The best approach in situations like this is to assume you were compromised and change your passwords.
Sure, but it would also be really helpful to know if there's other mitigation steps I need to take. If someone was able to get my Amazon credentials via the Alexa Media Player integration, for example, then I definitely want to be sure to do a much more thorough audit of my Amazon account than just changing the password.
First, thanks for addressing these issues and improving the security of our systems!
Second, can you elaborate what level of access an attacker would need to exploit this? For instance, do they require local network access, or could it be exploited from the external network to a home-assistant instance that has an https external interface that is open on the firewall?
Thanks,
Benjamin
It sounds like you know what you do. See the blog post: you just need to search for a directory traversal attack, which is enough information to search in the logs. I guess you missed that part above.
If there was no route from the outside to inside, then the outside attacker couldn't exploit it I guess… but an insider could. That said, the vulnerability itself stays the same from that perspective.
It is your call to decide how to act upon this. Our advice stays the same: if you had any of these custom integrations, update your credentials.
If your instance was reachable by the attacker over the internet and you had one of the mentioned components installed, you were vulnerable.
Add-ons and integrations are not the same things.
The custom integrations affected are listed in the blog post.
I did see that part, but I also don't know the specifics of various web attacks. I did some Google research, and I think from what I've found that most directory traversal attacks have "/../" in the path, so I grepped for "/\.\./".
And I did already start the process of changing my passwords; I'm not trying to avoid that. However, I don't know for sure that changing my Amazon password forcibly logs my account out from everywhere. Amazon doesn't provide a way to view information about when and from where my account has been logged into, and doesn't notify me when my account is logged into. So if I had any concrete evidence of stolen credentials, I would start the fun process of actually contacting them to be thorough.
Is there any evidence to suggest this exploit was used in the wild?
That is answered in the blog post:
Hello, I created an Amazon Alexa Smart Home Skill a while back. I have "proactive events" set up where the client_id and client_secret are in my config. I do not see where I can reset the client_secret anywhere. Elsewhere in the guide, I followed it exactly and so am not using long-lived access tokens. I am wondering if this client_id and client_secret are sensitive? If I am thinking about it correctly, there is no risk, as someone would need to link the skill using their Amazon account first.
Really well handled guys.
Thanks for getting on top of this so quickly and the great communication.
Sorry, totally missed that, must have scrolled slightly too far. Will re-read in case I missed anything and ask another stupid question.
Rofl, don't be so hard on yourself!
Better to ask once too many.
Very well handled, kudos!
One suggestion, and maybe someone from the community can step up and provide this, but it would be great to see a full path we might look for to discover abuse of this vulnerability among the various integrations. Grep'ing proxy logs for "/../../" is a decent start, but the path of the vulnerable webview (if that's a thing) would be very helpful as well.
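The two posts above describe grepping access or proxy logs for "/../". The script below is an added example written for this thread, not code from the Home Assistant project or from any poster. It assumes logs in Common Log Format (the request line in quotes) and uses constructed sample lines with made-up integration paths; the point it adds to a plain grep is that the request path is URL-decoded (including double-encoding) and backslashes are folded before looking for a literal ".." segment, so encoded traversal attempts such as "%2e%2e%2f" are not missed, while filenames that merely contain two dots are not flagged.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; hosts, paths and
# integration names are invented for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:10:00:01 +0000] "GET /integration-a/static/../../config.yaml HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2021:10:00:02 +0000] "GET /integration-b/%2e%2e%2f%2e%2e%2fsecret-file.txt HTTP/1.1" 200 812
203.0.113.5 - - [10/Jan/2021:10:00:03 +0000] "GET /integration-c/%252e%252e%252fconfig.yaml HTTP/1.1" 404 0
198.51.100.7 - - [10/Jan/2021:10:00:04 +0000] "GET /lovelace/0 HTTP/1.1" 200 3301
198.51.100.7 - - [10/Jan/2021:10:00:05 +0000] "GET /static/icons/favicon..png HTTP/1.1" 200 3301
"""

# Extracts method and path from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(raw: str) -> str:
    """Drop the query string, URL-decode until stable (catches %2e%2e%2f and
    double-encoded %252e%252e%252f), and fold backslashes to forward slashes."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # bounded: three rounds covers realistic double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True only if some path segment is exactly '..' after normalization,
    so 'favicon..png' is not a hit but '/a/%2e%2e/b' is."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def find_traversal(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, client address, normalized path) for each request
    whose path contains a '..' segment."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse; skip it
        if is_traversal(m.group("path")):
            client = line.split(" ", 1)[0]
            hits.append((lineno, client, normalize_path(m.group("path"))))
    return hits


if __name__ == "__main__":
    for lineno, client, path in find_traversal(SAMPLE_LOG):
        print(f"line {lineno}: {client} requested {path}")
```

Run it against your own log by reading the file into find_traversal; a hit only tells you a traversal attempt was made, so the next step is checking the response status and size on that line to see whether anything was actually served.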
We don't know all affected custom integrations. There could be more, and all are different. It would give you a false sense of security to assume it's only those on the list or that there is one known attack vector. If you use custom integrations, update your system and change your secrets. The issue in HACS, as an example, was around for over 2 years until someone found it.
That confirms my opinion to access HA only from the local network and VPN.
I am all about responsible disclosures and believe this was done in a responsible way. Where I struggle with all of this is the belief that the core team needs to do a little soul searching in terms of how integrations fit into the bigger picture.
I've seen integration developers shot down for PRs based on deprecated methods/changes… but very often, those developers are unsure of how to implement those changes to their component, and then it goes stale. I get that pre-V1, things may have been changing quickly… and that people are volunteers. But good people are scared away from trying to add more integrations and feel disenfranchised by the lack of collaboration on the PR requests for new integrations.
On another note, why I run HACS and custom integrations is because there are items that have been sitting for months in the dev queue / new integrations queue, and aren't progressing. Take a look at this integration: PR opened 9/5/2020, and it still hasn't been assigned a reviewer. https://github.com/home-assistant/core/pull/39695#issuecomment-708424107
What I'm trying to say is: to lighten the load, more people need to be involved. More people will be involved if they are supported along the way. (I hope this comes off as supportive… I'm trying to write it that way but not sure exactly how it will translate.)
Was the chap who spotted and reported the exploit a HA user? Just wanted to say thanks.