HA Security. Consensus?

Over the last few weeks I have learnt a lot about network security thanks to the people on this forum but I am still a long, long way from being anything close to an expert. I do believe however that I am a quite average/typical hassio user so on that basis I think it would be useful to get a consensus view on some fundamental security configuration.

It is a shame you cannot set up a poll on this forum because I would like to start off by asking one simple question:

  • Using hassio with DuckDNS and LetsEncrypt but ignoring any other add-ons or IoT devices for now, would you consider one open port on the router, 8123 or (preferably?) something else and a strong HA password is sufficient security?

And cheekily, I’d also ask, is this a view based on knowledge or gut instinct?

There are obviously lots more questions, issues and ideas and I don’t want to trivialise the subject by distilling it all down to this one question but this seems to me to be a good starting point.

But if you think I am being too naïve please be nice about it.

1 Like

I’d say yes, if you have only one open port with ssl and strong password it is sufficient security

The way to hack it would be brute force and I doubt anyone will even try it

1 Like

With IPban enabled to prevent a brute force attack and a domain name that does not include “home assistant” yeah you’re well enough protected. Based on enough knowledge to be dangerous (i.e. a little).

1 Like
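The IP ban the reply above relies on is a simple idea: count failed logins per source address and refuse that address once it crosses a threshold. The following is an added illustration written for this thread, not Home Assistant's own implementation; the threshold, window, ban length, password and the attacker/owner scenario are all assumptions.

```python
"""Per-source-IP failed-login lockout (added example, not Home Assistant code).

Assumptions: 5 failures within 60 s bans the address for 15 minutes; the
sample password and the two IP addresses below are constructed for the demo.
"""
import hmac
import ipaddress
import time

FAIL_THRESHOLD = 5          # failed attempts before a ban (assumed value)
WINDOW_SECONDS = 60         # failures are only counted inside this window
BAN_SECONDS = 15 * 60       # how long a ban lasts (assumed value)


class LoginGate:
    def __init__(self, password, clock=time.monotonic):
        self._password = password.encode()
        self._clock = clock          # injectable so the scenario below is deterministic
        self._failures = {}          # ip -> list of failure timestamps
        self._bans = {}              # ip -> timestamp at which the ban expires

    def is_banned(self, ip):
        expiry = self._bans.get(ip)
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._bans[ip]       # ban has expired, forget it
            return False
        return True

    def attempt(self, ip, password):
        """Return 'banned', 'ok' or 'denied' for one login attempt."""
        ipaddress.ip_address(ip)     # reject garbage before touching any state
        if self.is_banned(ip):
            return "banned"          # a correct password does not lift a ban
        # Constant-time comparison: a wrong guess takes the same time whether
        # or not its first characters happen to match.
        if hmac.compare_digest(self._password, password.encode()):
            self._failures.pop(ip, None)
            return "ok"
        now = self._clock()
        recent = [t for t in self._failures.get(ip, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= FAIL_THRESHOLD:
            self._bans[ip] = now + BAN_SECONDS
            del self._failures[ip]
            return "banned"
        return "denied"


def simulate_attack():
    """Constructed scenario: 203.0.113.7 sprays guesses one second apart,
    the owner logs in from 198.51.100.2, then the ban window expires."""
    clock_value = [0.0]
    gate = LoginGate("correct horse battery staple", clock=lambda: clock_value[0])
    results = []
    guesses = ["password", "123456", "hassio", "letmein", "admin",
               "correct horse battery staple"]     # 6th guess is right but too late
    for guess in guesses:
        results.append(gate.attempt("203.0.113.7", guess))
        clock_value[0] += 1
    owner = gate.attempt("198.51.100.2", "correct horse battery staple")
    clock_value[0] += BAN_SECONDS                    # wait out the ban
    after_ban = gate.attempt("203.0.113.7", "correct horse battery staple")
    return results, owner, after_ban


if __name__ == "__main__":
    print(simulate_attack())
```

The check is keyed on the address the server actually talked to. If a reverse proxy sits in front, every failed attempt arrives from the proxy's address, so a lockout like this either bans the proxy for everyone or has to be taught which forwarded header to trust; that is a configuration detail worth verifying before relying on it.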

Let’s be honest.

Even in the brute-force password worst-case scenario, someone turns ON my lights and TV in the middle of the night.

1 Like

Or unlocks your house while you’re out and goes in with no security to deal with. Not everybody only has lights setup.

3 Likes

I’m going to say no it isn’t sufficient.

I don’t know what webserver is actually being used, but if it’s something that Paulus wrote himself, or with a small group, I have no idea how secure it is.

Security of the network can be boiled down to the following three things (probably more, but these are the ones I’m concerned about)

  1. Transportation security (this is handled by LetsEncrypt and the SSL certs)
  2. The server providing the service (what is providing the webservice in this case, the python aiohttp server)
  3. The service being provided (home assistant in this case)

It isn’t just what the attackers can do to your home automation, or turning things on and off. It’s what else is on your network (at my house, we have too many computers, tablets, phones, etc) and what is stored on there that could be lost.

I’m not aware of any security analysis that has been done on aiohttp or on homeassistant (and I don’t have access to the security team at work this weekend) but I’m not prepared to risk everything on them.

I would (and at some point will) setup a reverse proxy using nginx, or some other well examined and tested code.

(As for my credentials, I’m the Application Maintenance Manager at work, have taken several app security/app hacking courses over the years, and have considered switching to the security team. But, this advice is worth exactly what you paid for it :slight_smile: I am aware of enough security issues that I know to be afraid about what I don’t know)

5 Likes

Misconfigured web server is as bad as poor application security.

It is possible someone may exploit HA in some magical way to run actual code on the server, but where’s the money? This is a risk no matter what you put in front of it. You are equally likely to open a photo from Facebook that exploits your phone or PC and pulls passwords.

My point is, assuming no KNOWN exploit, a password and a single port are OK for what they are protecting. It’s not likely they’re going around homes checking if you have HA so they can unlock the door. Less likely they know how. Less likely still that, if they knew how, they would break into a home for items of unknown cash value that must be sold for a pittance of profit. Unless they simply hate you and do it as revenge.

Use only what you understand and feel comfortable with. And do basic security at the start (good password, update firmware and such, and read the docs of the software you use to understand the config settings).

Maybe later you add a webserver in front with 2FA or tied certs for access. But take the time to, again, read the docs and understand your webserver config. Don’t just DO some instructions you find online and copy-paste their config after making a small change to the IP address.

Use security you are comfortable with and that will be enough. Understand more and your security will improve.

This is a really dangerous sentence

If you (this is generic, not aimed at you @tmjpugh) don’t understand security, you really shouldn’t be doing it. It is so much easier to do it wrong, than right. But it all comes down to your personal risk acceptance

1 Like

Correct, the statement by itself is.

I believe in continuous improvement. This means your security should improve as your knowledge improves.

I worry more about those who do security by “I followed a guide by some random person that said run some code and I’m secure”

So now you’re assuming that the fella that is hacking my network is sitting outside my house? That seems very highly unlikely given the collective IQ of the people in my area…

3 Likes

I would consider 1 port forwarded (high random port number) and a strong API password to be sufficient along with SSL. I achieve this by using Caddy so I only have 1 port exposed but still retain all the functionality I need/want.

I guess this highly depends on where you live. Here in Germany there regularly are groups of professional burglars travelling through the whole country. And these days a lot of the homes with higher value goods worth stealing are obviously protected by alarm systems. Still these guys manage to break in. That’s their job. So you can bet they have some technical expertise as well.

Well, you’re forgetting one key aspect.

All the stars have to align and they have to have knowledge of many things, like the fact that you have home assistant, they need to then crack into your server to get access…and they have to know where you live.

Basically, they would have to hack every home assistant instance they find, look for one that is near them (if you have home zone set up) and then they have to go through the trouble of gaining physical access after disabling your alarm system.

You know what thieves prefer to do?

Smash n grab.

And in most cases, any security is worthless if you don’t closely monitor it. The average homeowner doesn’t have the time or training to implement a well engineered security plan and to monitor that plan. Every router in the world (which includes yours) is scanned thousands of times per day looking for open ports.

Not here. Here thieves put on overalls and fake IDs of local utility companies, ring the bell and ask if they can check up on the energy meter because there have been some issues. Especially elderly people don’t suspect anything and let those thieves in. So that’s the social engineering route.
Regarding (wireless) shutter contacts they carry RF jammers. Doesn’t matter if it’s Home Assistant or whatever. If the signal that the door has opened doesn’t get through, the door can be bypassed without triggering an alarm.
I partly agree that a hack is rather unlikely. But the guys around here do observe potential targets for longer periods of time. They would actually be a pretty reliable way of presence detection since they have an eye on when somebody is at home. ^^

Anyways, if I did my living by stealing, I’d also have a look at homes that are exposed to the web. Those homes half way across the globe of course aren’t relevant. But if I plan on travelling through europe and stealing as much as I can, I’d definitely do my research beforehand and have a look at those homes that I could access while scraping the internet while doing research.

Or to sum it up: (successful) criminals often are much more intelligent than the majority would expect.

So they don’t use home assistant or technology at all. So basically your home assistant is safe in this case.

So it doesn’t matter if you have home assistant.

The problem with this approach is that you have to know WHERE to look. How do you know that house across the street has anything exposed to the internet? How do you find that house on the internet?

All I’m saying is that you’re more likely to be eaten by a shark than have a thief hack your network to get into your house.

And all I’m saying is that you shouldn’t underestimate the enthusiasm and capabilities of people who steal by profession.

So I think we’re done with the OT discussion now. :wink:

The problem for me was not that it wasn’t secure, but rather this installation is for a vacation home where I may need to add/remove access for guests. A single api_password wasn’t going to work.

I ended up using an NGINX proxy behind a cloudflare proxy. Cloudflare handles multiple user accounts and also much better security.

I have Facebook/google as an identity provider, ssl encryption with a 15 year key, ssl client verification so that I can verify that any incoming requests are truly from cloudflare. Lastly I deny any requests that aren’t coming from cloudflare ips.

Someone should really add instructions on how to use a cloudflare proxy

What I would like to be able to do on the hass.io front end is set up an “allowed subnet” similar to the hass.io configurator add on. If you aren’t on the list of subnets, hass.io says NO and doesn’t even reveal that it is infact Home Assistant. Same concept as a firewall. And then you can allow subnets in by exception.

Apart from that, opening a port and setting a strong HA password should be sufficient, provided there are no known exploits for HA.

The next level of security would be having your Home Automation ecosystem on a separate LAN/WiFi away from all your “trusted” devices, e.g your laptop. This will protect your trusted assets from a compromised HA.
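Two of the replies above describe the same control from different ends: accept only requests whose source is a known proxy (the Cloudflare setup a few posts up) or a known subnet (the “allowed subnet” idea in this post), and drop everything else without revealing what is listening. The following is an added example written for this thread, not Home Assistant’s, nginx’s or Cloudflare’s code; the subnet and proxy ranges, the header handling and the sample requests are all assumptions.

```python
"""Source-IP gate with a trusted-proxy allowlist (added example, not project code).

Assumptions: the home LAN and one VPN range are the allowed subnets, a single
documentation range stands in for the proxy provider's published addresses,
and the proxy appends the real client address to X-Forwarded-For.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets allowed to reach the service directly (assumed: home LAN plus a VPN range)
ALLOWED_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]
# Reverse proxies whose forwarded header is believed (assumed example range; a real
# deployment loads the provider's published list and keeps it current)
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]


@dataclass
class Request:
    peer_ip: str                     # the TCP peer the server actually accepted
    forwarded_for: Optional[str]     # X-Forwarded-For header, if any


def in_any(ip, networks):
    return any(ip in net for net in networks)


def rightmost_forwarded(header):
    """The address a trusted proxy appended is the rightmost entry; anything to
    its left was supplied by whoever connected to the proxy and is untrusted."""
    if not header:
        return None
    try:
        return ipaddress.ip_address(header.split(",")[-1].strip())
    except ValueError:
        return None


def decide(req):
    """Return (verdict, client_ip): verdict is 'allow' or 'drop'.

    'drop' means close the connection with no response at all, so a scanner
    never learns that a Home Assistant instance is behind the port."""
    peer = ipaddress.ip_address(req.peer_ip)
    if in_any(peer, TRUSTED_PROXIES):
        client = rightmost_forwarded(req.forwarded_for)
        if client is None:
            return ("drop", None)    # a proxy that does not say who the client is
        return ("allow", str(client))
    if in_any(peer, ALLOWED_SUBNETS):
        return ("allow", str(peer))
    # Unknown source: X-Forwarded-For is deliberately ignored here, because
    # anyone can put a LAN address in that header on a direct connection.
    return ("drop", None)


# Constructed sample traffic for the demo
SAMPLE_REQUESTS = [
    Request("192.168.1.20", None),                        # phone on the home Wi-Fi
    Request("203.0.113.9", "198.51.100.77"),              # remote user via the trusted proxy
    Request("203.0.113.9", "1.2.3.4, 198.51.100.77"),     # client tried to prepend a fake hop
    Request("198.51.100.77", "192.168.1.20"),             # direct scan with a spoofed header
    Request("203.0.113.9", None),                         # proxy range but no client header
]


def run_samples():
    return [decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(req.peer_ip, req.forwarded_for, "->", verdict)
```

The fourth sample is the case that bites people who only look at the forwarded header: a scanner connecting straight to the forwarded port can claim any client address it likes, so the header is only meaningful when the TCP peer itself is on the proxy list. The client address returned for allowed requests is also the one a failed-login ban should be keyed on, otherwise every ban lands on the proxy.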

I am not a network security expert, but in my opinion, LetsEncrypt and DuckDNS have nothing to do with security in terms of securing your host/exposed port.

DuckDNS is a dynamic DNS service which lets you talk to your home IP address by a nice name. LetsEncrypt provides a certificate to ensure that the host you are talking to is actually (most likely) the correct one, and the coupled SSL encryption makes your connection to that host hard to intercept and read passwords or other confidential traffic from.

The only layer of security is your HA password.

So I would say, no it is not particularly secure. It is like having a simple (depending on your password strength) lock on your front door. Whereas other mechanisms like VPN, SSH-tunnels or TLS client authentication provide much more advanced security by enforcing more complex methods for authentication.

4 Likes