HA security, whose responsibility?

i’m gonna go out on a limb and probably be the lone person who essentially totally agrees with you – although i would’ve picked a different subject line. i think people are largely answering your “whose responsibility?” question when it’s not really your point. of course security is a user’s responsibility, but projects like home assistant need to be careful about how they sell themselves.

i think you’ve touched on a issue that plagues a huge number of open-source projects in particular: they amass a user base of power user/DIY types, and to expand, they put on a veneer of user-friendliness and make some efforts that could sometimes be called misguided.

to be fair, i don’t think home assistant literally says “user-friendly” or similar anywhere, and they spell out a lot of security warnings, etc in the docs. but i think projects like home assistant are reluctant to accept that an instruction like, “to turn on remote access, forward port blah to port blah” means that it will never be user-friendly. and perhaps some features (e.g. automation editor) or website selling points inadvertently attract users who might be safer with smartthings say (smartthings issues notwithstanding).

The new auth system is being worked upon actively (look out for a preview in 0.73) should be and should take care of most of the issues that have been highlighted. Folks have to be still be careful with how they set their network, but many of the concerns raised will be addressed soon.

7 Likes

The link above to the DNS rebinding exploit is interesting. The initial suggestion for developers to avoid the problem is

The first, and simplest to implement without side-effects to your existing system, is to add “Host” header validation to your HTTP server.

Do you know if this is being done as part of the new development? I had a scan through the code, and there doesn’t appear to be anything obvious doing that now.

I’ve been reading in the past weeks the several topics about security.
there are several threads talking about security and there is no real evidence about HA had been exploited besides the fact of SMB wide open by users = bad configuration.
i just searched on Shodan and there are several users with SMB with authentication disabled. :frowning:
Dont know if these are honey pots but at the end, needless to say that is not good…
maybe a change in SMB default to avoid guest activated would be something that could help.

1 Like

I agree with much of what has been said on this thread, ironically, even when they are apparently contradictory.

All developers, even hobbyists, who are writing code that they know will be used by other people have an obligation to code securely. They should use code validation tools to check for common errors and coding flaws. If developing web apps they should ensure they validate them against the owasp framework. To not take these steps is, in my opinion, simple negligence.

Providing a secure configuration out of the box (forcing the user to change default passwords on install, not having trivial passwords, r/w unauthenticated access, etc.) Is also the obligation of the developers.

Stopping a user from shooting themselves in the foot is NOT the developer’s responsibility. If an end user wants to open his samba to guest, delete the login password, access over http rather than https, port forward the system to the internet, or use it on an unsecure network, than that is not the dev’s problem.

Rob A.

2 Likes

so you say i should just keep my code to myself?
i have no clue about code validation tools and i dont even know what you mean whit owasp framework.
i think what you actually are saying is that 90% from github should be deleted, and HA should never have been developed.
almost every day there are people sharing their selfmade custom components, and thats how HA got developed. but when everyone has to comply to those rules, no custom component would be developed and HA would not exist.

I write code for MYSELF. and i share it so that others can do with it what they want. but its NEVER my responsibility if something goes wrong or if it is treated bad or used in some way. if you dont want the risk and you want to blame someone if it isnt coded right? then go and buy something. when you buy something you get some kind of garantee. HA comes with NO garantee.

2 Likes

And based on that, there should be a disclaimer on the front page stating that no warranties are expressed or implied, and that the developers/contributors don’t condone the use of the code in anything other than a secure environment or for testing only.

I’ve participated in and used a variety of open source projects, and most have some oversight or framework for code review, by tools or peers.

I appreciate the time and effort you put into the software, and the contributions you make to the community, I’m not discounting that or attempting to dissuade you.

I’m just saying that, in my opinion, if you are making code public then you have an obligation to ensure that code isn’t “dangerous” to people who want to use it.

It is the difference between building an unsafe deck in your backyard where only you can get hurt if it collapses, and giving away free plans of that unsafe deck on the internet. Even if you are giving something away free you have (again, my opinion) a moral obligation to ensure it is suited to its purpose and is “safe”.

I, personally, would not provide any of my code to the public as paid or free (speech or beer) software unless I knew I had taken due diligence to ensure it was not going to be damaging to so some who used it. And even then I’d still include the legal disclaimers under the licences terms… but that is the decision that anyone, whether writing code, posting Instructables, or posting up YouTube how to videos needs to make on their own.

-Rob A.

1 Like

I do think there should be some kind of disclaimer, both to the use of the software and to the advice given in the forums. For those familiar with flashing ROMs for phones or other devices, there is always a warning that using the replacement ROM may brick the devices, bla bla bla. It may not be a piece of legalese but it does get the point across that, you the user, are the sole person responsible for whatever the outcome. There is also lots of very questionable advice given especially for electrical work.

Grant you there are millions and millions of how-to YouTube videos that are downright lethal.

Oh, yes it is in the root folder of our source code:

1 Like

Thanks for pointing them out. I’m quite familiar with the Apache licences and while the disclaimer language of section 7 may legally recuse the project from litigation it does not (again, in my personal opinion) recuse them from their social accountability to strive to produce a product that is secure by default.

I also find it interesting that the contributor code of conduct does not contain anything on code quality or security, or even a style guide, though those may be located elsewhere.

I think my comment that this should be prominent on the web site stands, as I would think it is a very small minority of downloaders/users that would actually look at the source code and see these files.

Again, I am not criticizing the contributors. I just think that the potential risks should be more clearly communicated to individuals new to ha.

-Rob A.

Technically you are, since the entire project consists of contributors and would not exist without them.

If you have ideas for the website, you can edit the documentation to your heart’s desires…just use the link on the page you want changed.

2 Likes

Although HA has a very long list of contributors, it is still not far away from a personal project, @balloob is still the decision maker for almost every architect design, and contributed most of core code. So if you have concerns about HA code quality, my suggestion is please move away to use other project have more commercial support, such as SmartThings.

1 Like

My view is pretty simple about these things… I have to think very long and hard about anything that I choose to open up to the internet from my home network. Routers implement firewalls to stop things from outside from getting in - the minute you choose to punch a hole in that security with a port mapping you are opening yourself up to potential hurt. Thats not trying to absolve the folks who write the software that I run but in this day and age I think it is unreasonable to assume that any application is totally secure, new vulnerabilities are found almost every day.

I always try to think about “acceptable risk” opening up a port directly to the fileserver that serves all my files is too much risk opening an SSH port is moderate risk opening up a port to allow access to my VPN server less so.

I do most of my access over an OpenVPN server this allows me on to the local network with what I hope is the minimum level of exposure. I trust the OpenVPN Server code and I trust the certificates that I use to secure the access.

Not sure commercial products are any better or worse in this regard, I guess they have more to lose if they get things wrong.

if you find anything on github you should be aware that its not a proffesional program.
if you find anything free that is not claiming your personal data or dependant on advertisement, or any other kind of way to make you pay, you should be aware that its not proffesional.
if you DONT find an kind of garantee you should be aware that you use it completely on your own risk!

i can sell a broken device on the internet, without telling you its broken.
if you dont ask me if it is broken, or if it is working ok, then you are to blame, not me.

and yeah, it sucks that people do that and think that way, but that is live!
its everybodies own job, to know what they do and to know what they get. its time that people stop placing responsibiliy for everything with others.

if you open a mail its your job to make sure that you dont get hurt by that
if you install a program its your job to make sure you dont get hurt by it,
if YOU DO anything its your job to make sure that you adchieve what YOU WANT.

if anyone wants to install HA (or any other app, or program) they need to make sure that its safe, and if you dont find that out by reading the docs, or code then you ask if it is safe and how to keep it safe.
and not just blindly install and then blaim another if something happens.

I myself am 1 of the people that got hacked (or at least i am sure about that)
That is my fault in any case!

1 Like

Really?

That’s a pretty self-centered (aka crappy) way of thinking. I hope not everybody thinks like you. Unfortunately, a lot of people do. And that’s the problem with the world today.

I’m really confounded by the over-sensitivity that the people on this forum show to any criticism (no matter how minor…) to the people who do the coding.

Nothing that @RobAnt said was disrespectful or overly critical of anyone. I think the philosophy he puts forth is completely reasonable.

No one is saying that “caveat emptor” isn’t a sound policy when dealing with things in life. But just because it’s ultimately your own responsibility to make sure you’re safe, It’s also the responsibility of the other person in any transaction that they aren’t knowingly providing an unsafe product (free or otherwise). That also extends to the fact that a person who provides a product (free or otherwise) has the responsibility to have at least a minimally reasonable belief that the product is safe. Otherwise it’s called negligence.

Since we are doing analogies, if you give someone a car knowing that the wheels would fall off at 60 mph and it happens you will be held responsible. If you give someone a car and have a reasonably good suspicion that the wheels might fall off at 60 mph and it happens you will be held responsible. Not to mention the moral obligation you have as a member of society to not screw over your neighbor.

For another analogy, people like to throw out the idea of “if you leave your door unlocked and someone breaks in it isn’t the fault of the lock maker”. True. But if you think you have the door locked but through an oversight on the lock makers part the door ISN’T ACTUALLY LOCKED then it is the lock makers fault when all your stuff gets stolen.

People should be able to have the minimum confidence that if the product is used in the way it is portrayed to be intended to be used (in accordance with the makers instructions) then it should be safe. If the instructions aren’t clear or if they are misleading then that is the fault of the maker.

There is literally no way for someone to check and test EVERY piece of equipment or software they use to make sure it’s safe before they use it. No one would be able to live their life that way. They would be spending their entire lives product testing everything they acquire before they could use it!

As far as disclaimers go, why isn’t the disclaimer displayed loud and proud on the very first page of the home-assistant.io website? Why should someone have to dig into the source code to find that disclaimer? If the developers really wanted people to understand the risk that comes with using the software then that should be among the first things that people see when they first visit the welcome page of the site. But they don’t. They see a website that looks nice and professionally done. And I think most people wouldn’t think any further about security and just assume it’s been tested and safe to use. I mean, before the cloud, you HAD to open ports to get alexa or google to work. And saying that you can control your home from a mobile (phone) interface implies external remote usage. So, BY DESIGN, the system is portrayed to be made to be opened up to the internet ON THE HOME PAGE.

Sorry for the rant. Don’t misunderstand, I really like the software. It’s great that people are doing this. And community involvement is awesome. I shouldn’t have to, but I know I need to, clarify that I’m NOT saying that any of the developers (or anyone else here) is doing something improper.

2 Likes

dont worry, i dont think like that :wink:
but i know there are a lot out there that do, and people just should be aware of that and the fact that its thir own responsibility to check.

is there anyone that thinks that the devs know that HA is unsafe?
if they know about problems they take care of it.

but we are not talking about the fact that it is known that the wheels will fall of.
if i dont know that the wheels might fall of at 60 and they do, am i to blame that you didnt have the car checked before you started using it?
do i need to pay for a checkup on the car and make sure that its 100% safe before i give it to you?
no i can give it to you and say that you can use it on your own risk.

but thats what people actually expect. that i make sure its safe. and live just doesnt work that way.

1 Like

Sorry to jump on you like that. It just sounded…wrong…

Most of what I was responding to was the seemingly consensus idea that NOBODY is responsible for a failure besides the end user. Of course people have to do their due diligence but that includes the maker as well. but on the other hand, sometimes bad things happen no matter how careful you think you are being.

No I don’t think the devs know it’s unsafe. that’s why I specifically said they aren’t doing anything improper.

These are the kind of comments which cause a lot of confusion. What’s unsafe in your opinion?

Nothing as far as I know…

I never said anything like that in my post above the last one (my “rant”). ReneTode implied that I said that. His question was a strawman. I just contradicted the idea that the full responsibility for safety of the software falls on the user.

Sorry but I don’t think I could have been any more clear. Please read my post before last to see what I actually said.

but it always is the full responsibily from the user, UNLESS the provider gives some kind of statement about safety. in that case you might rely on his word.
for instance in the latest blog HA presents its new OS and tell that safety is a big thing for them. after that they have to stand for their word and they are at least partially responsible.