Improve default security settings

This is not as much a feature request as it is a plea for increased security (and awareness).

After the recent security bulletin* I became aware of improvements I could do to my setup. I’ve enabled multi-factor auth for all accounts and enabled the IP ban feature to block brute force attempts.

What surprised me somewhat is that these settings are not the default. Therefore, my plea in the form of this feature request:

Please improve the default security settings for new installations.

Low-hanging fruit:

  • enable the IP ban feature by default
  • more strongly advise/force the use of 2FA before certain features are accessible (i.e. remote access)

Additional ideas:

  • force the use of the secrets.yaml file (e.g. require a !secrets reference for all password/username fields)
  • add an auto-update feature (opt-in! In combination with the Check Config addon, to check for compatibility beforehand)
  • more ideas?

*which all the great people of Home Assistant (community + Nabu Casa) responded to fantastically. My compliments!
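As an added illustration of the two checks the list above asks for (not code from the original post or from the Home Assistant project): a small lint that scans a constructed configuration.yaml for credential fields written inline instead of through a `!secret` reference, and a check that the `http:` block actually has IP banning switched on. It assumes the real `http` options `ip_ban_enabled` and `login_attempts_threshold`; the sample config and the list of key names treated as sensitive are constructed for the example.

```python
import re

# Constructed sample configuration.yaml (not from any real setup).
SAMPLE_CONFIG = """\
http:
  ip_ban_enabled: false
  login_attempts_threshold: 5
mqtt:
  broker: 192.0.2.10
  username: homeassistant
  password: hunter2
notify:
  - platform: smtp
    username: !secret smtp_user
    password: !secret smtp_pass
"""

# Keys whose values belong in secrets.yaml rather than inline (constructed list).
SENSITIVE_KEYS = {"password", "username", "api_key", "token", "client_secret"}
KV_RE = re.compile(r"^\s*-?\s*([A-Za-z_]\w*):\s*(.*?)\s*$")


def find_inline_secrets(config_text):
    """Return (line_number, key) for sensitive keys whose value is not a !secret reference."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = KV_RE.match(line)
        if m and m.group(1).lower() in SENSITIVE_KEYS \
                and not m.group(2).startswith("!secret "):
            findings.append((lineno, m.group(1)))
    return findings


def ip_ban_configured(config_text):
    """True only if the http: block sets ip_ban_enabled: true AND a positive
    login_attempts_threshold; a threshold <= 0 never triggers a ban."""
    opts, in_http = {}, False
    for line in config_text.splitlines():
        if re.match(r"^http:\s*$", line):
            in_http = True
            continue
        if in_http and line and not line.startswith(" "):
            in_http = False  # reached the next top-level key, http: block is over
        m = KV_RE.match(line) if in_http else None
        if m:
            opts[m.group(1)] = m.group(2)
    enabled = opts.get("ip_ban_enabled", "").lower() == "true"
    threshold = int(opts.get("login_attempts_threshold", "0") or 0)
    return enabled and threshold > 0


if __name__ == "__main__":
    for lineno, key in find_inline_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: '{key}' is inline; move it to secrets.yaml and use !secret")
    print("IP ban configured:", ip_ban_configured(SAMPLE_CONFIG))
```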

You are going to get a lot of pushback on that one considering this feature request:

2 Likes

The secrets.yaml file, which is just a text file unencrypted and was exactly one of the things that an attacker could get access to with the recent security issue that was announced?

Advise yes, force no.

1 Like

An auto-update feature should always be opt-in.

Absolutely not!

Read the breaking changes (and all other parts) before you update anything.

Regarding the secrets.yaml.
Very few actually have any use of that. If you screenshare and/or make youtube videos then I can see that as useful, but I don’t share my config that way.
And it actually makes little change. It’s still no encryption or protection.

Yes, and if an attacker gets access to your files you’re screwed. But having all your secrets in a single file at least prevents leaking them accidentally when pieces of your config are shared.

Not if the files are encrypted or protected in any way and you have a backup (but backups are a must, otherwise you are not taking it seriously anyway).

1 Like

I agree, and this is therefore probably not something that should be enabled by default. Having the option there is what I’m after.
If my parents -or any other non-power-user- were using Home Assistant, I’d rather have their setup configured in such a way that an update breaks something, than having them stay on an insecure version of the platform with the risk of a major security issue.

TL;DR: auto-update should always be opt-in, and is not suitable for power-users.

Good luck and have fun when your friends/family call you angry at 2 o’clock in the morning because “the god damn smart home crap you installed is not working, the heater turned off and it’s freaking cold in here”.
Personally I would not enable remote access for them, unless you secured the system and remote connection sufficiently.

2 Likes