manipulated by a potential attacker. However, an attacker who has obtained the user credentials would have access to these anyway. In addition, the transponders belonging to the system can be learned and unlearned via the admin functions.
The transponders themselves have some possible attack vectors due to the technology used. Those used by DoorBird here, however, are at least at an adequate security level and thus not easily attackable.
For online communication, the test also revealed an important aspect that had to lead to a negative rating for this point. The login process itself is adequately encrypted and, according to our tests, is also effectively protected against the usual man-in-the-middle attacks by the recommended mechanisms.
For rather inexplicable reasons, however, the situation is different for the transmission of the video and audio data captured by the video station. These are sent from the device to the cloud via unsecured HTTP and from the cloud back to the user’s smartphone via equally unsecured UDP. Data of this type is of course worth protecting and should be transmitted in encrypted form. The necessary infrastructure for secure encrypted communication seems to be in place, as we confirmed for the login process.
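The local-communication findings above and the cloud transport described here come down to the same defender's check: which flows carry credentials or media over a transport that is readable on the wire? The following Python is an added example, not code from the article or from DoorBird. It audits constructed flow summaries (the addresses, ports, URL paths and the assumed LAN range are all made up for illustration) and flags cleartext credentials and cleartext media, distinguishing local from cloud-bound traffic, while passing TLS and DTLS-SRTP flows:

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed flow summaries for illustration (not captures from the tested
# device): "src -> dst PROTO dport | payload excerpt". All values are made up.
SAMPLE_FLOWS = """\
192.168.1.20 -> 192.168.1.50 TCP 80 | GET /api/status HTTP/1.1 Authorization: Basic [redacted]
192.168.1.50 -> 192.168.1.20 TCP 80 | HTTP/1.1 200 OK Content-Type: multipart/x-mixed-replace
192.168.1.50 -> 203.0.113.10 TCP 80 | POST /stream HTTP/1.1 Content-Type: video/mp4
203.0.113.10 -> 192.168.1.20 UDP 40000 | RTP payload PT=96
192.168.1.20 -> 203.0.113.10 TCP 443 | TLS ClientHello SNI=cloud.example.invalid
203.0.113.10 -> 192.168.1.20 UDP 40002 | DTLS-SRTP payload
"""

# Assumed home LAN of the constructed capture; a flow with both ends inside is "local".
LAN = ipaddress.ip_network("192.168.1.0/24")

FLOW_RE = re.compile(r"^(\S+) -> (\S+) (TCP|UDP) (\d+) \| (.*)$")
# Payload excerpts containing these markers are treated as encrypted on the wire.
ENCRYPTED_MARKERS = ("TLS", "DTLS", "SRTP")
CREDENTIAL_RE = re.compile(r"Authorization:|X-Auth-Token:|\bpassword=|\bpasswd=", re.I)
MEDIA_RE = re.compile(r"Content-Type:\s*(video/|audio/|multipart/x-mixed-replace)|RTP payload", re.I)


@dataclass
class Finding:
    severity: str
    issue: str
    flow: str


def is_encrypted(payload: str) -> bool:
    return any(marker in payload for marker in ENCRYPTED_MARKERS)


def scope(src: str, dst: str) -> str:
    """'local' when both endpoints sit on the LAN, otherwise 'cloud-bound'."""
    in_lan = ipaddress.ip_address(src) in LAN and ipaddress.ip_address(dst) in LAN
    return "local" if in_lan else "cloud-bound"


def audit(flows: str) -> list[Finding]:
    """Flag credentials and media carried over transports readable on the wire."""
    findings: list[Finding] = []
    for line in flows.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src, dst, proto, dport, payload = m.groups()
        if is_encrypted(payload):
            continue  # TLS / DTLS-SRTP: content is not readable by a local observer
        where = scope(src, dst)
        if CREDENTIAL_RE.search(payload):
            findings.append(Finding("critical", f"{where} credentials in cleartext over {proto}/{dport}", line))
        if MEDIA_RE.search(payload):
            findings.append(Finding("high", f"{where} media stream in cleartext over {proto}/{dport}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'critical': 1, 'high': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for f in results:
        print(f"[{f.severity}] {f.issue}: {f.flow}")
    print(summarize(results))
```

Run against the constructed capture, the audit reports one critical finding (credentials over local HTTP) and three high ones (local MJPEG, cloud-bound HTTP video, cloud-bound plain RTP), and stays silent on the TLS login and the DTLS-SRTP flow. In a real assessment the same classification would run over flow records exported from a capture of the device's own traffic.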
Unfortunately, the DoorBird solution also cannot score points in the area of data privacy. A detailed general data privacy statement does exist, but it has no product reference to the video station and only applies to the DoorBird website. Accordingly, essential information on the data collected, processed and stored by the product itself is missing here. Especially because the DoorBird app requests various permissions (camera, microphone, location, etc.) that could be used to collect personal data, detailed information would have to be provided here.
By the way, we had already noted similar criticisms in the test of an older DoorBird product more than 1.5 years ago (https://www.iot-tests.org/de/2018/02/unterwegs-und-doch-zuhause-die-doorbird-ip-video-tuerstation-im-test/). At that time the GDPR was not even in force yet. It seems that not much has improved in this area.
As a consequence, we can only give a negative rating for this test category as well.
DoorBird’s IP Video Station unfortunately reveals some obvious weaknesses in our quick check, and a more in-depth test might well identify several more; there are some indications we have not mentioned here.
The flaws in local and online communication in particular are of great importance. Since a negative rating also had to be given in the area of data privacy, we are unfortunately unable to award any of the three possible stars here.