I got hacked

But still that would require all those people to either DMZ their home assistant instances, or forward the SMB port(s).

I mean, could be a typo 443/445 but still…

@Dominic can you confirm that only 443 and not 445 was forwarded to your home assistant installation?

Examples:

<IP removed>
Virgin Media
Added on 2018-05-25 07:36:12 GMT
United Kingdom, Ashfield
Details MQTT Connection Code: 0

Topics:
bruh/sensornode1
bruh/sensornode2
bruh/upstairsnode
owntracks/pi/<name removed>
owntracks/pi/<name removed>
owntracks/pi/<name removed>
homeassistant/binary_sensor/vtsensor1-motion3/config
homeassistant/binary_sensor/VTSensor1-motion3/config

<IP removed>
Fastweb
Added on 2018-05-25 03:06:08 GMT
Italy, Rome
Details SMB Status
Authentication: disabled
SMB Version: 2
Capabilities: raw-mode

Shares
Name                 Type       Comments                                
------------------------------------------------------------------------
config               Disk                                               
addons               Disk                                               
share                Disk                                               
backup               Disk                                               
IPC$                 IPC        IPC Service (Samba HomeAssistant config share)

But there are a lot more…

Mine 404’s on that…

I am happy in the least that at least this has started a discourse and possible awareness in a larger realm than just my own.

2 Likes

Did you substitute <IP> in the URL for your actual internet IP?
If so, no idea why - works for my IP address…

Yes and on the first one, sarah is on xxx near the corner of yyyy.

She’s only got 13% left on battery life, so now is the time.

Seriously an open mqtt server is a security nightmare

There have also been threads in the past with a lot of good info.
It needs to be filtered for best practice by someone who knows their stuff, formatted for noobs and published here, on the HA website, etc etc

1 Like

Also there is a Tesla parked near 101 not far from Portland Oregon.

Yes I used my actual public IP address.

You can also use the search on shodan main page - paste in your IP and search…

No results found

Guys, let’s please not get carried away about what other people have misconfigured. We have a concrete example and still nobody was able to figure out what has happened.

@Dominic would you give us some insight about your network? What exactly was configured and forwarded?

There’s no confusion about what happened. He said he had 443 forwarded and no password set. He incorrectly thought SSL would protect him and did not realise open ports can be searched with tools like Shodan.
Oops. Wrong thread it was the other one that did that.

See there is confusion and this thread is getting hard to follow.

In summary what I gathered:

  • Dominic found a file containing a warning about open SMB shares.
  • The home assistant installation had a password
  • The SMB server had guest access enabled (either by mistake or a bug in the plugin)
  • Ports exposed to the internet: 80, 443, 8123 and some steam ports

Question is: how was it possible to write a file locally?

I just realized my samba pwd has been erased too. Luckily I don’t expose anything to external - but still, the folders from the Pi are just accessible. Is that an issue with the latest HA builds?

If you have smb access you can write a file to the smb share.

Thank you captain obvious. You saved the day. :roll_eyes:

There was no external SMB access according to Dominic.

@TFA That’s not what he wrote

and a few posts later he wrote:

If that’s correct, that would rule out public SMB access.

The only thing I can think of was NAT port mapping