Constant updates, skip option

It actually never was. That one toggle switch in the esphome dashboard add-on is enough to turn the notification for esphome nodes off globally - no automation needed at all. :raised_hands:

Not really, the esphome api has code on both sides - the servers, which are the esphome nodes, and the client, which is the esphome integration in HA core. :bulb:

If you stay on old versions in HA core and on your esphome nodes and improvements or new features are added you can’t use them - or - as a worst case you have regressions. Still it is certainly not necessary to update your nodes with every new release if you read the change log :wink:

Which one toggle are you referring to? The addon update toggle turns off updates to esphome addon. I’d like to be notified when esphome updates, but not notified that every device needs an update.

No, that’s not the same. It’s good to be informed about esphome addon update, the (only) problem i’m talking about is that after esphome update you suddenly get 50+ warnings flood…

I have all esphome update sensors disabled, so when i update esphome addon nothing happens. Skipping updates leads to same problem: when you look which updates are skipped again you get a flood of 50+ entries… Only downside of this is when/if i remove/re-add a node then update sensor is enabled again and it shows a warning at next esphome update. But that’s not really a problem, since it’s only one.

Agreed, totally. I always read changelog before updating anything. Still, it happened before (and i bet will again) that i missed a breaking change and had to work hours to get things in order again…

My oldest node has Firmware: 2022.12.8 (Feb 6 2023) and still running perfectly. So, getting update warning for such nodes is only unneeded ballast. The node is still doing old things perfectly.

If that firmware is from feb 6 2023, and you’re running a bluetooth proxy, you’re missing critical updates.

2 Likes

Yes, i know, there’s been quite a lot done regarding BT proxy lately. I do have three proxy nodes around my house (for my 13 xiaomi thermo/hygro sensors), but, no, this one is only esp8266 in a power outlet. So, one switch and one binary sensor (and a few sensors i always have, like wifi signal, IP, uptime…)

1 Like

You are aware that they are the same? The esphome dashboard updates is the base for the esphome nodes version and they have the exact same release schedule because of that. That will be one major release per month plus bug fix releases. :rocket:

So you should still get each and every update notification for the esphome add-on when turning off the esphome dashboard integration which is in charge to check your esphome nodes against the add-on version (and creating the notifications for each of your out of date node). :bulb:

The esphome dashboard integration :rainbow:

Lucky you it’s not 2021.9 or prior… :joy:

Still, technically not a security bug; you might be safer with a more recent version (like 2023.12.0 or later) :point_down:

Still as mentioned before you might also just lose API improvements on the way which could later lead to weird things requiring debugging from your side.

Some people (including users in this forum) run stone old buggy Tasmota versions like 5 or 6 and are happy with it (because it switches the light :bulb:) - still it contains security vulnerabilities which could be exploited remotely. :boom:

The fine difference between a dumb and a smart switch is that the latter is connected and while feature upgrades are not necessary you should at least install necessary security fixes. :brain::dash:

1 Like

Yeah, well… i’m usually more “wanna the latest and greatest” kinda guy, but esp nodes are an exception. HA, addons, hacs stuff… those i update regularly.
To be honest, most of my esp nodes do have pretty “decent” version, mostly because i’m constantly hacking, messing, improving… with HA and modules… always wanting something more, better…

Regarding “unauthorized OTA update”: hm… all my nodes are local. So, a hacker will have to break into my local network first in order to reach them. And if he/she does, then nodes will be last on the list to worry about…

Note that you should always take precautions with networking, even for devices within your network. If your wifi is using WEP2, which almost everyone is, your password can be obtained in about 12hrs using a RPI or laptop from outside your house. Useful if you’d like to share your neighbour’s wifi…

“WEP2”… do you mean WPA2? I don’t use wep2, i use wpa2. My router does support wpa3, but sadly many wifi devices don’t.
But, let’s say that someone would camp in front of my house with pi. It makes me wonder…why on earth would he/she wanna do that? I don’t have anything worth being stolen, hacked…

Is that a new method you are referring to?
I tried the common methods to test my network security (eg. hashcat against some packet captures) and threw some GPU at it as well but most nontrivial passwords (i.e. non-dictionary complex passwords) couldn’t be cracked within a reasonable time, I found.
I’m inclined to not believe the 12h on a Raspberry Pi figure. But if you happen to have any sources backing that up, that would be interesting to know.

Same here. That would be possible only if using an extremely weak password. Even with significant processing power, a WPA2 password of at least 12 characters and good entropy is not crackable in any feasible time.

The typical way to attack WPA2 is:

  1. Spoof the MAC address of an authenticated device.
  2. Send a deauthentication frame to the AP as coming from that MAC. That’ll force the real device to re-authenticate.
  3. Capture the handshake data.
  4. Rinse and repeat to capture a bunch more handshakes.
  5. Go home and brute force the key at your leisure.

Good luck if the target network has a good password.

WPA3 has management frame protection to prevent deauthentication attacks and many other shenanigans, but it’s not as widely used yet.

Yes, sorry, it relies on people using guessable passwords that appear on one of the many online password lists and brute forced on a much more powerful computer at a later date. :+1:

WEP is luckily long gone and a WEP2 was never released for good reason :warning:

After it became clear that the overall WEP algorithm was deficient (and not just the IV and key sizes) and would require even more fixes, both the WEP2 name and original algorithm were dropped.

No, no one is WEP2 - really! It never was released! :bulb:

Absolutely oversized. An esp32 (typically with battery pack thrown into the bushes :deciduous_tree:) is enough to capture some handshakes (after some forced de-authing) which are then sent later to the clouds to crack it :hammer:

The 12hrs figure given is just imagination without any base or just totally made up. Depending on the pre shared key it can be somewhere from seconds (8 digit weak password from 4.8k most used WPA password list) to somewhere technically not crackable (within an acceptable time frame) complex passphrase :lock:

5 Likes
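Added example, not part of any post in this thread: a defender-side check of why the posts above put crack time anywhere between "seconds" and "not feasible". WPA2-PSK stretches the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), so the outcome is decided by the size of the guess space. The guess rate and the SSID names are assumptions chosen for illustration, not measurements.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 4096           # fixed by the WPA2-PSK key derivation
PRINTABLE_ASCII = 95               # characters 0x20-0x7e allowed in a passphrase
ASSUMED_GUESSES_PER_SECOND = 1e6   # assumption: constructed round figure, not a benchmark
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key the way WPA2-PSK does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases are printable ASCII only")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, dklen=32,
    )


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every passphrase of this shape."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def seconds_for_wordlist(entries: int,
                         rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every entry of a leaked-password list."""
    return entries / rate


if __name__ == "__main__":
    # The SSID is the salt: the same passphrase yields a different key per network.
    print(wpa2_pmk("correct horse battery", "HomeNet").hex())
    print(wpa2_pmk("correct horse battery", "OtherNet").hex())
    for label, n, a in [("8 digits", 8, 10), ("12 printable ASCII", 12, PRINTABLE_ASCII)]:
        print(f"{label}: {entropy_bits(n, a):.1f} bits, "
              f"{years_to_exhaust(n, a):.3g} years to exhaust")
    print(f"4800-entry wordlist: {seconds_for_wordlist(4800):.4f} s")
```

Raising the assumed rate by a factor of a thousand still leaves the 12-character random case at millions of years, while any passphrase that appears on a wordlist falls almost immediately.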

Picking up this thread assuming I understand the original intention - is there a way to flag an ESPhome device to “always skip updates”?

Yes, you can have a device skip updates by setting its update sensor to “disabled”.

Bingo, thank you! Would you mind sharing the YAML snippet for that? I’m having difficulty tracking it down in the docs.

there’s no yaml… go to the update sensor in the UI and disable it.

1 Like

petro is correct. Use the UI and toggle the “Enabled” selector off.

2 Likes

Beautiful. Thank you!

Thank you @petro and @arrows.

A recent ESPHome update to 5.2 broke OTA updates for my Athom presence sensors as the new update is too large. Error returned is:

ERROR Error binary size: Error: ESP does not have enough space
to store OTA file. Please try flashing a minimal firmware (remove everything
except ota)

Two folks mentioned this already at ESPHome’s Github page… links are at the bottom of my post.

Apparently the Athom Presence sensor may have 2MB flash but is only being detected as 1MB. Not sure if that’s true, but if so then changing the board type in the yaml config to a board supporting 2MB or 4MB may work. Or, could try installing a minimal firmware then the update would fit. But I decided not to bother with tweaking it.

I really don’t think these sensors need to update 2-3 times each month (so many ESPHome updates…) so I followed the steps above to disable the update notification. Thank you for the suggestion! :star_struck: