HA and General Internet Security

I just have a question, not all necessarily HA related.

Last night my garage door opened a few times while I was sleeping. Looking at the logs I noticed that my binary sensor I use for tracking was away and home a few times. When that happens it triggers a few switches that tells my garage door to open. My Door is not exposed in HA but I believe it’s possible that somebody was able to remotely control my UI. Either way I’m trying to get a few recommendations on what I can do to best secure my internet.

I’m using a static IP from my isp and I’m thinking I need to start there as far as security goes. I’m looking to the most cost effective way to secure our network and HA.

I think it also wouldn’t be a bad idea to try to implement Duck DNS ( I have tried in the past without success but after this I think it would be a good idea to get this done too)

Any suggestions you guys have I would love to hear it as your all so much smarter then I am when it comes to all of this stuff.

Thanks guys!

Just a quick question. You said your binary sensor that you use as a device tracker went home and away a few times. That triggered your garage to open. I get that, it happens. Especially in the beginning as you’re setting things up, and getting your trackers to be as stable as possible. What makes you think that someone accessed your UI? Not saying it could not or did not happen, but I would start by getting your device tracker/binary sensor squared away. Worry about your physical security 1st while working on your internet security as well. Just my recommendations.

I should have also included that I mainly use Apple Home Kit for most of my controls and strictly for my security controls (Door Locks & Garage doors)

Currently I use a Boolean for each member of my home in home kit. I have home kit turn the switch I if they person comes home and off if that person leaves. In home Assistant the binary sensor changes based on that Boolean.

I also have a Boolean that is in home kit that I have set if anybody in the family comes home the switch turns accordingly. If the switch turns on my garage opens and if it turns off the garage shuts ( thus give us complete automation as the door manufacturer will not allow the door to be controlled without acknowledging either open/close commands. (Kinda defeats the idea if you have to press “ok” before it opens or closes)

A few weeks ago I had this same problem and I also had our tts messages fire randomly and weirdly the MP3s that were set to play played a a much slower speed then it normally should. I am using a pi3 and I know it’s not very powerful but it still caught my attention as it seemed strange. So a few weeks went by and all has been well until last night.

I’m not sure what happened but I don’t think it was my device ghosting out of the “zone” because Apple has always seemed to be accurate with their geofence.

I’m just trying to see what I can do to better secure our internet and HA instance.

There is a way to set conditions on our booleans to not trigger during a certain time correct? Maybe if I set between 11pm and 7am it will at least give me and my wife piece of mind knowing that at least our door won’t open when we’re sleeping.

Thanks for the reply BTW I love all the devs and community here I’m absolutely addicted to HA and I’m trying to learn as much as I can.

I have a very similar setup. I use homekit to turn on and off a Boolean based on when I arrive and leave. Although it is very stable, its not perfect. Also, you can definitely set time conditions on your automations so that they will not run during specific hours.

I want to be clear security is very important and you should make sure to have a secure setup. With that said the odds are much, much higher that your homekit, or iphone did in fact trigger as away, and back home. It happens to most people at one time or another. There are a lot of threads on here about presence. Many people use a combination of multiple presence senors to make it more stable.

I for example use the IOS HA app, I use ASUSWRT (wifi), and Homekit. I group these together into a Bayesian sensor. I use a combination of these sensors in different ways to do different things.

If you know that you will never want your garage door to open between those hours, go ahead and set the condition, but still work on verifying your presence. I mean you could have the issue at 10:58pm, or 7:02am. :slight_smile:

1 Like

There are already guides about security in the docs, and there are a few threads here, I’d read those first and ask specific questions.

Your problem of the garage door sounds like a problem with presence detection. It’s pretty easy to extend the presence detection (I group network, bluetooth and app based tracking), or add logic to require certain things.

1 Like

This doesn’t make sense, if automations are able to control your garage door it’s exposed in HA, it’s as simple as that.

DuckDNS doesn’t offer any level of security.

As @Tinkerer wrote, do some reading there is a lot(!) of information about security in the docs and on this forum. If you have door locks and your garage door exposed to the internet without any level of security you probably have a much bigger problem as random MP3’s being played.

My garage door is not directly exposed, I use HomeKit to trigger the Boolean switches that opens the garage door. The automation is strictly accomplished with the iOS home app.

I understand that in a way it is exposed. Because of the Boolean coming from HA.

I have read the documents I try to absorb as much as I can. I have been playing around with my Pi since December and I have t been able to grasp everything that I have tried in the past. There’s a steep learning curve and to be honest not every document is clear on what to do with certain components. I do have some security in place I’m not a idiot.

I basically was just looking for suggestions on how I can secure my setup better and have a bit of a background on my setup and tried to explain why I wanted to do so.

I know there’s very smart helpful people that are willing to share their ideas and examples so I can learn more and better ways to do what I’m trying to accomplish. I in no way blame the platform for security flaws because that is up to us to secure our homes.

Like I said looking for guidance from people who know more then I do is all I was after.

1 Like

Like was mentioned above, DuckDNS does absolutely nothing for security. All it does is allows you to type a domain name into your browser to access HA instead of typing your external IP address. As a side event it also provides an automatic means of keeping the domain name current with your external IP address if it changes.

the next thing people usually think of is using SSL certs (letsencrypt, etc.). While they do provide an additional bit if security the effect is pretty minor. All it does is prevent someone from easily listening in on your internet traffic when you are on a public wifi/internet system by encrypting the traffic between your mobile device and your home router.

Either of those two things won’t protect you AT ALL if someone gains access to your open port and can manage to break your password.

You should AT LEAST make sure you have a strong password (or better yet, use the new auth protocol which requires a user name AND a password) along with enabling the IP_ban and setting the threshold fairly low (3-5). That will prevent a casual attacker from trying to brute force hack your password and then gain entry to your house.

The next level up is using a VPN of some sort. I just recently started using PiVPN and it was fairly easy to get implemented. All you need is a spare Pi to run it on. And it’s free… It requires only one open port that you choose to be open on your router and even if someone finds your open port they can’t connect to your VPN because they need an encrypted key file to connect. There is one down side to that set up that I just came to realize - unless you open access to the front end thru your router at your HA port then some external services that require access to the API won’t work. I actually just started working on a way to hack around that limitation but I haven’t got it done yet.

There are other options for heightened security in the docs but I don’t have any experience with them at all so I can’t really comment on them. I’m definitely not a tech security expert. :smile:

The ultimate goal is to have the fewest number of open ports on your router and if you have have open ports then protect them with the highest security level you can and still maintain functionality.

And don’t feel bad that there is any confusion on this. The docs aren’t very forthright in emphasizing the importance of it and a lot of people (including me until just recently) don’t really fully grasp the issues associated with it.

I hope this helps…

Use a reverse proxy like Caddy or Nginx to do this pretty easily.

I use Duckdns, LetsEncrypt and Caddy which gives me only 1 exposed port and it’s not a low port number - as Tinkerer says, hiding the door does a lot to deter passing hacking attempts. I also use strong passwords for everything but I don’t use a VPN as that blocking external access via Google Assistant just defeats the whole purpose for me. It’s an acceptable level of risk for me.

I agree (and I said as much above) but a reverse proxy doesn’t do anything for security if they do find your open port. It’s still just completely & simply relying on a password to protect you.

Having a common open port is like putting the keys to your house in a locked box on the side of the road for everyone to see and only protecting the lock with a password.

Using Letsencrypt is like using your password to open that lock box but hiding it from all the other people standing around watching you that are also trying to figure out how to open it.

Using a high port reverse proxy is like hiding the lock box under the door mat (which a lot of people know is commonly done). It’s better but the keys are still only protected by a password if someone happens to find the lock box and has ill intent.

Every person has to implement whatever level of risk they are comfortable with but it is paramount that you go into those decisions with as much info as possible so you can make the best informed decision as possible.

As an aside you can use the HA cloud to access Google Assistant, can’t you?

It costs a little but it goes to a good cause and prevents having an open port. I’ve started using it for my echo devices and it’s working great so far. And as of now it’s still free! :grinning:

You can but it’s not worth paying $5/month for me.

Good luck finding my open port, domain, username and password and cracking it in 5 attempts though. Have at it.

No reason to get offended.

I’m just putting the info out there since it seems as a lot of people don’t even think about things like this. or in those terms.

I’m sure your set up is perfectly safe enough for your needs. And likely the needs of the biggest majority of users on here.

Extra information is never a bad thing tho.

1 Like

No offence taken.

Problem I see is people like to make this SO complicated that most people either do nothing because it’s too hard/confusing or they get scared into not exposing their HA to the Internet at all.

1 Like

I think setting up the PiVPN has pretty much been the most straight forward thing I’ve done in relation to HA. Especially with the support of a great guide from @Robbrad.

It was even easier than the initial HA set up. Not to mention trying to wrap my head around Docker, NGINX & Letsencrypt. :crazy_face:

And I think it’s probably the biggest thing I’ve done to help protect my HA.

If it becomes too limiting and stops meeting my needs I’ll revisit it and decide what to do then.

1 Like

I’m not sure if you can run that (PiVPN) if you’re running HassOS?
In any case, I want external access for Google Assistant so it’s too limiting for my use.

Any information and any discussion is great. Without it I wouldn’t even know where to look next. I appreciate the information and I have to secure my stuff better. I do want to be able to access my stuff from outside of my home network. I had my isp give me a static ip for that reason.

I stuck it onto a spare RPi I had laying around so the HA OS is irrelevant.

But I can understand your concern for GA. I figured $5 a month wasn’t too big of an issue for the extra security.

You can still access your HA from outside your network using a VPN. Actually that’s the exact reason that you would need it in the first place.

im thinking a vpn is probably the way to go, now its finding the right one.

Like I was saying above, PiVPN is super easy. At least for me. and it’s free.

I would recommend running it on a separate Pi than your HA tho. So the cost would be the cost of another Pi unless you have one laying around.

http://www.pivpn.io/

they have a few links to some off site tutorials. I think I used the first one along with the guide I mentioned above for a great in depth walkthrough.