Firewall esphome for keypad in physically insecure location

I’d like to set up a keypad entry system that disarms a burglar alarm and unlocks an electric strike and zwave deadbolt, for both a shed and an outside gate that I have.

So far I have something that basically works as far as functionality. What I’m using is a Storm 720TFX matrix keypad (ordered on ebay) and a tri-color LED mounted onto a waterproof enclosure box. I’m powering everything using an outdoor extension cord, where I cut off the female end and attached the wires to a 700mA 5V AC/DC converter I got on Amazon. (The converter was tiny compared to the power cables, but I got right-angle pluggable screw terminal blocks, filed down the pins to fit the converter, and was able to solder them into the converter, so I can just screw down the extension cord wires.) I used a cheap piezo electric buzzer to make beep sounds when keys are pressed or a disarm is successful. I used a panel mount for the LED, which I coated in MG chemicals “water clear epoxy” to waterproof it. (The latter was not a great experience, because I had to get a gas mask and then wait 3 days for the epoxy to dry. I’m wondering if PUR outdoor rated hot glue would be a better solution for waterproofing, or would love to hear other suggestions, though that’s a different topic.)

So while I believe I’ve solved the functionality part of the project, unfortunately, the result doesn’t match my security model, because anyone who physically opens my box can take out the ESP32, download the firmware, and then learn both a WiFi password and, more importantly, an esphome API key. Obviously I do not store the door code on the ESP device; I just have the esp32 call a homeassistant service with whatever code the user entered, and if the first 4 digits are correct, homeassistant can forward the remaining six digits to my allegedly tamper-resistant alarm panel. Unfortunately, using the API key, you can call arbitrary services in homeassistant, including disabling other alarm zones and unlocking doors to my main house.

To create a network firewall, I can just use a dedicated WiFi network that connects to a VLAN, and give my homeassistant machine access to that VLAN with iptables rules blocking most ports. However, I also need to prevent the device from calling arbitrary services in homeassistant. Note I’m willing to tolerate the risk of someone who gets the firmware in an undetected way skimming the code or eavesdropping on network communications containing the correct code, but I don’t want them to be able to access anything other than the gate or shed for which they’ve compromised the esp32.

Is there any way to firewall an esp32 device within homeassistant, to prevent it from calling services? Or does anyone have another suggestion? Another thing I was thinking of is using two esp32s. There could be one outside that controls the buzzer, LED, and keypad, but isn’t on the network. Then it could use RS232 to connect to an esp32 inside the shed or gate that is on the WiFi and communicates to homeassistant. I’d feel okay about this for the shed, but not sure it would work for the gate, because I’d still worry about someone being able to get physical access to the esp32 inside the gate.

Thanks for any suggestions or ideas.

Seems way overkill since I can’t see anyone doing anything remotely this complicated unless you’re a very high-profile individual, but I also dig it. :slight_smile:

But also interested if this is possible.

My understanding is the OTA password is what they’d need, but it’s unique to each device. I’m wondering if an alternative but physical option would just be to put some tamper resistant device (thinking something simple like the tamper resistant tape, etc.). Then check it regularly and if you ever notice it tampered with, assume the ESP has been compromised and delete said device from HA, change your OTA password and reflash?

Well I may not be high profile, but apparently I have enough of a profile that google thinks state actors are routinely trying to compromise my account. More importantly, when I’m done, I might want to write a blog post about this project or something, so I have to assume everyone knows how the system works and other people might want to do the same thing (in which case the attacker could amortize the cost of devising an attack over multiple break-ins). There’s also just the embarrassment factor that it would be bad PR for someone to break into my house by compromising a security system of my own devising.

Higher level, all off-the-shelf keypad systems I’ve found seem to be terrible, so I’d like to create something that works and would be good for most people.

I don’t care as much about the OTA password because as I said, I’m willing to accept the risk of my PIN being skimmed or my device reflashed. Plus exactly as you say, I can place a battery-powered alarm sensor inside the box and know when someone has gotten in. Most weather-resistant enclosures require you to open the front of the case to access the screw holes for the back. So I’m planning to put an IQ SHOCK-S sensor in the box that will trip the alarm if someone opens the box or physically rattles it by ripping it off the wall or drilling/cutting through it.

However, if I’m halfway around the world or on an airplane when this happens, I do not want someone who destroys the box to be able to disarm the alarm or get access to the rest of my house, which between the alarmdotcom integration, electric strikes, and ZWave deadbolts is easy once you can call homeassistant services. So I need some kind of firewall that lets homeassistant send beeps, set the color of the LED, and receive codes that have been entered without allowing the esp32 device to do anything else to homeassistant other than sending code_entered events (or whatever I decide to call it).
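One way to get the "send-only" device the poster is asking for, written as an added example rather than code from this thread or from the ESPHome/Home Assistant projects: the keypad firmware never uses the `homeassistant.service` or `homeassistant.event` actions and defines no `services:` block, so the only thing it can do over the native API is publish sensor state. The entered code goes out on a template text sensor, and a Home Assistant automation on the other side does the 4-digit prefix check and is hard-wired to act on the gate entities only, so the policy lives on the trusted side. Everything named here is an assumption for the example: the device name `gate-keypad`, the text sensor `entered_code` (which becomes `sensor.gate_keypad_entered_code` in HA), the entities `alarm_control_panel.gate_zone` and `lock.gate_deadbolt`, the GPIO pins and 4x3 key layout, and the `1234` prefix placeholder.

```yaml
# --- ESPHome configuration for the outdoor keypad (added example) ---
esphome:
  name: gate-keypad          # assumed device name

esp32:
  board: esp32dev

wifi:
  ssid: !secret keypad_wifi_ssid          # dedicated keypad SSID on its own VLAN
  password: !secret keypad_wifi_password

api:
  encryption:
    key: !secret gate_keypad_api_key      # unique per device; rotate it if the box is opened
  # Deliberately no `services:` block, and no homeassistant.service /
  # homeassistant.event actions anywhere in this file: the device can only
  # publish entity state, it cannot ask HA to do anything.

matrix_keypad:
  id: keypad
  rows:                      # pins and 4x3 layout are placeholders, adjust to the wiring
    - pin: GPIO21
    - pin: GPIO19
    - pin: GPIO18
    - pin: GPIO5
  columns:
    - pin: GPIO17
    - pin: GPIO16
    - pin: GPIO4
  keys: "123456789*0#"

key_collector:
  - id: pin_reader
    source_id: keypad
    min_length: 10           # 4-digit prefix + 6-digit panel code
    max_length: 10
    allowed_keys: "0123456789"
    end_keys: "#"
    end_key_required: true
    clear_keys: "*"
    timeout: 10s
    on_result:
      then:
        # Publish the full string; HA decides what (if anything) it unlocks.
        - text_sensor.template.publish:
            id: entered_code
            state: !lambda 'return x;'
        # Blank the sensor again so entering the same code twice is two state
        # changes in HA rather than one.
        - delay: 1s
        - text_sensor.template.publish:
            id: entered_code
            state: ""

text_sensor:
  - platform: template
    id: entered_code
    name: "Entered Code"     # -> sensor.gate_keypad_entered_code in HA
    update_interval: never

# --- Home Assistant side (automations.yaml), added example ---
- alias: "Gate keypad: check prefix, act on the gate only"
  mode: single
  trigger:
    - platform: state
      entity_id: sensor.gate_keypad_entered_code
  condition:
    # Ignore the blanking transition and anything not exactly 10 digits,
    # then require the 4-digit prefix (placeholder value 1234).
    - condition: template
      value_template: >-
        {{ trigger.to_state.state | length == 10
           and trigger.to_state.state[:4] == '1234' }}
  action:
    # Targets are fixed here, not taken from the device, so a compromised
    # keypad cannot steer this automation at any other zone or door.
    - service: alarm_control_panel.alarm_disarm
      target:
        entity_id: alarm_control_panel.gate_zone
      data:
        code: "{{ trigger.to_state.state[4:] }}"
    - service: lock.unlock
      target:
        entity_id: lock.gate_deadbolt
```

With this layout, someone holding the device's API key can still read the device's entities and push bogus code strings at the sensor (the skimming and brute-force exposure the poster says they accept, and a reason to add a failed-attempt lockout on the HA side), but there is no path from that key to `alarm_control_panel` or `lock` services for anything other than what this one automation touches. As a second layer, recent Home Assistant versions have a per-device option in the ESPHome integration settings ("Allow the device to perform Home Assistant actions"); leaving it off for the keypad means the native API rejects service and event calls from that device even if someone later adds them to the firmware. Note that the entered code briefly appears in the sensor's state history in HA, so keep the recorder from storing that entity if that bothers you.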