Home Assistant security concern

Today, I tried to turn the light of my Xiaomi Gateway on via HA, but it didn’t work. When I opened the Mihome app to try to turn on the light, it turned on and HA also got the status that the Gateway light was on, but HA could not control it.
I tried to play around to understand why HA cannot turn the light on but can still get the status (including door and light sensor status). When I tried to rename the Gateway in HA to the same name as in the Mihome app, I found the sentence “Homeassistant security is crap. Stop using it” in the name field. I am so worried about the security of HA; I don’t know whether anyone has hacked into my HA or not. So far, I have only found the problem related to the Xiaomi Gateway.
Has anyone had an experience like mine? Or any advice to improve the security of HA?

4 Likes

Yep, you’ve been hacked.

What ports have you opened up in your router?

I opened ports 8123, 443 and 1880. Currently, I’m using DuckDNS, and I also set a password for my HA.

I had similar. Yesterday suddenly I had several lights/fans turn on/off and weird things happen, followed by Sonos announcing “HomeAssistant security is crap. Stop using it.” – the same message as you, but spoken rather than filled into an input text field.

I have only 8123 open inbound on my pfSense FW; using SSL; behind HAProxy as a reverse proxy; with HA login tracking/blocking; and with a very complex password that is 3 days old. I have not seen any alerts from HA about banning login attempts or bad login attempts.

In other words, I am now suspecting there is a vulnerability in Home Assistant that someone is using that we’ve not figured out yet.

http:
  api_password: XXXX-XXXX-XXXX/XXXX-XXXX-XXXX
  ip_ban_enabled: True
  login_attempts_threshold: 3

1 Like

Put your external IP into this webpage and see what’s listed:

https://www.shodan.io/

To find out your external IP, if you don’t know how:

http://www.whatsmyip.org/

1 Like

One suggestion is to change domain names that include hass or homeassistant.
Clearly they’re being targeted, and they all appear in Shodan.

1 Like

Do you log the connections over your forwarded ports? It would be interesting to see which port they used to get in.

Shodan does discover a lot but doesn’t show everything. The OP could have his firewall wide open and not show up.

Many routers block these scans or cause them to return less useful information. I know I have been scanned by Shodan on my current IP and open HA port, and I don’t show up on their site.

Can you go to a coffee shop, work etc and see what is returned when you try each of those ports?

Also, if you can, use a tool like nmap to scan your IP and see what you actually have open.

If you are not familiar with these tools, shoot me a PM with your public IP and I’ll tell you what’s open.
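The advice above is to check the forwarded ports from somewhere outside the home network and compare what actually answers against what you intended to expose. The following is an added example written for this thread, not code from the original posts or from the Home Assistant project: a small TCP port checker in Python. The port list matches what the original poster said was forwarded (8123, 443, 1880); the intended set `{8123}` in the usage block and the loopback listener helper are assumptions made for illustration. It reports a port as open only when the TCP handshake completes, which is the same signal nmap’s default connect scan relies on.

```python
import socket
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Ports the original poster said are forwarded on the router (from the thread).
FORWARDED_PORTS = [8123, 443, 1880]


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake with host:port completes before the timeout.

    A completed handshake means something is listening and the router is
    forwarding the port; a refusal or a timeout means closed or filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Map each port to 'open' or 'closed/filtered' as seen from this machine."""
    return {
        port: ("open" if probe_port(host, port, timeout) else "closed/filtered")
        for port in ports
    }


def unexpected_open(results: Dict[int, str], intended: Set[int]) -> List[int]:
    """Ports found open that were not meant to be exposed.

    Anything returned here is a gap between what you believe the router
    forwards and what the internet can actually reach.
    """
    return sorted(p for p, state in results.items() if state == "open" and p not in intended)


def start_loopback_listener() -> Tuple[socket.socket, int]:
    """Open a listener on 127.0.0.1 on an OS-chosen port (helper for offline
    self-checks of this script); returns the socket and the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python check_ports.py <public-ip-or-hostname> [port ...]
    # Run it from OUTSIDE the home network (phone hotspot, coffee shop), as the
    # thread suggests; from inside, NAT hairpinning can give misleading results.
    if len(sys.argv) < 2:
        sys.exit("usage: check_ports.py <public-ip-or-hostname> [port ...]")
    target = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or FORWARDED_PORTS
    results = check_ports(target, ports)
    for port, state in sorted(results.items()):
        print(f"{target}:{port} {state}")
    # Assumption for the demo: only 8123 (behind TLS) is meant to be reachable.
    extra = unexpected_open(results, {8123})
    if extra:
        print("open but not intended:", extra)
```

A port that shows open here but is not in your intended set is worth tracing back to the router’s forwarding table before anything else; a port that shows closed from outside but open on the LAN usually just means the router is not forwarding it.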

Shodan shows nothing for my public IP.

Yes, it is logged. I can see their inbound connection to 8123 from what appears to be an IP in Romania. The rest of the 8123 connections are either Verizon or local to my network, which means our iPhone devices, I suspect.

What’s odd is they either knew my password or had some sort of back door, as the IP ban didn’t trip from 3 invalid password attempts, and there was no notification of a bad login attempt either.

I wonder if something outbound is leaking the password. I have ecobee, dark-sky, and yahoo-weather all being external cloud fetches, as well as the iOS app, Alexa, AWS Polly, Google travel time, and HomeKit integration.

Are you encrypting your traffic? (Let’s Encrypt is the common method for HA.)

Yes. The only open port, 8123, is using SSL (Let’s Encrypt) terminated by HAProxy, which proxies HA. It is a wildcard cert.

Running several port scans confirms only 8123 is open; and Shodan doesn’t even show that open.

DNS is with AWS Route53. The DNS name does not contain home assistant or anything related.

Still digging but very odd.
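The post above makes a point worth testing against the logs: a login-attempt threshold (like the `ip_ban_enabled` / `login_attempts_threshold` settings shown earlier in the thread) only trips on repeated failures, so a client that presents a valid password on the first try, or bypasses authentication, never gets banned and never raises a notification. The example below is added for this thread and is not code from the original posts or from Home Assistant or HAProxy. It parses a constructed, simplified access-log format (timestamp, client IP, method, path, status; the sample lines and the documentation-range IPs are made up, not real HAProxy or HA output), splits sources into LAN (RFC 1918, loopback, link-local) and external, and reports two lists: the IPs a failure threshold would have banned, and the external IPs that succeeded against `/api/` without ever tripping it, which is the case the poster describes.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in a simplified reverse-proxy access format
# (timestamp, client IP, method, path, HTTP status). They are NOT real HAProxy
# or Home Assistant log output; the public IPs are from documentation ranges.
SAMPLE_LOG = """\
2018-05-10T02:14:01Z 192.168.1.23 GET /api/states 200
2018-05-10T02:14:05Z 192.168.1.23 GET /api/states/light.gateway 200
2018-05-10T02:20:11Z 198.51.100.7 GET /api/ 401
2018-05-10T02:20:12Z 198.51.100.7 GET /api/ 401
2018-05-10T02:20:13Z 198.51.100.7 GET /api/ 401
2018-05-10T03:02:40Z 203.0.113.45 GET /api/states 200
2018-05-10T03:02:41Z 203.0.113.45 POST /api/services/input_text/set_value 200
2018-05-10T03:02:45Z 203.0.113.45 POST /api/services/tts/sonos_say 200
2018-05-10T07:15:02Z 10.0.0.5 GET /api/states 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Address ranges treated as "inside the house". Explicit networks are used
# rather than ipaddress.is_private because that flag also covers the
# documentation ranges used in the sample data.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]


@dataclass
class IpSummary:
    external: bool
    requests: int = 0
    failed_auth: int = 0   # HTTP 401 responses (what a failure threshold counts)
    api_success: int = 0   # 2xx responses to /api/ paths (real control of HA)
    paths: List[str] = field(default_factory=list)


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of the LAN/loopback ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return ts, ip, method, path, int(status)


def summarize(log_text: str) -> Dict[str, IpSummary]:
    """Aggregate requests per client IP, ignoring lines that do not parse."""
    summary: Dict[str, IpSummary] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ip, method, path, status = parsed
        s = summary.get(ip)
        if s is None:
            s = summary[ip] = IpSummary(external=is_external(ip))
        s.requests += 1
        if status == 401:
            s.failed_auth += 1
        if 200 <= status < 300 and path.startswith("/api/"):
            s.api_success += 1
        s.paths.append(f"{method} {path} {status}")
    return summary


def would_be_banned(summary: Dict[str, IpSummary], threshold: int = 3) -> List[str]:
    """IPs a failed-login threshold (default 3, as in the thread's config) catches."""
    return sorted(ip for ip, s in summary.items() if s.failed_auth >= threshold)


def successful_external_without_ban(summary: Dict[str, IpSummary], threshold: int = 3) -> List[str]:
    """External IPs that used the API successfully and never hit the threshold:
    the case a ban list cannot see, and the one to review by hand."""
    return sorted(ip for ip, s in summary.items()
                  if s.external and s.api_success > 0 and s.failed_auth < threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("banned by threshold:", would_be_banned(result))
    for ip in successful_external_without_ban(result):
        print(f"external success without ban: {ip}")
        for entry in result[ip].paths:
            print("   ", entry)
```

Run against your own proxy log after converting it to the five-field form (or by adjusting `LINE_RE`), and review every path listed under the second list; the service calls an uninvited external source made are the best clue to which integration or credential was used, which is exactly the question the next reply asks.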

In everyone’s case, which platform are you running HASS on (virtualenv, hass.io, etc)?

1 Like

My .02… Since you’re already compromised, at least get some value out of this for the greater good. Use your deployment as a honeypot so we can better identify/patch/mitigate/etc.

  1. I’d immediately disconnect EVERYTHING (except your HA instance) from your LAN until you can sanitize. Isolate everything off into an air-gapped network to perform cleanup.
  2. Change ALL your cloud/provider/email/etc. passwords.
  3. Start a Wireshark capture logging your HA endpoint. This data may prove valuable for everyone and will help identify the source.
  4. Bundle any and all logs up, and store them on an external USB drive or something. Go back as far as you can, as we may not know when the initial attack occurred.
2 Likes

Does it make sense to turn off network discovery when honeypotd (daemon) is set up for the task? Maybe some dummy light switches/dimmers/thermostats or something? By “dummy,” I mean something “virtual,” as in “not real.” Something fake.

I would certainly advocate for OpenVPN so that you can communicate with Home Assistant over a remote VPN connection.

And if you are going to set up a honeypot, I would put a honeypot machine in a different network subnet and assign a DMZ to it from a firewall.

–Grayson Peddie
CompTIA Certifications: A+, Network+

Do you have the logs for requests made from that IP in Romania? Knowing what requests they made should go a long way in figuring out the attack vector.

1 Like

A tip for people wanting to expose their hass to the public is to use 2FA login. I’ve implemented it on my nginx server and I need to log in with my GitHub account (which uses 2FA) before I can log in with my hass password (or communicate with hass at all).

I used to use OpenVPN before, but this way I feel confident not using a VPN.