It might refer to those, but cloud is also an integration that is part of the default HA configuration.
getting a notification every now and then in this topic, I keep hoping for some NabuCasa contribution here.
We've kept calm for some time, to give the NC team time to take appropriate action, and organize their armors against these kinds of vulnerabilities, but given the ongoing release cycle I would expect this to get some more official response now?
as Alex states above:
This warrants a formal response imho.
My observations over the last five or so years force me to respond with, "good luck waiting for that".
Mine says "hyperbole".
No actual intrusion examples, instant patch.
Not personally perturbed in the slightest.
YMMD.
I don't agree, this was/is a serious matter.
True, and insomuch as it is true, is comforting.
That's fine and I suspect that most have to some extent shrugged and moved on. Especially as we have little or no choice now.
However, be that all as it may, I do think that some kind of reflective announcement should have been forthcoming from the commercial (and responsible) arm of this project.
Yes serious, but not "catastrophic".
Ok, fair enough.
I didn't realise you were responding to a quote within a quote.
Yeah looking back I could have been clearer.
The thing is, you don't know…
And that's reason enough.
I've changed all passwords and tokens exposed to HA before the patch. What exactly is the risk now?
Good question indeed.
That is why I hoped for a response by NC team.
Nabu Casa still has not enabled blocking remote access via Nabu Casa. If an attacker succeeds in breaking the security at Nabu Casa they can enable remote login to our HA instance. I just verified this a day ago. Even if you turn off remote access inside Home Assistant, you can bypass this and turn it on again from the Nabu Casa website.
I have removed all remote access in my own network and I am annoyed that the way to lock this back door is to unsubscribe from Nabu Casa and find an alternative way to set up linking to Alexa, which is the only thing I really use that subscription for. And I am working on that since it seems Nabu Casa does not care.
I have to disagree here. This vulnerability was pretty much the text book example of catastrophic:
- It was relatively easy to pull off
- It required minimal knowledge of the system, no social engineering required
- It gave full administrative access to the system and the local network
- It bypassed all authentication
- It did not leave any logs or any way for a victim to know if they were hit
- It was undetected for years
That's pretty much as bad as it can get. Aside from your PC literally exploding in your face à la Die Hard 4, there's pretty much nothing worse vulnerability-wise.
Now, were there any real-world damages from it? Hard to say, because of points 5 and 6 above. But most likely not. But this is not because the vulnerability wasn't serious. It was purely because HA is not a widespread webservice and not generally well known outside of home automation enthusiasts. If a bug like this was discovered in something like Apache, the damage would be massive.
I think we should not downplay how serious this thing was. The fact that there were no visible damages was pure luck. It certainly warrants a serious introspective look at internal devsec and code quality review practices at NC. This was the most serious (known) vulnerability in the history of HA.
I am also seriously considering my subscription to NC.
I use it only for remote access with the Android app and I have been thinking for many months that I'd rather go via Tailscale which cuts out all middlemen. Only inertia and the fact that NC works so well and so easily have stopped me.
I always intended to continue paying monthly to support the project but I am in two minds now, partly due to the silence on this subject.
Yeah, nothing to do with the fact that it was patched immediately it was made known.
I was forced to use it because NC no longer works through my employer's proxy. It works well.
It was in the code for years. No one knows if someone found it earlier and possibly abused it. There was plenty of time. And there is no way to know, because it doesn't leave any traces. It was probably not abused (at least not massively, we would have heard about that), but only because the amount of people actively looking for flaws like this in HA is way lower than for widely used software like Apache. So it was luck and the relative insignificance of HA that saved us.
Yes, once it was discovered, swift action was taken. That part was handled well. An official conclusion should be posted though. This thing was too serious to just let it fade as if it never existed.
Edit: After the publication of the official report by elttam research (see below), I just can't let this stand that way. This was handled extremely poorly by HA / NabuCasa. It took them over a week to even acknowledge the problem, the security researchers had to push them. The vulnerability was patched poorly and had to be repatched three times. This is not only a textbook example of a catastrophic vulnerability, it is also the textbook example of how something like this should not be handled.
You'd know. That sort of data breach is exchanged for cryptocurrency pretty quickly.
Maybe, maybe not. HA isn't a very high profile target (typically home users, not Fortune 500 company servers or similar), and the install base is rather small. So I guess any attacks would have been either opportunistic / troll-ish in nature or extremely targeted. The latter would be much more dangerous. But I guess if you're at risk for that, you'd probably know and take appropriate steps to protect yourself.
So yeah, I agree that the actual real life consequences are probably insignificant. That doesn't make this vulnerability any less serious. NC needs to make sure their coding practices are reviewed and devs take security as an integral part of the coding process, so that the chances of things like that happening again are significantly reduced.
The backyard door to your HA home was wide open for years. You can only assume that no one knew. But you will never really be sure. Do I care about this for my install? No, not at all, because I never used Supervisor. I never trusted that thing. Others may have assessed their risk and concluded that there was nothing to worry about (I guess you fall into that category). But yet others will feel uneasy about this. And these users need to be taken seriously.
The problem here is: when thinking about "extremely targeted", you don't have to go as high as the CEO or CFO of a company you want to get insights into. Basically anyone working at a "remote work, yes please" company (which are tons since the pandemic) probably has a laptop at home which has a direct VPN connection to the company they work at. I don't think that just anyone who would check those boxes has the mega awareness that a wide-open home-automation tool indirectly might grant access to way more than just the temperature readings inside their fridge for the last 10 days.
I myself am not affected by the Supervisor vulnerability overall (as I don't have a direct exposure of our setup to the outside world), but the longer this thread gets without additional proper communication (except from individual moderators e.g.), the more weirded out I get by HA/NC and how they handle this.