
How we hacked our office doorbell using Slack, MessageBird and Now - adriaanmol
https://blog.mollie.com/how-we-hacked-our-office-doorbell-using-slack-messagebird-and-now-b2042c060e29
======
parliament32
Considering you don't actually check who the person is, wouldn't it be easier
to just leave the door unlocked during business hours?

KISS and all that...

~~~
vxNsr
Looks like from the video that it's a multi-tenant building, seems like they
created an easy way for anyone who wants to enter to do it without actually
being authorized.

------
grepthisab
The main advantage that this overengineered solution has over a doorstop is
that no one will upvote an article on HN about a doorstop, and then your
company loses out on the publicity.

~~~
mandelbulb
Yeah, seems like an astroturfing attempt.

------
matteuan
So wait a sec, do you open the door to anyone without checking who it is?

~~~
THE_PUN_STOPS
If that’s true, then on top of that, they’ve now broadcasted that fact to the
world. And they’re a payment services company.

~~~
adriaanmol
You guys are right about that. But first to be clear. This is NOT our HQ, but
an office not working on our core platform. People sitting in this office can
look out of the window to see who's standing at the door before opening the
door.

Also, please note, this was just a fun small project for us. Making an image
with a camera and posting to Slack would be better. We had much fun making
this without putting a lot of effort into it, that was for now the point.

We are aware of all the security issues and are not using this in production
at our main office.

------
jabagawee
FTA:

> MessageBird sends a couple of extra parameters with each request, including
> a callID. When a new request comes in, we’ll make an API call to
> MessageBird, to verify whether this voice call actually happened and if it
> happened within the last 2 minutes. We also used the query parameters
> destination and source from the incoming webhook call and matched these
> against the data from MessageBird. This would make sure that only “real”
> doorbell calls would trigger Slack notifications.

This approach seems to be reinventing the wheel of validating MessageBird
webhook calls. From their docs
([https://developers.messagebird.com/docs/voice-calling#handle...](https://developers.messagebird.com/docs/voice-calling#handle-callbacks)):

> Each callback HTTP request is signed with a signature, a base64 encoded HMAC
> found in the X-MessageBird-Signature HTTP header. To ensure the callback is
> coming from the MessageBird platform, we strongly advise to validate its
> signature by calculating the HMAC of the callback and base64 encoding it.
> Using HMAC-SHA256, the HTTP body is the message and the token of the related
> webhook resource is the secret. Only handle the webhook if the computed
> value matches the signature in the HTTP header.
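
Added example (not part of jabagawee's comment or the original article): one way to implement the check the quoted docs describe, in Node.js. The token, body and function names are constructed for illustration, and the demo shows why the HMAC must be computed over the raw request bytes rather than re-serialized JSON.

```javascript
const crypto = require('crypto');

// Constructed sample values (not real MessageBird data).
const SAMPLE_TOKEN = 'constructed-webhook-token';
const SAMPLE_BODY = Buffer.from(
  '{"callID":"constructed-call-id","source":"31000000001","destination":"31000000002"}'
);

// base64(HMAC-SHA256(key = webhook token, message = raw HTTP body)), per the quoted docs.
function computeSignature(rawBody, webhookToken) {
  return crypto.createHmac('sha256', webhookToken).update(rawBody).digest('base64');
}

// True only when the header value matches the HMAC of the exact bytes received.
function isValidCallback(rawBody, signatureHeader, webhookToken) {
  if (!Buffer.isBuffer(rawBody)) return false; // need raw bytes, not a parsed object
  if (typeof signatureHeader !== 'string' || signatureHeader === '') return false;
  const expected = crypto.createHmac('sha256', webhookToken).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'base64');
  // timingSafeEqual throws on length mismatch, so reject that case first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Runs the check over a genuine callback and four ways it should fail.
function demo() {
  const signature = computeSignature(SAMPLE_BODY, SAMPLE_TOKEN);
  const text = SAMPLE_BODY.toString('utf8');
  const tampered = Buffer.from(text.replace('31000000001', '31000000009'));
  // Same JSON content, different bytes: what you get if a framework parses the
  // body and the handler re-serializes it before hashing.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(text), null, 1));
  return {
    genuine: isValidCallback(SAMPLE_BODY, signature, SAMPLE_TOKEN),
    tampered: isValidCallback(tampered, signature, SAMPLE_TOKEN),
    reserialized: isValidCallback(reserialized, signature, SAMPLE_TOKEN),
    missingHeader: isValidCallback(SAMPLE_BODY, undefined, SAMPLE_TOKEN),
    wrongToken: isValidCallback(SAMPLE_BODY, signature, 'another-token'),
  };
}

console.log(demo());
```

A valid signature proves origin and integrity but not freshness, so a captured callback would still verify if replayed; the article's "within the last 2 minutes" lookup covers that separate concern.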

------
dna_polymerase
Opening doors to everyone, using 3 products to do so and depend on other
people's code & services in the process... I think I will pass on you guys for
my payments.

------
Justin_K
Did you hack it or just integrate to it?

~~~
rconti
To be fair, they had to both point _and_ click.

------
sdf43543t345
It seems the definition of 'hacked' is getting looser and looser these days.
Sounds like you just consumed services from a SaaS, that's 'hacking' today.

------
dfsegoat
Related solution built on AWS SQS and a Pi - which takes a picture of the
individual ringing the bell.

It's an email alert - but it'd obviously be trivial to connect up the slack
API to pass the message + image to a channel.

[https://www.hackster.io/taiyuk/iot-doorbell-faee18](https://www.hackster.io/taiyuk/iot-doorbell-faee18)

------
Jeremy1026
We use a few Dash buttons and a macOS app (with Node.js backend) as our
doorbell solution.

[https://github.com/calltracking/doorbell](https://github.com/calltracking/doorbell)

It's not the most beautiful thing, but it gets the job done of letting us know
when someone is at any of our 3 doors.

------
Jaruzel
I'm going to be 'that guy'....

> How we automated our office doorbell using 3 products already available.

Wrong usage of the word 'hacked' in the original title.

A more hacky way to do it, would have been getting a voice modem dongle that
takes SIM cards, and writing software directly to detect/answer the incoming
call, verify it's the doorbell, post to slack and wait for auth., then play a
WAV back out through the dongle (like a voicemail greeting). Same result, less
dependence on 3rd party services, learn a lot in the process.

It's all well and good using 3rd party services if they are available, but
sometimes these articles are akin to me writing a post on 'how I found
something on the internet using google'.

------
rconti
I just hacked my shoelaces.

