Home Assistant security concern

I mean you seem to use more security than the average user.

Assuming you use your pfSense setup wisely: reverse proxy, Let's Encrypt and IP ban.

There is a little bit more you could do, like the 2FA I explained in the post above, and also use VLANs/tighten your firewall for your IoT devices.

But as I said in the beginning, your security is already above the average user. If you haven't overlooked something, this is a bit worrying. Especially if not one of your IoT devices got hacked first, and there's a flaw in hass security (let's hope NOT.)

Again, I would advise you to throw all your IoT devices in another VLAN. The 2FA may be more than needed.

I am doing something similar. Just a hass password is a low bar from a security perspective. I use oauth2_proxy across everything I expose externally. That gives me all the protections I have set up with my Google account, including 2FA. You can use GitHub with it as well if you prefer.

1 Like

I did use Google 2FA, but that doesn't play well with the HA iOS app. And I use the same 2FA integration, recommended!

To those that got hacked, do you use hass.io? Looking at previously hacked users, they used hass.io and were using the SMB plugin. If yes, what plugins do you use?

I'm seriously considering switching over to Raspbian w. a regular HA installation instead. Just that I can't use fail2ban with hass.io is bugging me enough.

1 Like

HassIO and SMB seem to be a commonality so far. I truly hope this is where the vector ends too.

1 Like

Is it possible Xiaomi is giving network access? I don't use Xiaomi, but many of these types of IoT devices have poor security and many exploits available. Maybe another IoT device that has WAN access and an easy exploit.

Once on your network, it may be easy to sniff HTTP traffic on the local LAN to get the login, or just have direct access to the HA server/files.

Exactly what I suspect may have happened to him, that one of the devices got hacked and it sniffed the password over HTTP.

Throw all damn IoT devices in a garbage VLAN. Also I recommend not using the "remote features" of your IoT devices. Put them in a VLAN, and apply a lot of firewall rules so they can't talk to the public. Jail them.

Let HA be your only way of communicating with your IoT devices. And secure your HA as much as you can.

2 Likes

I use pfSense as well, but nothing xiaomi and no SMB. I also have a very limited # of IP/Networks that are allowed through the FW on HA port.

No issues here.

Most IoT devices use some source code copy/pasted from the web with a back door installed by the code writer for testing that the manufacturer didn't bother to remove after copying the guy's code.

These things should NOT be allowed communication to the outside web, and caution on LAN communication.

Anyway, lots of speculation on this angle.

@lesonquan
Why do you have 3 open ports? Is one MQTT? If MQTT, is it password + https?

What would be the benefit of a separate VLAN? I tend to simply fully disable internet access to any of the IoT devices in my home. Isn't that sufficient?

Putting them on a separate VLAN allows you to control local traffic. It would prevent infected devices (computers/phones from friends and family) from accessing the IoT VLAN, and infected IoT devices from accessing other devices on the network. Lots of attacks involve traversing the network horizontally.

And to think people downvoted and berated me for suggesting that HomeAssistant should have a user configurable base URL, user ID, and password. Hmm…

1 Like

I’m pretty security naive. After seeing this, I just closed my HA port (have always had a PW) and will now only be connecting with the VPN running on my router.
I would bet there are ways for someone to hack that too…

Hi guys. Please, calm down. The only security hole of HA is the samba addon.
I checked the instances in shodan and all of them are hassios with anonymous samba (guest) access enabled. I’m not using hassio but maybe the guest mode is enabled by default.
The problem is that some routers are opening the smb port automatically (upnp and others).
Because of this, someone can access your plain text secrets file simply by typing your IP in his file explorer and read your passwords in seconds!

With all due respect, do not trivialize this until there's proof you can do so. Your assessment is, in fact, wrong. If you review the thread, you'll see @jwelter has a pretty decent lock-down of his environment (NO SMB, not listed on Shodan, only HTTPS via 8123), and he seems to have been compromised.

Agreed, unless more folks come forward, this may be a self-inflicted, corner-case issue, but until proven such, we should work to identify the nature of this.

@jwelter says nothing about SMB. Just now I saw the Samba config of the first Shodan IP.

{
  "workgroup": "****",
  "name": "hassio",
  "guest": true,
  "map": {
    "config": true,
    "addons": true,
    "ssl": false,
    "share": true,
    "backup": true
  },
  "username": "***",
  "password": "****",
  "interface": "wlan0"
}

As you can see the guest value is true.

Addon page has a warning about this:

I have my work cut out to understand many of these security concepts. Concerned that my home automation and IoT network is vulnerable, I built an air-gap reed relay board which severs my Ethernet cable link to at least reduce the time opportunity for hacking. I control the air-gap board through HA for ease of control. Since I'm on a remote farm, WiFi hacking is less of an issue for me. I'm still working to improve security while connected, so this is an excellent discussion for me.
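The exposure this post describes, "guest": true on a Samba add-on whose shares include the config directory, is easy to check for mechanically. The script below is an added example, not code from the Home Assistant project or from anyone in this thread. It parses an options JSON shaped like the one quoted above (all values constructed here), flags anonymous access combined with shares that would expose secrets, and returns a hardened copy with guest access disabled. The option names come from the quoted config; the assumption that the "config", "ssl" and "backup" shares are the sensitive ones is mine.

```python
"""Audit a Home Assistant Samba add-on options file for anonymous access.

Added example: checks the pattern discussed in the thread (guest access
plus a share that exposes the config directory, and with it secrets.yaml).
"""
import copy
import json

# Constructed sample shaped like the options JSON quoted in the thread.
# Every value here is invented for the example.
SAMPLE_OPTIONS = """{
  "workgroup": "WORKGROUP",
  "name": "hassio",
  "guest": true,
  "map": {
    "config": true,
    "addons": true,
    "ssl": false,
    "share": true,
    "backup": true
  },
  "username": "homeassistant",
  "password": "changeme",
  "interface": "wlan0"
}"""

# Assumption: these shares hold material an anonymous reader must never see
# (config -> secrets.yaml, ssl -> private keys, backup -> full snapshots).
SENSITIVE_SHARES = ("config", "ssl", "backup")


def load_options(text: str) -> dict:
    """Parse the add-on options JSON."""
    return json.loads(text)


def audit_samba_options(options: dict) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    guest = options.get("guest") is True
    shares = options.get("map") or {}
    exposed = [name for name in SENSITIVE_SHARES if shares.get(name) is True]

    if guest and exposed:
        findings.append(
            "anonymous (guest) access is enabled and these shares are exposed: "
            + ", ".join(exposed)
        )
    elif guest:
        findings.append("anonymous (guest) access is enabled")

    # A share user with no password is as good as guest access.
    if not options.get("password"):
        findings.append("no password set for the share user")
    return findings


def harden_samba_options(options: dict) -> dict:
    """Return a copy with guest access turned off; the original is untouched."""
    hardened = copy.deepcopy(options)
    hardened["guest"] = False
    return hardened


if __name__ == "__main__":
    opts = load_options(SAMPLE_OPTIONS)
    for finding in audit_samba_options(opts) or ["no findings"]:
        print("-", finding)
    print(json.dumps(harden_samba_options(opts), indent=2))
```

Disabling guest access only closes the anonymous path; as the thread notes, the SMB port should also not be reachable from the WAN, so check the router's UPnP and port-forward lists as well.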

Yes, you're confirming what I said. There's NO Samba, and HE DID GET HACKED. Yes, I'm sure there's many HA SAMBA deployments that are insecure, but we have potential evidence that it's not JUST a SAMBA issue…

I'm saying that he is not referring to Samba at all.

lol yes, we both agree on that. But you said

Which insinuates this is only an SMB problem. I'm just saying, let's get more evidence and not downplay this until we know for sure.