Video doorbell company Doorbird charges its customers $80 for a remote admin password reset, an outraged customer has said.
Robin Hunt told The Register: “I bought a DoorBird IoT intercom. Then my mobile phone broke, which had the admin password on it, so I mailed them and asked what to do.”
The company responded by sending him a PDF form to fill in. In it, they explained that for customers who “entered the email address for your door station at the admin section of the DoorBird App (DoorBird App – Settings – Administration), we are able to provide you with your login credentials immediately via email free of charge.”
Doorbird added, on the form, that it does not store the admin credentials of its door video intercom product.
For those who hadn’t registered an email address in advance with company support, the procedure is as follows:
“If you have lost the login credentials of your door station and not deposited an email address, the device has to be reset to factory defaults and a security check has to be performed. You will receive new login credentials.
“Because this process is attended to us with considerable effort, we provide this service charged with a flat rate of USD 80,-. The new login credentials are sent via DHL or UPS to your address indicated in this form, alternatively by Email.”
Customers are invited to email Doorbird their: full name; email address; postal address; the device’s MAC address; their ISP; the postcode in which the IoT intercom is located; “the copy / photo of your valid identity card (front and back)” and the original online order ID, among other items. New login creds will be sent “by registered mail” to the postal address given by the customer.
Given that Doorbird's product allows customers to view people knocking on their front doors via smartphone and unlock those doors remotely, perhaps this could be seen as an example of taking security seriously.
Their website, however, has no mention of the $80 penalty for asking to have your device’s password reset. It appears only customers asking for resets (i.e. those who have already locked themselves out) are sent the demand directly, so as to keep it out of the public eye.
“My bank doesn't charge me $80 for a password reset! On a $349 device this amounts to extortion,” complained Hunt. “In essence, if you don't keep the piece of paper (!) which is shipped with the device and contains the admin password, you're f*cked.”
DoorBird has yet to respond to The Register’s emailed enquiries.