
Key takeaways
• Intercom security stopped being a checkbox in 2024. The UK PSTI product security regime (in force since April 2024) bans universal default passwords on connectable consumer products, the EU NIS2 Directive has applied since October 2024, and the EU Cyber Resilience Act (in force since December 2024, fully applicable from December 2027) requires security updates for a product’s whole support period, at least five years for most devices. Selling an insecure intercom into Europe is now a regulatory event, not just a reputational one.
• The threat landscape has receipts. Akuvox CVE-2023-0354 let unauthenticated clients into the E11 door phone’s web server, one of thirteen Akuvox CVEs published through CISA in 2023 alongside a command-injection bug; Aiphone CVE-2022-40903 let attackers brute-force the four-digit admin passcode over NFC because failed attempts were never throttled; Mirai-class botnets keep finding intercoms with default creds and exposed RTSP.
• Five non-negotiable controls. DTLS-SRTP for media, TLS 1.3 for signalling, signed firmware with rollback protection, FIDO2/passkey auth for admins, and an immutable audit log of every unlock event. Anything missing is a CVE waiting to be filed.
• Hikvision and Dahua are not options for many buyers. US NDAA Section 889 bars them from federal procurement, NIS2’s supply-chain risk obligations make them hard to defend in an EU essential entity’s vendor review, and most enterprise insurers now ask the question explicitly.
• Fora Soft has been shipping secure video and access platforms since 2005. We rebuilt the web interface for Netcam, one of the earliest video surveillance platforms, and engineered Nucleus, an on-premise communication platform built around hardened audio/video. Book a 30-min call →
Why Fora Soft wrote this playbook
There is no shortage of intercom vendors willing to sell you a slick mobile app. There is a shortage of teams that can ship one without leaking video over plaintext RTSP. Fora Soft has been shipping secure multimedia products since 2005: we modernised Netcam Studio, the descendant of one of the earliest video surveillance applications (WebcamXP, 2003); we engineered Nucleus, an on-premise communication platform where every byte stays inside the customer’s network; and we maintain a 100 % project success rating with a roster of engineers selected at a 1-in-50 rate.
This playbook is what we tell prospective intercom clients in a discovery call: which threats are real, what the regulators now require, what an honest defence-in-depth architecture looks like, which off-the-shelf vendors are credible, when to build a custom platform instead, and what numbers to commit to. The audience is product managers, building owners, security integrators and PropTech founders who need to ship a secure intercom or replace one that no longer meets the bar.
Building or hardening a secure intercom platform?
Tell us your deployment scope, compliance footprint and target latency. Within one working day we will come back with a threat model, a target architecture and an honest estimate.
What “secure intercom software” actually means in 2026
A secure intercom is a system that lets a visitor request entry and a resident or operator grant or deny it — without leaking video, audio, identity, location or access logs to anyone outside that two-party transaction. The modern stack has four layers: an edge device (door station, panel, mobile reader), a network path (SIP/WebRTC over VLAN, often via a TURN/SBC), a cloud control plane (multi-tenant SaaS or self-hosted) and an identity layer (residents’ phones, operators’ SSO, visitors’ QR codes).
Each of those four layers has its own controls; secure means all four are doing their job at the same time. The most painful failures we have audited were never about the cryptography — they were about a single layer being treated as “internal” and left exposed.
The 2025–2026 threat landscape (with receipts)
1. Firmware-level CVEs that ship in the box. CVE-2023-0354 (Akuvox E11) let an unauthenticated client reach the device’s web server; it was one of thirteen Akuvox CVEs published through CISA in March 2023, alongside a command-injection bug (CVE-2023-0344) and hard-coded keys. CVE-2022-40903 (Aiphone GT series) let an attacker brute-force the four-digit admin passcode over NFC because the panel never throttled failed attempts. Neither needs a lab: the first needs a network path to the device, the second an NFC device held at the panel.
2. Default credentials. Mirai-class botnets continue to find tens of thousands of internet-exposed intercoms answering to admin/admin, especially in older 2N, Doorking and Hikvision installs. The UK PSTI regime, in force since April 2024, makes it illegal to put connectable consumer products with universal default passwords on the UK market; a unique per-device password or a forced change at commissioning is the minimum, and vendors who have not refreshed their commissioning UX are out of compliance.
3. Plaintext SIP and exposed RTSP. Roughly 40 % of internet-reachable commercial intercoms still expose RTSP on port 554 without authentication. Anyone with a Shodan subscription can scout a building’s lobby and entrances remotely, a reconnaissance gift to physical-intrusion teams, and plaintext SIP on the same device hands them the signalling, unlock messages included, on the wire.
4. Replay and relay on mobile credentials. The convenience of a phone-as-key is undone if the unlock signal can be captured and replayed, or relayed in real time from a phone that is nowhere near the door. Modern mobile credentials need an ECDH-derived session key, a server-issued nonce and a timestamp bound into a signed unlock message, and a proximity check. RSSI thresholds are a weak proxy that a relay defeats; use secure ranging (UWB) on phones that support it.
5. Insider abuse and supply-chain risk. A property manager with cloud admin can unlock any unit at any time; without granular audit and behavioural analytics, that is a privacy disaster waiting to happen. NDAA Section 889 bars Hikvision and Dahua from US federal procurement; the EU NIS2 Directive does not name vendors, but its supply-chain security obligations make them a hard sell to essential-service operators.
Reach for an immediate audit when: any device in your fleet still accepts default credentials, exposes RTSP to the internet, or runs firmware older than 12 months. These are the three findings that turn into incidents fastest.
The regulatory squeeze in 2025 and 2026
EU NIS2 (transposition deadline October 2024). Brings “essential” and “important” entities, healthcare, transport and public administration among them, under a hard security baseline: risk-management measures that explicitly include supply-chain security, a 24-hour early warning and a 72-hour notification for significant incidents, and a final report within a month. Hospitals, airports and critical-infrastructure buildings now flow those obligations down to their intercom suppliers.
EU Cyber Resilience Act (CRA). In force since December 2024; vulnerability-reporting obligations apply from September 2026 and the full requirements from December 2027. Every “product with digital elements” sold into the EU must ship with a coordinated vulnerability disclosure process, an SBOM, and security updates for its support period, at least five years unless the product is expected to be used for less. The CRA does not name post-quantum algorithms, but “state of the art” for an intercom that will still be in the wall in 2037 means cryptographic agility. Intercoms with 10-year service lives are squarely in scope.
UK PSTI (product security regime in force since April 2024). No universal default passwords, a published vulnerability disclosure policy with a point of contact and acknowledgement of reports, and a published minimum security-update period. The regime sets no fixed patch deadline; your own disclosure policy does, so write one you can keep.
GDPR + EU AI Act. Intercom video and audio are personal data, and face templates are special-category biometric data under GDPR Article 9. Under the AI Act, remote biometric identification (matching a face against a database of residents) is high-risk, while one-to-one verification that only confirms a claimed identity is carved out of the high-risk list; emotion recognition in workplaces and schools is banned outright. Run a Data Protection Impact Assessment before turning any of it on.
HIPAA (US healthcare), PCI DSS (if you process payments), SOC 2 Type II, ISO/IEC 27001:2022. Enterprise procurement now expects at least one of SOC 2 or ISO 27001 in the data room. Plan the audit, do not retrofit it.
The five non-negotiable controls — a baseline you can hold a vendor to
| Control | What “good” looks like | Acceptable | Walk away |
|---|---|---|---|
| Media encryption | DTLS-SRTP, perfect forward secrecy, AES-256-GCM | SRTP with SDES keys carried in TLS-protected signalling | Plain RTP / RTSP |
| Signalling encryption | TLS 1.3 only, mTLS device enrolment | TLS 1.2 | SIP over UDP, no TLS |
| Firmware integrity | Signed images, secure boot, rollback protection | Signed images, no rollback protection | Unsigned firmware |
| Admin auth | FIDO2 / passkeys, SSO, RBAC | TOTP MFA, RBAC | Username + password only |
| Audit log | Immutable, exported to SIEM, 365 days | Immutable, 90 days | No log / mutable log |
A reference architecture: defence in depth, four layers
Every secure intercom we have shipped or audited slots into the four-layer architecture below. The point is not to look impressive in a sales deck — it is that an attacker who breaks one layer still has to break the next three before they get to the door strike.

Figure 1. Defence-in-depth architecture for a secure intercom platform.
1. Edge device
Secure boot anchored in an immutable boot ROM and a fused public-key hash, with a TPM or secure element for measured boot and remote attestation; signed firmware with rollback protection, sealed UART/JTAG, a tamper switch tied to a heartbeat, and a local PIN fallback so a network outage does not strand residents at the door. Run any AI inference (face blur for GDPR, package detection) on-device so audio and video never leave the building unnecessarily.
2. Network
A dedicated IoT VLAN with no general internet egress, SIP carried over TLS 1.3, media over DTLS-SRTP, NAT traversal via authenticated TURN behind a Session Border Controller. Egress firewall allow-lists, inbound DDoS protection, and mTLS device enrolment so unknown devices cannot enrol themselves.
3. Cloud / control plane
Multi-tenant SaaS with row-level isolation per building, AES-256-GCM at rest, secrets in a KMS or HSM, immutable audit logs streamed to a SIEM with anomaly detection, backups with 90–365 day retention. If your customers are regulated, support a self-hosted or single-tenant deployment option.
4. Identity
SSO via SAML or OIDC, FIDO2 / passkeys for admin login, MFA on every privileged action, and per-building RBAC plus per-unit ABAC so a manager in Building A cannot see Building B. Visitors get time-bound credentials (QR codes, NFC tokens) that expire automatically; residents’ mobile credentials live in hardware-backed key storage (the Secure Enclave on iOS, StrongBox-backed Keystore on Android) with revocation pushed within 60 seconds when a phone is lost.
Reach for an on-prem or self-hosted deployment when: the building falls under EU NIS2 essential services, HIPAA, or a national-security context, or the customer’s lawyers will not accept any cloud egress.
Where the major commercial vendors stand
| Vendor | Category | Security posture | Compliance signals | Watch out for |
|---|---|---|---|---|
| ButterflyMX | Cloud SaaS, multi-family | TLS 1.3, MFA | SOC 2 Type II | Cloud-only; check data residency |
| Swiftlane | Cloud SaaS, office + multi-family | WebAuthn, end-to-end mobile creds | SOC 2, GDPR | Face recognition needs DPIA in EU |
| 2N (Axis Comm.) | IP intercom, hybrid | SIP TLS, LDAP/RADIUS | ISO 27001 (parent) | Default creds in legacy installs |
| Aiphone (GT, IXG) | IP / hybrid intercom | SIP TLS | UL, FIPS in some SKUs | CVE-2022-40903 (GT-series NFC passcode brute force) |
| Akuvox | IP intercom | SIP TLS (post-patch) | Limited | Thirteen E11 CVEs in 2023 incl. CVE-2023-0354; verify firmware |
| Comelit | EU IP intercom | TLS, VLAN, SIP TLS | CE; ISO 27001 in progress | Limited cloud features |
| Hikvision / Dahua | IP camera + intercom | Mixed; weak history | Restricted by NDAA 889 | Supply-chain scrutiny under NIS2 |
Need a security audit of your existing intercom platform?
Threat model, architecture review, firmware analysis, penetration test against the cloud and mobile clients. We come back with a prioritised punch list mapped to NIS2, CRA, GDPR and your customer commitments.
Eight attack scenarios — and the controls that defeat them
| Scenario | Mitigation |
|---|---|
| Credential stuffing on the property-manager portal | Rate limiting, account lockout, FIDO2 MFA, breached-password screening (Pwned Passwords k-anonymity API). |
| MITM on RTSP video feed | TLS 1.3 + cert pinning in mobile and viewer apps; never expose RTSP to the public internet. |
| Replay of unlock SIP message | Timestamp + nonce in SIP headers, one-time unlock codes, server-side replay window check. |
| BLE credential spoofing or relay | ECDH-derived session key, signed nonce, secure ranging where supported (UWB); RSSI thresholds only as a last resort, since a relay defeats them. |
| Supply-chain firmware attack | Code signing, attestation on boot, staged rollout (5/25/100 %), canary devices. |
| Lost or stolen mobile device | 24-hour credential expiry, push-based revocation in <60 s, MDM integration. |
| Insider sysadmin abuse | Granular RBAC, immutable audit log, behavioural analytics, quarterly access review. |
| Network outage cuts off the door | Local PIN fallback, offline credential cache, UPS, signed offline audit log on the device. |
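The replay row above (and the mobile-credential threat in the landscape section), as an added worked example that is not from the page or from any vendor’s firmware: the server issues a nonce, the phone signs the exact unlock request (device, door, nonce, timestamp), and the server checks the timestamp window, the tag and a one-time consumption rule so the same message can never open the door twice. Everything here is assumed for illustration: the per-device key stands in for the ECDH-derived key from enrolment, HMAC-SHA256 stands in for the credential’s signature, and the device and door identifiers are made up.

```python
"""Unlock challenge-response with nonce, timestamp window and replay cache.
Added example, not from the page. Assumptions: K_dev is a 32-byte per-device key
from enrolment (the ECDH step is not shown); HMAC-SHA256 stands in for a signature."""
import hashlib
import hmac
import secrets

NONCE_TTL_S = 30      # assumption: a challenge is only valid this long
CLOCK_SKEW_S = 10     # assumption: tolerated drift between phone and server clocks


def unlock_message(device_id: str, door_id: str, nonce: str, ts: int) -> bytes:
    # Every field the server acts on is bound into the tag, so re-targeting the
    # request to another door, or re-using the nonce, invalidates the tag.
    return f"{device_id}|{door_id}|{nonce}|{ts}".encode()


def sign_unlock(key: bytes, device_id: str, door_id: str, nonce: str, ts: int) -> str:
    """Client side: the phone proves possession of K_dev over this exact request."""
    return hmac.new(key, unlock_message(device_id, door_id, nonce, ts), hashlib.sha256).hexdigest()


class UnlockServer:
    def __init__(self, device_keys: dict, clock):
        self._keys = device_keys      # device_id -> K_dev, from enrolment records
        self._clock = clock           # injected so the example is deterministic
        self._issued = {}             # nonce -> (device_id, issued_at); absent == consumed

    def issue_nonce(self, device_id: str) -> str:
        nonce = secrets.token_hex(16)
        self._issued[nonce] = (device_id, self._clock())
        return nonce

    def verify(self, device_id: str, door_id: str, nonce: str, ts: int, tag: str):
        key = self._keys.get(device_id)
        if key is None:
            return False, "unknown device"
        issued = self._issued.get(nonce)
        if issued is None or issued[0] != device_id:
            # Never issued, issued to another device, or already consumed (a replay).
            return False, "nonce not outstanding for this device"
        now = self._clock()
        if now - issued[1] > NONCE_TTL_S:
            del self._issued[nonce]
            return False, "nonce expired"
        if abs(now - ts) > CLOCK_SKEW_S:
            return False, "timestamp outside window"
        expected = sign_unlock(key, device_id, door_id, nonce, ts)
        if not hmac.compare_digest(expected, tag):
            del self._issued[nonce]   # one attempt per challenge
            return False, "bad tag"
        # Consume the nonce before acting: the same signed message can never unlock twice.
        del self._issued[nonce]
        return True, "unlock"


def demo() -> list:
    """Constructed walk-through: one honest unlock, then three attacker attempts."""
    t = [1_700_000_000]               # fake clock, constructed for the example
    clock = lambda: t[0]
    key = bytes(range(32))            # constructed K_dev for the made-up device 'phone-42'
    srv = UnlockServer({"phone-42": key}, clock)
    results = []

    nonce = srv.issue_nonce("phone-42")
    tag = sign_unlock(key, "phone-42", "door-1", nonce, clock())
    results.append(srv.verify("phone-42", "door-1", nonce, clock(), tag)[1])    # honest unlock
    results.append(srv.verify("phone-42", "door-1", nonce, clock(), tag)[1])    # captured + replayed

    nonce2 = srv.issue_nonce("phone-42")
    tag2 = sign_unlock(key, "phone-42", "door-1", nonce2, clock())
    results.append(srv.verify("phone-42", "door-2", nonce2, clock(), tag2)[1])  # re-targeted to door-2

    nonce3 = srv.issue_nonce("phone-42")
    tag3 = sign_unlock(key, "phone-42", "door-1", nonce3, clock())
    t[0] += NONCE_TTL_S + 1
    results.append(srv.verify("phone-42", "door-1", nonce3, clock(), tag3)[1])  # held back, sent late
    return results


if __name__ == "__main__":
    print(demo())
```

A message relayed in real time from a legitimate phone still passes this check, because it is genuine. That is why the proximity step (secure ranging) is a separate control in the table and not a property of the cryptography.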
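The credential-stuffing row above, as an added example (ours, not the page’s or any vendor’s): the breached-password screen via the Pwned Passwords k-anonymity range lookup and a per-account sliding-window lockout. The range response below is constructed for the example (a real one runs to hundreds of lines and the counts differ); the first suffix is the genuine SHA-1 suffix of the string "password". The network fetch is injectable so the block runs offline, and the account name is made up.

```python
"""Breached-password screening (k-anonymity) plus account lockout.
Added example, not from the page. The range response is constructed."""
import hashlib
from collections import defaultdict, deque

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/5BAA6
# Real format: <35 hex chars of the SHA-1 suffix>:<count>, one per line.
SAMPLE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # SHA-1("password") minus prefix
             "1E8C3D0E9B2D5A4C7F0A1B2C3D4E5F60718:2\r\n",        # made-up neighbour in the bucket
}


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGE.get(prefix, "")


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Only the first 5 hex chars of SHA-1(password) leave the server; matching is local."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


class LoginGuard:
    """Lock an account after MAX_FAILURES failed logins inside WINDOW_S seconds."""
    MAX_FAILURES = 5     # assumption: tune to the portal's real traffic
    WINDOW_S = 900
    LOCKOUT_S = 900

    def __init__(self, clock):
        self._clock = clock                     # injected for determinism
        self._failures = defaultdict(deque)     # account -> timestamps of recent failures
        self._locked_until = {}

    def is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0) > self._clock()

    def record_failure(self, account: str) -> bool:
        """Return True when this failure triggers a lockout."""
        now = self._clock()
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.WINDOW_S:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.MAX_FAILURES:
            self._locked_until[account] = now + self.LOCKOUT_S
            q.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def demo() -> dict:
    t = [1_700_000_000]
    guard = LoginGuard(lambda: t[0])
    account = "manager@example.test"            # constructed account
    for _ in range(LoginGuard.MAX_FAILURES):
        guard.record_failure(account)
    locked = guard.is_locked(account)
    t[0] += LoginGuard.LOCKOUT_S + 1
    return {
        "password_breached": pwned_count("password"),
        "passphrase_breached": pwned_count("correct horse battery staple"),
        "locked_after_5": locked,
        "locked_after_expiry": guard.is_locked(account),
    }


if __name__ == "__main__":
    print(demo())
```

Lockout on its own is a denial-of-service lever against a known manager account, which is why the table pairs it with rate limiting per source and with FIDO2 rather than relying on it alone.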
A realistic cost model — what hardening or building costs in 2026
The numbers below are starting points from real Fora Soft engagements; they assume our agent-engineering workflow, which has trimmed our typical timelines by roughly 25–35 % versus 2024 baselines. Treat them as a sanity check, not a quote.
| Scenario | Approach | Engineering | Time to ship |
|---|---|---|---|
| Security audit of an existing platform | Threat model + pentest + remediation plan | ~$25–55K | 4–6 weeks |
| Hardening pass + auth modernisation | FIDO2, mTLS, signed firmware, audit log | ~$45–90K | 8–14 weeks |
| Cloud-managed SaaS for a vertical (e.g. multi-family) | WebRTC SFU + multi-tenant + SOC 2 readiness | ~$180–320K | 5–9 months |
| Enterprise / NIS2-grade hybrid platform | On-prem option, HSM, SIEM, ISO 27001 evidence | ~$320–600K | 7–12 months |
Mini case: hardening a video surveillance front-end
A long-running client of ours, Netcam Studio, is the descendant of WebcamXP — one of the earliest video surveillance applications, originally launched in 2003. By 2013 the web interface was carrying a decade of accumulated assumptions about “trusted local network” that no longer matched reality.
Fora Soft rebuilt the web interface around three security primitives the original lacked: HTTPS-only access with strong default ciphers, granular per-camera permissions instead of a single admin password, and per-feature audit logging visible to the operator. The UX was redesigned in parallel: thorough wireframing, careful information architecture, a modern visual language. The result was an interface that felt as fluid as a consumer product but enforced the discipline of a security tool.
A separate, parallel project — Nucleus — tackled the other extreme: an on-premise communication platform where every byte of audio and video stays inside the customer’s network. Together, these two projects are the engineering heritage we draw on for any new intercom build. Want a similar hardening pass on your platform? Book a 30-min discovery call →
A decision framework — pick the right path in five questions
Q1. Where will the buildings be? EU only → design for NIS2 / CRA / GDPR from day one and avoid Hikvision/Dahua. US federal → NDAA-compliant supply chain. Multi-region → multi-tenant SaaS with selectable data residency.
Q2. How regulated is the use case? Multi-family residential → cloud SaaS is fine. Hospitals, gov, finance → on-prem or single-tenant cloud + HIPAA / NIS2 controls.
Q3. How many doors and tenants? <500 doors → buy ButterflyMX, Swiftlane or 2N. >5,000 doors with custom integrations → build a private platform; the unit economics flip somewhere around 2,000–3,000 doors.
Q4. What is your identity story? Off-the-shelf SSO acceptable → SAML/OIDC integration with vendor portal. Need passkeys, MDM-bound credentials and tight revocation → build.
Q5. Where does the audit log go? Internal compliance only → vendor dashboard is fine. SOC 2 customers → you need exportable, immutable logs into the customer’s SIEM.
Five pitfalls we see every quarter
1. Treating the local network as “internal”. The intercom VLAN is not magically safer than the internet. Apply the same controls inside the building you would on the public path.
2. Forgetting to revoke. A lost phone or a fired employee should lose access in under a minute. Most field deployments we audit have revocation latencies measured in hours or days.
3. Letting the audit log be mutable. If admins can edit the log, the log is theatre. Stream every event to a write-only sink; sign the entries.
4. Shipping face recognition because “it’s cool”. In the EU, matching faces against a resident database is high-risk AI under the AI Act, and the templates are GDPR Article 9 data whichever way you match them; in Illinois and a growing list of US states it triggers BIPA-style litigation. Always have a non-biometric fallback and a documented DPIA before turning it on.
5. No firmware update story. A door device with a 10-year lifespan that cannot be updated is a CVE waiting to be filed. Sign images, support OTA, plan rollback, fund the SLA.
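Pitfall 3 above, and the immutable-log control in the baseline table, as an added example written for this page rather than taken from any product: a hash-chained, keyed audit log in which every entry authenticates itself and its predecessor, so an admin who edits or deletes a row breaks verification. Assumptions, all ours: the HMAC key lives with the log service (in the page’s terms, a KMS or HSM) and never in the admin plane, HMAC stands in for the asymmetric signature or transparency-log service a production sink would use, and the events are constructed.

```python
"""Hash-chained, keyed audit log with tamper and truncation detection.
Added example, not from the page. HMAC-SHA256 stands in for a signature."""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64   # the 'previous MAC' of the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not affect the MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def append(self, ts: int, actor: str, action: str, target: str) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "target": target, "prev": prev}
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "mac": mac}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Publish this to the SIEM on a schedule: a verifier that knows the latest head
        # also detects silent truncation of the tail, which the chain alone cannot.
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries: list, key: bytes, expected_head: Optional[str] = None):
    """Return (ok, index, reason); index is the first bad entry, or len(entries) when ok."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i, "chain break"
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, e.get("mac", "")):
            return False, i, "mac mismatch"
        prev = e["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries), "truncated tail"
    return True, len(entries), "ok"


def demo() -> dict:
    key = b"\x11" * 32   # constructed log-service key
    log = AuditLog(key)
    # Constructed events: a resident unlock, a manager unlock, a credential revocation.
    log.append(1_700_000_000, "resident:unit-3b", "unlock", "door:lobby")
    log.append(1_700_000_042, "manager:alice", "unlock", "door:unit-3b")
    log.append(1_700_000_099, "manager:alice", "revoke", "credential:phone-42")
    head = log.head()
    intact = verify_chain(log.entries, key, head)

    edited = [dict(e) for e in log.entries]
    edited[1]["actor"] = "resident:unit-3b"          # manager rewrites their own unlock
    tampered = verify_chain(edited, key, head)

    gapped = verify_chain([log.entries[0], log.entries[2]], key, head)   # row deleted mid-chain

    cut = verify_chain(log.entries[:2], key, head)   # tail dropped; only the published head catches it
    return {"intact": intact, "edited": tampered, "deleted": gapped, "truncated": cut}


if __name__ == "__main__":
    print(demo())
```

The chain proves order and integrity, not availability: an insider who can stop the writer still loses only future events, so the head must reach a sink the same insider cannot reach, which is the “write-only” part of the pitfall.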
Reach for an external pentest when: the platform is about to enter production, before any RFP that requires a security questionnaire, after any major architectural change, and at minimum every 12 months thereafter.
Reach for a custom build over off-the-shelf when: the deployment is over ~3,000 doors, the audit log must stream into the customer’s SIEM, you need a vertical-specific UX (hospital, government, hospitality), or you want to private-label the platform for a network of security integrators.
KPIs — what to actually measure
Security KPIs. Mean time to patch a critical CVE (target <30 days), revocation latency for lost devices (target <60 s), share of devices on the latest signed firmware (target >95 %), MFA enforcement on admin accounts (target 100 %).
Reliability KPIs. Cloud control-plane uptime (target 99.95 %), local fallback PIN success rate during cloud outages (target 100 %), unlock latency p95 (target <1 s for mobile, <2 s for QR).
Business KPIs. Reduction in security-guard hours per building, reduction in lost-key replacement cost per resident per year, NPS from residents and managers, time-to-occupancy for new tenants (mobile credentials cut this dramatically vs. issuing physical keys).
When you should not deploy a connected intercom
Three situations where we have advised pausing. If you cannot fund the patch SLA, you will own a fleet of internet-connected boxes that quietly become a liability. Either commit to the operational discipline or stick with a non-networked intercom. If you operate in EU public spaces and want face recognition, the AI Act’s high-risk obligations and GDPR Article 9 may make the deployment unlawful; reframe to non-biometric methods. If your only differentiator is “cheaper”, you will be undercut by Hikvision rebadges within a quarter; lead with security and compliance instead.
There is also a softer failure mode: shipping mobile credentials without a clean offline fallback. Networks fail. Phones die. A door that cannot be opened during an outage is a worse outcome than a door that needs a key.
Privacy and compliance — the artefacts a regulator will ask for
Data Protection Impact Assessment (DPIA). Mandatory under GDPR for video monitoring of public-facing areas and for biometric processing. Run it before the system goes live; revisit annually.
Records of Processing Activities (RoPA). Your customers will ask for them; have them ready, building by building.
Data Processing Agreements with every sub-processor. Cloud hosting, video storage, push-notification provider, email vendor — if any of them sees personal data, you need a DPA on file.
Vulnerability disclosure policy + SBOM. CRA-aligned disclosure programme, a published security.txt, and a signed Software Bill of Materials per firmware release. Auditors will ask; your customers’ CISOs will ask.
Wiring intercom security into a WebRTC stack
For modern video intercoms the canonical pattern is a Selective Forwarding Unit (Janus, mediasoup, LiveKit) terminating SRTP / DTLS streams from the door device, with WebSocket signalling secured via TLS 1.3. Door commands ride MQTT with per-device ACLs; push notifications go through APNs/FCM with end-to-end encrypted payloads, never with the unlock token in plaintext.
Co-locate the SFU and the cloud control plane in the same region as the building to keep unlock latency under one second. Reserve a separate STUN/TURN tier for the intercom traffic so it cannot be flooded by other tenants. We covered the broader streaming pattern in our overview of secure video communication software.
2026–2027 trends to watch
Passkeys and passwordless. FIDO2 / WebAuthn replace passwords for both admin portals and resident apps; mobile-wallet-native credentials (Apple Wallet, Google Wallet) become the dominant carrier.
Post-quantum cryptography. Door devices have 10-year lifespans; NIST finalised ML-KEM (FIPS 203, formerly Kyber) for key encapsulation and ML-DSA (FIPS 204, formerly Dilithium) for signatures in August 2024, and they start appearing in firmware in 2026 to close the “harvest-now-decrypt-later” window. Hybrid key exchange (classical curve plus ML-KEM) is the sensible first step.
Edge AI for privacy. Face blur, package detection, loitering alerts and visitor classification run on the device; only metadata leaves the building. The same pipeline that powers our real-time audio emotion analysis work applies here.
AI assistants on the intercom. LLM-driven visitor screening (“package or person?”) and voice control (“buzz in the courier”) become table stakes for premium tiers. Audit log them carefully.
FAQ
What is the single most common security failure in intercom platforms?
Default or weak credentials in field-deployed devices. Mirai-class botnets continue to find tens of thousands of intercoms with admin/admin every month. Closely followed by exposed RTSP video feeds and outdated firmware older than 12 months.
Which encryption protocols are mandatory for a 2026-grade intercom?
DTLS-SRTP with perfect forward secrecy for media; TLS 1.3 only for signalling and APIs (TLS 1.0/1.1 must be disabled); AES-256-GCM for data at rest; mTLS for device enrolment; and code-signing on every firmware image with rollback protection enforced by secure boot.
Can I still buy Hikvision or Dahua intercoms in 2026?
Yes, but expect friction. NDAA Section 889 bars both from US federal procurement and many private buyers have inherited that policy. EU NIS2 does not name vendors, but its supply-chain security obligations mean an essential-service operator has to justify them in a vendor risk review. Most enterprise insurers and CISO questionnaires now ask explicitly about Chinese surveillance vendors.
When should I use face recognition for intercom access?
In private commercial settings with explicit, granular consent and a documented DPIA, it can work. Under the EU AI Act, one-to-one verification that only confirms a claimed identity is outside the high-risk list, but matching faces against a resident database is high-risk, and the templates are GDPR Article 9 data either way; several member states (Germany, France) apply stricter national rules. Always offer a non-biometric fallback (passkey, NFC, PIN).
Cloud, on-prem or hybrid — how do I choose?
Cloud SaaS works for multi-family residential, small office and hospitality — lowest operational burden, fastest time to ship. On-prem is the right answer for hospitals, government, finance and any building under EU NIS2 essential-services scope. Hybrid (cloud control plane, on-prem media) is increasingly the enterprise default.
How do I prove SOC 2 / ISO 27001 readiness to enterprise buyers?
Maintain a public security page, a DPA, an SBOM per firmware release, an immutable audit log accessible to the customer, a vulnerability disclosure programme, and the SOC 2 Type II or ISO 27001 report under NDA. Most enterprise procurements now require at least one of those certifications in the data room.
How long does a Fora Soft secure intercom build typically take?
A security audit + remediation plan ships in 4–6 weeks. A hardening + auth modernisation pass runs 8–14 weeks. A multi-tenant cloud SaaS for a vertical (multi-family, hospitality) takes 5–9 months including SOC 2 readiness. An enterprise / NIS2-grade hybrid platform with on-prem option, HSM and ISO 27001 evidence runs 7–12 months. Our agent-engineering workflow has trimmed all of these by ~25–35 % versus 2024.
What about post-quantum cryptography — do intercoms need it now?
Yes for any device with a 10-year service life. The CRA does not name algorithms, but “state of the art” over a decade means cryptographic agility. Plan for ML-KEM (formerly Kyber) for key exchange and ML-DSA (formerly Dilithium) for signatures, in hybrid mode alongside classical curves at first, and design firmware so the algorithm can be swapped without replacing hardware.
What to read next
Secure video
Secure video communication software for facilities
The wider video-comms patterns that an intercom platform inherits.
Architecture
Video intercom software — integrating video and audio
A deeper look at the multimedia stack underneath any modern intercom.
AI features
AI-powered intercom software systems
Where edge AI fits inside a hardened intercom platform.
Healthcare
Healthcare intercom software benefits
HIPAA-grade considerations when intercom meets clinical workflow.
Case study
Netcam Studio — modernising a video surveillance UI
How we hardened the front-end for one of the longest-running video surveillance products.
Ready to ship a secure intercom platform?
Security in intercom software stopped being a marketing line in 2024. NIS2, the UK PSTI regime, the EU CRA and the supply-chain rules around Hikvision and Dahua now make insecure intercoms a regulatory event, not just a reputational one. The good news is that the engineering pattern is settled: defence in depth across edge, network, cloud and identity, with five non-negotiable controls (DTLS-SRTP, TLS 1.3, signed firmware, FIDO2 admin auth, immutable audit log) and a serious patch SLA.
Buy ButterflyMX, Swiftlane or 2N when you have under ~500 doors and a vanilla use case. Build a custom platform when you serve a regulated vertical, when the audit log has to live in your customer’s SIEM, or when the unit economics tip past ~3,000 doors. Either way, design the security in — do not retrofit it.
Let’s scope your secure intercom project
A 30-minute call covers your deployment scope, compliance footprint and target architecture. You leave with a buy-vs-build recommendation, a threat model and an honest estimate.

