Anyone know how the Green was hacked?

Not much information

No, the point is Nabu Casa should get 90 days to fix it before they explain what they did.

1 Like

It will be interesting to see the details. Just remember there’s a big difference between hacking a device you have in your lab, and one you’ve found installed (properly) in the wild. As yet we don’t know where on this spectrum the hack occurred.

Either way, I’m glad there are white hats out there doing this important work.

2 Likes

What I’m interested in short term: is it Home Assistant Green specific, or more of a general HA problem? Details we will know in 90 days.

3 Likes

It appears to be HA OS specific. A little more detail (not much) in this Reddit post: https://www.reddit.com/r/homeassistant/comments/1oczwnt/home_assistant_exploits/?share_id=J3w2L7EtHNDcxtrrebnJG

2 Likes

Definitely HAOS, and maybe affects Docker installs.

A lot of SSRF talk so somehow they accessed HA resources by bypassing login?

From the X posts:

a three bug chain with a container escape for unauth RCE on the host OS

and

including an SSRF and a command injection

and

arbitrary file write and cleartext transmission of sensitive data

I only have conjectures about the sequence, or whether these were different or the same vulns.

At this point I assume the HAOS would have to be exposed externally.

1 Like

Sorry, but it’s currently a weird question, because you are not going to get an answer…
Quoting the text…

After the zero-day flaws are exploited during Pwn2Own events, vendors are given 90 days to release security updates before Trend Micro’s Zero Day Initiative publicly discloses them.

And HA is not going to say anything until after whatever it is is patched.
I have a friend that does this white hat hacker stuff for a living; he won’t even tell me, whatever it is, until after it’s patched.

1 Like

Why is this posted in the “Social” category? Why is there no “Security” category?
Some time ago, I asked here about precautions in the development process to detect and prevent supply chain attacks.

The responses showed different attitudes: some weren’t aware of potential threats, others used whataboutism to downplay the issue, and some simply found security topics annoying.

Transparency matters here. Not in the sense of publishing the 34 zero-days before they’re fixed. That would be irresponsible. What I mean: this Pwn2Own incident should have been announced immediately in the forum, in a dedicated security category.

Transparency means documented security processes in build management that are actually practiced and enforced. It means having people who are responsible for security in the development process. Without this, we’re vulnerable to highly automated attacks that already use AI.

We shouldn’t wait for a major incident to happen. What concrete steps can the community and Nabu Casa take? A security category in the forum would be a start. What about a public security roadmap or regular security updates?

If an announcement is made it will be in the Blog category. That is where official posts are made.

If it is serious enough there may even be a forum-wide banner.

Let the devs investigate.

2 Likes