Disclosure: Supervisor security vulnerability

With everything I read from you, I honestly think that Home Assistant is not the right platform for you!

There are certainly enough other projects/applications that we use on a daily basis that also have a security vulnerability that we don’t know about.

We can be glad that the Home Assistant team reacted immediately to the issue and that there is already a patch for it!

In my opinion, there is no point in constantly criticizing the Home Assistant people now. I’m sure there will be details on this as soon as they are worked out.

Until then, just follow the common advice that applies after a vulnerability is made public. There are countless of these on the Internet.

1 Like

If an integration has an authentication failure, it should report that and ask you for new credentials (re-auth). Some integrations might not be able to offer that (as the provider, for example, doesn’t show the difference between a connection failure and a login failure); in those cases the integration can simply be re-added (without removing).

2 Likes

I have never downloaded any backups from HASS (never needed) or even restored. When there was an issue I always rolled back the VM snapshot instead.

Is there some way I can check if these HASS backups have been accessed please?

Could everyone asking about all HA systems compromised get to know that:

  • issue was reported by ethical security researcher
  • there were no exploits available before the supervisor update (and probably still are not)
  • knowledge to exploit this was not trivial and still is not (despite ‘low complexity’ set by HA team)

Stay cool and if you are worried, just rotate your credentials. I do not rotate mine as I was not able to exploit this even with details described, thus it means that my installation was safe anyway.

Thanks to the researcher for being ethical! Keep up the good work.

3 Likes

True. There are several CVEs, and when any of your devices or software contains one… How often do you investigate system integrity at the consumer level? Most of the time you do an update and you’re fine.

I think we can be thankful for the info at all. It is also good, and best practice for such scenarios, that it was fixed first and then announced shortly after. So people who are always up to date are directly protected.

I think in the last months there were good examples of how not to communicate such important things… Yes, I am looking at you, LastPass!

Hello,
just a quick question. If I have Nabu Casa Cloud connection status: Connected but Remote Control turned Off, was I safe?
Thank you.

If you don’t mind, would you share the entity ID for toggling Remote Control on and off? I don’t seem to be able to find it.

  - alias: Nabu Casa Remote UI Enabled Disabled
    id: nabu_casa_remote_ui_enabled_disabled
    mode: queued

    trigger:
      # Person count in zone.home moves away from 2: enable the remote UI
      - platform: state
        entity_id: zone.home
        from: '2'
        id: ENABLED

      # Person count in zone.home returns to 2: disable the remote UI
      - platform: state
        entity_id: zone.home
        to: '2'
        id: DISABLED

    action:
      #=== Connect or disconnect, depending on which trigger fired
      - service: >
          {% if trigger.id == 'ENABLED' %}
            cloud.remote_connect
          {% else %}
            cloud.remote_disconnect
          {% endif %}

5 Likes

wait, I was using

      - service: >
          switch.turn_{{'off' if trigger.id == 'thuis' else 'on'}}
        entity_id: switch.cloud_remote

Never thought of that service.

also, I had some trouble finding the correct trigger, as the number of people in zone.home here does not reflect what we needed. And tbh, I am still not sure, probably will end up with some compromise of both parents being out of the home (or either of them) using a binary based on the group with those persons…

the switch is added by Frenck’s Spook. jeez, have only been trying that for a week or so, and already forgot what entities that provides.

it’s slightly confusing that the binary sensor reflecting the result of those services is called binary_sensor.remote_ui

Yep, I still don’t understand why this hasn’t been changed in config flow. Reconfiguration of hardware is software 101.

Ah, it’s a service. Thank you.

@Mariusthvdb Strangely, I don’t have an entity id of switch.cloud_remote.

yeah, as mentioned above, you need GitHub - frenck/spook: Spook 👻 Not your homie for that

1 Like

I’m not one of ‘those people’ but it is in the docs

:wink:

1 Like

Thanks. I didn’t know those docs existed! I thought I was getting close to being a veteran after two and half years, but I still learn something new every day. :slight_smile:

1 Like

There is no need to play the person or to make it personal.

You created the perception that Frenck was using incorrect terminology when you said:

This was wrong, and I pointed that out, because that is not what the phrase means. You may not understand what was meant, but it wasn’t wrong. If you maybe posed it as a question or made a suggestion, you might’ve received a different response.

This is derogatory. Nobody said or implied anything like this. We all learn things all the time. It is not wrong to clarify the meaning of something, which is what I did.

thanks, you are correct. please stop.

2 Likes

I would like to summarize my impression of the situation right now

  • We know the issue was reported by a “good guy” and not the result of someone who has been attacked and robbed of critical information

  • There is a good chance that no one has known about this issue before and taken advantage of it

  • There is a risk which is not zero that someone in secret has known about it and attacked several of us without us knowing - yet

  • Nabucasa reacted fast with a fix

  • Nabucasa is not disclosing in detail how to exploit the issue. You can find out by looking at the Github checkins but it will take some extra vital days to learn. These are the days people need to upgrade their Home Assistant installations. People may be on vacation and have turned everything off. It is important to hold back on information that gives the evil attackers a head start. Even if it means that the 1% of you that could use the information to scan logs etc will have to wait. It is the right and normal approach. I have been in the security team of the open source projects TWiki and Foswiki and this is the exact plan we also followed.

  • People talking about rejected PRs for 3rd party authentication schemes. That would not have helped. As I understand it, the issue is that there are APIs exposed that do not require authentication at all. So that discussion is important but not relevant for this issue

  • What I am not happy about is that I learned that the xxx.ui.nabu.casa URLs are possible to fish out. Call me dumb. I think most of us had the impression that these long random strings provided some layer of security. On the contrary. You can do one search on the net and have the complete list of all nabu.casa URLs and then just start from an end to see if the installation is vulnerable. I would have liked to know that so I could have taken more care to ensure the remote control switch was set to off

  • I am deeply worried about the fact that I can log into my nabu.casa account and turn the switch on again. I would like to be able to disable this. I can see the convenience of the feature but I’d rather be more safe and miss the feature. This I would like to see Nabu Casa take action on for the April release. Just a simple setting where I can turn this feature off.

  • I know I can just log out of nabu.casa but that also disables the linking to Amazon Alexa and it is the Alexa feature that made me subscribe to Nabucasa in the first place and which makes me want to remain a customer.

tldr; Good work Nabucasa! Sad that the vulnerability is there but we are only humans. Please add the feature to disable remote enabling of the remote control for us that want that extra security

9 Likes

These are reasons why I use mutual TLS auth with certificates for HA, and I suggest doing the same if you want extra security.

as a side search related to all of the above:

do(n’t) we have an entity showing the Cloud connection status inside HA?

or even a toggle for that, I’d love to be able to automate disconnecting that in case of an emergency and hit a kill-switch scenario button

or a service for that matter, cloud.log_out_nabu_casa

There’s a Remote UI binary sensor binary_sensor.remote_ui, but all that does is tell you if it’s connected or not.
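A kill-switch automation along the lines asked for above, as an added example that is not from this thread or from Home Assistant itself. It assumes you created a toggle helper named input_boolean.cloud_remote_lockdown; binary_sensor.remote_ui and cloud.remote_disconnect are the entity and service already discussed in the thread, and it also re-disconnects when the remote UI comes back up while the lockdown is on (for instance after being re-enabled from the Nabu Casa account page).

```yaml
# Added example, not from the thread. Assumes a helper toggle
# input_boolean.cloud_remote_lockdown (Settings > Helpers > Toggle).
- alias: Cloud remote UI lockdown
  id: cloud_remote_ui_lockdown
  mode: single

  trigger:
    # Lockdown switched on: disconnect the remote UI immediately
    - platform: state
      entity_id: input_boolean.cloud_remote_lockdown
      to: 'on'
      id: lockdown_on
    # Remote UI came back up while lockdown is active
    - platform: state
      entity_id: binary_sensor.remote_ui
      to: 'on'
      id: remote_ui_up

  # Only act while the lockdown helper is on
  condition:
    - condition: state
      entity_id: input_boolean.cloud_remote_lockdown
      state: 'on'

  action:
    - service: cloud.remote_disconnect
    # Leave a trace in the UI so an unexpected reconnect is noticed
    - service: persistent_notification.create
      data:
        title: Cloud remote UI disconnected
        message: >
          Trigger: {{ trigger.id }}.
          {% if trigger.id == 'remote_ui_up' %}
          Remote UI was re-enabled outside this automation and
          {% else %}
          Lockdown switched on, remote UI
          {% endif %}
          disconnected at {{ now().strftime('%Y-%m-%d %H:%M:%S') }}.
```

Turning the helper off again restores normal behaviour; nothing reconnects the remote UI automatically.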