Well this fundamentally dives into the issue of open source software. If I use a 3rd-party API or plugin from say Microsoft that is closed source, I have Microsoft's assurances that that plugin is secure within the realm of their abilities and legal requirements, whatever those may be. In the case of a breach, Microsoft can be held accountable for their insecure code (or at least an attempt can be made to hold them accountable).
Open source software doesn’t have any real chain of accountability, such that yes, I do feel that if you want to create software that is end-to-end secure you do need to look at all code. That includes all third party libraries, at least run through some modern and robust automatic code validation tool for known malicious code. Where this is difficult is in an extremely large codebase; however, HA isn’t one, and even with the libraries that can be used by third parties, the number of lines of code comes nowhere near the size of say an operating system, such as Linux, which absolutely does have to ensure security is maintained for all commits.
I suppose that the major issue I see here is: what is preventing someone from writing a component that does malicious things and that users unknowingly enable? Who’s to say that hasn’t already been done and has yet to be discovered? We simply do not know, because those validation checks are not being performed.
I’m glad you mentioned Linux. You are comparing apples to oranges. Linux is open source and maintained by those that wanted a better, more secure system than Microsoft. Again, it is open sourced for the most part, and the end users report issues and those that know what they are doing make fixes. Linux also doesn’t check every plugin (application) you can install on it. The only plugins that show in their repository are those they have vetted. So Home Assistant can pull all plugins they haven’t personally vetted and only show those they have, leaving everything else as a custom component. Security requirement met. Now closing off the openness of Home Assistant.
You also mention closed source software. How many of the plugins are hacks to open that closed source software? I don’t see Philips coming to Home Assistant and saying “Hey, awesome program, let us make it easier for you to integrate with an official Home Assistant plugin.” Or USPS, UPS, FedEx, etc.
Code review (automated or manual) isn’t all that’s needed. Someone did a bit of a thought experiment on this very issue about npm packages. In that ecosystem, what’s uploaded as a package doesn’t necessarily match what’s put in GitHub. I don’t know if that’s the same as Python, but this means code review isn’t necessarily a mitigation to the risk - you’d need to run it and monitor network traffic, compute etc. on a running instance, and as discussed in that article there are ways to hide that.
There also needs to be some moderation around discussion of all the different attack vectors by doing some threat assessment. HA is still relatively niche, so has a reasonably small user base, it’s not processing payments - it’s just turning people’s heating and lights on and off. You might say well what about burglars - they’re most likely just going to put a brick through your window or climb in the window you left open. I think you’d need to be a high value target to justify being hacked to release your smart locks (which I personally wouldn’t recommend for their own lack of security), and then you’re probably not running HA.
The way I see it, the most likely issue is going to be unsecured HA instances that are being exposed through people’s routers by those who haven’t read the available documentation - and then it’s going to be pranksters/weirdos who think it’s funny to flash your lights and maybe watch your cameras. These are generally low effort attackers. The fastest route to closing that out for ‘noobs’ would be to extend the cloud service to allow remote control (similar to the service that openHAB has/had a couple of years ago).
True, I think the cloud will be the best way for beginners, but Home Assistant Cloud has only been around now 6 months. Only in beta since early March, so three months. With Paulus only starting paid full time development for Home Assistant on April 12 2018, a month and a half.
It is listed right on the installation page before you even think of configuring anything. It goes back to the user going back and securing their system if they want to open it up.
We can’t assume that everybody is knowledgeable enough to read the whole Debian guide and understand it. I haven’t. We also have to be careful not to ostracize the users who had issues with “they should have known better”.
This is by no means Home Assistant’s responsibility.
However, as a community, I feel that it is our responsibility to understand why it happens, to help avoid it.
Go through the getting started guide and place yourself as someone who is using Linux for the first time because he/she wants to have a smart home.
(I’m talking about just setting a password to secure locally)
The problem is that if you use SSL and DuckDNS, Configurator and Terminal WILL NOT CONNECT unless those ports are forwarded. Will not connect on the LAN OR over the internet. A VPN is not going to help my Google Assistant integration. There is no other simple way short of setting up reverse proxies etc. etc. and I don’t see any need to go down that rabbit hole. I have complex usernames and passwords and API key and I don’t believe there is any significant risk in my setup.
My HA APS is also set to auto-ban after 5 wrong passwords and so is Configurator. In fact the Configurator also uses the sesame option to whitelist the IP address, so in addition to cracking that, they need the username and password.
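An added illustration (not code from this thread or from Home Assistant itself) of the auto-ban-plus-whitelist behaviour the post above describes, replayed over constructed log lines written in the style of HA's http component; the threshold of 5, the whitelisted LAN range and the log text are assumptions chosen for the example:

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

THRESHOLD = 5  # the "auto-ban after 5 wrong passwords" setting from the post
# Hypothetical trusted LAN range, standing in for the add-on's IP whitelist.
WHITELIST = [ip_network("192.168.1.0/24")]

# Constructed sample log lines (not real output from anyone's instance).
def _fail_line(ip):
    return ("2018-05-20 10:01:02 WARNING (MainThread) [homeassistant.components.http.ban] "
            f"Login attempt or request with invalid authentication from {ip}")

SAMPLE_LOG = "\n".join(
    [_fail_line("203.0.113.7")] * 5        # reaches the threshold -> banned
    + [_fail_line("198.51.100.9")] * 2     # stays below the threshold
    + [_fail_line("192.168.1.20")] * 6     # whitelisted, never counted
    + ["2018-05-20 10:02:00 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed>"]
)

FAIL_RE = re.compile(r"invalid authentication from (\S+)$")

def is_whitelisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)

def compute_bans(log_text, threshold=THRESHOLD):
    """Replay log lines; return (banned_ips in ban order, failure counts per IP).

    Whitelisted addresses are skipped before counting, and an address that is
    already banned is not counted again, mirroring a fail-then-ban policy."""
    failures = defaultdict(int)
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # unrelated log line
        ip = m.group(1)
        if is_whitelisted(ip) or ip in banned:
            continue
        failures[ip] += 1
        if failures[ip] >= threshold:
            banned.append(ip)
    return banned, dict(failures)

if __name__ == "__main__":
    print(compute_bans(SAMPLE_LOG))
```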
Then something isn’t set up correctly. I use several services in my home network whose GUI is HTTPS. You should never have to port forward for something that you use inside your own network. Port forwarding is for WAN use.
You can use the cloud integration for the Google Assistant stuff, but of course there is the cost for that (later).
I’ve said it many times: I don’t like the current state of how things are done with exposing HA to the net. You should be able to put a random base URL combined with a random username and password. Fortunately the username piece is coming soon.
Key thing here is you clearly have not tried those specific add-ons I mentioned. So try those instead of talking through your hat (using the iFrame inside HA).
And no I am not going down the cloud path for GA. Why should I? I have a perfectly secure system right now just as it is currently set up.