Is there an easy way to find components that don't 'phone home'? (Privacy)

I’m a bit of a privacy nerd and am drawn to HASS due to the control you can have. I’m curious if there’s a list of devices that have the ability to function without communicating back with the manufacturer? Could we potentially add some sort of flag or tag to the components list? My intended setup will include security system & thermostats FWIW. Thanks all

I think anything that isn’t WiFi would be your best bet. Z-Wave and ZigBee devices only talk via their specified protocol, so if you use Home Assistant as your hub to speak with them, you control what goes out to the world, which by default would be nothing.

Here are a few that I use:

  • Insteon devices. They talk to each other directly and the PLM modem plugged in via USB. I use dimmers, on/off modules, smoke bridge (which talks to my first alert smoke detectors), and motion sensors.
  • Radio Thermostat WiFi version. Blocked at the router so it can’t talk to its servers. They’re slow, but they do provide a local REST API that works fine with local control.
  • Acurite remote temperature sensors (true of any of the many 433 MHz sensors). Read with a receiver, software defined radio, or an Acurite bridge (which I redirect to a local server so it never leaves the LAN).
  • Honeywell alarm (Ademco) system using AlarmDecoder.

Is it not as simple as this: anything that uses WiFi and is controlled by an app will phone home by definition?

Just block anything that can be controlled locally by home assistant from the outside world with your router.


This is a good reason to throw pihole into the mix.

Assume everything is phoning home regardless.

Long before I started to use HomeAssistant, I isolated my ‘IoT’ devices in a dedicated VLAN with strict in/out rules. What led me to that: I had a Wanscam camera that kept opening a UDP port to “somewhere”, and I wanted to prevent that. Works as well without!

Since I try to find native WiFi components (to avoid gateways as much as possible), I’m using TPLink Plug and BroadLink devices (RM, SP) that can work with HomeAssistant without internet access. All the functions are there, except the “native” application control via cloud dialog.

The firewall is opened only to the Server VLAN (where HA is, also an FTP server for image upload from cameras, Plex…), and only the server VLAN can access this VLAN.
The notable exceptions: cameras still have SMTPS access to the outside to notify for their internal motion detection, and all devices have NTP access.

As we have an internal automation system that does lots more than any native application from a manufacturer (letting devices from different brands interact, to begin with!), I think there’s nothing lost in that approach.

Now I’m looking for motion detection and door/window sensors that are WiFi native…
Haven’t found one so far, and I may end up with a Xiaomi or TPLink gateway.


If a component’s setup asks for a user/pass for a server or service that is not on the local LAN, it phones home.

Some WiFi devices are OK, but as others have said, create a VLAN and block their access to the Internet. Same with wired LAN devices.

Use of an external service does not mean insecure. You can take this case by case, as some vendors do follow good security practices.

Actually a proper firewall with proper outbound rules to explicitly allow only what you want is the only real way… block everything except what you explicitly want to allow.

Well, that goes without saying… but then again, how many HA users actually log in to a Linux shell? Or, even more, have the ability to manipulate iptables or any firewall at all?


I just set parental control to 24/7 at the same time as setting the reserved IP :)

If you are worried about security, install PiHole.

If you are using Hass.io, use this:

Well, they should. If you leave your house (and the ones living in it!) in the “hands” of an automation, you’d better take full precautions that it won’t go out of control!
I’ve come to the conclusion that 80% of my cameras are weak, and I cannot do anything about it (I won’t rewrite a firmware from scratch!). So the only way is to protect them from the outside world. Just an example.

OK, I’m an ‘advanced’ user as tech is my work, but I guess if someone is interested in the automation, then he is either educated too, or has friends that are. And they can help (I do…).
Anyway, Home Assistant also needs an advanced user to make it work, so people here must have enough knowledge to configure a firewall too.

Thanks for the replies, everyone. It sounds like there are a few ways to do it:

  1. Buy components that don’t have WiFi capability and therefore do not send data home by default
  2. Create a VLAN to isolate WiFi devices
  3. Use the router firewall

I’d rate my tech savviness 4/10 compared to most of you, so I have some research to do!

Pi-hole doesn’t make you safe. It is just a local DNS that does some filtering.

Most really nasty malware uses hard-coded IPs as connection points, which Pi-hole will never see.

A simple firewall rule to log all DNS traffic will also show you that many, many devices are hard-coded to use Google DNS or private DNS servers. My LG TVs all ignore my local DNS and hit Google. Sonos hits Google. Netflix even does this to get around local proxies and such.

It makes me frustrated to see everyone pushing pi-hole as security when it’s extremely limiting in providing security.

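To make the explicit-allowlist approach and the "log all DNS traffic" check from the posts above concrete, here is an added example that is not from this thread or from Home Assistant: it runs iptables LOG lines (a constructed sample) through an outbound policy for an IoT VLAN that permits only the server VLAN, NTP, camera SMTPS and the local resolver, and reports each device that bypasses the local DNS or reaches anything else. The subnets, addresses and the IOT_OUT log prefix are assumptions.

```python
import ipaddress
import re
# Assumed layout (not from the thread): IoT VLAN, server VLAN (HA + resolver), one mail-capable camera.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
SERVER_NET = ipaddress.ip_network("192.168.10.0/24")
LOCAL_DNS = ipaddress.ip_address("192.168.10.1")
CAMERAS = {ipaddress.ip_address("192.168.20.30")}
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs of an iptables LOG line

# Constructed sample of `iptables -j LOG --log-prefix "IOT_OUT: "` output.
SAMPLE_LOG = [
    "kernel: IOT_OUT: IN=eth1.20 OUT=eth0 SRC=192.168.20.11 DST=8.8.8.8 PROTO=UDP SPT=51234 DPT=53",
    "kernel: IOT_OUT: IN=eth1.20 OUT=eth0 SRC=192.168.20.11 DST=203.0.113.123 PROTO=UDP SPT=123 DPT=123",
    "kernel: IOT_OUT: IN=eth1.20 OUT=eth1.10 SRC=192.168.20.12 DST=192.168.10.1 PROTO=UDP SPT=4000 DPT=53",
    "kernel: IOT_OUT: IN=eth1.20 OUT=eth0 SRC=192.168.20.12 DST=203.0.113.9 PROTO=TCP SPT=4001 DPT=443",
    "kernel: IOT_OUT: IN=eth1.20 OUT=eth0 SRC=192.168.20.30 DST=198.51.100.7 PROTO=TCP SPT=4003 DPT=465",
    "systemd[1]: Started daily apt activities.",  # unrelated syslog line, must be skipped
]
def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def classify(fields):
    """Return 'allow', or the reason an IoT-originated flow violates the allowlist."""
    src, dst = ipaddress.ip_address(fields["SRC"]), ipaddress.ip_address(fields["DST"])
    proto, dport = fields.get("PROTO", ""), int(fields.get("DPT", 0))
    if src not in IOT_NET:
        return "allow"                 # only traffic leaving the IoT VLAN is judged
    if dport in (53, 853):             # DNS / DoT must go to the local resolver only
        return "allow" if dst == LOCAL_DNS else "dns-bypass"
    if dst in SERVER_NET:
        return "allow"                 # Home Assistant, FTP upload target, Plex
    if proto == "UDP" and dport == 123:
        return "allow"                 # NTP is the one service every device may reach
    if proto == "TCP" and dport == 465 and src in CAMERAS:
        return "allow"                 # camera motion-alert mail over SMTPS
    return "unexpected-egress"         # anything else is the device phoning home

def audit(lines):
    """Map each offending source address to {reason: set of destinations}."""
    report = {}
    for line in lines:
        fields = parse_log_line(line)
        if "SRC" not in fields or "DST" not in fields:
            continue                   # not a firewall LOG line
        verdict = classify(fields)
        if verdict != "allow":
            report.setdefault(fields["SRC"], {}).setdefault(verdict, set()).add(fields["DST"])
    return report
```

Feeding real `IOT_OUT:` lines from the router's syslog into `audit()` lists the devices that ignore the local resolver (the LG TV case above) separately from those reaching other non-allowlisted hosts, so each can be blocked or redirected deliberately.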

Nobody claims Pi-hole is security.

Do you read before you post? It’s clearly stated above to install pi-hole if worried about security.

This is the type of very poor advice that turns your toaster and doorbell into a bot!

Yeah, it says if you’re worried about security. It’s poorly worded, but do people really think Pi-hole is a security option? Anyone running any IoT product should, and I use that lightly, have some sort of clue what’s going on once they install it in their home and put the app on their phone. Most people don’t know, or don’t care, because they just want to know when the dog needs water or whether or not the laundry is done.