How do I completely disable the entity search for hone Assistant it’s a serious security flaw. In and of itself. Anything is searchable… including unlock permissions stored as input booleans…
Simple: Enable multi-factor authentication and don’t share the log-on credentials with people you don’t trust.
That might be possibly the least helpful thing I’ve ever heard
Well if you are going to share your credentials with bad actors that’s entirely on you and there is nothing the HA devs can do about that.
If I make credentials that are not an administrative account, why on earth can that account still access literally everything. Why is there even an administrative account then? What exactly is the point? There are a bunch of posts about this going back as far as 2022.
Home Assistant is not currently set up for sharing with people you don’t trust.
Read the latest open home newsletter. It’s geared towards privacy but that goes hand in hand with security. In particular:
One thing to note is that this paper focuses on privacy between you and the outside world. It does not cover the critical issue of privacy between people living inside the smart home. As technology optimists, this can be a blind spot for us, since we assume everyone who creates a smart home has good intentions regarding the privacy of the people who live in it. Sadly, this is not always the case. We are actively researching this issue to find a solution. It will take time, but we’ll get there.
1 Like
Also:
1 Like
So I don’t think I’ve ever assumed that everybody inside my smart home is magically a perfect person. There’s always the possibility that someone accidentally searches for and turns on something or off something that has a catastrophic effect. This isn’t even about. intent. This is an ongoing security concern that has existed since at least 2022 has there are posts about it. It just seems like a very basic security issue that should have been addressed at some point in the last 3 years. Then again the voice controls on this are essentially non-functional still despite having year of the voice or whatever that was. I suppose it’s not surprising just disheartening.
The devs are aware, you just have to be patient. Or use something else for now.
e.g. One thing you could do is expose controls and entities via Homekit Bridge and only let imperfect persons access that way.
I don’t have a home kit because Apple is trash. I’m pretty sure that’s what you’re talking about. I’ve never even tried their environment. They’re computers are just a lockdown version of Unix. Using Ubuntu is way better. I can only imagine that Apple’s version of a smart home is just stealing something else as well just like their iPod was just stolen from another company too. Everything they have is a version of something that was stolen and copied and made worse. Also if I needed another smart home just to make this smart home work with other people that would sort of defeat the purpose of even having users.
I can imagine HomeKit is probably way overpriced as well if I had to guess
Locking this topic as you know the answer to your question (not possible) and you’re just here to rant. Feel free to add your polite support the the RBAC feature request linked above.
4 Likes