In the course of the video intercom comparison test, we of course also looked at one of the Far Eastern models sold in Germany, in this case the Somikon Wifi HD video doorbell which is distributed in Germany by Pearl.
As by far the cheapest product in the comparison test, we admittedly had no great expectations. In fact, the device had to take some criticism in the test – the relatively large number of minor problems, especially regarding data privacy, prevent a good rating here.
Customers will look in vain for a companion mobile application under the Somikon name. The intercom can, however, be controlled with the “DophiGo” app from the actual manufacturer of the Xiaotun device. At a good 17MB the application (Android v2.5.1536, iOS vX) is not exactly lightweight, but compared with its competitors it is relatively slim. It is also noticeable that the entire functionality of the Android application is contained in native shared objects (.so). This kind of implementation was most probably not chosen for security reasons. It does, however, make reverse engineering considerably more difficult, because readable source code cannot be reconstructed from compiled shared objects the way it can from the bytecode of a classic Java implementation. Other reverse engineering methods, e.g. code injection, still exist, but are comparatively complex. It is therefore at least harder for a potential attacker to find exploitable vulnerabilities this way.
Our static analysis reported potential vulnerabilities and implementation errors in the applications, among others in the third-party advertising modules and trackers, of which, as is unfortunately typical, a large number are included: Alibaba, Tencent, Xiaomi and Huawei, to name but a few. So that these can fulfill their data-hungry mission, the app requests pretty much every permission the system provides. For example, the application collects information about other installed applications and whether the user is using WeChat and WhatsApp. The phone number is also recorded. Not surprisingly, this information is transferred to the manufacturer and to other services. Some of the collected information is also stored locally on the smartphone. We also found the stream preview image, which is loaded and displayed to the user before the app switches to the live image, stored unprotected on external storage (the SD card). Because of this storage location the image is readable by every other application on the smartphone, which is concerning from a privacy perspective and neatly sums up our conclusion for the application.
No IP-based network communication could be detected for the Somikon in the local network. Bluetooth communication is established only with the smartphone, to set up the device and transmit the network credentials. The quick check tests did not identify any obvious weaknesses in either form of communication.
When communicating via the Internet, however, the device suffers from a number of weaknesses that negatively influence the rating for this test section. Although the actual login process is encrypted and adequately secured against common Man-in-the-Middle attacks, most of the rest of the communication is not encrypted.
For example, the preview image stored on the SD card is also downloaded over an unsecured HTTP connection. Even worse is the lack of protection for the camera's actual video stream. For data privacy reasons alone, this image and audio data should be protected from access by third parties. In addition, some status information about the user and the user's smartphone, such as the IMEI or the smartphone model, is transmitted unprotected.
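The plaintext findings above (a preview image fetched over HTTP, and IMEI and model data sent in the clear) are the kind of thing a tester checks by exporting the app's flows from an intercepting proxy and scanning them. The following script is an added example and not part of the original test or the vendor's software; the flow records and the vendor hostnames in it are constructed, and the IMEI is the well-known Luhn-valid sample value, not a real device identifier.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed flow records as a proxy export would give them: (method, url, body).
SAMPLE_FLOWS = [
    ("POST", "https://api.example-vendor.invalid/login", "user=alice&pw=***"),
    ("GET", "http://cdn.example-vendor.invalid/preview/door_123.jpg", ""),
    ("POST", "http://stat.example-vendor.invalid/report",
     "imei=490154203237518&model=Pixel+3"),
    ("GET", "https://api.example-vendor.invalid/events", ""),
]

IMAGE_EXT = (".jpg", ".jpeg", ".png")
# Parameter names that typically carry device or user identifiers.
ID_KEYS = {"imei", "imsi", "model", "phone", "mac"}


def luhn_ok(number: str) -> bool:
    """Luhn check digit validation, as used for IMEI numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_leaks(flows):
    """Return {url: [issues]} for every flow sent over plain HTTP that
    carries an image or a device/user identifier in the clear."""
    findings = {}
    for _method, url, body in flows:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # TLS-protected; outside this plaintext check
        issues = []
        if parts.path.lower().endswith(IMAGE_EXT):
            issues.append("image over plaintext HTTP")
        params = {**dict(parse_qsl(parts.query)), **dict(parse_qsl(body))}
        for key in params:
            if key.lower() in ID_KEYS:
                issues.append(f"identifier '{key}' sent in clear")
        # Any 15-digit Luhn-valid token is reported as an IMEI-like value.
        for m in re.finditer(r"\b\d{15}\b", url + " " + body):
            if luhn_ok(m.group()):
                issues.append(f"IMEI-like value {m.group()} sent in clear")
        if issues:
            findings[url] = issues
    return findings


if __name__ == "__main__":
    for url, issues in find_plaintext_leaks(SAMPLE_FLOWS).items():
        print(url, "->", "; ".join(issues))
```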
Based on this, we cannot give a positive rating for this area.
All in all, the Somikon Wifi HD video doorbell lacks some important mechanisms needed to guarantee even basic security. Especially in the area of data privacy we can only certify a “questionable” result in many regards. In the area of online communication, too, several points have a clearly negative impact on the overall rating. Only the facts that the local communication shows no real weak points and that the data privacy declaration provides at least some useful information save the product's rating, which comes to barely 1 of the 3 possible stars for the quick check.