@frenck To mitigate such issues in the first place, support for client certificates would be awesome. The only reason holding this back is the lack of support in the Android app. Is something like that being planned? Similar technology is used by the DavX5 app (also open-source), which might be a good example of how to implement something like this.
This would mean that only trusted devices, having such a client certificate would have access to the HA instance.
The server instance would not require direct support, as the validation and check of the certificate can be achieved via a web server like nginx or Apache in front of it.
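As an added example (not from the post or the Home Assistant project), an nginx server block that enforces client-certificate validation in front of a Home Assistant instance; the hostname, certificate paths and the upstream port (8123, Home Assistant's default) are assumptions for illustration.

```nginx
# Added example: nginx terminates TLS and refuses any connection that does not
# present a client certificate signed by the trusted device CA, so only
# enrolled devices ever reach Home Assistant.
server {
    listen 443 ssl;
    server_name ha.example.com;                    # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt; # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key; # assumed path

    # CA that issued the client certificates handed out to trusted devices
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # assumed path
    ssl_verify_client on;   # handshake fails without a valid client certificate
    ssl_verify_depth 2;

    # A lost or retired device is blocked by revoking its certificate
    # ssl_crl /etc/nginx/tls/client-ca.crl;

    location / {
        # Defensive check in addition to ssl_verify_client
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://127.0.0.1:8123;          # assumed Home Assistant upstream
        proxy_http_version 1.1;
        # The Home Assistant frontend uses WebSockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Home Assistant also needs to be told to trust the proxy (`use_x_forwarded_for: true` and `trusted_proxies:` under `http:` in `configuration.yaml`) so that logged client addresses are the real ones rather than 127.0.0.1.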
I must admit I’m pretty disappointed; the community has been asking for Open letter for improving Home Assistant's Authentication system (OIDC, SSO) - #40 by pjcarly for a long time. This would allow people to put solutions like an OAuth proxy in front of HA, completely sealing it off from anonymous access, but the maintainers don’t want to deal with it. They’d rather rely on their own auth provider implementation, which is, in my opinion, not the way forward, as it opens doors to issues like this.
Yes and no. There can always be vulnerabilities without anyone knowing until someone finds out. If you look up Windows vulnerabilities, you get a whole list of issues that lived longer than 9 years. Some vulnerabilities are not so much about checking whether someone is logged on or not. Some vulnerabilities go way deeper… I would say look up Meltdown & Spectre https://meltdownattack.com/.
So yeah, always be sceptical and stay up-to-date with the latest version.
There is not much to talk about technically: if you have one of the listed installation types, you have been vulnerable, as described in the “about the issue” section as well.
That should have been the case, the vulnerability discovered managed to access it nevertheless.
Sorry to hear you feel that way, but that is the honest answer: We don’t know.
Home Assistant is something you self-host; we have no insight into anyone’s system, so we honestly don’t know.
There is none. Even if there was, this issue has been around since 2017 (as also written in the post). Unless you have recorded every single request made against your instance and kept records of those since then, you wouldn’t be able to tell. Even then… it would be guessing.
Yes. This has been answered above a couple of times as well. Home Assistant Cloud is end-to-end encrypted, meaning even Nabu Casa can’t do anything to stop bad vectors from going through (as all they see is encrypted data… #privacy).
Just want to chime in that it’s possible (if one trusts Cloudflare and Google OAuth) to get the best of both worlds: exposing minimal APIs to the internet (e.g. the Google Assistant integration) while requiring additional authentication for all others.
Set up Cloudflare Zero Trust (with the identity provider of your choice) and add an exclusion for the APIs you want to expose.
Thanks to the Home Assistant team for the disclosure and auto-update of a serious security issue!