First off, if your instance isn't exposed to the internet (remote access is set up) this doesn't pertain to you and the warning can be ignored. I am not sure if this information is exposed when using a proxy or Nabu Casa's Remote UI; I'll try to test and update later.
The problem
During onboarding one is prompted to enter a home name/location.
This information is included in the response your Home Assistant instance gives when a client connects to it, so it is readable by anyone who can reach the instance, whether or not they can log in. One easy way to see this is the search results Shodan collects from exposed instances, which are available to anyone.
If you review those results you will quickly find HA instances where the home address or the owner's surname was used as the home name. Also included in the results is the city with which the IP address is associated.
Using the address (examples I saw had house number and street) or the surname combined with the city, one can pretty easily determine the house associated with this HA instance. I have a very unique surname, and my house number and street name combination is also rather unique in my country. Using either of those bits of information combined with the city shown in the Shodan search (or easily found using the IP address), one could get my exact home location with ease.
The Risk
The risk on this is pretty low in my opinion. Someone would need to be local to you and actively trying to attack Home Assistant users. Home Assistant's default security has gotten a lot better recently by requiring a password by default, so you don't see instances fully exposed to anyone looking.
Should a security vulnerability be discovered in the HA frontend, an attacker could determine your exact location with this information and, if your locks or garage door are controlled through your instance, gain physical access pretty easily. Furthermore, if your security/alarm system is exposed via HA, that could also be disabled.
The Fix
I opened a Pull Request (PR) to add a warning in the docs for any new users.
[Update 9/13/2021] My PR with the warning was closed, as the issue is going to be resolved by no longer displaying this information. Another PR states that “The API endpoint /api/discovery_info now only return blank values. This endpoint is scheduled to be removed in version 2022.1”
For current users, assess the risk yourself and make your own decision.
If you change this information the change takes effect immediately, and the new value is what anyone querying your instance directly will see. For sites like Shodan that cache the information, the old value will remain exposed until the next time you get scanned and the cached record is updated.
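To verify your own instance after changing the home name (or to confirm the blanked-out behaviour mentioned in the update above), the script below fetches /api/discovery_info the way an internet scanner would, with no credentials, and flags a non-blank home name. This is an added example for this post, not Home Assistant project code. It assumes the endpoint answers unauthenticated GET requests and that the home name is returned under a `location_name` key; the two sample responses in the script are constructed for illustration, not captured from a real instance.

```python
"""
Check whether a Home Assistant instance still exposes its home name through
/api/discovery_info.  Added example for this post, not Home Assistant code.

Assumptions (verify against your own instance): the endpoint answers GET
without credentials and returns a JSON object whose home name is under the
key "location_name".  The sample bodies below are constructed, not captured.
"""
import json
import sys
import urllib.request

# The field the post is about: the name/location entered during onboarding.
HOME_NAME_KEY = "location_name"  # assumed key name


def fetch_discovery_info(base_url: str, timeout: float = 5.0) -> dict:
    """GET <base_url>/api/discovery_info with no auth header, exactly as an
    internet scanner would, and return the parsed JSON body."""
    url = base_url.rstrip("/") + "/api/discovery_info"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def exposed_string_fields(info: dict) -> dict:
    """Every non-blank string value in the response.  Review all of them:
    anything here is readable by unauthenticated clients."""
    return {k: v for k, v in info.items()
            if isinstance(v, str) and v.strip()}


def looks_like_street_address(value: str) -> bool:
    """Heuristic: a leading all-digit token followed by at least one word,
    e.g. '742 Evergreen Terrace'.  Cheap, not exhaustive."""
    parts = value.split()
    return len(parts) >= 2 and parts[0].isdigit()


def assess(info: dict) -> list:
    """Human-readable findings.  An empty list means the home name is blank
    or absent, i.e. the post-fix behaviour described in the update."""
    findings = []
    home_name = info.get(HOME_NAME_KEY, "")
    if isinstance(home_name, str) and home_name.strip():
        kind = ("street address" if looks_like_street_address(home_name)
                else "home name")
        findings.append(f"{HOME_NAME_KEY} exposes a {kind}: {home_name!r}")
    return findings


# Constructed sample responses (not captured from a real instance).
SAMPLE_LEAKY = {
    "location_name": "742 Evergreen Terrace",
    "requires_api_password": True,
    "version": "2021.8.8",
}
SAMPLE_FIXED = {
    "location_name": "",
    "requires_api_password": True,
    "version": "2021.9.0",
}


def main(argv):
    """Usage: python discovery_check.py [http://host:8123]
    Without an argument the constructed samples are assessed instead."""
    if len(argv) > 1:
        targets = {argv[1]: fetch_discovery_info(argv[1])}
    else:
        targets = {"sample-leaky": SAMPLE_LEAKY, "sample-fixed": SAMPLE_FIXED}
    for name, info in targets.items():
        print(f"== {name}")
        print("   readable fields:", exposed_string_fields(info))
        for finding in assess(info) or ["no home name exposed"]:
            print("   ", finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against your own base URL (the same one a scanner would hit) rather than from inside your LAN only; a reverse proxy or Remote UI may behave differently, which is the open question noted at the top of the post. The `exposed_string_fields` output is printed so you can eyeball anything beyond the home name that you might not want public.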
Make sure your instance is secure, for tips on securing your instance see the thread linked below.