I’ve run a Nessus scan tonight against my server with HA on (not Hass.io).
The only medium issues it found were:
Web Server Expect Header XSS
Description
The remote web server fails to sanitize the contents of an ‘Expect’ request header before using it to generate dynamic web content. An unauthenticated, remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially crafted ShockWave (SWF) files.
on both HASS and AD
and
Web Application Potentially Vulnerable to Clickjacking
Description
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy ‘frame-ancestors’ response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The ‘frame-ancestors’ policy directive restricts which sources can embed the protected resource.
Note that while the X-Frame-Options and Content-Security-Policy response headers are not the only mitigations for clickjacking, they are currently the most reliable methods that can be detected through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g., frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions.
Solution
Return the X-Frame-Options or Content-Security-Policy (with the ‘frame-ancestors’ directive) HTTP header with the page’s response.
This prevents the page’s content from being rendered by another site when using the frame or iframe HTML tags.
on the AD server… I’m trying a few different scans now to see what else I can turn up :S
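The clickjacking finding above is fixed at the reverse proxy. As an added example (not from this thread or from the Home Assistant project), here is the nginx change that makes the scanner’s check pass; it assumes HA is listening on 127.0.0.1:8123 behind nginx with TLS already configured, and the hostname is a placeholder.

```nginx
# Added example: nginx in front of Home Assistant, emitting the two headers
# the Nessus plugin looks for. Assumed: HA on 127.0.0.1:8123, TLS already set up.

# Before: a bare proxy block. No framing policy is returned, so every
# response (including the login page) is reported as frameable.
#
# server {
#     listen 443 ssl;
#     location / {
#         proxy_pass http://127.0.0.1:8123;
#     }
# }

# After: both headers set once at server scope so every location inherits them.
server {
    listen 443 ssl;
    server_name ha.example.invalid;   # placeholder hostname

    # X-Frame-Options covers older browsers, CSP frame-ancestors the current
    # ones. "always" attaches the headers to 4xx/5xx responses too, which a
    # scanner also inspects.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    location / {
        proxy_pass http://127.0.0.1:8123;
        # The HA frontend talks over a WebSocket, so pass the upgrade through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Caveat: an add_header placed inside this location would replace the
        # server-level add_header set, not extend it. Keep them at server scope
        # (or repeat all of them here).
    }
}
```

Check with `nginx -t` and then `curl -sI https://ha.example.invalid/` to confirm both headers appear; if you deliberately embed HA in a page on another origin, list that origin in `frame-ancestors` instead of `'self'` alone, or the embed will break.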
Should be even easier to get persistence in the apps then, since AppDaemon doesn’t restart with hass.
I’m just trying to get across that there are things you can do to make restarting and upgrading a better process for you. But of course it takes time and effort to implement. And it doesn’t cover the security issue.
That is only partially true.
You can tell AD not to reinitialise some apps when there is a reconnect to HA, but there is a lot that needs to be restarted anyway.
I appreciate you thinking along. And of course I am still working on minimizing the impact from a restart.
But the best way is to minimize the restarts.
Right, and that’s the main thing to think about now.
Although for now I am pretty sure that I am safe again, it would be nice to have a clue how they got by my password, because it might be the same way they used at others.
I feel like they only got by the password and did see and use the HA GUI.
If that’s possible on my environment and they can do the same at others, then they will see some HA GUIs which have the complete configuration exposed. And that could explain the changes from the other “I got hacked” topics. So it’s possible that there were more ways used, but it’s also possible that it’s someone from this forum that found a leak somewhere, and also is disappointed in HA.
I got a feeling that it’s no coincidence that someone found my HA. There is nothing from HA seen from the outside, so they needed to get to my outside IP or DuckDNS (also no HA name); then they manually went to that and changed settings.
@miguelromao yeah, you are right, I don’t have that.
And even if I would have, then I would get a mail from my router telling me about a change in the settings.
Every new port that is opened or closed and every new device that is connected is sent to me by mail.
Please allow me this off-topic question here: is this doing what restore_state is doing too? If so, why would we need that? If not, could you please explain what the difference is (if necessary in another topic…)?
thx,
Marius
I’ve been reading the topics about this, and following along closely, and thought I would be OK as I used a random port to forward onto HA. I only have that, my CCTV, and my Synology NAS port forwarded, and get the odd email now and again about someone trying to get into my NAS; I have never had a problem with HA, but have switched off all port forwarding for now, as I’m interested to find out how people are getting past the security. I never managed to get the VPN setting on my router working, but I guess now it’s time to find out why and get it working; it seems to be the safest way to access HA from the outside world.
There is a lot of good information in this thread, but all we can do is speculate on how it happened. We would need to know the network topology with applications and host OS info. You did not mention what smart devices they are and what protocol they are using. Many mention patching, but that applies not only to the HA 2-week cadence but also to the base OS it’s running on, like Raspbian. How about your home router and WiFi devices? There have been recent discoveries of malware residing in router memory. Next, is your HA password strong and secure, not something easily guessed or that would be found in a dictionary attack? Do you ever connect to your HA using HTTP? Possibly your password was captured that way if any rogue or compromised device is on your LAN. You should think about using software like fail2ban so you limit any brute-force password attacks. As others mentioned, use a trusted networks list to limit access.
There are too many issues with this theme. I do not know why you don’t hear that we need another way of remote control. HA is for geeks now, and if you are not really deep in web security you get things like this. HA could get a bigger audience just by making things less geeky.
Why doesn’t HA use a cloud service for remote access like everybody does? I understand that it is not for free; it could be paid for by those who need it.
Please, read the first line of your link.
“The Home Assistant Cloud allows you to quickly integrate your local Home Assistant with various cloud services like Amazon Alexa.”
I am talking about remote access to the system.
I know that too. Sometimes, you have to rethink things. Especially, when things like this happen.
Every other service is going OK with clouds, all smart home systems, but not HA. No, it is not secure. But VPN or DDNS are secure. As we see.
Perhaps I’m being naive here, but were you using the same password for HA and for anything else? Maybe your password was leaked in one of the famous Adobe/Sony/whatever cases, and that’s how they got inside.
I wonder about this too. Unless I missed something, there is no info about what actually happened.
But what and how? The log just shows a Shodan server scanned the system, but did somebody actually access the system? Why suspect remote access; maybe somebody got access through WiFi? So many conclusions based on very little information.
@jesjimher I have separate passwords for everything. I don’t even use the same password for Discord, GitHub and this forum. Even my 4 cams have 4 different passwords. So I can rule that out.
@awarecan and @sjee
When I say things start happening, it’s lights going on in places where they shouldn’t. And those lights can only be turned on by the HA GUI (or with a remote, but then HA wouldn’t notice that).
Actually there were input_booleans turned on that turn on light groups.
And I am not talking about just 1 light, but lights in my cellar, my TV, lights on the attic, beamer screen coming down, beamer turning on, etc.
Those events started happening about 1 minute after the Shodan scan, and the Shodan scan was the last entry in my nginx logs.
I have been looking in all kinds of logs, but nowhere can I find any log entry that shows who or what came in.
All things that are turned on are on 1 tab, and it took about 10 secs from the moment it started until I shut down nginx.
This is the part from my own log that shows what happened:
I have been using HA for over 2 years and know my system and programming very well, and this behaviour is 100% sure done by someone on my system. If I had any doubt I wouldn’t post it here.
@sjee even if someone got into my WiFi, they still needed to log on to my HA. And it isn’t easy to get into my WiFi because I have a changing 16-digit code.
I would be happy to make things more clear. If people want me to look at something or want me to test something or want more info, then I will gladly help.
My system is secure again, but I want to figure this out, mostly for the community so people can act on it.
Looking at that log, they were quick, unless a few items are in groups/scenes.
Look at time 10:32:18: there were 6 things turned on, same for 10:32:21 (9 items).
Are these switches through MQTT? The only reason I ask is I had some weird issues when I first set up MQTT, using the retain flag for certain things: when I restarted HA, switches would turn back on without input.
Not saying this is the issue, but something to consider.