I was looking at the description for Home Assistant Cloud and it appears that it’s a fairly straightforward proxy and doesn’t attempt to provide any additional attack protection. So I’m wondering what needs to be done before you even think about exposing your HA setup to the Internet. One step that seems likely is to set up an access key to the API between ESPHome and HA. In general, how secure is HA considered to be out of the box, assuming that good passwords are used?
I didn’t see a section that addresses the topic of security in the Documentation. I’m interested in anything I should do before using either Home Assistant Cloud or my own reverse proxy. Even if the answer is “probably nothing” (which would be awesome) it would be reassuring to see that somewhere so diligent users would know they’re reasonably covered.
Have there been previous exploits and how bad were they?
Looking at this again, it seems the API I mentioned between HA and ESPHome is ESPHome’s API, not HA’s, so it’s nothing that HA is exposing. Assuming that all your ESPHome devices are inside your own network it should be a security issue, though it is optionally possible to provide an encryption key for it. Do I understand this correctly?
FWIW, last year’s security vulnerability permitted access to Internet-facing instances of Home Assistant (running Supervisor). Anything controllable by Home Assistant, like ESPHome devices, was externally accessible.
It was a significant vulnerability. There were no reported incidents of anyone exploiting it. However, it was difficult to confirm an actual exploitation because it would have left no record of it (other than observing that one’s system was behaving strangely … because someone else was controlling it).
Unless I missed something, Home Assistant Cloud only promises that when your device is up they will pass all traffic they get through that connection. They don’t promise that they do any kind of mod_proxy detection and blacklisting of bad actors, stop sending you the traffic when a Denial Of Service attack is detected, allow you to whitelist origin countries, or any other measures. Correct?
If you do not need to open ports for specific services, like Google Assistant or Alexa, then go for a separate security product in front of HA to add an extra layer of security.
HA has Tailscale and WireGuard as add-ons, which is fine enough, and they can also be run as standalone services. Some of the more decent routers also have VPN servers available, like a StrongSwan VPN server in Ubiquiti’s EdgeRouters, where I have found the EdgeRouter 4 to be particularly suited for VPN and high-bandwidth connections.
For these you could use Cloudflare to access your HA along with the cloudflared addon (or separately if not using HAOS). Cloudflare (according to them) protects you from DOS attacks, and allows country restrictions etc. I do get the occasional login attempt from overseas (1 or 2 a week maybe), but it’s not often enough to make me restrict it. I have restricted other sites to require logging into Cloudflare with a Google account that is checked against a list.
But then again … I thought I’d try setting mine up to restrict access to my country. As far as I can see so far, to restrict by country you also have to use at least one authentication method (assuming you don’t pay for Enterprise to get WAF). None of the authentication methods would work with the companion app.