yes, but that is for the remote connection, not the cloud login.
see: Disclosure: Supervisor security vulnerability - #146 by Mariusthvdb
Just a food for thought for HA core dev team: maybe it would be worth to run paid security audit of HA?
Not a full one, as if someone has access thereâs too much to break anyway.
Only the âexternalsâ - things that are put up to the internet remotely when someone forwards port to HAâs 8123 default port.
Iâm not fully aware of costs but it would not be a bad thing in the end to end the discussions.
Something similiar to what others try to do (with Truie/VeraCrypt, Signal etc. privacy concerned companies do).
Just to be clear - I do NOT suggest that HA is not safe anymore or anything like that.
It would be just more concentrated, paid and directed attack instead of volunteer ethical hacker who was kind enough to disclose info to team first and not putting the exploit up.
2 Likes
I got the same messages for a long time from my firewalla. Created a security incident for it but got told by Ashton this was proberbly because of a addon. Have never found the reason why my firewall was reporting it. Got Nextcloud addon and transmission at the time with port forwarding. I have disabled portforwarding and only made those avalible via vpn/internal. (Still got Nabu Case for HA access)
This was at 28-06-2022
Yes, I have actually been thinking the same. Although I believe professional pentesting is fairly expensive and it might not uncover anything anyway. Depends on the skill of the company.
It exists. There are even services available for it in Home Assistant for you to automate on them.
I could be wrong, but I think what @KennethLavrsen meant was even if you have disabled Remote Control, be it in the UI itself or via the service, when you then try and connect to your NC URL, it says:
It is possible that you are seeing this screen because your Home Assistant is not currently connected. You can ask it to come online from your Nabu Casa account page.
You login to your NC account and it enables the Remote Control. Whether this is a security issue or not is debateable IMO.
2 Likes
Aah ok, yeah that is currently not an option indeed.
2 Likes
I have remote connection setup via TailScale. If I understand correctly my HA can only by accessed via my devices which have been authenticated with the oauth provider, that I connected to tailscale.
So am I correct in assuming, that the vulnerability does not affect me aslong as noone was able to also get into my TailScale Account (a.k.a my 2FA protected Github-Account) or gain access of my authenticated devices?
Correct, it does not affect you but itâs advised to update anyway
1 Like
Iâm no security expert and worried. I would like to see clear steps how to proceed. Really would not want to do a fresh install.
Recently LastPass had security issues. I read their âbulletsâ and followed their instructions. I felt safe. After this incident, unfortunately, I cannot say the same.
Thinking out of box without technical knowledge on this, wouldât it be possible for HA to have similar approach than LastPass which encrypts all passwords etc that client has stored there? So couldnât HA encrypt the passwords instead of having them plain text? Not being an expert, having them plain text just doesnât feel secure.
Btw. If the backups were password protected, I suppose those are safe? Or does that make any difference if it was possible to access the whole system?
2 Likes
The problem is, if it does, how does it decrypt them?
If it requires you to manually unlock the passwords on startup then you canât restart HA and expect it to work without manual intervention.
If it can decrypt them automatically youâve gained nothing but security theatre. People will feel secure, while having no additional security, and thatâs a Bad Thing
6 Likes
Yeah, I knew that was a stupid question. Just didnât know why 
1 Like
There are no known exploits.
For a 7 year old, low-complexity, no-auth, remotely exploitable vuln in an extremely popula platform that lots of tech workers use and likely link to lots of their other devices & services (and is therefore likely a target of APT researchâŠ), assuming that there are no exploits just because there are no known public exploits is wrong.
My point is that because of the E2EE and decentralized nature of HA&NCC, NC doesnât have much capability to investigate (in aggregate, across the whole NCC fleet) if this has ever been exploited silently.
So, since they canât do it for us, we as users should be given what we need to start looking into our own instances.
ATM itâs impossible for us as a community to start confirming the assumption that there are no exploits for this, because we as users donât have enough information to begin checking our logs for signs that theyâve been compromised.
Iâd also like to get a little clarity on the risk surface via Nabu Casa Cloud⊠Thereâs lots of discussion here about disabling the remote UI, but do we know if that âclosesâ this vuln from being accessible via NCC? What if the Assistant/Alexa/webhook tunnels are left ensbled? None of the announcement or discussion so far seems to actually dig into that.
3 Likes
Given that the vulnerability has been patched as of the most recent update to the Supervisor, Iâd say that all we need to do is confirm whether or not our systems actually have been compromised.
1 Like
You wont find anything nor have the logs. One point: in my opinion low complexity of this is not true at all and shouldnât be set at that level.
If it is - feel free to prove it. 
Itâs already more than 24h after disclose and still no exploits available.
Neither I think 10/10 score will be kept.
ui.nabu.casa is on the public suffix list. It has been for 4 years. Thatâs why the latest ones on a crt.sh search are from March of 2019
I donât think thatâs correct actually and @rantaki3 I donât think it is a stupid question.
AFAIK, I think the normal thing to do and certainly what I have done when writing software that needs password protection (not mission critical security required mind you) is to hash the passwords and store them that way and then you compare the hash of the entered password with the stored one to see if the entered password is correct.
It might be that is what is being done already for HA account passwords, but certainly anything stored in secrets.yaml is in plain text and it would be good to have a way of at least obfuscating these.
Right but home assistant is open source and anyone can read the hash process.
If this was closed source, that would be a different story.
1 Like
Good point. I hadnât thought of that. However, couldnât the hash process could be kept out of the open source code?
Sorry, you are right and I missed this.