Show HN: I built an app to use a QR code as my doorbell (dingdongdoorbell.com)
I didn’t have a doorbell before (multiple reasons) and my house feels unwelcoming without one. So I built a doorbell app that uses a QR code - visitors scan the QR code to ring the doorbell and I get notified on my phone.
Here is an example of the QR code I have on my door. You can scan it and say hello: https://www.thebacklog.net/img/2024/10/show-hn.png
This was also a great excuse to build my first app for Android and iPhone.
I’d love to get some feedback before I spend more time polishing the app. Please try it out and feel free to ask me any questions! No logins or accounts needed.
236 comments
[ 2.5 ms ] story [ 239 ms ] threadI'm not sure if your and my definition of complicated are the same in this case
This is even supposing that I want to do that to begin with (I know for sure delivery drivers are never doing it).
Good job on the project, I really mean it. It doesn't matter what you do, it matters that you've achieved it and for that, congrats. But as a practical semi-object, this has to be one of the worst ways possible to solve the problem.
From the owner's perspective I imagine it's at least a little bit simpler to install an app and put up a QR code. Although if they have to print it out themselves I guess all bets are off.
> Good job on the project, I really mean it. It doesn't matter what you do, it matters that you've achieved it and for that, congrats. But as a practical semi-object, this has to be one of the worst ways possible to solve the problem.
Thank you, those are kind words. I doubt that this is the worst possible way in every context, but working towards better solutions is why we share stuff and ask/give feedback :)
I mean this could be a okay solution for a very certain set of circumstances, but making your visitors scan a QR-Code seems like bad UX, why not have them fill out a form while you're at it?
If I had a situation where it was impossible to run wires through the wall I'd install a old-school knocker on the door and a knock sensor on the inside. UX is intuitive and the knock sensor can still send me things to the phone if I like that.
Wireless doorbells can be found for tens of dollars. You can get them with multiple receivers you can place around your house.
I wonder if instead of complexity you should call this a cheaper alternative to a smart doorbell?
I don't think many of us think of smart doorbells as particularly complex. However, they could be out of budget for many.
Alternatively, you could market as privacy respecting, where a smart doorbell is always recording.
Something like this really needs a periodic refresh or some proximity proof like NFC.
Who invented doors? Perhaps that’s where it all went wrong. /s
About a decade before that, we kids basically only had SMS text messaging, and it was very expensive in my country, mobile data doubly so. There was however a "please call me" feature, where you could send a "please call me" text to a friend free of charge. We used to send please call me's to one another all the time, not because we wanted to be called, it was just the cheapest form of digital communication.
I'm considering setting up an ESP to integrate my old bell's chime with the QR code.
But I agree I wouldn't want a static QR code linked to anything that could bother me.
Oh.
Let's make the doorbell an NFC payment touchpoint. Tap and pay 25 cents to ring the doorbell.
The more you tap (and pay), the more the doorbell will make an effort to reach the person on the other side.
Wanna pay $20 to the doorbell? Sure, I guess it can ring my phone to let me know someone shows up...
Static QR codes make no sense by themselves because they can be replayed. Same goes for "pay with your face" biometrics. The person is supposed to confirm something on THEIR OWN phone, to authenticate themselves and their location. Then the QR code to scan can indeed be static. Since the person's phone has to have the Internet anyway to make requests, simply change the interface on the PHONE.
QR codes printed on a flyer or wherever are meant to "start the conversation". The authentication can happen right after. But keep in mind that, by themselves, they are not enough. For example, if you're trying to do a ticketing system or attendance where people scan a QR code, they can just forward it to their friend. Better to have them PRESENT a QR code to be scanned.
Having said that, WiFi access points and captive portals are better. Because once you authenticate, the next time is seamless. They can be used to take attendance in classrooms, and much more, seamlessly. (Except if it a person's phone is off. So then they have to come up and manually register, or you have to find that out by having a challenge during class that actually requires phones.)
ATTENDANCE ONLINE:
While I'm at it, I will mention one more thing. Authentication and "presence" can also include face recognition and eye tracking. There are lots of models for Tensorflow's JS port, such as "blazeface", that can do it in real-time. You can present a computer interface on your own wall and the person is authenticated with their face. But remember, once again, that this should only be used for your own software within your own organization, which you presumably trust. Because it can be replayed and spoofed by whoever has access to the back-end.
Anyway, for remote learning, this becomes really useful because (e.g. during the pandemic) the teacher can have an on/off signal which M of N students are paying attention, and which are drifting off or walked away from the computer -- all WITHOUT seeing their video feeds. So it enhances privacy.
We've built a simple tool where students can open a background tab for instance, which watches where their attention is, while they use whatever sites. The tool is deployed by the teachers.
If you want to prevent tech-savvy students from spoofing this attendance, you have to ship some of the code, signed with your own HMAC or private key, every time, and do it in a third-party iframe so their JS code can't simply override it. They would have to rewrite the code in the time that the secret key for the HMAC changes (every 10 minutes). For that, they'd need to install their own user-agent, and very few students are going to go that far. But yes, if people do have their own user-agent, then they can pretty much do any kind of replay attack for attendance. Something to keep in mind.
The only way I have found, to do attendance reliably online, in the presence of adversaries capable of wielding their own user-agents and rewriting code on the fly, is to have them join a videoconference and show a signed QR code on their phone while also completing challenges with their face. The private key might have to come from an agency that saw them arrive in person. The only way to defeat this is to corrupt the agency, making it give out a lot of private keys, and then deploy deepfake video avatars at scale (the kind DARPA wants to do) to complete all challenges. At that point, they AI is probably good enough that you prefer the bots to humans anyway LOL.
SYBIL ATTACKS
I will also say a word about sybil attacks. The best ways I have found to prevent them are imposing a cost (but those who can recoup the cost will still do it) or grandfathered accounts. The problem with grandfathered accounts is that people can deploy software to automate existing accounts, and do it occassionally enough to avoid detection. The only way to prevent cheating in tests, for example, is t...
I'm sure your app doesn't actually stream the video back to the server, but how do I as the user, know that? All I can see is you requesting camera permissions and you saying "trust us bro" that you're not streaming the feed back to your server.
Mostly, in our use case, it's because students are already willing to open their camera to teachers, when they demand it, and this is actually considered a more effective and private "upgrade" for everyone.
The way I understood the submission is that if you don't have a doorbell - or especially a smart one - scanning the qr code replaces pressing the button.
Others have mentioned that it would be easy enough to copy it and circulate elsewhere but while that's a big issue in my books I don't see the link to captive portals, student attendance etc.
And then I branched out into related issues of proving presence somewhere — online or offline.
I don’t mean this in a mean way and realise that your comment was mention the spirit of the conversation :)
But again, still more hassle than helpful and if you forget to switch it the problem remains.
People could also print flyers with your phone number on them. Add your email address to spam lists. Etc etc.
Scanning QR codes outside a trusted environment (e.g. a workplace stock keeping system) is asking for trouble. Security advice now routinely recommends not deploying QR codes on your products, nor encouraging your employees/users to scan strange codes.
It's like 1995 all over again.
EDIT: In response to doubters below https://www.bbc.co.uk/news/articles/cz472gy8nd9o
Besides, to paraphrase Dubya: "Goatse me once, shame on...shame on you. Goatse me—you can't get goastsie'd again."
Other than that, it's the same as clicking a link on an email, yes.
QR codes can contain a limited set of data. There's no possibility of a buffer-overflow or malicious program.
Every QR reader I've seen shows you the destination before taking you there.
It might be a scam website - but that's no different to seeing an poster and manually typing in the address.
Yes, QR codes can contain an auto-generated email or premium SMS. But they won't send automatically. The user remains in control.
Source?
Disagree, because:
* QR codes are opaque to humans. You can't visually tell if one is legit or not.
* QR codes often use URL shorteners, so that the URL contained is just https://exam.ple/4pTF6x4M9 is not unusual.
Someone can replace a QR code with a sticker overlay and link to a phishing site. Replacing a URL on a poster is also possible, of course, but harder to make look convincing in the first place and significantly simpler to detect.
* Printed URls often contain shortened links.
I'd argue that most QR sticker overlays are also pretty inept. See a sample at https://shkspr.mobi/blog/2024/07/qr-code-hijacking-attempts-...
So, use common sense here. Links and QR codes are everywhere. And people click or scan them all the time at their own discretion.
This is not like 1995 all over again. All the same protection mechanisms that we've put up since then for links also work for QR codes. There's no real difference between a link I email you and a QR code that you encounter in the wild. You click or scan them and a browser opens and does its thing. I mention email here because email clients typically don't really restrict what you can do with links in them. There's a reason for that: people send a lot of links via email and links are useful. So the fact that some bad actors send people evil links via spam, is not enough reason to disable the feature.
QR codes are just a way to provide links for people to "click". It's not even a new way because they've been around for quite long. The US and Europe are late to this party. Most of the rest of the world already runs on QR codes for quite some time. Especially places like China and Japan.
Ps. I run a company that uses QR codes a lot. They solve a lot of issues for us. IMHO they are severely underused currently.
What reason would you want to be notified of unknown visitors knocking on your doors when you're away? The only people I can see fitting this description are delivery drivers & salesmen?
Further, what if you're home and your phone is in another room, is on silent, or is dead?
What is you have a spouse or housemate? Do both of you get notified?
And there's also a subset of people who get frustrated by having to use QR codes in restaurants, who I suspect would be equally frustrated by this.
Also, a real traditional doorbell is mechanically coupled to the bell, with no electricity at all.
I wouldn't call it a real replacement, but I can see a dozen uses.
What? Door bells worked before phones existed.
Smaller buildings with just a few units usually just have simple dumb wired doorbells. And they are usually not broken.
Different cities/neighborhoods have a different mix of larger and smaller buildings.
This QR code idea is interesting, because it lets you go from dumb to smart, bypassing all of the steps that would normally be necessary (cost, approval, installation, maintenance, etc).
It's not as "good" as Nest etc, but it gets you most of the way there for almost none of the hassle.
Not for me, probably, but interesting.
The other one was a party at someone's apartment and I only had their IRC and twitter handle but not their phone number, and they had a key pad at the entrance (long story, not their fault) and I didn't have the number. And yes, I tried to ping them but they seemed to ignore their phone so I had to wait for other guests to arrive anyway.
My third example would be temporary event locations where there simply is no door bell or the organizers are not where it would ring and again, a phone works but it would leak the caller's number and the organizer's number whereas I suppose you can just uninstall the app or have different URLs generated that stop buzzing after a while.
Situational, as I said.
One thing I've found useful so far is that the notification sound is different from my phone/message chime, so when I hear it I know it's someone at the door.
I'm curious to hear what other people think?
Might be nice to play a "ding dong" sound in the browser?
Overall this feels too complicated. Unfriendly to people without smartphone or mobile internet. I understand this is DIY equivalent of camera doorbell, but I would definitely prefer some no-name chinese radio doorbell both as one ringing and maintaining it.
While a cheap radio doorbell might be better in many cases, there are still circumstances where it's not suitable. I'm trying to figure out which those are?
In general you should display a prompt explaining why a permission is needed (eg. "we need access to your camera to camera to take a picture to send to the owner, click allow on the next screen to allow."), and only ask for permissions after the user accepts the first prompt.
However in this particular case you shouldn't have to request camera access directly. Using <input type="file" accept="image/*" capture="user> will display an system interface (ie. from the browser or OS) to allow the user to take/select an existing picture. It also already has preview and front/back camera selector built in, so you don't have to implement that yourself.
https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes...
I'll have a look at using the `capture` attribute on an input. My initial idea was to do video over webRTC, but the selfie version works okay for a first version
Of course, you would not have learned your first iOS/Android app with that approach. Maybe that's the better lesson to learn though--not everything needs to be an app
I might have a situation where the QR Code makes sense though. I'm renting a location for a party at the top of a building, which is only accessible by transponder cards. So there is no door bell or anything. Instead of having someone letting the guests in, this could be an alternative.
I'd be very curious to hear more about it
Except those pin codes are now commonly disabled for security reasons. So, I was waiting downstairs wondering what to do and in the end just called my friend after which he came downstairs to open the door. That works of course but a QR code would be a good alternative.
Even if it just contained a tel:// link with the phone number. I love QR codes for low tech solutions like this.
This stuff doesn't have to be hard. And you don't even need an app for this. Just print your own code with your phone number, email address, etc. (from any of a vast number of web based generators) and put it near the door with some instructions.
1. Get a QR code to put at your door
2. Visitors scan the QR code using their smartphone camera
3. Get a notification on your phone wherever you are!
OR
1. Install doorbell at your door.
2. Visitors press the doorbell using any of their extremities.
3. Get a notification on your phone wherever you are!
Scenario 1 (QR code) puts 100% of the infrastructure on the client (visitor) side, and scenario 2 (Nest, Ring, etc) puts 100% of the infrastructure on the server (resident) side. [Edit: strained metaphor perhaps, and yes both scenarios require connectivity infrastructure]
So these are completely different methods of achieving the same goal, and there are easily imaginable cases where one scenario would be preferable over the other.
Usually, server-side makes the most sense. Certainly in the case of a traditional wired or wireless dumb doorbell, it's simpler.
But there are cases where server-side is difficult or impossible, especially if you want "smart" features like photos or routing or two-way interaction. Higher cost, permission from property owner if renting, etc.
Pushing the infrastructure to client-side solves these problems. Most users will have the client infrastructure in their pocket already. No wires. No new piece of hardware to maintain, repair, keep charged, etc.
Seems to me a QR code removes the $170 bit that was a key part of the Ring camera value proposition.
And for people who do not live in high-crime areas, but might want the other features of a Ring camera, the value distribution would necessarily be different.
https://www.honeywellstore.com/store/products/portable-wirel...
I would look for something like this: https://www.honeywellstore.com/store/products/portable-wirel...
Knock on the door while ignoring anonymous QR code that could have been left by anyone
Some renting situations make solving those problems difficult, annoying, or impossible.
But yeah, generally a doorbell is a pretty reliable tool.
That's probably true, but I don't live in some places. I have a door with a knocker and a doorbell. Calling/texting me is so damn annoying and pointless. You knock/ring, I get up and answer the door. You text/ring, I might ignore it or at least it could take time to go to where it might be sitting other than in my hand.
If you live in one of these "some places", I doubt the landlord is going to be very happy about people plastering various QR codes on their property, especially if "some place" is a multi-tennant property which typically already have a system in place
Great. I don't think OP made this thing explicitly for you.
And I'm not attempting to persuade you into choosing this doorbell option.
For others, who are not you, and who have different living situations than yours, this could be an interesting option.
Mailman, flyers, delivery not for me, neighborhood kids pushing wrong buttons or just fooling around.
If I have delivery scheduled or there is scheduled maintenance for building I will connect it for that day. Even delivery guys sms/call me when they are in area to check if they should drop by with parcel anyway.
People like friends/family don’t drop by without calling sending a message. There is no unscheduled visits since I was teenager.
For you, if you’re expecting guests, just tell them to ring your doorbell. Get rid of the ambiguity and give them comfort in knowing the “right” thing to do. You clearly gave it some thought and have strong opinions about it. I’m sure other people are just trying to be considerate in a generation where they mostly grew up living with lots of other people.
I'm not the person you're replying to, but the way I see things, if I put a button on the front of my house labelled "visitors, please press me" and then I got mad at my visitors for pressing it, that would be super weird behaviour on my part. The button is the permission.
People who don't want visitors to press the bell either remove it, or tape a bit of cardboard over it or something.
Our doorbell, which was non-functional from when we moved in until we moved out eight years later, and which we were always planning to fix 'next week', is a good counterexample.
Not that we'd get mad at people for ringing the doorbell, but we were very glad that people usually figured out they had to knock.
I had both of those problems at my previous residence. It was an apartment complex with some N½ addresses. Visitors would often miss that bit and be at the wrong door. On top of that, the doorbells were counterintuitive: they were arranged vertically, but the bottom doorbell would ring the top apartment and vice versa, so I forever had visitors and deliveries ringing the wrong bell (and actually mostly for the other units ringing mine.)
If I go somewhere couple times a year I usually feel quite comfortable using doorbell.
For security of course it'll be an SSID that doesn't connect to anything else, because hey, we care about security. ;-)
Another app is: "connect to this SSID and ping6 2345:0425:2CA1:0000:0000:0567:5673:23b5 to ring doorbell!".
Particularly when you consider that some of those attendance injections may contain potential threats or unsolicited commercial messaging, or be designed to cause interference with predefined private processes, or even be designed just to consume processor cycles in unnecessary communication processing across the security layer.
While I like your implementation suggestion it feels a little lightweight for something this important. Please revisit the scope and come back with a more fully fleshed out project proposal.
Just because they are at your door for some reason does not mean they want to give up what has become their mobile ID. People are starting to get protective of it with good reason, since there are so many attacks using the Mobile #/ID...
Also, as pointed out elsewhere, the static easily duplicated QR code has issues for you, but it would also be easy for someone to slap a malicious QR code over your static one, disabling yours and enabling their scam...
Maybe I'm just the wrong generation, or live in a place that still has winter, but a QR code where I need to get out my phone, take off my glove in winter, activate the camera to scan, etc., seems a lot less welcoming.
One thing that is good about your QR code option is that you do receive notice anywhere and you do have their mobile number, so you can reply immediately with a text or call, such as "sorry, I'm running late, not quite home yet, I'll be there in 10min". Ofc, you could also post your mobile number below the wireless doorbell.
Perhaps Option #3 would be a doorbell that can display a scrolling message, so
— wireless doorbell
— sends text to you
— you can reply to doorbell (e.g., "coming downstairs now", or "traffic, be there in 5min", "pls call me at 987-654-3210", etc.)
This way, no one needs to reveal their mobile number, but everyone has the advantage of mobile communications, albeit with a small bandwidth.
?
From what I read it says to scan the code and get a notification anytime it's scanned. Just looked at the android app listing and there seems to be something about taking a selfie which seems rather useless but hey maybe some people like it.
Also love how people keep suggesting wireless doorbells when the whole point of this is not to install any hardware that could be to expensive, harder to setup/maintain than a QR code, or maybe stolen/damaged or not allowed to be installed
OK, maybe the point is to not install any hardware (beyond a sticker), but it seems people are pointing out that a QR code introduces more problems than it solves (trust, spoofing, copying, misdirecting, inconvenience, etc.). If he wants to install no hardware and get a text on his phone, perhaps the easiest thing is to post a sticker with "pls text me at [mobile number]" at the location of the doorbell or QR code?
Given that they have an app I'm sure the QR code leads to a link that will trigger the notification via app on the phone, no text message anywhere.
Again to your last point, no text message, dude just wants to get a notification on his phone without installing some dumbass $300 doorbell
Knocking or a physical doorbell noise is fine for my house. But if I’m not home, they have no way to communicate with me unless they leave a note on the door, which requires them to have paper and me to not be traveling for days.
Expecting guests and random strangers to go out of their way to accomodate that is not ideal. I don't know how I would react if I had to scan a QR code to ring a doorbell but chances are I would leave.
On a side note, a delivery person might actually not want to scan the QR code because (a) if you do this all the day long, it take much more time than pushing doorbell buttons, and (b) if they use their professional devices to do this, they might either have that URL blocked, or scanning a "random" QR code might be against their company's policies because it might expose them to security risks (imagine a phishing page with the login interface of the delivery company, or a site serving malware).
Most phones have an NFC reader as well so should work with Android too.
Similar concept:
1) person taps phone against “door bell”
2) sends notification to user(s)
3) optionally, send “selfie”
IIRC, app clips needed to be very small in size. So something like this could work, even in low bandwidth situations (ie, poor signal strength)
I do very strongly prefer a QR code thing to something like a Ring (as long as the QR code isn't going to a service such as Ring), though, but neither is better than knocking.
I don't like even being in neighborhoods where these things are in common use. Privacy issues aside, I take a prevalence of surveillance systems as an indication that the area they're in is an undesirable place to be. Either it's actually dangerous, or the people living in them think it's dangerous. Either way, that's a bad sign.
I have cameras around the outside of my house. Not worried about crime (despite it seeming otherwise). I don't look at the video feed when people ring my doorbell.
Cameras have been helpful: - Someone accidentally backed into my house. Camera caught it. - Something was delivered that required my attention. Was able to walk back from another house to meet them (knowing they were at my door) - Check out branches/etc. falling on my cars during high wind
It seems a bit convoluted, though. Is there a DPST momentary button I can use instead (removing the need for the hall effect sensor)? I searched on digikey but 'DPST momentary' came back with results that were too bare (just the button), expensive ($50 per unit) and had a long lead time (8 weeks).
Just tap the dc leg between the bell and the chime into a voltage divider - for a 16V doorbell to a 3.3V esp32 io pin, r1=15k and r2=3.3k is exact - and you're done.