I have been Hacked

I use a little program on my tablet called Fing. https://www.fing.io/
The app will scan your network for all devices and, if set up, also let you know by email when a new device connects. If I find a device that is not mine, I block it in my router settings.

Also, there is lots of free software for different platforms you can use; just google “Who is on my wifi”.
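The “who is on my network” check the posts above describe, as an added example that is not part of the thread, the Fing app, or any “Who is on my wifi” tool: it parses a neighbour table in the format printed by `arp -a` on Linux (the sample output below is constructed) and compares every resolved MAC against an allowlist of devices you own. Everything here, including the device names and MAC addresses, is assumed for illustration.

```python
"""Added example: flag unknown devices on the LAN by comparing the ARP/neighbour
table against an allowlist of known MAC addresses.

Assumptions: the table text is in Linux `arp -a` format (constructed sample
below); the allowlist is keyed by MAC because IPs change with DHCP.
Feed the real output of `arp -a` to parse_arp_table() to use it for real.
"""
import re
from dataclasses import dataclass

# MAC addresses we own (constructed sample data, lower-case, colon separated).
KNOWN_DEVICES = {
    "aa:bb:cc:dd:ee:01": "router",
    "aa:bb:cc:dd:ee:02": "home-assistant",
    "aa:bb:cc:dd:ee:03": "tablet",
}

# Constructed `arp -a` output; the fourth line is a device not in the allowlist,
# the last line is an unresolved entry that must be ignored rather than flagged.
SAMPLE_ARP_OUTPUT = """\
router.lan (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
hass.lan (192.168.1.20) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.1.31) at aa:bb:cc:dd:ee:03 [ether] on eth0
? (192.168.1.77) at 02:11:22:33:44:55 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# "(ip) at mac" is the stable part of each line; hostnames may be "?".
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>[0-9a-fA-F:]{17})"
)


@dataclass(frozen=True)
class Neighbour:
    ip: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated, zero-padded octets so 'AA-BB-..' variants match."""
    octets = re.split(r"[:-]", mac.strip().lower())
    return ":".join(o.zfill(2) for o in octets)


def parse_arp_table(text: str) -> list[Neighbour]:
    """Extract (ip, mac) pairs; entries without a resolved MAC (<incomplete>) are skipped."""
    neighbours = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            neighbours.append(Neighbour(m.group("ip"), normalize_mac(m.group("mac"))))
    return neighbours


def find_unknown_devices(neighbours, known=KNOWN_DEVICES) -> list[Neighbour]:
    """Return every neighbour whose MAC is not in the allowlist."""
    return [n for n in neighbours if n.mac not in known]


if __name__ == "__main__":
    for n in find_unknown_devices(parse_arp_table(SAMPLE_ARP_OUTPUT)):
        print(f"UNKNOWN device {n.mac} at {n.ip}: consider blocking it on the router")
```

Treat this as an inventory check, not an access control: a MAC is trivially spoofed, so an attacker can impersonate a known device, and modern phones randomise their MAC per Wi-Fi network, so the allowlist has to hold the address each device presents on your SSID or your own phone will be reported as an intruder.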

And Home Assistant can track bad logins now that you have set your password.

This also applies to all other add-ons/Docker containers you installed.

Every port you forward from the router must be protected with a password.

Thanks for the advice, I’ll check this stuff out. I must admit I think I had the port forwards in the router settings from back when I was trying to connect Alexa before the cloud. I stopped all port forwarding, so it should be OK now. I never really thought somebody would find it. Lucky he was a reasonable guy!

I can’t believe no one has told you to reinstall. Sure, you can assume he was a nice guy, but as the adage goes, “Train for the worst, hope for the best”. You have no idea of any other compromise that may have been done. Assume the worst has happened and go from there.

4 Likes

^ Not to mention that this guy may not have been the first!

Total security review and rebuild is the only safe course of action here.

6 Likes

Maybe password should be added by default?
Force set password at first login

6 Likes

If you’ve exposed a service to the Internet then it’s just a matter of time before it’s found. At best, we’re talking a day or two, but potentially less than an hour.

3 Likes

The problem with that would be that quite a few users don’t expose Home Assistant at all, and for them it would be less convenient. I myself did not expose it most of the time, and not having to use a password for API stuff was really nice. Of course there’s generally nothing wrong with requiring a password. But if people don’t need one, they shouldn’t be forced.

1 Like

It would be nice though if access from a different subnet wasn’t permitted unless either a password was set, or some other flag to say “I understand the risks” was set.

2 Likes

This is why I have mine running through a reverse proxy, with the password turned on and the failed-attempts limit set low. Even if they find it, the failed password attempts will lock out the IP, so it’s harder to crack. And I only expose two ports to the world, which are exposed anyway (80 and 443).
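The “failed attempts set low, lock out the IP” idea above, as an added example; this is not the thread’s code and not Home Assistant’s own IP-ban implementation. It replays constructed log lines of the form `<unix_ts> <ip> login <ok|fail>` through a tracker that bans a source address after a small number of failures inside a sliding window. The threshold, window and ban duration are illustrative values, not any product’s defaults.

```python
"""Added example: ban a client IP after N failed logins inside a time window.

Assumptions: log lines are in the constructed format "<unix_ts> <ip> login <ok|fail>";
THRESHOLD / WINDOW_SECONDS / BAN_SECONDS are illustrative, not HA's defaults.
"""
from collections import defaultdict, deque

THRESHOLD = 3          # failures allowed inside the window before a ban
WINDOW_SECONDS = 300   # sliding window for counting failures
BAN_SECONDS = 3600     # how long a banned IP stays locked out


class LoginTracker:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, ban_for=BAN_SECONDS):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> unix time when the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]          # ban expired, forget it
            return False
        return True

    def record(self, ip, success, now):
        """Record one attempt; returns 'banned', 'fail' or 'ok'."""
        if self.is_banned(ip, now):
            return "banned"                    # reject before the password is even checked
        if success:
            self.failures.pop(ip, None)        # a good login resets the counter
            return "ok"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned_until[ip] = now + self.ban_for
            self.failures.pop(ip, None)
            return "banned"
        return "fail"


def replay(lines, tracker=None):
    """Feed log lines through the tracker; return (per-line decisions, banned IPs)."""
    tracker = tracker or LoginTracker()
    decisions = []
    for line in lines:
        ts, ip, _, outcome = line.split()
        decisions.append((ip, tracker.record(ip, outcome == "ok", int(ts))))
    return decisions, sorted(tracker.banned_until)


# Constructed sample: 203.0.113.7 sprays passwords; 192.168.1.31 is the owner.
SAMPLE_LOG = [
    "1000 203.0.113.7 login fail",
    "1001 203.0.113.7 login fail",
    "1002 203.0.113.7 login fail",
    "1003 203.0.113.7 login ok",      # a correct guess after the ban is still rejected
    "1004 192.168.1.31 login fail",
    "1005 192.168.1.31 login ok",
]

if __name__ == "__main__":
    decisions, banned = replay(SAMPLE_LOG)
    for ip, decision in decisions:
        print(ip, decision)
    print("banned:", banned)
```

Two caveats when this sits behind a reverse proxy, as in the post above: the application sees the proxy’s address unless it is told to trust a forwarded-for header, and it must trust that header only from the proxy, otherwise a client can spoof it to evade (or to get someone else) banned. A per-IP lockout also does nothing against a spray spread across many source addresses, which is why the password still has to be strong.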

Be aware that if you are using non-secure Z-Wave devices, this can be done with a cheap TI dongle. No passwords required.

I have tried it personally. Easy.

I thoroughly agree. We need to reinforce good practice. A slight inconvenience for newbies who might forget the password is not relevant. Any modern browser will save the password, so there is no inconvenience to enforcing a password.

1 Like

Lol,

it’s for sure a user who is present in this forum.

I think a password should be forced because HA can control the home entrance, and even if you’re not exposed to the internet, entering “secure” Wi-Fi is not hard.

There’s an app named Blynk for ESP devices. I liked their security approach: you must have a token to communicate between app and server, and the token is sent to the email address which is the username, so users must choose their email as the username to get the token, and this way they also make a password.

It probably wouldn’t be a bad idea to implement time based 2FA tokens as well.

2 Likes

I agree that security is a good thing - no question!
But I would also like to make a point that it’s each user’s own responsibility to make sure their setup is secure.

Making it impossible to run HomeAssistant without a password/code should not be the goal; I don’t need it and I don’t want to be forced to use one every time I log into my GUI - and even if my browser can save it, it’s an additional step I don’t want to be forced to go through.

I’d be fine with e.g. the configuration file having the password option enabled by default, so that it explicitly needs to be disabled if somebody doesn’t think they want it or need it.

I’m also fine with 2FA, even 3FA, or recommending users to use 24 character long passwords that need to be changed once a fortnight.

As long as I have the choice to turn it off: Okay with me!

Just because my neighbor likes to keep a spare key in a flower pot next to his front door doesn’t have to result in me not being allowed any flower pots at all. I can tell him that I think it’s not a good idea to leave a key there, but it’s his decision in the end.

3 Likes

Oh, and one more thing:

Thanks to @danielperna84 for the URLs :wink:

Just like almost 500 readers of this thread I found it very educational - or at least entertaining.

1 Like

The getting started guide and the top level of the install page now have a warning banner to nudge people towards securing their install.

The securing page now also points out that there’s no security through obscurity.

Hopefully those will make it less likely that people overlook securing their systems, and instead make it a deliberate choice (at which point, that’s your problem). Oh, and don’t forget that you can add trusted networks that are exempt from authentication, so you can require authentication from everything other than your home network.

3 Likes
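The trusted-networks exemption mentioned above, as an added example; this is not the thread’s code and not Home Assistant’s implementation. It decides whether a client must authenticate from a list of CIDR networks and sanity-checks that list, because a range typed too wide silently exempts far more than the home LAN. The sample networks and the “too broad” heuristic (non-private range, or an IPv4 prefix shorter than /8) are this example’s own assumptions.

```python
"""Added example: trusted-network exemption from authentication, plus a check that
the configured ranges are not wider than a home network should be.

Assumptions: TRUSTED_NETWORKS is a constructed sample; the "too broad" rule
(not private/loopback, or IPv4 prefix shorter than /8, or IPv6 shorter than /48)
is this example's heuristic, not a rule from any product.
"""
import ipaddress

TRUSTED_NETWORKS = ["192.168.1.0/24", "127.0.0.1/32", "::1/128"]   # constructed sample


def parse_networks(cidrs):
    """Parse CIDR strings; strict=False tolerates a host address like 192.168.1.5/24."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def auth_required(client_ip: str, trusted) -> bool:
    """True unless the client address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped        # ::ffff:192.168.1.5 arrives on dual-stack sockets
    return not any(ip in net for net in trusted)


def overly_broad(trusted):
    """Networks that would exempt far more than a LAN (e.g. 0.0.0.0/0 or 8.8.0.0/16)."""
    flagged = []
    for net in trusted:
        too_wide = (net.version == 4 and net.prefixlen < 8) or \
                   (net.version == 6 and net.prefixlen < 48)
        if too_wide or not (net.is_private or net.is_loopback):
            flagged.append(str(net))
    return flagged


if __name__ == "__main__":
    nets = parse_networks(TRUSTED_NETWORKS)
    for client in ("192.168.1.50", "::ffff:192.168.1.50", "203.0.113.9"):
        print(client, "needs password:", auth_required(client, nets))
    print("suspicious ranges:", overly_broad(parse_networks(["0.0.0.0/0", "8.8.0.0/16"])))
```

One caveat for anyone combining this with the reverse proxy discussed earlier: the exemption is only as good as the source address the application sees. If the proxy sits inside the trusted range and the application is not configured to take the real client address from the proxy, every proxied connection from the internet looks like it came from the LAN and skips authentication.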

I think this topic might be handled by the creator of HA anyway as we speak.
He is creating a structure that will allow user creation in the future, to better handle different user roles (admin, simple user, …).
This will certainly also require the creation of a root user at first start, or at least the modification of the default user password at first start.

And it seems two-step auth or support for other auth services will be supported too :slight_smile:

You can have a glimpse at the current work here:


6 Likes