How to protect HA in case of mobile device theft?

Hi people!

I am quite new to Home Assistant, but I do have a first setup running. I can even remotely access my HA instance through VPN (OpenVPN server running on a Synology NAS). On my mobile device I can use the HA app, just like when I am at home.

Recently, I was thinking about what happens when I lose my mobile phone, or when this device gets stolen. A person who obtains my device can easily enable the VPN connection on my phone and then enter my HA instance. Obviously this is an undesired situation and I am wondering how others make sure this cannot happen. I am very interested in how I can secure my HA from unwanted visitors.

I have looked on the forum, but couldn’t find something related to this. Any suggestions would be much appreciated.

Thanks in advance :)

If they steal your phone and can get access to it then you might have a lot more to worry about than HA. It's why phones have access security such as fingerprint sensors.

4 Likes

In addition to Arh’s very valid point, you can log in on a PC, click on your user icon on the bottom left & delete the refresh token for your Android device.
Unless whoever steals your phone also knows your login credentials for HA, there’s no way they’ll be able to get in.

2 Likes

Presumably you want the HA app on your phone to create the various sensors. You might consider how much you really need them and whether there are alternatives. I have a credit card sized BLE tag in my phone cover which does the home/away stuff. I confess I have the HA app as well, but the only sensors I really use are battery level, is charging and wi-fi connection - none essential. Without the app you could use a browser to access HA and log in/out every time.

Otherwise it comes down to basic phone security: lock screen, PIN-protected apps and a security system which will allow you to brick it remotely. How would you protect your banking app?

1 Like

If you’re using OpenVPN, you had to create a cert that was loaded on your phone with the VPN configuration. You can get on the OpenVPN server and revoke the certificate, thus stopping the new owner of the phone from accessing anything on your home network. While you’re trying to figure out how to revoke the certificate you can stop the VPN server, stopping all authorized users from accessing your network.

1 Like
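
What revoking the phone's certificate achieves, shown as an added example that is not part of the thread: the script builds a throwaway CA with plain `openssl`, issues a "phone" client certificate, and checks it against the CA's revocation list before and after revocation. It assumes a per-device client certificate issued from a CA you control; all names and files are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and "phone" cert in a temp dir, not a real VPN PKI.
# Prints "before=<ok|rejected> after=<ok|rejected>" for the phone certificate.
revocation_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = pol
[ pol ]
commonName = supplied
EOF
  {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=demo-vpn-ca" -keyout ca.key -out ca.crt
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=phone" -keyout phone.key -out phone.csr
    openssl ca -batch -notext -config ca.cnf -in phone.csr -out phone.crt
    openssl ca -config ca.cnf -gencrl -out crl.pem   # CRL with nothing revoked yet
  } >/dev/null 2>&1 || exit 1
  check() {  # chain validation plus CRL lookup for the phone certificate
    openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check phone.crt \
      >/dev/null 2>&1 && echo ok || echo rejected
  }
  before=$(check)
  openssl ca -config ca.cnf -revoke phone.crt >/dev/null 2>&1 || exit 1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || exit 1  # must regenerate
  echo "before=$before after=$(check)"
)
revocation_demo
```

On a real OpenVPN server the revocation only takes effect if the server configuration points its `crl-verify` directive at the regenerated CRL file; without it, a revoked certificate still connects.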

Hi all,

Thanks everyone for the insightful remarks! Indeed, basic phone security is key and there are most probably more important things than HA.

I was looking for what to do when someone does gain access, and I think deleting the refresh tokens & blocking the VPN are very good solutions here.

Thanks!