HA security and hacking

Preamble:

First, the obligatory, ‘I’m-about-to-post-something-that-someone-might-take-issue-with-on-a-public-forum’ explanation, that I don’t intend to ruffle anyone’s feathers, except in a way that might provoke positive action

Second, this issue has nothing to do with being a ‘noobie’, not very technical or anything else. It is not about people or their abilities it is about the issue I am talking about.

Thirdly, I know all the arguments about HA being open source and everything that entails (blah, blah, blah).

So,

There are a couple of threads at the moment regarding being hacked and one more that I have seen that talks about accidental exposure of secrets in GitHub.

This frightens me and just to give some context, HA is the first thing I have opened a port on my router for (and yes, I’ve had a router for long enough for that to mean something). I have been tempted in the past but decided the risks weren’t worth the benefit.

I not computer illiterate by any means but I don’t know everything about everything and network security is something I know little about at any detailed level.

Finally then my point is this. If HA is to succeed or even survive as I guess we all hope it will, shouldn’t someone be looking at the security of HA in some detail and acting upon it’s ‘holes’ and weaknesses? There is a page on the HA website which one may or may not see (https://www.home-assistant.io/docs/configuration/securing/) but that is cursory at best and at worst unintelligible for some). Hass.io is touted as the way forward and indeed is quite brilliant in the way it hides much of the underlying technology but even many of these brief security instructions it seems are not relevant to it.

And when it comes to other non-HA specific issues like port forwarding, SSH, SSL, reverse proxies etc. etc. etc. there is little or no guidance. It’s like fitting a lock to someone’s front door and then telling them they have to learn to cut the right key.

If I had come to HA today and looked on the forum I would NOT have installed it as it appears to be fraught with problems when it comes to protecting ourselves on-line.

Imagine if a journalist was writing a feature on home automation now and they had looked at the forums. The negative impact of the very real issues raised recently would have such a long term negative effect that I think HA would struggle to ever shake it off.

Please…. If anyone with any influence is reading this can the focus move away from adding components and even from fixing existing documented bugs, and instead on to securing (as best as is possible) HA for everyone. Idealy out of the box.

I don’t believe HA has a future at all if this isn’t addressed. And that would be a shame.

With the new Google Assistant cloud component you basically don’t have any reason to open ports anymore. I think this is the right direction, making possible to run HA without any exposed port.

Unless someone wants to access their HA instance from outside their network, which a lot of people do enjoy the ability to do. I, for one, need that ability, because Alexa/Home doesn’t support everything yet.

This is a double edged sword.

On the one hand, it is up to the user to understand the security of their network, which doesn’t necessarily mean it is Home Assistant’s responsibility to hold the user’s hand in this regard. It is up to the user to take on the responsibility to maintaining their network security. Sadly, people love to shout how they want their privacy and security, but don’t want to take the time to learn it.

I’m not sure what else Home Assistant as a project could do to warn people about the real dangers, as it should be expected and understood what the dangers of opening up ANY service to the outside world. How does this fall under HA’s responsibility?

That page is now linked from the Getting Started and the top level of the installation guide. There are also some more warnings now.

However, I’m with @flamingm0e on this - like any other software there’s a limit to what the developers can do to avoid people shooting themselves in the foot. That security page can be improved I’m sure - and you can submit edits yourself

Now, as it reads, your post suggests that you believe that Home Assistant is riddled with vulnerabilities. If you’ve got details of those, please do pass them to the developers (contact details can be found on every page of the web site).

Klogg and flamingm0e highlight the two opposing approaches to security

• It should be handled by HA
• It is the responsibility of the user

As someone who is trying to make some sense of it all, it would seem that the solution is somewhere in the middle. HA should do what it reasonably can do to provide security and the user must be aware of what is good practice.

I come to HA from an Electrical Engineering background and am comfortable with building sensor hardware for my house, but I have had to get up to speed on how I can make my setup secure as I want to be able to access it remotely. I have also scoured the forums for help and guidance. My current system is a very simple testbed to allow me to iron out issues before I commit to building a full system.

The result is that my simple system sort of works (DUCKDNS, LETS ENCRYPT) but with some errors and some components that now don’t work (UK Met Office and Yr weather components). I’m also getting my single Sonoff controlled lights coming on for no reason. Not sure if this is a glitch on the Sonoff unit or a hack. I haven’t investigated it yet.

I really like HASSIO, with its add-ons, and I think it will allow me to implement significant amounts of home automation. However, like Klogg I have this background worry that I’m building a system with subtle security flaws in it and that I should just abandon the external access capability, which would be a shame.

I suspect that all the information we need is available, but it is scattered about in forums and Github issue pages.

It would be great to get the view of the HA developers on HA security.

Jim

You probably won’t get that here (the developers almost never come to the forum), however…

Home Assistant’s primary protection mechanisms are:

• It uses aiohttp for the web interface, this is the thing that’s most at risk of introducing a “subtle” vulnerability. If it was an in-house developed interface I’d be concerned, but it isn’t.
• The use of an API password for limiting access. There is now work underway to improve this with a proper authentication layer, but it does exist.
• The use of SSL to encrypt remote connections to stop people sniffing that password.

For what it’s worth, I’ve been running Home Assistant exposed to the Internet for over a year now using this approach. Maybe some of that needs to make it into the official docs?

Are you using your Sonoff with the existing wall switch via GPIO14? If so the following is mandatory

• Solder a 10k resistor between GPIO14 and 3.3v
• capacitor (100-500 pF) between GPIO14 and GND.

This might be what you’re looking for Tor

Haven’t had to go the capacitor route yet, I did have a couple ghost switchers but then a couple that didn’t. But now I just put them on all my Sonoff GPIO14 wall switch/button installs.

We might need to split this Sonoff talk off into its own thread though.

IMG_20180413_1639144048×3036 2.67 MB

It is something really complicated for the developers. But they have the choice of not allowing, and they do.

Not allowing what?

People to do what people do? Aside from warning people, what more do you honestly think the developers should do?

And keep in mind, the developers are volunteers and this is a product of love, not profit.

They could keep the idea that they will only support local network operation.
And you will go somewhere else to learn how to use outside of your network.
I feel it just adds more problems for them to deal.

I’m all ears.

How do you propose the developers lock down this open source software so that you can only use it locally?

It’s not like the software goes and opens the ports for you…

Like not supporting certain things as components. But these days are long gone.
People would complain about not being supported and people will complain when things like these happen.
It’s a loose-loose situation.

Would that not limit Home Assistant massively. This is one area where HA excels.
The main issue is the end user not understanding the risks associated with exposing anything to the internet.
The devs can only warn them, in the end its up to the end user to either accept the risk or not.

Yes, it would limit.
They really need to revise the documentation to help people out.

Like what? What components would you remove support for?

Google Assistant? Alexa?

Those 2 things can be mitigated by using the ‘Cloud’ feature.

What other components require opening ports and exposing their system?

I have been down this road with FreeNAS for years. It amazes me that people want to open up their NAS web GUI to the internet because they want to play with it while they are not at home. They ignore all warnings of security and open it up anyway. They do it with their SAMBA shares and they do it with their admin portal, despite being warned. People will do what they want for convenience. You cannot stop stupid.

I think from a simple ‘noob’ point of view it would be nice if HA was built secure to the point that we shouldn’t be at all worried based on:

1. We have an API password (which should be forced unless only accessing from local network, and even in this case, HA to remain secure to the outside world)
2. We want to access HA from external to our network and therefore follow a straight to the point tutorial for mapping the port in the router to the HA instance.
   HA should be fully secure even with this port forwarded.

My question now (as someone with limited knowledge of network security compared to many on here) now stands at: Is my HA instance at risk if I have both the above items covered?

All this talk about SMB shares being accessible confuses me simply because my understanding was that the SMB share that I have is only being shared to my local network and not becoming available to the rest of the world. I do have a password on my SMB and guest is turned off, but how I am to know that I’m not still at risk. It would be nice to know that HA (from the developers) has this locked up tight for me. That’s the type of assurance the commercial products make us believe we have. I know this is free open source software which I am very appreciative of, however if it is to stand out from the rest I think this needs to be inherent.

I understand that many people have gone to additional lengths with things I know nothing about such as reverse proxies, but these defences shouldn’t be needed for a system like this. It should be secure on its own.

At the moment I hope my HA server is secure…but I really don’t know for sure.

This is impossible. If you want fully secure, keep it off the internet.

Do you have a REALLY good API password? No way for someone to guess/crack it?

Correct. Unless you forward the ports for SMB, it is inaccessible outside of your network.

do a port scan from an external source. Does port 445 show up as open? No? Then it’s not at risk.

Your SMB share actually has nothing to do with Home Assistant itself. It is an addon that YOU enabled and configured to make your life easier.

So really the only way to be secure is by using the cloud service…because lets be serious, we want external access, its how we check on things whilst away etc.

I get that I added it etc, but as you have said above, if I haven’t forwarded a port for SMB then I’m all good, which I haven’t. (no port 445 showing up on Shodan)