Over the past couple of days Home Assistant has been acting up. Lights turning on and off in the evenings. I would go into the app and shut down the processes, then wake up and reboot the Pi. But today when it started doing weird stuff I went into the app and saw this
The person seems pretty white hat since nothing much has changed. I suspect it was only doing strange stuff at night because that's when he's awake; I'm in Australia.
How could this happen? True, my Home Assistant setup didn't have a password, which was stupid, but surely they would have to crack the wifi password and do it locally, or hack into Home Assistant Cloud and break my password there.
How can I prevent this in the future, and can I find the connected IP with the logs?
I will add this:
http:
  api_password: YOUR_PASSWORD
to my config, but I don't believe my Pi is exposed to the internet apart from HA Cloud?
[I have signed out of HA Cloud and reset passwords]
I use a little program on my tablet called Fing. https://www.fing.io/
The app will scan your network for all devices and also let you know if any new device connects, via email if set up. Then if you find a device that is not yours, I block that device in my router settings.
Also there is lots of free software for different platforms you can use. Just google "Who is on my wifi".
And Home Assistant can track bad logins now that you have set your password.
Thanks for the advice, I'll check this stuff out. I must admit I think I had the port forwards in the router settings from back when I was trying to connect Alexa before the cloud. I stopped all port forwards so should be ok now. I never really thought somebody would find it. Lucky he was a reasonable guy!
I can't believe no one's told you to reinstall. Sure, you can assume nice guy, but as the adage goes, "Train for the worst, hope for the best". You have no idea of any other compromise that may have been done. Assume the worst has happened and go from there.
If you’ve exposed a service to the Internet then it’s just a matter of time before it’s found. At best, we’re talking a day or two, but potentially less than an hour.
The problem with that would be that quite a few users don't expose Home Assistant at all, and for them it would be less convenient. I myself did not expose it most of the time. And not having to use a password for API stuff was really nice. Of course there's generally nothing wrong with requiring a password. But if people don't need one, they shouldn't be forced.
It would be nice though if access from a different subnet wasn't permitted unless either a password was set, or some other flag to say "I understand the risks" is set.
This is why I have mine run through a reverse proxy and also have the password turned on and failed attempts set low. Even if they find it, the failed password attempts will lock out the IP so it's harder to crack. And I only expose two ports to the world, which are exposed anyway (80 and 443).
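Two things in this thread go together: the original question of whether the connected IP can be found in the logs (and the reply that Home Assistant tracks bad logins once a password is set), and the post above about locking out an IP after a small number of failed attempts. The script below is an added example, not code from this thread or from the Home Assistant project. It parses failed-authentication warnings out of a log in the style of home-assistant.log, counts them per source address, replays the lockout rule (Home Assistant's own `http:` options for this are `ip_ban_enabled: true` and `login_attempts_threshold: N`; banned addresses are written to `ip_bans.yaml`), and separates LAN sources from addresses outside RFC 1918 space, which is the quickest way to tell whether the instance was reachable from the Internet after all. The sample log lines are constructed for the example, and the exact wording of the failed-login message is modelled on Home Assistant's warning, so treat the regex as an assumption to adjust against your own log.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the style of home-assistant.log. Not output from
# the original poster's system; the external address is from the RFC 5737
# documentation range.
SAMPLE_LOG = """\
2018-05-03 22:14:07 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.45
2018-05-03 22:14:09 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.45
2018-05-03 22:14:12 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.45
2018-05-03 22:30:41 INFO (MainThread) [homeassistant.components.http.view] Serving /api/states to 192.168.1.20 (auth: True)
2018-05-03 23:02:55 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.20
2018-05-03 23:05:00 WARNING (MainThread) [homeassistant.components.http.ban] Banned IP 203.0.113.45 for too many login attempts
"""

# Generic shape of a Home Assistant log line: timestamp, level, thread, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) \([^)]*\) "
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
# Assumed wording of the failed-auth warning; adjust to match your own log.
FAILED_RE = re.compile(r"invalid authentication from (?P<ip>[0-9a-fA-F.:]+)")

# RFC 1918 ranges. Anything outside these reached the instance from beyond the LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_failed_logins(log_text):
    """Return a (timestamp, ip) tuple for every failed-authentication line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAILED_RE.search(m.group("msg"))
        if f:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, f.group("ip")))
    return events


def count_by_ip(events):
    """Number of failed logins per source address."""
    return Counter(ip for _, ip in events)


def ips_over_threshold(counts, threshold):
    """Addresses with at least `threshold` failures: what the ban rule would lock out."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def is_lan(ip):
    """True if the address falls inside an RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def external_sources(events):
    """Failed-login sources outside the LAN: evidence the instance was Internet-reachable."""
    return sorted({ip for _, ip in events if not is_lan(ip)})


def summarize(log_text, threshold=3):
    """One-shot report: per-IP counts, lockout candidates, and external sources."""
    events = parse_failed_logins(log_text)
    counts = count_by_ip(events)
    return {
        "failed_by_ip": dict(counts),
        "would_be_banned": ips_over_threshold(counts, threshold),
        "external": external_sources(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the contents of home-assistant.log; a single LAN failure is usually a typo, while repeated failures from a non-RFC 1918 address mean the service was reachable from outside, which is the check to do before trusting that the port forwards are really gone.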
I thoroughly agree. We need to reinforce good practice. A slight inconvenience for newbies who might forget the password is not relevant. Any modern browser will save the password, so there is no inconvenience to enforcing a password.
I think a password should be forced because HA can control home entrances, and even if you're not exposed to the internet, getting into "secure" wifi is not hard.
There's an app named Blynk for ESP devices. I liked their security approach: you must have a token to communicate between app and server, and the token is sent to the email that is the username, so users must choose their email as username to get the token, and this way they also set a password.
I agree that security is a good thing - no question!
But I would also like to make a point that it’s each user’s own responsibility to make sure their setup is secure.
Making it impossible to run HomeAssistant without a password/code should not be the goal; I don’t need it and I don’t want to be forced to use one every time I log into my GUI - and even if my browser can save it, it’s an additional step I don’t want to be forced to go through.
I'd be fine with e.g. the configuration file having the password option enabled by default, so that it explicitly needs to be disabled if somebody doesn't think they want it or need it.
I’m also fine with 2FA, even 3FA, or recommending users to use 24 character long passwords that need to be changed once a fortnight.
As long as I have the choice to turn it off: Okay with me!
Just because my neighbor likes to keep a spare key in a flower pot next to his front door doesn’t have to result in me not being allowed any flower pots at all. I can tell him that I think it’s not a good idea to leave a key there, but it’s his decision in the end.