Disclosure: Supervisor security vulnerability

Uh, it is not the same thing at all… :man_facepalming:

4 Likes

How is an incorrect assumption on your part a scam?

4 Likes

Random URL or not, the moment you connect to your internet provider you get an IP (random most likely also), but that is in the end the “door” into your devices.

Anything that has direct access to the internet without real protection will be found, indexed and cached.
“Browser tool bars, especially ones made by companies that run crawlers, such as Alexa and Netcraft, can report visited URLs back to their parent sites, ready for the bot to come and crawl later”
… just to mention one of your own potential “fault-behavior”
… And I don’t even wanna mention or think about Google, or Microsoft’s “register”
I don’t intend to upset you or make you paranoid, just use common sense, and not “mynabucasa1234secretpassword”. And btw, the moment you open port 80 (or other well-known ports), make sure you have a network monitor to verify the result … NO matter if you just got a new IP number and don’t have any public domain name

We are many with this incorrect assumption.

I am 100% behind bkpath here.

The use of a URL that looks like https://yd748fdl398dmsagljd98djajh34gs23.ui.nabu.casa/ gives the false impression of a very secret URL which you cannot guess even if you have the best super computer in the world. But the fact is that you can issue a command and get a list of all the Nabu Casa customer URLs. You could as well have used URLs like https://6523.ui.nabu.casa/

Many developers and network experts talk down to users as if they are idiots. You cannot expect any normal person to know that a URL that looks like a 32-character hash is publicly available. We are not talking about what my ISP may know, or the CIA may know. We are talking about the fact that anyone can open the browser and 20 seconds later they have a complete list of all Nabu Casa URLs without having done anything illegal and without having any special access.

Scam may be a hard word to use because it indicates ill intention to harm. But I understand why people feel it is a scam because it should have been documented that this URL is not at all kept secret. If I had known - I would have turned off the feature in HA long ago. And I have it off now. Except last week, when I had use for it. And then it was my choice to turn it on for a few days.

I am sure the Nabu Casa guys did not know this fact either to be honest. I do not think it was meant as a scam. I think it was ignorance. I think someone at Nabu Casa found out by reading this thread. And I can forgive ignorance. We cannot all know everything. But don’t tell us that we normal customers - paying customers - should have known this.

3 Likes

I’m sorry, but name resolution is the backbone of the internet. There’s no scam here. It’s just how it works.

I’m sorry if some people got the impression that there’s security through obscurity, but that is not the only option: Picking or generating a large random ID like this is also a step that doesn’t require users to come up with their own input to get a unique URL. It requires no user intervention.

While you can source all the NC URLs, it’s not the same as knowing a specific individual’s URL.

3 Likes

That is correct. But it enables an attacker to try the vulnerability on all Nabu Casa customers. I would think a well-crafted script could do that in minutes. For non-Nabu Casa users with an open port in the router, it will take longer before they find you.

And Parautenbach, as I say, I do not think it is intended as a scam. But I understand why people have that feeling, because of the lack of description of how things work. There should be a note saying these addresses are public and reminding people that they still need to take care with password quality just like if they poked a hole in their router. And in my view a hole in the router is actually safer because you cannot be singled out as one of 1000s. You are 1 of many, many millions of IP addresses.

1 Like

That’s not really accurate though. If someone was trying to target you specifically and they knew your location, unless you are using a VPN then they would not need to try all IP addresses, since of course IP addresses are based on location.

You are about 1000 km off track here (meaning you are wrong in your thoughts/beliefs). Business is global, or at least in this case “local” within country borders — otherwise, country is the most specific you’ll get in most cases
… and I’m speaking of my “landline” fiber connection … My cell phone operator places me in the southern part of the country

If they target me?

Easy. lavrsen.dk

Knock yourself out

What I mean is - when a vulnerability is discovered in a specific software, then it makes a difference if you have to scan the entire Internet to find 10000 users that have it exposed to the Internet versus being able to download a list of the 10000. Eventually they will find you, but it gives most users some days to patch the software and those days or weeks are essential.

2 Likes

Which is why the majority of the world by now knows very well that they always have to look over their security, AND specifically their password “algorithm” :slight_smile: … Windows users, and nowadays ALL people running around with their phone-no-pin-code-ready to answer to blips and pings, … I know, well I guess you don’t run around with a mobile phone with no pin code and full access to your bank, home, insurances etc. etc. … thinking ahhh I always have my phone on me, no one ever gets access to this without me seeing it (I never leave it out of my sight) …

1 Like

While scam might be a bad choice of words, I can’t describe how disappointed I am in this implementation. If they had used a wildcard cert all the URLs would not have been exposed. How can you take security seriously and use an implementation that exposes all clients daily? I only switched to using Nabu Casa because it was supposed to help fund HA. It seems I made a bad assumption about security and should have stuck with my VPN. Now I have a major problem. I have no way to know if my HA was compromised. In the event it was, then there is a possibility that all other network-connected devices on my network have been compromised. So Wi-Fi switches, ESP devices, TVs, and other IOT devices could all now be hooked.
Does anyone have clear instructions on how to export just configuration data from HA in a fashion that can be reviewed and then reloaded in some fashion on a clean HA install? I know I could grab the .yaml files but this doesn’t include configuration for things like my zigbee network. Any additional recommendation for watching my IOT devices for indication of compromise would also be appreciated.
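One place to start when looking for indications of compromise is the instance's own log. The script below is an added example and is not from the thread or from the Home Assistant project: it reviews failed-authentication warnings in `home-assistant.log`, separates sources on your own LAN ranges from external ones, and flags any source that probed the Supervisor proxy paths under `/api/hassio/`. The sample lines are constructed (RFC 5737 documentation addresses) and modelled on the warning HA's `http.ban` component writes; the exact wording of real lines and the LAN ranges are assumptions, so adjust `AUTH_RE` and `LAN_NETWORKS` to your log and network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real logs), modelled on the warnings Home
# Assistant's http.ban component writes when a request carries invalid
# credentials. Assumption: real lines may word this slightly differently.
SAMPLE_LOG = """\
2023-01-15 10:22:33 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5 (203.0.113.5). Requested URL: '/api/hassio/supervisor/info'. (curl/7.88.1)
2023-01-15 10:22:34 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5 (203.0.113.5). Requested URL: '/api/hassio/addons'. (curl/7.88.1)
2023-01-15 11:02:10 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.42 (192.168.1.42). Requested URL: '/api/states'. (Mozilla/5.0)
2023-01-15 11:05:00 INFO (MainThread) [homeassistant.setup] Setup of domain sensor took 0.4 seconds
2023-01-16 02:14:09 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.77 (198.51.100.77). Requested URL: '/auth/login_flow'. (python-requests/2.31.0)
"""

# Assumed "own" networks; anything outside these is treated as external.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \(\S+\) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"invalid authentication from (?P<ip>[0-9a-fA-F:.]+) .*Requested URL: '(?P<url>[^']*)'")


def is_external(ip_str):
    """True when the address is outside every configured LAN range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in LAN_NETWORKS)


def parse_auth_failures(text):
    """One record per failed-auth line: timestamp, source IP, URL and flags."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.search(m["msg"])
        if not a:
            continue
        records.append({
            "ts": m["ts"],
            "ip": a["ip"],
            "url": a["url"],
            "external": is_external(a["ip"]),
            # HA proxies Supervisor API calls under /api/hassio/
            "supervisor_api": a["url"].startswith("/api/hassio/"),
        })
    return records


def summarize_by_ip(records):
    """Aggregate per source IP so repeated probing from one host stands out."""
    summary = defaultdict(lambda: {"attempts": 0, "urls": set(),
                                   "external": False, "supervisor_api": False})
    for r in records:
        s = summary[r["ip"]]
        s["attempts"] += 1
        s["urls"].add(r["url"])
        s["external"] = r["external"]
        s["supervisor_api"] = s["supervisor_api"] or r["supervisor_api"]
    return dict(summary)


def suspicious_sources(summary):
    """External IPs, plus any IP that touched the Supervisor API, most active first."""
    hits = {ip: s for ip, s in summary.items() if s["external"] or s["supervisor_api"]}
    return sorted(hits, key=lambda ip: -hits[ip]["attempts"])


if __name__ == "__main__":
    summary = summarize_by_ip(parse_auth_failures(SAMPLE_LOG))
    for ip in suspicious_sources(summary):
        s = summary[ip]
        print(f"{ip}: {s['attempts']} failed attempt(s), external={s['external']}, "
              f"supervisor_api={s['supervisor_api']}, urls={sorted(s['urls'])}")
```

Run it against your real log by replacing `SAMPLE_LOG` with the file contents. Because the Supervisor issue bypassed authentication, a compromise would not necessarily leave a failed-login warning, so an empty result is not a clean bill of health; it only tells you who was knocking, and external sources probing `/api/hassio/` paths are worth a closer look.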

This Supervisor vulnerability completely bypassed authentication. Your password is irrelevant in this case. You only needed to know the URL.

This vulnerability was absolutely catastrophic. Pretty much the worst case scenario for security. I hope that the appropriate consequences will be taken with respect to how this part of HA is managed and audited in the future. Considering how this vulnerability has gone undiscovered for years and how far reaching the access it granted was. And especially considering the past high horse we-know-better attitude the Supervisor devs displayed towards users and their supposed bad security practices (see the whole pwnd password thing). HA needs to be professionally pen tested. I know this is expensive. But who knows what else lingers below the surface.

That said, the Nabu Casa URL exposure thing is different. That’s how non-wildcard certs work for subdomains, for better or for worse. The random URLs are just security theater. Afaik NC never advertised it as a security feature, but a lot of third party online resources did, adding to the confusion. So it’s perfectly understandable that many people thought it would increase security. You can still pay for an NC subscription as a way to help HA development. But on the technical side, there are much better solutions for secure HA access (VPN, secure tunnels, limiting IP ranges, port knocking, etc).

That was a conscious decision on their part. With a wildcard cert they could intercept all customer traffic, which is problematic. They did not want to go that way. It’s a tradeoff.

2 Likes

Yes, every computer in my house has to be viewed as possibly compromised. Computers used to do online banking, etc. I can barely stand to think about the exposure this vulnerability potentially caused for every nabu casa customer. Errrrrr.

Once again if anyone has a good suggestion on how to approach addressing this security issue (possibly multiple compromised machines) across my home network I’d love to hear some input. I’m thinking I need to segregate my home network now between important machines and IOT/entertainment/HA machines. I’ll probably need to start by reloading any important machine with personal information after I’ve created a new LAN segment to support them. I’ll need to set up two wifi networks, one for each side. Lots of work.
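The segmentation described above can be expressed as a small firewall ruleset on whatever Linux box routes between the two segments. The following is an added example, not from the thread or any project: it keeps a trusted LAN (VLAN 10) and an IoT/HA segment (VLAN 20) apart, lets the trusted side open the HA web UI, and never lets the IoT side initiate connections toward the trusted side. Interface names, subnets, the HA host address and the HA port are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset; interface names and addresses are assumptions.
flush ruleset

define LAN_IF  = "eth0.10"   # trusted: laptops, phones, banking PCs
define IOT_IF  = "eth0.20"   # Home Assistant, ESP devices, TVs, smart switches
define WAN_IF  = "eth1"
define HA_HOST = 10.20.0.10  # assumed address of the HA box on the IoT VLAN

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # router services (DNS, DHCP) reachable from both segments
        iif { $LAN_IF, $IOT_IF } udp dport { 53, 67 } accept
        iif { $LAN_IF, $IOT_IF } tcp dport 53 accept
        # management of the router only from the trusted side
        iif $LAN_IF tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may open the HA web UI on the IoT segment, nothing else there
        iif $LAN_IF oif $IOT_IF ip daddr $HA_HOST tcp dport 8123 accept

        # Both segments may reach the internet
        iif { $LAN_IF, $IOT_IF } oif $WAN_IF accept

        # IoT never initiates toward the trusted LAN; replies are already
        # covered by the established,related rule above. Explicit for clarity.
        iif $IOT_IF oif $LAN_IF drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN_IF masquerade
    }
}
```

Load it with `nft -f` and check the counters with `nft list ruleset` after driving some traffic from each side. HA and its devices sit on the same VLAN, so their local discovery and control traffic does not cross the router at all; only the trusted side's access to the UI does, and that is the single hole you have to justify.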

Nuke it from orbit, it’s the only way to be sure.

4 Likes

These words are pulled directly from the cloud page in the Home Assistant interface.

“Integrations for Home Assistant Cloud allow you to connect with services in the cloud without having to expose your Home Assistant instance publicly on the internet.”

Seems to imply that using nabu casa never exposed your instance publicly on the internet, as nabu casa is an integration.

I guess what’s done is done, I better get busy with the Nukes.

3 Likes

@petro @tom_l

The HA cloud web page states

“Integrations for Home Assistant Cloud allow you to connect with services in the cloud without having to expose your Home Assistant instance publicly on the internet.”

This seems to imply to me that nabu casa doesn’t directly expose my instance publicly on the internet.

1 Like

Where exactly does it say that?

Setting → Home assistant cloud

without having to expose your Home Assistant instance publicly on the internet.

End to end encryption is pretty far from “publicly”, but I see your point. Poor wording.

1 Like

I assume this refers to Alexa and Google (the two integrations provided). Remote access does not need to be enabled in order for those to function.

1 Like