I thought I was hacked, but ended up with a topic full of useful information

In the end, “the hack” was Alexa, emulated Hue and a forgotten Echo.
If you are interested in the safety of your HA and want to expose your HA to the internet, it can be useful to read this long topic.


10:31 this morning (Berlin time) I was sitting at my PC and all of a sudden I noticed that things started to happen.
Beside my PC I have a monitor for my HA system telling me what is going on in the house, and all of a sudden devices turned on all around the house.
I have no automations that can do that at this point, so I can say that it's not a glitch or error in the system.
Because I am aware of the possibility I took action immediately and shut down my proxy server (nginx).
Then I started to look whether any trace was left.
In my nginx log file I find this:

71.6.158.166 - - [04/Jul/2018:10:31:13 +0200] "GET / HTTP/1.1" 200 3295 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36"
71.6.158.166 - - [04/Jul/2018:10:31:15 +0200] "" 400 0 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:16 +0200] "" 400 0 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:17 +0200] "" 400 0 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:21 +0200] "quit" 400 182 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:22 +0200] "GET /robots.txt HTTP/1.1" 200 25 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:23 +0200] "GET /sitemap.xml HTTP/1.1" 404 14 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:23 +0200] "GET /.well-known/security.txt HTTP/1.1" 404 14 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:25 +0200] "GET /favicon.ico HTTP/1.1" 404 14 "-" "python-requests/2.10.0"

On abuse websites like https://www.abuseipdb.com/check/71.6.158.166
I can find that that address has been reported 1800 times in the last months, so it's a known hacker address.

Could I get more trouble?
Probably not, now that I closed everything up.

My system:
Ubuntu 17.10
HA 69.1 with set password
nginx forwarding port 433 to HA

No Samba or anything else opened.


Just a thought of mine:
if I had the option to configure HA from my frontend setup, then the hacker would have been able to change my settings, and I think that's maybe what happened to others that got hacked.

I think somehow there is a way around the HA password, so I keep my nginx down for now, mostly because I don't use HA outside my house a lot anyway.
And I am going to look up how to set the password on nginx instead of in HA.
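As an added example (not from the post, Home Assistant or nginx), a small Python triage script that parses access-log lines in the format quoted above and summarises, per source IP, the signals a defender looks for in a burst like this one: malformed request lines answered with 400, fetches of the generic probe paths, scripted or empty user agents, and how tightly the burst is clustered in time. The sample lines are constructed from the excerpt; the 192.0.2.10 line is an invented contrast case and the user-agent prefix list is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the post's nginx excerpt; the 192.0.2.10 line is an invented contrast case.
SAMPLE_LOG = """\
71.6.158.166 - - [04/Jul/2018:10:31:13 +0200] "GET / HTTP/1.1" 200 3295 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36"
71.6.158.166 - - [04/Jul/2018:10:31:15 +0200] "" 400 0 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:21 +0200] "quit" 400 182 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:22 +0200] "GET /robots.txt HTTP/1.1" 200 25 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:23 +0200] "GET /.well-known/security.txt HTTP/1.1" 404 14 "-" "-"
71.6.158.166 - - [04/Jul/2018:10:31:25 +0200] "GET /favicon.ico HTTP/1.1" 404 14 "-" "python-requests/2.10.0"
192.0.2.10 - - [04/Jul/2018:10:40:02 +0200] "GET /api/states HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""
# nginx "combined" format; an empty request line ("") still matches.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
REQ_RE = re.compile(r'^[A-Z]+ (?P<path>\S+) HTTP/\d\.\d$')
# Generic files that crawlers and census scanners fetch first (all seen in the post).
PROBE_PATHS = {"/robots.txt", "/sitemap.xml", "/.well-known/security.txt", "/favicon.ico"}
SCRIPTED_UA_PREFIXES = ("python-requests", "curl/", "wget/", "go-http-client")  # assumed list

def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rm = REQ_RE.match(rec["req"])
    rec["path"] = rm.group("path") if rm else None  # None marks a malformed request line
    return rec

def scanner_report(log_text):
    """Per source IP: malformed requests, probe paths, scripted/empty UAs, burst span; two or more signals => scanner-like."""
    stats = defaultdict(lambda: {"requests": 0, "malformed": 0, "probe_paths": 0,
                                 "scripted_ua": 0, "first": None, "last": None})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["malformed"] += int(rec["path"] is None or rec["status"] == 400)
        s["probe_paths"] += int(rec["path"] in PROBE_PATHS)
        s["scripted_ua"] += int(rec["ua"] == "-" or rec["ua"].lower().startswith(SCRIPTED_UA_PREFIXES))
        s["first"] = min(filter(None, [s["first"], rec["ts"]]))
        s["last"] = max(filter(None, [s["last"], rec["ts"]]))
    for s in stats.values():
        s["span_s"] = int((s["last"] - s["first"]).total_seconds())
        s["scanner_like"] = (s["malformed"] > 0) + (s["probe_paths"] >= 2) + (s["scripted_ua"] > 0) >= 2
    return dict(stats)
```

Run against a real access log, the report separates a census-style sweep (many signals inside a few seconds) from ordinary browser traffic, and the span value makes it easy to line the burst up against other logs, as the poster did with the moment the lights switched on.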

That appears to be one of the Shodan scanner servers, and the URLs fetched are well-known scanning targets to probe.

IP: 71.6.158.166
Decimal: 1191616166
Hostname: ninja.census.shodan.io
ASN: 10439
ISP: CariNet
Organization: CariNet
Services: None detected

All that Shodan saw on my outside address is nginx.
So how does anybody know that I have HA running, and how did they get through my HA password?

I know I get scanned a lot; I can see that from my nginx logs.

I just looked at other logs and there is a small timeframe of 1 minute between that part in the nginx log and the moment the lights got turned on.
There is no record of any of that action in the nginx log; that was the last entry.

I really need to learn more about nginx before I start it up again. :wink:

Well, let's start with the basics: maintaining your installation. You're running an older version of Home Assistant, which in its turn has older libs that have known vulnerabilities. It's not that hard if you know what you're looking for, and if you're running on 8123 it's pretty easy to guess what's running there.

I truly don't see the mystery here; it's all plain and simple.

I've nothing to say about the actual subject, but I think you forgot to put this post in a category, which I also think means it then doesn't show up on lists of new or latest posts.

I could be wrong, but if I'm right, categorizing it will mean it reaches a wider audience.

I just noticed that also.
I didn't categorise it because there is no category that it belongs to, but I'll change the category.

@toast yeah, I use a slightly older version of HA, because I think it's bullshit to update HA every 2 weeks.
There has been no report in the blogs that I have seen that HA did update libs because of known vulnerabilities (or anything concerning security problems at all in the past that I know of).

8123 is not exposed to the world, so no one knows that it exists.
The only way to know that I run HA at all is to go to my DuckDNS and take a look at it.

And then still the question remains how they did bypass the password.

Probably some older lib that there is a “known” exploit for, and that itself is being used against you. If you got deeper logs, pop into the Discord channel and share them with the devs if you feel comfy with that.


If there is a known security issue that has been solved by an update, then that should be mentioned somewhere. But there has never been any issue of that kind mentioned (or at least I haven't seen any).
I am not even sure if anyone takes a look if there are known security issues with the libs that HA uses.

That said, we also absolutely cannot be sure that the latest version of HA has the latest versions of libs that have been updated because of known issues.

So updating HA every 2 weeks with all the breaking changes they have does not provide any more guarantee that it is safe. (And I don't want to update every 2 weeks and have my automations down for some time every 2 weeks, but if there was a security update at some point I would update, because that is necessary.)

I am on Discord and I have been on the HA channels several times and asked questions there, but never got a decent response. And I don't find that strange, because at the times that there is more going on there, everyone is talking, and that's like trying to have a serious conversation in a loaded bar.
So no, I am not comfortable taking this to an open chatroom :wink:

Consider all updates security updates these days, cause nothing is secure. And sure, if you're not comfy sharing logs, even if they are redacted of all your passwords and IPs and API keys, then you shouldn't be complaining about getting hacked; consider doing updates instead.


I am comfy sharing logs, just not comfy with shouting in a general room in the hope that someone responds.

I really don't like the way you talk to me!
I don't complain at all!

It is stupid to do updates every 2 weeks and take down automations if it doesn't give a clear advantage.
HA adds stuff every update, so I could also say that every update creates possible security issues.

If there are known security issues with some libs, then that should be mentioned and I can update those manually. I don't need to update HA for that.


There are ways around your update problems. Just about the only downtime I get when I update hass is the time it takes to restart. When you DO update you will have a hell of a time reading through all of the breaking changes to see what if anything affects your setup.


Bickering aside about whether to update or not, my system is exactly like yours, and I guess it's time to disable port forwarding and use just VPN to access Hass from outside.


It's the fact that there are always breaking changes that prevents me from updating regularly.
I have a big running automation system that I want to disrupt as little as possible.
I want to restart HA as little as possible. It should normally run for months without me taking action, and of course if there is any known security issue I would take care of that, but it's senseless to just blindly update a program every 2 weeks if there is no security reason for it.

@anilet yeah, I'll look into that again as well. I did try to use VPN in the past without success, but I now think I know why it didn't work back then.


@anilet could you please provide a guide on how I could set up VPN to access Hass from outside?

Thanks.

I have an EdgeRouter X as my router, and it has an option to set up VPN on it.
Most modern routers have OpenVPN, I guess.


My Fritz!Box has the option to open a VPN connection also.
And now I have successfully set that up, until I find another way.
Thanks for reminding me.


Did you have trusted_networks turned on in the http section of your HA config?

No, I have not used trusted_networks.
The reason why I did expose HA was to be able to get to my devices at home when I am on vacation.
I would be on a network that I don't know before I get there.

But I could only get to HA through my proxy server anyway (unless I am on my own network, then I can just use the IP address).

Aside from the breaking changes there are a lot of other changes to a lot of things. All breaking changes should not affect you either, since you wouldn't have all of the components involved. One minute of downtime should not affect the system that much either? It's always recommended to keep up to date in all things, regardless of security issues.


I think we have a pretty similar use case. I don't expose HA's port to the WAN. I only use it via a VPN connection or through an SSH tunnel with pre-shared keys, which I'd consider reasonably secure and convenient. Give your Fritz!Box VPN another go. And if you have an iPhone, there is a trick to let it automatically use the VPN whenever you're connecting to HA. It works perfectly fine (for me at least).