I thought I was hacked, but ended up with a topic full of useful information.

Awesome, any way to drop the persistent notification / make it optional? I'll test this tonight!

I think you should start a new thread with this.

Google “Foscam remote execute”.
Lots of possibilities… I have Foscams and they connect and even start LAN connections, let alone have WAN access.

https://www.bitdefender.com/box/blog/iot-news/vulnerabilities-foscam-ip-cameras-enable-root-remote-control/

EDIT
I don’t think this is the cause of your trouble, but I just think you have more vulnerabilities than you think.

It will ONLY show the first time it detects a new IP.
Like the ban filter.

But if you like to turn it off, I can add a config option for that.

Ok, thanks, let me see how it works, hoping to test tonight.

1 Like

My Foscams don’t have internet access. I can’t access them from outside, only through HA.

It’s quite possible that Foscam has some weaknesses, and I know a few, but not in my case.
You can use PPPoE, DDNS, UPnP, mail, peer to peer, wifi, but those are ALL disabled.

My cams are hardwired and have high port numbers that are not routed to the internet.
The original Foscam app can’t reach them unless I am connected to my LAN.

They save their pics to a local FTP server that also is not exposed and is password protected.

All cams have long, highly secure and different passwords.

Edit: by the way, the weaknesses that you point to were already mentioned here on the forum over a month ago, and there were already patches for the cams from Foscam, which I updated manually.

Did you look at the nginx config?

It means you have SSH available to the internet. Not an issue per se, unless you severely misconfigured SSH. Most distributions do a decent job securing SSH out of the box, but still confirm:

  • SSH is not allowing root logins
  • preferably disable password authentication and use key authentication only

The above may require reading some documentation and familiarity with the command line.
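A way to check those two items against a config file, as an added example that is not code from this thread; the two sshd_config files are constructed samples, and the script assumes awk and a POSIX sh:

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the two
# items the post above lists. The two config files are constructed samples.
# sshd takes the FIRST occurrence of a keyword, keywords are case-insensitive
# and '#' starts a comment; a missing keyword falls back to the OpenSSH default
# (PermitRootLogin prohibit-password, PasswordAuthentication yes).
# Caveat: Match blocks are not evaluated here; for the running daemon use
# 'sshd -T', which prints the effective values.
sshd_value() {   # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Prints one line per check; returns 0 only when both checks pass.
audit_sshd() {
    cfg="$1"; rc=0
    root=$(sshd_value "$cfg" PermitRootLogin prohibit-password)
    pass=$(sshd_value "$cfg" PasswordAuthentication yes)
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin=no"
    else echo "FAIL PermitRootLogin=$root (want no)"; rc=1; fi
    if [ "$pass" = "no" ]; then echo "OK   PasswordAuthentication=no"
    else echo "FAIL PasswordAuthentication=$pass (want no)"; rc=1; fi
    return $rc
}

tmp=$(mktemp -d)
# constructed sample: distribution default left commented out, passwords on
cat > "$tmp/weak.conf" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
# constructed sample: the hardened settings the post recommends
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

for f in weak hardened; do
    echo "== $f.conf"
    audit_sshd "$tmp/$f.conf" || echo "-> $f.conf needs attention"
done
```

Point it at /etc/ssh/sshd_config on the box in question, and remember that a passing file still needs `sshd` restarted (or reloaded) before the daemon picks the settings up.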

Thank you!

Exactly (well mostly…:grinning:) what I was looking for!

I think I’ve given up on most of the commonly accepted “best practices” for securing HA. It seems every one of them has vulnerabilities of some kind. I’ve settled on PiVPN as my method of external access. From everything I’ve read I think that is the best safest option for remote access. At least until we see how the new extra authentication process works. And PiVPN is pretty drop-dead simple to set up, too.

Are you running pivpn on the same machine as HA?

FWIW - I have used HA since the release of version 18 with my instance accessible through a reverse proxy. The ONLY ports I have open inbound are 80 and 443, with 80 forcing a redirect to HTTPS. UPnP is fully disabled on my network as well. I run various other web applications on my network as well for a small business. These have been the parameters of almost any network I’ve created for the past 10 years or so. I have NEVER had my Home-Assistant instance compromised (knock on wood).

I set up an instance for a buddy of mine with similar network parameters, no UPnP, reverse proxy setup, only 80/443, etc. He had Foscam cameras as well and all but 1 became compromised. His router was set up to firewall all traffic sent outside of the network from those cameras on all ports. So how could this be done? I found out it was through a rogue camera that had been previously compromised and the use of a router supplied by his ISP. Most ISP-issued routers leave open ports and/or even create a “hidden” wifi network to allow technicians and technical support backdoor access to and through these devices using these ports and network, no matter what the end consumer does to close them. The compromised camera port-scanned the router and used these open ports to phone home for the payload request. The router’s firmware was not up to date, and that was the fault of my buddy for not updating the software. It was honestly terrifyingly impressive. Bottom line, I set him up with an ASUS router with updated firmware and the Foscam cameras were destroyed. I never recommended them anyway and never would, knowing what I know about the ways they’ve been used to compromise networks. I also had him purchase a personal domain instead of using a service like DuckDNS.

Every instance of my home is integrated with over 100 different components and services combined together through Home Assistant. I update my HA instance every time there’s a new release and have had issues with breaking changes only TWICE, both of which were quickly resolved and were noted in the blog. Because so much of my home is integrated, it is imperative that I keep all my devices and software systems up to date and apply any suggestion that’s given by the creators of those systems (they know them better than I do for sure). My family and my home are far too important to me.

I’d suggest that you make sure to evaluate all the conditions surrounding your compromised instance, and I can almost guarantee that you’ll find some form of user error involved, especially with Home Assistant, as there are tons of developers working on this project and any vulnerabilities or issues are promptly dealt with and fixes quickly released. Not keeping your instance up to date definitely falls under this category, especially since it’s explicitly stated in many places throughout the KB; in fact, keeping all your systems up to date is suggested, period! I would also suggest next time not blasting that you were hacked on a community forum until you know 100% that it’s a software vulnerability and not user error, or better yet reaching out to developers through the other proper channels…

6 Likes

I’m using a smart plug connected to my father’s oxygen machine and Home Assistant in order to notify my phone that the machine is working. Should I worry?

Thank you! Nice and useful tool indeed!

Working just fine, and I have (not been hacked… yet) but seen interesting IP info I wasn’t aware of before :wink:

Would it be possible to have some sort of reverse IP/DNS lookup? Maybe even for the internal IP traffic that is now disclosed?

Also, would there be any harm in it if I’d change the output file into a regular file, ip_authenticated.txt (why the .yaml now?), which can then be shown in the frontend? (platform: file would be able to do this, or even notifications.file?)

Small typo maybe?: sensor.last_succesful_authentication

No. I set up a spare Pi.

Does the smart plug have on/off capabilities, or is it just reporting energy usage?

If it’s a life-supporting device, I def wouldn’t have on/off capabilities in an exposed hass.

I can tweak most of it; the reason for YAML is that it’s in use by the ban filter and I wanted to keep them similar.

There is probably more info I can add, both to the YAML file and the sensor. Can you open an issue in that repo with suggestions?

Typo is corrected, thanks :slight_smile:

I 100% agree with @teachingbirds. Unless it’s a type of on/off reporting device certified for use with life-supporting or life-sustaining devices, I would NOT use it. If the device simply reports energy usage, I wouldn’t see an issue using it. You can get one of the cheap $20 1st-generation Aeotec Energy Meters and put just 1 of the clamps around the power cord to report the energy usage.

1 Like

If you had cameras on the internet for more than a few minutes, they were likely compromised. This applies to almost any cam, including those like Axis, and definitely cheaper sub-$100 cams.

This is why they should be completely blocked from all devices and not allowed to start any connection. Same with the wifi switches. They will still function fine.

I think you would need to split the power cord; if you have both (or all three) lines in there, a clamp-style meter won’t work properly. You need to isolate the live line.