Hmm I reverse proxy through cloudflare then again through my synology… I think I’m pretty secure!
1 Like
This is a terrible argument.
I can’t build an entire car from scratch myself either, but I still expect the brakes to work correctly on the one someone else built for me, and I have the right to be “unhappy” about it if they don’t.
2 Likes
Nothing is perfect… especially software!! … 
They patched and resolved it in a reasonable time after it was disclosed. That’s how it works. If security firms find a vulnerability they have to report it to the software maker before making it public and the software maker has, I believe 90 days to patch the security vulnerability until they can go public with said security vulnerability. It was fixed in a very reasonable time table and is no longer an issue outside the issue with other potential integrations where the Integration maker is in charge of the security and authentication. What do you want them to do about that? Just take those integrations away and remove them and go back to the integration maker and tell them to redo the security? People would be way more mad if their integrations stopped working then the number of people who even heard of this issue.
Security firms often go looking for issues that haven’t even been exploited in the wild. In fact, there is no data suggesting this type of attack was ever even used in the wild which is the case with many security vulnerabilities that are found. Are you mad at Google, Apple or Microsoft because I would speculate you are using one of the 3 and guess what, they all have security flaws in them. Some known, others not. Heck, there was a security flaw in bash for over 20 years before a security research team found it. There is zero evidence that it was ever exploited before it was patched and existed for 20+ years in something used WAY more than home assistant by business and home users.
Most baf actors want to go after businesses because that’s where the money is. Your normal consumer is low hanging fruit as far as they are considered so unless you click on every email that shows up in your inbox you are fine. In all honesty every piece of software you use probably has a security flaws in it. It may not be known but it’s there which is why security research teams exist. It’s there job and I would speculate that over 90 percent of security flaws they find have never been used ior exploited in the wild.
It’s easier to send out a million spam emails to businesses, hope one person who works at a company with terrible IT security opens it so they can slowly infect sensitive data and encrypt it will malware then sit around and try to come up with new security flaws, especially for niche software like home assistant. Apple didn’t even have antivirus software until they became more popular because everyone used Windows so that’s what was targeted.
Most bad actors aren’t even smart enough to do that anyways. They are smart enough to take something really complicated that someone else has made easy to use and learn to use that without truly understanding how it works. They are called script kiddies and it’s easier to use existing known security flaws or more likely, mostly done through email. Point is most bad actors aren’t the ones that discover known security flaws. They count on human stupidity WAY more because it’s easier to exploit which is why the elderly are way more likely to get infected or fall for scammers.
While security flaws are important to fix once discovered, there are existing security flaws in Android, iOS, Windows and every flavor of Linux out there but finding them and exploiting them takes a very, very smart person and those people can make a lot of money working as a security specialist. So if you are going to freak out about this then you might as well throw out your smartphones, get rid of your computers and cancel your internet all together.
Show me one piece of evidence on how this security flaw was used because you can’t. There are probably other security flaws in Home Assistant but finding and exploiting them is something else entirely and any bad actor smart enough to do so isn’t targeting home automation software because there is way more money finding security flaws in something billions of people use like a smart phone OS.
The research – considered the most extensive of its type to date – found that only 4,183 security flaws from the total of 76,000 vulnerabilities discovered between 2009 and 2018 had been exploited in the wild.
6 Likes