The problem here is: when thinking about “extremely targeted”, you don’t have to go as high as to the CEO or CFO of a company you want to get insights into. Basically anyone working at a “remote work, yes please” company (which are tons since the pandemic) probably has a laptop at home which has a direct VPN connection to the company they work at. I don’t think that just anyone who would check those boxes has the mega awareness, that a wide-open homeautomation tool indirectly might grant access to way more than just the temperature readings inside their fridge for the last 10 days.
I myself am not affected by the supervisor vulnerability overall (as I dont have a direct exposure of our setup to the outside world), but the longer this thread gets without additional proper communication (except from individual moderators e.g.), the more weirded out I get by HA/NC and how they handle this.
Do you use it as an ‘always on’ VPN or turn it on and off as you need it?
If always on, I’m assuming you must have an Exit Node? Is that your HA or another node?
(I know it’s off topic here, feel free to move, take to DM or simply to answer and hope I have no further questions )
My solution for the foreseeable future is an automation: If the state of binary_sensor.remote_ui turns on the service cloud.remote_disconnect is called.
That is brilliant. I tested it and I can occationally get to a login prompt but then from there it fails. Seems to block logging in this way. Not the way we should have to do it but …
In case some wants a working automation, here is the yaml
Exactly. My purpose of Nabucasa is mainly Alexa and Google Home. I remote connect with Wireguard. With Wireguard my iPad and iPhone as well as my laptop seemlessly connect via Wireguard when the IP address is 192.168… and otherwise connect directly to any other IP. This way everything I need on the road is available with one single solution which I trust 1000 times more than anything HA.
yeah, but let me get this straight (I dont use Wireguard, so unsure just yet after reading the docs and watching Frencks vid), for that to work I would need:
to use an intermediary external DuckDns (or any other) address again
install and setup the 3d party Wireguard app on All of the devices I want t allow HA to be used on
install the add-on and create profiles for all of those devices
create configs on those devices (family members, so, well you know…)
add a port forward on the router
anything I forgot
I can see how that might be safer, but it certainly is not easier, and the phrase ‘out-of-the-box’ is something of the past in that scenario. And when getting this complex, security scenarios tend to get ignored.
Not even talking about the ordinary http/https issues we see when trying voice assistants, local or cloud. Is solutio this all transparent for that, or do we need to add stuff like, mentioned in the #beta on Discord just yesterday:
a valid cert (let’s encrypt) and either split dns (to resolve to local IPs) or hairpin nat (and port forwarding via your public IP) would do it
Still feel it would be way better if HA offered the security we’d need… and report back to us what they changed and how to go forward.
First, I use Wireguard installed on a different machine than HA.
apt install wireguard (any debian derived distro)
Rest is education. Find an up to date guide and follow that
You need either a dyndns or fixed IP. Since I host a webserver, I always had fixed IP and my own domain name. So for me it is apt install and open one single udp port in router.
On IOS devices you install an app and scan a QR code that you create in a terminal.
Not as easy as the Nabucasa remote access. Not at all. But in my view much more secure. It is a matter of who you trust. With 2000 open bugs and many of them being closed by a bot or declared as feature requests and closed, my trust level of HA is very low. I have high regards of the people behind Wireguard.
Instead of Wireguard You could use ZeroTier One or Taiscale. These are both close to 'out-of-the-box solutions.
petro uses Zero Tier One, tom_I uses tailscale. What better recommendation do you need?
I have finally got around to using Tailscale full time now too if that helps (I was using it only for my laptop when travelling).
The only downside for me is that both of these solutions require some setup on every device that wants to use your ‘network’ (that is not entirely true for Tailscale if you use the subnet feature I don’t think, but I don’t yet so can’t comment) and Tailscale does not make it all that easy to add a new user as ZeroTier does, unless you have your own domain. Which is a shame and might be the reason I move Zero One.
Honestly, if you haven’t already, give them both a look. The Tailscale website even has (what looks like) very fair and objective comparisons of many of the various vpn options available.
I am now carefully considering my NC subscription. Frankly much as I love the project and what they have done, their silence on this issue and intransigence on some others makes me wonder where their motivations lie now.
I use it for a separate software. It’s limited btw, won’t work with Amazon or Google home, etc. you basically need to have ZeroTier on all devices that plan to talk to each other.
Today, Elttam, the security research company that discovered this vulnerability, released a comprehensive blog post providing detailed information about it.
What a shame Nabu Casa didn’t report this before Floo posted in the forum.
And, I’m no expert in these things but most of the final section, “CVE-2023-27482: AUTHENTICATION BYPASS IN HOME ASSISTANT” doesn’t seem to shine HA or Nabu Casa in a particularly good light.
Sadly, neither does it fill me with a great deal of confidence.
The timeline doesn’t look too clever either:
17/02/2023 - We begin researching the Home Assistant Supervisor Integration and discover the vulnerability
Excellent read. Brutal too. Basically this confirms our worst predictions. This vulnerability gave an attacker full root access to the system with remote code execution. An attacker could literally do anything to your system, including the install of a permanent backdoor without leaving any traces for you to detect and had full access to your internal LAN:
The finding resided in the Supervisor integration which allowed for a remote unauthenticated attacker to achieve Remote Code Execution (RCE) on the target Home Assistant instance, and consequently, full access to control all smart home devices, stored data and credentials, and also internal access to the home network.
Furthermore, an attacker may achieve remote code execution as root on the host system by installing and configuring the SSH & Web Terminal Add-on.
The way NabuCasa reacted and ultimately resolved this issue was not smooth at all and very unprofessional. That’s not a good sign. This reinforces my opinion I mentioned earlier in that I really hope this catastrophic vulnerability will make the devs reevaluate their devsec processes in the future.
And about the likeliness of this being found earlier by a possible malicious party, consider this part of the timeline:
17/02/2023 - We begin researching the Home Assistant Supervisor Integration and discover the vulnerability
It took them 3 days from not even knowing what Home Assistant was to finding an RCE vulnerability and filing a full report about it. Three days. This vulnerability was in the code for years. Food for thought.
Here is a technical description and proof of concept code to reproduce the vulnerability yourself:
Why did the communication stop?
Why were you totally silent about the issue at the April release party?
And in the May release party?
Just silence.
It is still not possible to block enabling remote access as a Nabu Casa customer.
And who can trust Nabu Casa now?
Noone notice a secret posting on Github. Noone gets email notified about it. We have been exposed to this issue far into March. This is a scandal.
I can’t really speak for the developers, but I know enough personally about programming to know that it is possible for a change made in an update to a bit of code to unintentionally undo a previous change that fixed a major security issue. I also know enough to understand that if you don’t have a good background in cybersecurity, you probably can’t properly explain to the people that use your software what the consequences of an issue like this are and would rather have someone with that degree of knowledge do it instead.
)
(I was using it only for my laptop when travelling).