HA security, whose responsibility?

I recently closed the (only) router port I had open for HA and I’ve been through denial, anger, bargaining and depression and have probably reached acceptance now :slight_smile: I’ve been quite busy on this forum recently trying to understand and learn about network security and the issues.

One thing still irks me though, and that is how often I was asked why I even wanted external access. Ironically it seemed to me that those most likely to ask were those who appeared to have excellent network security skills and could therefore feel comfortable ‘safely’ opening up their network.

I’m not here to be disrespectful or cause any upset to anyone and I fully grasp the reasoning behind the questioning. What I take issue with is (and it is a common theme with HA in my opinion) that the entity that is Home Assistant promotes and promises so much but so often seems stop short of living up to the responsibility that comes with that ‘marketing’.

The HA home page very clearly offers three strands of ‘features’: Observe, Control and Automate, with control being described as the ability to:

‘Control all your devices from a single, mobile-friendly, interface.’

That to me strongly implies the (undoubted) benefits of accessing HA from anywhere.

I do not believe that that is a responsible thing to offer the, I would guess large numbers of people, who are attracted to HA by the homepage and promises of home automation on a Raspberry Pi.


i guess security is our own problem.
and it should be with an free open source project.

to show you how that works:

some time ago HADashboard was created by Andrew.
he did create it for himself and wanted to use that inside his own house.
he shared it and others start to use it.
of course there were also people who wanted to expose it to the outside and they asked if he could add a password possibility.
after some time he did add that possibility.
now people use his dashboard outside there own network?
does that make him responsible for the security?

i dont think so.
and HA is not different.
we can together try to find out how to get it as secure as possible. but we cant make anyone other then ourselves responsible for it.


HA already has some documentation about what what actions can or should be taken to improve the security of your HA installation (https://www.home-assistant.io/docs/configuration/securing/) but the user has to understand what’s behind those recommendations/suggestions. This can’t be the responsibility of the HA project as it is a) a very broad topic and b) way beyond the scope of the project.
Although there are a lot of helpful people around, be it the forum, on discord, reddit or elsewhere who are willing to help those who ask for help. If you don’t feel comfortable opening a port on your router then don’t do it. Many more suggestions have been made in your other thread. (HA Security. Consensus?)


Hate to say it, but security is our own responsibility.
If you open up any port to the internet, you run the risk of exploits being found and used against you.

1 Like

I don’t think the security is HA dev’s responsibility in the sense they could be pursed over any ‘losses’ users experience.

But as a provider of a piece of software that is supposed to be internet facing, they do have a responsibility to make the software reasonably secure by default and point the user in the direction of how to improve the security.

The docs do talk about increasing security, but I am not sure that I would say the default settings are inherently secure, which makes it somewhat dangerous for ‘casual’ users.

HA is supplied under the Apache License. Sections 7 and 8 refer to warranty and liability, which are typical for open source projects.

Basically, as I saw it summarized in another project, if you you break it, you get to keep both parts.

So far you all seem to have, except @Targettio missed my point (Edit: I was typing this as @gpbenton replied so I exclude him / her too :slight_smile:) . There is no doubt in my mind, as there should be none in anyone else’s, that network security is my responsibility. That is why I closed my open port and have accepted that for me that is the only sensible option.

It is also my responsibility when I use Google, Facebook (I don’t :slight_smile:), Microsoft or anything at all.

My point is that HA is selling itself in part on a feature that is inherently unsafe without sufficient (IMHO) pointers or guidance.

Security discussions often resort to analogies. I wouldn’t expect to buy a lock for my front door without fitting instructions and a key which I can believe is near enough unique to my lock. I would also expect some kind of standard mark to show that it is believed to be secure (to some level). I don’t accept that HA delivers the analogous reassurance or documentation in a way that is consistent with it’s ‘marketing’.

That’s all.

I don’t expect the Devs to hold anyone’s hand or (necessarily) do anything different (it is open source, blah blah blah) except to point out the risks upfront and be a little more circumspect as to how they promote the system to new users.

As an aside, I have only been here since about March but I feel like there has been a huge increase in discussion here over the last month or so about hacks and security. Am I right to think that and if so does anyone have any thoughts as to why that might be?

1 Like

Yes, but most of the ones I have seen have been started by you, so I’m not sure that really counts. :grinning:


@gpbenton touche!

Not entirely true though :stuck_out_tongue_winking_eye:

The default settings are actually secure. It is so secure that you don’t even need a password as long as you only let people on your network that you can trust. What makes it insecure is people opening ports who don’t know what they are doing or who aren’t spending enough time to think about the possible security implications this might have.

Bottom line is, if you expose a port it is your responsibility. Just as it is your responsibility to lock your front door, not the manufacturer of the door.


if you buy a lock for an inside door you dont get instructions how to secure your frontdoor.
and thats just how it is.
HA is for inside and has even a lock on it.
then you go to your outside door (your router) and you are going to open that without knowledge.
that is never the responsibility from the one giving you the room with the inside lock on the door.

HA cant know what steps you take to make your network insecure. you can run HA on a windows PC where you also do your online banking and you can open that PC up to the world if you like. is it up to HA to tell you that isnt wise??

HA tells you that IF you want to expose your server to the world that it is wise to take precautions.
they can NEVER tell you what you can and cannot do, all they can do is give you guidelines.

o yeah, not long ago there we never heard about a hack.
probably because HA gets more exposure, a lot more people are using it and also a lot that dont know what they do.
it seems that some other people find it funny to target people with HA. maybe someone who was dissapointed, or someone that wants people to leave HA for another system.

and when there are known breaches, the discussion increases automaticly.

1 Like

I don’t think samba allowing guest accounts can be considered secure, even on a private network.

My point is, the defaults should offer at least a basic level of protection when exposed to the outside world (which is the intended use case for this software).

The user should then take it upon themselves to improve the security, and the docs offer guidance on doing this. But there shouldn’t be any glaring holes.

Your analogy isn’t correct. Ha is an inside door that is designed to be used in conjunction with an outside door that is intentionally unlocked.

HA, based on its own front page, is intended to be Internet facing. Therefore should come with the appropriate “locks” in place.

This is hass.io you are talking about. I can’t comment on that as I don’t use it nor do I have experience with it.

But still, allowing anyone on the local network is just as secure as you allow other people into your home. What I’d consider exceptionally insecure is opening the samba port to the wild. That would be just stupid, but I heard that it has happened. Again, those usually are people who don’t know what they are doing. I don’t open the hood of my car and mess around with the electronics or mechanics as I don’t have the knowledge to do so. If I don’t know what it means to open a port on my router I shouldn’t do it. And I am sure most routers out there give you a hint that what you are doing might cause issues.

Where on the front page does HA state that it is intended to be internet facing?

Hassio samba add on has a default config that is open to guests. That is a setting that the devs wrote that has an open hole. This is what I am taking about.

samba is not HA

it is terrible that people think that hassio is the same as home assistant.
the security from a hassio addon belongs to the maker from the hassio addon, but it has nothing to do with home assistant.

no it isnt. the use for HA is for automating inside your house. the choice to open your outside door is yours. but HA is still as valuable without you opening it up to the world.

how so, because it is webbased?


@ReneTode, @cgtobi

Just because it is not explicitly stated, I think it is a little disingenuous to suggest that:

‘Control all your devices from a single, mobile-friendly, interface.’

does not imply internet facing.


The ha samba add on config is written by the ha devs

I hate to be pedantic, but I think its important to use the correct terms to avoid talking at cross purposes.

HA does not have addons, they are something created for and used only by hassio. If there is a security flaw in an addon it doesn’t really affect HA.

1 Like