Avoid Adding Personal Information in your Location/Home Name

First off, if your instance isn’t exposed to the internet (remote access is set up) this doesn’t pertain to you and the warning can be ignored. I am not sure if this information is exposed when using a proxy or Nabu Casa’s Remote UI; I’ll try to test and update later.

The problem

During onboarding one is prompted to enter a home name/location.

This information is exposed in the response given when connecting to your Home Assistant instance. One easy-to-show example is the searches performed by Shodan, which are available to anyone.


If you review the searches you will quickly find some HA instances with the home address or the surname included. Also included in the results is the city with which the IP address is associated.

Using the address (the examples I saw had house number and street) or the surname, combined with the city, one can pretty easily determine the house associated with this HA instance. I have a very unique surname, and my house number and street name combination is also rather unique in my country. Using either of those bits of information combined with the city shown in the Shodan search (or easily found using the IP address), one could get my exact home location with ease.

The Risk

The risk on this is pretty low in my opinion. Someone would need to be local to you and actively trying to attack Home Assistant users. Home Assistant’s default security has gotten a lot better recently by requiring a password by default, so you don’t see instances fully exposed to anyone looking.

Should a security vulnerability be discovered in the HA frontend, one could determine your exact location with this information and, if your locks or garage door are included in your instance, gain access pretty easily. Furthermore, if your security/alarm system is exposed via HA, that could also be disabled.

The Fix

I opened a Pull Request (PR) to add a warning in the docs for any new users.

[Update 9/13/2021] My PR with the warning was closed as the issue is going to be resolved through no longer displaying this information. Another PR cites that, “The API endpoint /api/discovery_info now only return blank values. This endpoint is scheduled to be removed in version 2022.1”

For current users, assess the risk yourself and make your own decision.

If you change this information it should be updated immediately and won’t show in searches through the common tools. For sites like Shodan that cache the information, it will remain exposed until the next time you get scanned and the information is updated.

Make sure your instance is secure, for tips on securing your instance see the thread linked below.

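The post above says the home name is exposed in the unauthenticated /api/discovery_info response. Below is an added example (not code from the original post or from the Home Assistant project) of a small audit script that pulls that endpoint from your own instance and flags what an anonymous scanner would learn. It assumes the response fields as I recall them (`location_name`, `base_url`, `requires_api_password`, `version`); the street-address heuristic and the sample responses are constructed for illustration.

```python
"""Audit what an anonymous client learns from Home Assistant's /api/discovery_info.

Added example, not part of the original thread or of Home Assistant itself.
Assumed response fields: base_url, location_name, requires_api_password, version.
"""
import json
import re
import sys
from urllib.request import Request, urlopen

# Heuristic (assumption): a house number followed by a street-like word,
# e.g. "1600Pennsylvania" or "221B Baker Street". It does not catch surnames,
# so review the exposed name yourself even when this does not fire.
ADDRESS_RE = re.compile(r"^\s*\d{1,6}\s*[A-Za-z]?\s*[A-Za-z]{3,}", re.ASCII)

# Constructed sample bodies: one leaky pre-fix instance, one post-fix instance.
SAMPLE_LEAKY = json.dumps({
    "base_url": "http://192.168.1.10:8123",
    "location_name": "1600Pennsylvania",
    "requires_api_password": False,
    "version": "0.105.0",
})
SAMPLE_FIXED = json.dumps({
    "base_url": "",
    "location_name": "",
    "requires_api_password": True,
    "version": "2021.9.0",
})


def audit_discovery_info(body: str) -> list:
    """Return a list of findings (strings) for one discovery_info JSON body.

    An empty list means nothing identifying or weak was exposed.
    """
    data = json.loads(body)
    findings = []

    name = (data.get("location_name") or "").strip()
    if name:
        findings.append(f"location_name is exposed: {name!r}")
        if ADDRESS_RE.match(name):
            findings.append("location_name looks like a street address")

    # Older instances could run without an API password; scanners saw that too.
    if data.get("requires_api_password") is False:
        findings.append("requires_api_password is false: API is unauthenticated")

    base_url = (data.get("base_url") or "").strip()
    if base_url:
        findings.append(f"base_url leaks internal addressing: {base_url}")

    return findings


def fetch_discovery_info(instance_url: str, timeout: float = 5.0) -> str:
    """Fetch /api/discovery_info from your own instance with no credentials."""
    req = Request(
        instance_url.rstrip("/") + "/api/discovery_info",
        headers={"Accept": "application/json"},
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python audit_discovery.py https://your-instance.example:8123
    # With no argument the constructed samples are audited instead.
    if len(sys.argv) > 1:
        bodies = {"live": fetch_discovery_info(sys.argv[1])}
    else:
        bodies = {"leaky sample": SAMPLE_LEAKY, "fixed sample": SAMPLE_FIXED}
    for label, body in bodies.items():
        result = audit_discovery_info(body)
        print(f"{label}: {'clean' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

Run it against your own instance only; if it reports a street-address-looking name, rename the home in Settings and re-run, remembering that Shodan will keep the old value until it rescans you.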

I agree. There should be a warning, but I don’t think a lot of people will write their whole address in there.
Talking about Shodan: people make bigger mistakes, for example exposing their Tasmota devices to internet. Took me two minutes to find those:


Balcony lights or irrigation (Bewaesserung) are one thing, but the other day I found a garage door opener. This can get dangerous quite fast.

If someone’s address was 1600 Pennsylvania Avenue NW, Washington, DC 20500; I saw at least two instances of Location: 1600Pennsylvania as the entry in the first couple of pages of results. That combined with the city and state being shown as “Washington, DC” via the IP address really narrows it down.

Absolutely crazy. It has been a while since I ran Tasmota; doesn’t it have some sort of password protection? Or is it not a default?

I wonder if these are intentional exposures and people don’t realize the risk or they are being inadvertently exposed.


Yes it has, but it is not the default. You have to set a password.

I don’t think they are.
But I don’t have an idea what is happening here; sometimes it looks like a whole machine with all its IPs is forwarded/exposed to the internet, not just one or two ports.

MyBalanceNow Wrote:

Thanks for the response, really helpful, and I am thankful for it.

I put an update in ‘The Fix’ section, but it looks like this issue should go away over time regardless of whether people change the info presented.

[Update 9/13/2021] My PR with the warning was closed as the issue is going to be resolved through no longer displaying this information. Another PR cites that, “The API endpoint /api/discovery_info now only return blank values. This endpoint is scheduled to be removed in version 2022.1”
