HA security, whose responsibility?

@gpbenton correct, HA is not hass.io and hass.io is not HA. And samba is an easy way to access your config files and isn’t HA either.
And to add to that whole samba discussion, the add-on page clearly states that forwarding that port could do some harm.

If you think that a guest account is not a good idea, open an issue on GitHub or even better fix it and submit a PR.

If you buy a new door lock but don’t bother cutting a new key, or better yet you just never actually lock your door…who’s responsible for security? The guy who sold you the lock? the company that made the lock?

No, ultimately it’s you who is responsible. If you don’t understand it enough to install and use it securely, have a professional do it, or ask for help.

It’s no different than someone who tries to install their own electrical outlet and starts a fire by accident. You can read all the howtos, but if you missed something or didn’t do something right, it’s still your own fault.

HA can publish all the security recommendations in the world but if the installer/configurer/user doesn’t utilize the security abilities, or sets them up incorrectly, well it’s not going to be secure.


My point is, if you follow the ‘Get Started’ on this site, you end up with an inherently insecure HA installation that is only protected because it is on a ‘safe’ home network.

I am not sure why that statement is meeting as much resistance as it is, or why some seem to think that is OK.

Samba is something I know a little about so I can comment on it, but other elements of HA I know less about. My concern is, these other elements may have similar holes. I think that this shouldn’t be the case.

I agree, and even started with the fact the security is ultimately the users responsibility, but the default configs/settings/code should at least start with no obvious holes.

I agree that the Get Started is rather bare, but I don’t think it’s purposely describing an inherently insecure setup. All it does is explain that the service is served from port 8123, there are no instructions there to forward this port or set up external services, and in fact a bare install like that would leave you with really nothing other than a demo since it’s not connected to anything yet.

The first step in “Configuring” is setting a password.

I don’t see anything about forwarding ports, and HA doesn’t support UPnP to forward automatically, and if you’re installing on a computer that’s got a direct public IP but hasn’t been secured to not automatically allow new services to be exposed, then you’ve got more problems than just HA.

So I don’t see how the current docs are any less secure than the multitude of other web application installation instructions out there. Not that I generally think these kinds of instructions are sufficient from a security perspective, but it’s common to most web application instructions out there, and anyone who’s set up a web app should know that the priority of the developers usually isn’t to secure your particular install, it’s to just get it working, so security is up to you to define what is acceptable.

Look, no one on here has made one single invalid point. You are all right to some extent but my real point seems to be being ignored.

If HA, or hassio, (I accept the distinction is very real, but I didn’t know that until recently because it is NOT made clear), was available via a techy, geeky, niche, call it what you will, portal like for example GitHub I’d have nothing to say on this subject. But it is not. It is marketed from a fairly nice looking webpage that looks very consumer orientated. It hooks casual, naïve, inexperienced, again, call them what you will, users and then to some extent leaves them to find out that there are security issues with it.

And I cannot accept the oft repeated ‘if you don’t know then you shouldn’t…’ argument. What if you don’t know that you don’t know?

Getting Started doesn’t open any ports, but it does open up your machine. The hole that is introduced is not a helpful feature, the user knows the username and password as they just set it. Granted that hole may not be directly exploitable at that point (unless your Wifi or VPN get broken into), but it leaves the machine in an insecure state (unbeknownst to some/most users), for no good reason.

Again, this is one specific example that is apparent. There is nothing to say there aren’t other examples.

Well what exactly is the alternative? If you don’t serve HA out of that one port, you’re not running HA at all lol

i.e. “here’s how you install a door, step one you cut a hole in the wall, then you put in the door” and you’re complaining about step one? The alternative is to not do it at all, which isn’t conducive to “how to get started”. This isn’t a hole, this is step one.

If there are other examples, the neat thing about open-source apps like this is that you can suggest and make edits to help improve it. What you’re describing isn’t one of those examples though.

This is a sore point for me, as I submitted a PR to try and make it more clear, as well as a rather nice (imho) guide to finding the correct installation type for a user. It was rejected out of hand, because the powers that be didn’t want to ‘confuse’ new users, who should just install hassio. The best I got was this sentence on the getting started guide

The FAQ explains more about the differences.

But as regards your other point, I think your term marketed is incorrect. HA isn’t selling anything. It’s a program to help you automate your house, which you can choose to run in many configurations. The web page seems accurate:

Home Assistant is an open-source home automation platform running on Python 3. Track and control all devices at home and automate control. Perfect to run on a Raspberry Pi.

Get started View demo Browse code on GitHub

This seems to explain exactly what HA is, and Python 3 and Raspberry Pi and GitHub sound geeky enough to indicate what it is.

How do you respond to “What if you don’t know what you don’t know?” with regards to say basic car maintenance? Home maintenance? Health? Finances?

There are resources out there for all of it, but a lot of people don’t know to look, or think they know enough already and don’t look at all. What do you do about that?

HA has made at least SOME effort at saying “hey make sure you secure your install!”, it’s part of the first couple steps of “getting started”, what more do you think they should do?

Let’s agree on that samba situation, it is less than ideal to have it wide open to anonymous login without any security mechanism, the installation of that plugin should enforce, or at least recommend setting up user and password and at the minimum explain that an anonymous/guest login exposes the whole config to everyone on the network.

But, again, this is not HA we are talking about, but hass.io. And hass.io is an operating system + virtualisation platform + all sorts of plugins. Which components of that platform open the system up in one way or the other, I don’t know, as I don’t know hass.io particularly well.

So, saying that HA opens up a machine for no good reason is unfair, and a password is suggested, although not necessary. In the future there will be much more sophisticated authentication and authorisation in place (parts of it come with the next release). But it is still up to the user to make use of that.
I personally don’t use a password for HA as I can only access it from my LAN and the only people in our home on the network are my wife and me. She knows how to handle it and I do, so I can safely live without a password. To access HA from outside our network I use either VPN, which is just as safe as being at home, or I use SSH with pre-shared key only. No password, no nothing.

This is safe enough for the average user, be it with samba guest or without. And to be honest, I don’t know if there are many use cases where you’d actually need to open up that port. And if I did that, then only with TLS client certificates for authentication against the exposed web server.

@gpbenton’s post explained the difference between Hassio and HA, which is a little clearer to me and has cleared up some of my concern (as I directly installed HA). But I still feel they need to tighten that config (and possibly others).

TOR TOR TOR. NO OPEN PORTS. Stealth mode makes it all but invisible. 15-minute setup. Hassio addon available. Clients available for almost every platform imaginable.

Just to point out, HA is not the only product to say watch and monitor from anywhere. Many of the IP camera vendors do the same and have UPnP support so the port forwarding is done automatically, but people leave default passwords or outdated firmware, which causes compromises. Then you have products like Nest or cloud-based ones who store your data in their cloud, and who knows when the day comes that they have a breach and you’re compromised that way. You take a risk no matter what you do online or digitally. The only thing one can do is be educated and have all safeguards in place. As many have said, if you have the smarts and time to learn all the ins and outs of HA, then you have the time and knowledge to learn a bit about networking and security. If you want secure access from anywhere then use a VPN like OpenVPN, which is free to run and can even run on your Pi. All of the tools and info are out there, just take the time to set it up, or ask for help, or even hire a professional service for help if you don’t want to do any of the work. Don’t point out that HA makes claims that are unsafe or misleading; the information is there on how to secure it, and warnings about things not to do, so do your due diligence to learn and secure, or move on to another solution.


It is not an open hole, unless of course you have untrustworthy people on your LAN.

All work very well as long as you don’t want to use Google Assistant or Alexa components. I know you can use the cloud instead but that doesn’t suit most people.

Klogg - you keep harping on about this but at the end of the day you have to be comfortable with your decision. A lot of what I’m seeing on the multitude of threads is just hysteria. HA is useless if it isn’t also functional.

I would consider my installation to be secure and practical. 1 port forwarded for my reverse proxy (Caddy) as well as port 80 which it needs to renew the SSL. Only exposing 1 high port so it’s not going to be discovered casually - as Tinkerer (?) I think said - hiding the door and you don’t get people knocking. I have full control remotely and Google Assistant works. I also use user names and passwords (complex ones) for everything with a password manager. I’m comfortable with that.

No it is important to understand, it is an open hole, that is mitigated by not having untrustworthy people on your LAN.

If it is raining but you go inside to avoid getting wet, that does not mean it has stopped raining. You are stuck inside until it does stop raining, and going outside before it stops will get you wet.

What makes this worse is people don’t even know it is raining until they get wet; they don’t know there is a hole until it is abused.


Yes I do :neutral_face:, I’m not sure if I should apologise or if it is an important enough subject that I don’t need to.
Anyway, I think I’ve finished now :zipper_mouth_face:. My port is closed with only local access to HA until I learn something to make me change that.

Thanks to everyone who has responded to any of my posts; even if we haven’t agreed, it is always good to get an alternative opinion and I have definitely learned a few things.

Not at all. Just pointing out it comes down to what you are comfortable with.

Comfortable is not the same as security. Someone can be comfortable opening port 80 and not having a password. So, understanding the risks and understanding how to apply security and closely monitoring whatever has been applied is crucial. Constant re-evaluation and updating of whatever you have implemented is also crucial. None of this is hysteria. If I remember, it is something like 45 seconds between opening a port and it being discovered. If you have misconfigured something or left maintenance undone anyone can easily be impacted.
I do agree using a port above 32K provides some anonymity and a reverse proxy is better than not having one but there are lots of other things I would add before I was comfortable.

To anyone who thinks HA is secure without a password because it’s only on the local network:

Unless you’re a network guru and create VLANs or change your router’s DNS settings or something, the default HA installation is inherently insecure because it doesn’t require a password to access the API. Even if you lock down all your ports, if you don’t have a password (or have a weak password), someone could still control your devices simply by you clicking a malicious link or having a malicious ad load on your personal computer.
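An added check, not code from the thread or from Home Assistant itself, for the point in the post above: it asks an HA instance whether its API answers a request that carries no credentials at all. The URL is whatever you point it at; the bundled server is a constructed stand-in for an HA instance so the script runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.request


def check_api_requires_auth(base_url, timeout=3.0):
    """GET <base_url>/api/ without credentials and report what came back.
    HA answers 401 when a password is configured and 200 {"message": "API
    running."} when none is; a 200 means any page a browser on this LAN
    loads could drive the API, the "malicious link" case from the post."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return {"status": status, "requires_auth": status in (401, 403)}


class _FakeHA(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an HA instance, only so the demo runs offline."""
    require_auth = False  # overridden per server in serve_fake_ha()

    def do_GET(self):
        if self.path.startswith("/api/") and not self.require_auth:
            status, body = 200, b'{"message": "API running."}'
        else:
            status, body = 401, b'{"message": "401: Unauthorized"}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def serve_fake_ha(require_auth):
    """Start a throwaway local server on a free port; returns (url, server)."""
    handler = type("FakeHA", (_FakeHA,), {"require_auth": require_auth})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


if __name__ == "__main__":
    for secured in (False, True):  # first an open install, then a locked one
        url, srv = serve_fake_ha(secured)
        print(url, check_api_requires_auth(url))
        srv.shutdown()
```

Run it against a real instance with `check_api_requires_auth("http://<ha-host>:8123")`; a result of `requires_auth: False` is the state the post warns about.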
