I thought I was hacked, but ended up with a topic full of useful information

About the same scenario as mine,
and only HA open (although I had nginx in front of it).
Do you have any kind of network logging, or any other log that could be interesting?
Maybe router logs?

I used to have Tasker on my phone and these were to send a msg to it via:

```yaml
- platform: command_line
  switches:
    tasker_say:
      command_on: python3 "/config/python_scripts/SayOn.py"
      command_off: python3 "/config/python_scripts/SayOff.py"
```

The above won't work as it was copied back over from HASSIO to my Win 10 PC, which is why it has the wrong paths :slight_smile:

I have DuckDNS but no Let's Encrypt or SSL or proxy or reverse proxy, so I knew it was only a question of time given that HA seems to be a focus atm :frowning:

So, you run HTTP over port 443?

So, realistically, someone could have just sniffed your password since you were not encrypting the connection.

Only if I was connected externally, and I haven't been in months. Hmm, except for Zanzito, but that was only connected to my CHIP running Mosquitto.

Only if I want to connect externally, which I very seldom do.

Which is more than likely not secured either, and you are probably passing credentials in plaintext over that protocol...

Yes, if @keithh666 is running Mosquitto on 1833 (that means just HTTP, not HTTPS), then the username/password is clear text in the MQTT packet. And also @keithh666 probably saved the password in Zanzito, which other users report has lacked maintenance in recent months; don't know what happens on their end.

I think what's happened is that when my Pi crashed and I lost pretty much all my config files, I started again and forgot to set up the API password (which I've now done), so there was no password at all on HA. Big note to myself: remember to re-set the password after a new setup :frowning:

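The two posts above describe the same weakness from two sides: an HA `http:` section with no `api_password`, and an MQTT broker on 1883 where the CONNECT packet carries the username and password in clear text. The configuration.yaml fragments below are an added example, not from anyone in this thread; they use the legacy 0.7x-era option names (`api_password`, `ssl_certificate`, `ip_ban_enabled`, the `mqtt` `certificate` option), which are assumed from that release line, and every host, path and secret name is a placeholder.

```yaml
# configuration.yaml (weak): what the thread describes.
# Added example with assumed legacy keys; hosts and paths are placeholders.

# http: with no api_password means anyone who can reach port 8123
# gets the API and the UI without presenting any credential.
http:
  server_port: 8123

# mqtt: on 1883 has no TLS, so the broker login travels in clear text
# and can be read by anyone on the network path.
mqtt:
  broker: 192.0.2.10          # placeholder broker address
  port: 1883
  username: homeassistant
  password: !secret mqtt_password

---
# configuration.yaml (corrected)

http:
  server_port: 8123
  api_password: !secret http_password  # required on every API/UI request
  ssl_certificate: /ssl/fullchain.pem  # e.g. Let's Encrypt via DuckDNS
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true                 # ban a source after repeated failures
  login_attempts_threshold: 5

mqtt:
  broker: 192.0.2.10                   # placeholder broker address
  port: 8883                           # broker's TLS listener
  certificate: /ssl/ca.pem             # CA that signed the broker's cert
  username: homeassistant
  password: !secret mqtt_password      # value lives in secrets.yaml
```

The `!secret` references need matching entries in secrets.yaml, and the broker side must actually have a TLS listener on 8883 with anonymous logins disabled, otherwise the HA change alone does nothing.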

Wow. That’s definitely bad.

Yep, it's what comes of having too many versions of HA running, all of which you think are set up, and finding that one isn't :frowning:

I had added a warning in 0.73 to remind you that you didn't set up a password :)


Okay, so you didn't get hacked :frowning:
Too bad, I hoped to get more clues :wink:

But it shows that people still have to be aware.

Aware of? Set a password on the web app. Exposed to the world?

Aware of the fact that there are people out there targeting Home Assistant users.

No. The target is people who leave a web app unsecured.
HA is just another web app.

EDIT
Please be aware: if you leave the door open on the shark cage, sharks may enter!!

I’m just wondering, what are the arguments against HA forcing a password?

Suggesting is OK, but forcing is too much.

I have some HA instances that are 100% local only. I use a password but may not at some point.

Anyway, it's my choice to lock the door or not.
I suffer the consequences and do not complain about the mistake. HA on the web with no password is silly.

Mine wasn't unsecured.
And in all cases the hacker(s) changed lights and used sound when possible.
And in the other cases there was a text spoken, "HA sucks", so there is a clear case that HA is targeted (and of course they try to use weaknesses for that).

Unless it is out of the water, or in a swimming pool, or a river, or ...

I can create 100 web pages right now without a password, and the sharks would probably not even look at them.
There are sharks out there with a taste for HA, and that taste has only recently developed.
