Home Assistant security concern

g17jimmy · June 27, 2018, 5:10pm

Securing webapps, presenting webapps to the internet, should only be done for apps that absolutely must have an internet presence. Home automation and IoT are things that need to be protected and should not have an internet presence. If you want access to that from remote locations set up a VPN. Even if HA has a major security flaw, and I’m not saying it does, it won’t matter if your infrastructure is implemented securely.

carlchan · June 27, 2018, 5:53pm

Your system is only ever as secure as you make it.

A lot of advice here tends to be stuff that “gets things working” (i.e. turn off your firewalls, open all ports, bind to all interfaces, install every damn docker image that someone mentions), but has no considerations for security other than a single phrase like “make sure you think about security!” without any actual advice as to how.

HASS is a great tool, but was clearly never designed to be secure in anyway. Do you really think protecting something that has full access to everything in your home with just one password is sufficient?

The internet is a dangerous place, unless you have absolute confidence in your ability to secure your installation, I suggest NOT making it public. Otherwise, yes you can get in, but most likely you’ve also just opened the door to let everyone else in.

barqers · June 27, 2018, 7:14pm

You have a port open for Node Red. Have you made sure to password protect node-red?

nickrout · June 27, 2018, 8:13pm

It goes against common sense to expose smb to the internet at large.

jwelter · June 27, 2018, 8:32pm

Certainly. I clearly stated only 8123 open. SAMBA not even installed…

toast · June 27, 2018, 9:48pm

@jwelter thing is with these kinda threads is that everyone has an opinion and then people want to share their experiences and then the thread becomes flooded with irreverent information.

what you should do is to pop on to the discord server and talk to tinkerer or arsaboo and share the logs with as much information as your comfortable giving away.

we have been discussing possible attack vectors in your case during today but logs would help.

hink · June 27, 2018, 9:53pm

This probably has something to do with it.

Home Assistant uses the aiohttp python library as its webserver. This was published yesterday.

https://nvd.nist.gov/vuln/detail/CVE-2018-1000519
https://vuldb.com/?id.119936

I’ll mess around with it this evening if I have time and see what I can do to reproduce.

Edit: In theory, a weak password would allow pretty easy work of a bruteforce as well.

balloob · June 27, 2018, 10:00pm

We do not use aiohttp-session

toast · June 27, 2018, 10:02pm

discussed in the discord channel today along with other libs, had the same question got the same answer

here are the libs it uses

github.com

home-assistant/core/blob/dev/requirements_all.txt

# Home Assistant core
aiohttp==3.6.1
astral==1.10.1
async_timeout==3.0.1
attrs==19.3.0
bcrypt==3.1.7
certifi>=2020.4.5.1
ciso8601==2.1.3
importlib-metadata==1.6.0
jinja2>=2.11.1
PyJWT==1.7.1
cryptography==2.9.2
pip>=8.0.3
python-slugify==4.0.0
pytz>=2020.1
pyyaml==5.3.1
requests==2.23.0
ruamel.yaml==0.15.100
voluptuous==0.11.7
voluptuous-serialize==2.3.0

This file has been truncated. show original

the only known lib to have a vunerability on that list is PyYaml that will be fixed in next version of HASS

https://bugzilla.redhat.com/show_bug.cgi?id=1595743

jbags81 · June 27, 2018, 11:07pm

was confirmed that no failed auth or like entries were logged, so it’s looking like it wasn’t brute forced.

bosbefok · June 27, 2018, 11:44pm

For those wanting to conceal their origin server ip whilst still allowing external access to their HA instance checkout Cloudflare Access. This will enable 2fa and use Cloudflare’s IP as a proxy.

robconnolly · June 27, 2018, 11:54pm

Has anyone who’s been hacked uploaded their config to a public git repository (e.g. Github)? You could have inadvertently leaked your credentials and public URL.

I’m using pfBlockerNg on my network as an alternative to PiHole, but one nice feature of it is blocking incoming traffic from known bad IPs via a real time block list (updated hourly in my case). This should prevent Shodan from being able to index your system and keep other bad guys out.

nickrout · June 27, 2018, 11:57pm

I have heard of people uploading their config to github, realising they have leaked their passwords, then fixing it by excluding secrets.yaml from the github. However github remembers everything (as it should, it is a version control system!)

So if you have EVER leaked your passwords to github, change them, all of them - api keys as well.

robconnolly · June 27, 2018, 11:59pm

Yes, and there are also bots that troll Github looking for leaked credentials. Maybe someone has added HASS credentials to the list of things they look for.

w1ll1am23 · June 28, 2018, 12:39am

Using the same thing, which block list are you using?

robconnolly · June 28, 2018, 12:44am

I’m using BinaryDefence, EmergingThreatsDShield and firehol3.

jwelter · June 28, 2018, 12:58am

Could you paste the url’s – also a PFB user and will add these. Right now just the easy lists as well as the GeoIP top spammers.

Balsman225 · June 28, 2018, 1:13am

The URLs that @robconnolly mentioned are listed on this site -
https://www.linuxincluded.com/using-pfblockerng-on-pfsense/

robconnolly · June 28, 2018, 1:15am

Yep, that was one of the guides I followed when setting it up.

carlchan · June 28, 2018, 1:50am

Also good to run a scan of your git repo and remove any files/credentials you accidentally uploaded.

https://help.github.com/articles/removing-sensitive-data-from-a-repository/