Home Assistant and ESPHome security

In light of all the recent big open source vulnerabilities (log4j being the last big one), I am just wondering how secure ESPHome and Home Assistant are in general.
All my devices have static IP addresses and they are all blocked on the router from accessing internet.
I use strong passwords and 2FA for Home Assistant. All my passwords and sensitive info are in secrets.yaml file(s).
The Securing Home Assistant page doesn’t have much on it.
How do you guys make sure your installation is secure?

Just assume anything reachable through the Internet is at risk. Passwords and MFA are only good as long as the software doesn’t have holes that allow bypassing them.

You can also assume your average Chinese/Russian hacker doesn’t care about your HA installation as long as there is no money to be made out of you.

Complacency is the enemy of security. I’m not that naive to think that only Russian and Chinese are the main hackers of the world (although that’s exactly what all the western governments want you to think).
I’m more concerned about script kiddies wrecking all my hard work.
A good set of guidelines on how to secure various Home Assistant components would be great, and I find that is currently missing.

Sorry if I offended you. Those were only examples.

Do backups. Worst case scenario, you rebuild HA from your backups in a matter of minutes.

But I stand by my opinion that exposing HA to the internet is looking for trouble. Nobody will be able to tell you if HA is vulnerable until a vulnerability is found, as perfectly shown by the Log4J affair.
Use a VPN if you actually need to access HA out of your LAN and if you are concerned with security.

Sorry if I offended you. Those were only examples.

No offense taken - Russians and Chinese are getting blamed for everything these days, but our (western) governments are no better than them.

What I am trying to say is that I would like to see more guidelines and stress on security in the HA project.

This part here makes no difference.
The secrets file is just as readable as any text file.
Even the passwords that are saved in the “core” are easily obtained in the JSON file(s).

If someone does get into your Home Assistant then consider all passwords as “used”.

As far as I know there is nothing in HA that can make it safer.

I don’t go sleepless over this though.
I don’t believe anyone would target my instance of HA.
If I was a hacker then I would target Nabu Casa to try and get data from them, but one individual account seems like too much work for nothing.

But even Nabu Casa is probably too small for many. I don’t know how many accounts there are, but if you want to take the risk to hack something then there has to be a larger reward than the risk.

Securing communications between devices on the LAN is generally a good idea, but beyond a certain limit it’s like putting a bolted lock on each cabinet inside the house, which can be time and resource prohibitive, so there are better ways to mitigate.

If any of the following items from the list below is true then you have bigger problems at hand than 2FA for HA or encrypting traffic between an IoT and ESPHome server:

  1. Do not have IoTs isolated on a VLAN (subnets based firewall rules without VLANs are not as secure as most people think)
  2. Do not monitor an active firewall on the home LAN
  3. Forwarding port for accessing an application on home LAN from outside
  4. Access home LAN from outside but without the use of VPN

Hope this helps.
