I got hacked

Yes, UPnP opened the port, but that would not have been a problem if guest wasn’t enabled. This is the out-of-the-box config:

{
  "workgroup": "WORKGROUP",
  "name": "hassio",
  "guest": true,
  "map": {
    "config": true,
    "addons": true,
    "ssl": false,
    "share": true,
    "backup": true
  },
  "username": "",
  "password": "",
  "interface": "",
  "allow_hosts": [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16"
  ]
}

Hassio is bound to be installed in a lot of home environments and a lot of home environments have UPnP enabled routers. If too many installs get hacked because of this flaw, HA will get a reputation as an insecure system.

FYI
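The weak defaults called out above (guest access on, empty credentials, the config and add-on folders exported) are easy to check mechanically. The script below is an added example, not part of the thread or of the add-on itself: it copies the posted config, places a hardened variant beside it (guest off, a credential set, only the share folder exported, one home subnet allowed; the account name and subnet are hypothetical), and audits either one against a short checklist.

```python
"""Audit a Home Assistant Samba add-on config for weak settings.
Added example; key names follow the config posted in the thread,
the checks and finding texts are my own."""
import ipaddress
import json

# Constructed copy of the out-of-the-box config quoted in the thread.
DEFAULT_CONFIG = json.loads("""
{
  "workgroup": "WORKGROUP",
  "name": "hassio",
  "guest": true,
  "map": {"config": true, "addons": true, "ssl": false,
          "share": true, "backup": true},
  "username": "",
  "password": "",
  "interface": "",
  "allow_hosts": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}
""")

# Constructed hardened variant: no guest access, a credential set, only the
# share folder exported, and only a single home subnet allowed.
HARDENED_CONFIG = {
    "workgroup": "WORKGROUP",
    "name": "hassio",
    "guest": False,
    "map": {"config": False, "addons": False, "ssl": False,
            "share": True, "backup": False},
    "username": "hass-share",                    # hypothetical account name
    "password": "<set-a-long-random-password>",  # placeholder, not a real value
    "interface": "",
    "allow_hosts": ["192.168.1.0/24"],           # hypothetical home subnet
}

# Shares that hold secrets (configuration, certificates, backups).
SENSITIVE_SHARES = ("config", "addons", "ssl", "backup")


def audit_samba_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means nothing on the
    checklist was found."""
    findings = []
    if cfg.get("guest"):
        findings.append("guest access enabled: anyone who can reach port 445 "
                        "can read the exported shares without a password")
    if not cfg.get("username") or not cfg.get("password"):
        findings.append("username/password empty: no authenticated access "
                        "path is configured")
    exposed = [s for s in SENSITIVE_SHARES if cfg.get("map", {}).get(s)]
    if cfg.get("guest") and exposed:
        findings.append("sensitive shares exported to guests: " + ", ".join(exposed))
    for net in cfg.get("allow_hosts", []):
        # Anything wider than a /16 covers far more than a single home LAN;
        # allow only the subnet the clients actually live on.
        if ipaddress.ip_network(net, strict=False).num_addresses > 2 ** 16:
            findings.append(f"allow_hosts entry {net} covers far more than a home subnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_samba_config(cfg) or ['no findings']}")
```

Run against a saved copy of the add-on options; the default config yields five findings and the hardened one none. The `allow_hosts` check is deliberately conservative: it only flags ranges wider than a /16, so a single home subnet passes.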

Hi @cogneato,

It seems you haven’t yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

Personally, WAF and complexity are not an issue when it comes to security. If my wife stopped using something because it was too complex vs our network being secure, then I accept that, and I’d need to decide what is an acceptable risk to balance the usability factor accordingly. But I don’t run many external-facing services.

If I wanted to run the HASS image, I would be checking which ports/services are listening on that device. I do the same for all devices running on my LAN - how do I know my SKY box isn’t running something? I run a regular NMAP scan of my own network from my HA server to check open ports and devices on my LAN, alerting me when something I don’t recognise is there, or a service that I don’t want.

Commands to do this:
nmap -oX output.xml -T4 -A 192.168.0.1-254
xsltproc output.xml -o network.html

Network.html is a report for my network

I’d also recommend running Shields Up to assess your network - https://www.grc.com/x/ne.dll?bh0bkyd2

I would not trust SAMBA/Home Assistant/a third party service to manage how people interact with my network.

I’d trust (a little more) a service which was designed to securely connect to my LAN

OpenVPN or a reverse proxy might be initially complex to set up, but once running they are more secure than port forwarding to a service whose primary focus isn’t network security. Running 2FA is belts and braces, but not a necessity.

My point was covering basics is best.
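The scan-and-alert routine described above only becomes useful when the scan is compared against what you expect to be there. The following is an added example, not code from the thread: it parses the XML that `nmap -oX` writes, keeps the open TCP/UDP ports of every host that is up, and diffs them against a baseline of known hosts and ports. The XML is a constructed, trimmed scan of a hypothetical home LAN and the baseline is likewise made up.

```python
"""Diff an nmap -oX scan of the home LAN against a baseline, flagging
new hosts and unexpected open ports.  Added example, not from the
thread; sample scan and baseline are constructed."""
import xml.etree.ElementTree as ET

# Constructed, trimmed nmap -oX output: the router, the HA box exporting
# SMB, and a host nobody has documented.
SAMPLE_SCAN_XML = """
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="1900"><state state="open"/><service name="upnp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8123"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.77" addrtype="ipv4"/>
    <ports/>
  </host>
</nmaprun>
"""

# Hypothetical baseline: host -> set of (protocol, port) expected to be open.
BASELINE = {
    "192.168.0.1": {("tcp", 80)},
    "192.168.0.20": {("tcp", 8123)},
}


def parse_open_ports(xml_text):
    """Return {ip: {(protocol, port), ...}} for every host reported up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_against_baseline(scan, baseline):
    """Return (unknown_hosts, unexpected_ports); unexpected_ports is a
    sorted list of (ip, protocol, port) not present in the baseline."""
    unknown = sorted(ip for ip in scan if ip not in baseline)
    unexpected = sorted(
        (ip, proto, port)
        for ip, ports in scan.items() if ip in baseline
        for proto, port in ports - baseline[ip]
    )
    return unknown, unexpected


if __name__ == "__main__":
    unknown, unexpected = diff_against_baseline(parse_open_ports(SAMPLE_SCAN_XML), BASELINE)
    print("unknown hosts:", unknown)
    print("unexpected open ports:", unexpected)
```

Feed it the `output.xml` from the scan command above (`parse_open_ports(open("output.xml").read())`) and wire the two result lists into whatever notification you already use. Ports in `closed` or `filtered` state are ignored on purpose; only newly listening services and undocumented hosts are worth an alert.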

Turning off UPnP is screamed from the rafters and nobody does it, so telling the same person to set up 2FA may be too much too soon for a person who doesn’t do the basics.

It may actually lead to a new problem when they misconfigure the web server because they don’t read the docs or understand their current network state.

I think two things need to happen

  1. Set secure security defaults wherever possible.
  2. In places where users can shoot themselves in the foot, make it super clear (on the page on port forwarding, it is really easy to glance over the dangers).

IMHO this should be in docs rather than the forum. Forum posts tend to get swamped by replies, or lost amongst the dross.

Again IMHO you should write it in markdown and put it on github, then perhaps post a link to the howto in the forum and let people ask questions in the forum.

PS happy to help with proof reading etc.

1 Like

What I have done is pretty weak, to be honest: Guide: OpenVPN Access to Home Assistant

I found myself just copying the Digital Ocean guide (which was the one I followed), then stopping and just linking to it in the end. But, to be honest, it was more than adequate and well written.

I was wondering if people wanted to have a go at setting it up using those guides and I’d be happy to answer questions / support any issues people might run into as best I can.

Both should be treated as equally bad. It is not good security practice to allow guest access to sensitive information, and your HA configuration files are sensitive information. Even if the passwords are hashed (which they currently are not), access to those should be minimised and definitely not allowed at guest level.

I leave my car doors unlocked and the keys nearby.
Not an issue, because it’s parked in a private garage. Maybe not best, because the kids or someone may take the car without asking. No big deal to me.

UPnP is someone I don’t know and did not authorize randomly opening the garage and waving a flag at strangers saying “come in and have a look”. This is a serious security problem.

HA should move to better default states, but the problems are currently caused by poor network setups. I feel this is more important (from the user’s perspective) because it not only affects HA users; even if you don’t use HA and have some other service, or just surf the web, it affects you.

EDIT
My focus is educating the user so they prevent their own problem.
HA can never stop everything, but an educated user will have the best chance. Reading AND UNDERSTANDING the component docs would have prevented this, vs “I found this guide and set it up” or “I found code online and ran it on my computer, but now I’m hacked”.

Hi,

It occurs to me that one way to help with hackers is to limit the attack surface. Use “http://whatsmyip.org” to find out your “outside” IP from home, from work, from your Mom’s house, etc. Do the same from your phone from various places.

You can limit these addresses to get to your outside firewall / router. That will cut down on most all of your issues. But if you want to use your cell phone from anywhere in the country, or even Europe, for example, you can check what IPs you’ll get in that country with your ISP of choice. Or Google around; there are numerous (many automated) lists of blacklisted sites or countries.

If you want to block any Chinese site from getting to your kit, then you can do it. You may also consider a honey-pot: get a cheap Raspberry Pi with no access to your network, put some junk on it, and leave it “outside” your firewall. Don’t mention Hass at all; just leave a few generic pictures, fake emails, etc.

The log from this Pi could be viewed to see what IPs are attacking you. Then make sure you block those from your real Hass or firewall.

You might even be really sneaky: vary the port you use for Hass; every day it’s 8123 + the numeric day of the week. Although I use the duckdns method, and that’s a great, free certificate; no unencrypted stuff leaves my Hassio Pi now!

-Ambi

This would be ok but the whitelist would be as long as the blacklist and just as hard to maintain since providers like to swap their IPs around.

This is mostly solid advice, you’ll likely want to block any of your IP Cameras from accessing the internet as well, if possible.

And how do I recognise a Chinese site? Or a Korean, or a Russian, or …?

1 Like

Well, you see … hackers NEVER spoof an IP, or route through a VPN, or anything like that.
What do you think they are??? Criminals? :rofl:

No. I think that IP spoofing is useful to an attacker as a means for amplification of a DDoS attack. My little Pi’s not going to help them much.

I think that layers of defense and limiting the attack surface are useful. When I park downtown, I know to take my cell phone with me. I know where to park to limit my exposure.

That’s why I subscribe to a service from my hardware firewall’s vendor for antivirus, antispam, content filtering, web filtering, etc. It limits my exposure. I limit access to HA from only a few IP addresses. I know the networks my phone will use and allow those. I don’t use Wi-Fi at Starbucks to get to my HA.

The only exposure I have “on the internet” is my HA on a RPi with 256-bit encrypted SSL. And I don’t even use port 443. I even rate-limit the incoming SSL traffic to dissuade brute-force attacks. And I keep an eye on my HA logs for interesting inbound logins.

I’ve got a friend who lives in one of the highest crime neighborhoods around, and he leaves the windows on his car open at night. On purpose. He’s telling everyone who wants to get something for nothing that he doesn’t have anything in the car they’d want. And yes, the car’s a 15-year-old Honda. The thieves pass his car and break the windows on the new BMW or Tesla with the $1,900 iPad on the seat. Or they go to the one with the windows open and the keys in it and drive away.

As a public service, I log into people’s little Belkin or Netgear Wi-Fi routers I find around and set the SSID to “PLEASE HACK ME” when they use the default (or no) login password.

So, for me, if someone wants to get into my HA setup, they’d need to be one of the several IPs I allow through my firewall. If they happened to be at my sister in-law’s house, they’d need to know the destination and port of my HA’s SSL service, and they’d need to be able to guess the user and password, as I generate 24-byte random passwords and store them in a password management service.

And even if they did that and were able to open my garage door, I’d get an alert on my phone, and would have live video of the cameras in and around the house. I’d push the panic button on my alarm system via HA, and the police would come.

When you work in network security, and you visit a friend’s house you always think “how would I break into his network? I wonder if he has any fun stuff in the garage!” It’s an occupational hazard!

Regards,

-Ambi
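“Keeping an eye on the HA logs for interesting inbound logins” can be scripted. The block below is an added example, not from the thread: it counts the warnings Home Assistant’s HTTP component writes for a request with invalid authentication, grouped by source IP, and lists the sources that cross a threshold. The log format is modelled on that warning (an assumption about its exact wording) and the lines are constructed, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges rather than any real address.

```python
"""Count failed Home Assistant logins per source IP and list sources
that exceed a threshold.  Added example, not from the thread; the log
wording is an assumption and the sample lines are constructed."""
import re
from collections import Counter

# Constructed log excerpt (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2018-09-01 10:00:01 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5
2018-09-01 10:00:02 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5
2018-09-01 10:00:02 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed[L]: entity_id=light.garage>
2018-09-01 10:00:03 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5
2018-09-01 10:00:04 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.9
2018-09-01 10:00:05 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.5
"""

# Matches only WARNING lines that carry the invalid-authentication text;
# the IP character class also accepts IPv6 sources.
INVALID_AUTH = re.compile(
    r"^\S+ \S+ WARNING .*invalid authentication from (?P<ip>[0-9a-fA-F.:]+)"
)


def count_failed_logins(log_text):
    """Return a Counter of source IP -> number of failed login lines."""
    counts = Counter()
    for line in log_text.splitlines():
        match = INVALID_AUTH.match(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3):
    """Sources with at least `threshold` failures, most frequent first."""
    return [(ip, n) for ip, n in count_failed_logins(log_text).most_common()
            if n >= threshold]


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins")
```

Point it at `home-assistant.log` and feed the result to a firewall block list or a notification. Home Assistant also ships its own version of this: setting `ip_ban_enabled: true` and `login_attempts_threshold` under `http:` in `configuration.yaml` makes HA ban a source after that many failures.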

Sure, you’re right. But there are whitelist services you can subscribe to. I usually do this for companies, and the services tend to cost at least some amount of money. They’re also available for particular firewall companies … perhaps most: Cisco, Juniper, Fortinet, Barracuda, Palo Alto, etc., etc.

I’d also suggest a separate firewall and Wi-Fi router in your house. Putting routing, firewall, and Wi-Fi in a single box is useful. But if attackers get into your setup, you’re totally hosed.

-Ambi

ARIN database :wink:

1 Like

FYI this is something they can arrest you for and even toss some prison time on you for. You should stop doing this.

Without getting too much into the details: one of my previous projects was the target of a pretty legit DDoS attack, and from that experience… this view isn’t exactly correct… all you need is a processor capable of making IP connection requests. It’s not the power, it’s the quantity.

Keep in mind- one of the largest botnets discovered thus far was running as a background process in a couple million IP cameras with… weak… firmware and no way to ‘push’ a firmware update.

Any ONE device/connection can be discovered, blocked, somehow mitigated… but when the attacks are coming… you can’t block a geographic region when they’re coming in globally.

(In my case, I got lucky… the ‘hacker’ (disgruntled ‘competitor’) got sloppy/greedy and used a large number of devices they had personal access to (university computer labs) which allowed me to leverage… in the end… I was able to take it up with the school directly…)

Point being… when it comes to DDoS… a device is a device is a device… you’re not after the processing power, you’re after the connection…

4 Likes

Perhaps. And perhaps this is an apocryphal telling of composite characters. Who’s to say?

But thank you for your advice, I shall keep it in mind!

Another here in favour of a guide, yes please!!

1 Like