Home Assistant Blue - can't access web UI, suspicion of hacking

neonfox · February 19, 2023, 5:37pm

I have a Home Assistant Blue that I think may have been hacked, as I get around 30-40 attempted logins / scans on it, according to my Ubiquiti threat info page. I can’t access the login page anymore, though I can strangely access my homebridge installation on port 8080 at the same IP. I tried to SSH but getting permission denied (wrong password).

What are my options? I’m ok to do a hard reset / fresh install if it comes to it. I can’t find any manual for Home Assistant Blue, though I took a look at the ODroid N2+ install guide. Is there a simpler way to do a hard reset on the Blue without opening up the case and trying to get it into USB drive mode so I can wipe the eMMC?

mwav3 · February 19, 2023, 6:04pm

How have you configured remote access? Are you using a reverse proxy or did you just port forward 8123?

The first thing I would do is disable remote access, disable any port forwarding in your router, and then try to get in again on your local network.

Once you get access, I would setup remote access with additional layers of security. You can follow the tips in this guide.

odwide · February 19, 2023, 6:16pm

If you suspect hacking, quarantine the device immediately. Disconnected it from the network and login locally to examine it.

neonfox · February 19, 2023, 10:04pm

I quarantined it to a separate VLAN, removed all port forwarding and deleted my DNS entry on duckdns. No luck connecting to it on the local LAN.

mwav3 · February 20, 2023, 12:11am

You should be able to reinstall home assistant from scratch by following these directions under odroid, then restore a backup.

The only thing I’d worry about is that restoring your backup could reintroduce the problem. You want to make sure you restore a backup done before the suspected hack happened

Then make sure you secure it better before exposing it again

finity · February 20, 2023, 6:02am

If you aren’t sure that you’ve been hacked then maybe step back and think if it’s more simply a config change caused HA to error.

Have you made any recent config changes?

Do you have access to the HA config directory? If you do you can look at the homeassistant.log file located there to see if there are errors that are keeping HA from running.

Protoncek · February 20, 2023, 10:53am

Did you try to ssh into HA’s local IP? If you manage to get in then check config/ip_bans.yaml if there are any IP’s in there, delete them and restart HA.

neonfox · February 20, 2023, 7:35pm

I did try to ssh into it, but none of my passwords work. I haven’t made any config changes, it just stopped responding to any attempt to access the web page. It doesn’t display the login at all, just shows unreachable, but I know it’s still running because of the homebridge install that’s running on docker does allow me to access it on 8080. I think I’m resigned to doing a fresh install on it and then beefing up the security considerably going forward.

mwav3 · February 20, 2023, 9:31pm

Does the console/command line come up when you hookup a monitor and keyboard? If so you should be able to reset the password from the command line

If you truly suspect a hack totally reseting with a fresh install is probably your safest bet though.

neonfox · February 21, 2023, 6:27pm

I hooked up a monitor but I get a message from my monitor, “The current input timing is not supported by the monitor display. Please change your input timing to 3840x2160, 60Hz or any other monitor listed timing as per the monitor specifications.” I’m using a Dell G3223Q 4k display. I’m guessing the Blue doesn’t automatically output to 4K but would have to be manually changed to do so?

mwav3 · February 21, 2023, 6:58pm

HAOS is a very stripped down version of linux and is also very locked down. There are limited config options which can be done by inserting a USB drive as described here.

github.com

home-assistant/operating-system/blob/74ccbb8953230d670a8a6af9734221d22a942712/Documentation/configuration.md

# Configuration

## Automatic

You can use an USB drive with HassOS to configure network options, SSH access to the host and to install updates.
Format a USB stick with FAT32/EXT4/NTFS and name it `CONFIG` (in all capitals). Alternative you can create a `CONFIG` folder inside the `boot` partition. Use the following directory structure within the USB drive:

```text
network/
modules/
modprobe/
udev/
authorized_keys
timesyncd.conf
hassos-xy.raucb
```

- The `network` folder can contain any kind of NetworkManager connection files. For more information see [Network][network.md].
- The `modules` folder is for modules-load configuration files.
- The `modprobe` folder is for modules configuration files (/etc/modprobe.d)

This file has been truncated. show original

The only thing I can think of is to somehow use a UDEV rule to change the resolution, but that’s beyond anything I’ve tried. Also, without being able to see the screen you really can’t do much else, like run commands.

I also am not too familiar with Odroid, is there some sort of bios menu that can be accessed to set resolution? Hopefully someone more familiar can help out. It might just be easier to find another compatible monitor.

Another possibility is that you are dealing with some sort of hardware failure at this point. Hopefully, this isn’t the case.

neonfox · May 26, 2023, 2:14am

Alright, so it works now, and I’m not exactly sure what happened, but I did the following:

Formatted USB drive per the link by placing authorized_keys in the root folder after generating a public key using PuTTYgen. Had to make sure the ssh-agent was running in windows services, then used ssh-add to add the key there. Put the USB drive in, booted, powered off, removed USB, powered on, and I was able to SSH into HA.

At this point I just tried to access the web GUI for HA and it worked - I was able to get back into my system and everything worked as it had before.

I don’t think any of the SSH stuff I was doing had any relation to being able to access HA once again, but in any case, I’m happy now that it works and have put in stronger security measures this time.