Malicious hosts interacting with HassOS

Hi - I’ve been running Home-Assistant now for a few months. I have a network monitor of sorts (Akita) on my home network and it includes some external monitoring. I’ve had that for a few years and never a peep until recently. The customer service reached out and said there was an apparent virus coming from the IP address of my HassOS.

We still see connections to malicious hosts from IoT Device: 20:16:d8:57:0d:40 / Liteon Technology Corporation / 192.168.1.222
Request to IP: 209.17.96.242, 128.14.152.45, 104.206.128.30

My installation is currently in a VirtualBox on Windows 10 as I prepare to move this to a NUC. I am on all current versions as of a couple of days ago, which is Core-2021.2.2, Supervisor-2021.02.6, and Home Assistant OS 5.11, and HACS 1.10.1. My host machine is Windows 10 running version 6.1 of VirtualBox.

The MAC is my PC and the 222 IP is my HA. The 3 other IPs are apparently malicious hosts.

Nothing particularly bad seems to be happening, but it definitely has the Akita folks alarmed. I was able to capture a wireshark file against one of those IP addresses. I’ve blocked them in a firewall on this PC for now. It just captured a few packets in one exchange over a few days before I locked out the firewall.

Any suggestions as to what to look for?

I believe I have a pretty vanilla setup. It includes an Aeotec z-wave stick. I have a number of HACS and Add-Ons installed, but I don’t think anything unusual. Let me know if that configuration or my configuration.yaml helps to troubleshoot. I have many devices including many that work thru the cloud.

Thanks,
Rick

They are definitely suspect IP addresses.

https://www.abuseipdb.com/check/209.17.96.242

https://www.abuseipdb.com/check/128.14.152.45

https://www.abuseipdb.com/check/104.206.128.30

The fact that your monitoring indicates that the traffic is originating at your address 192.168.1.222 means you have very likely been compromised.

Start by blocking all traffic to and from these external IP addresses in your firewall.

Do you have security cameras?

They are particularly known as easy targets for inclusion in botnets.

What version of home assistant are you running?


Thank you. The version of HassOS is 5.11, but maybe it was one version lower recently. HA is core-2021.2.3. I do have a firewall turned on to block these right now - but thanks for those links and validation.

What I don’t understand is the compromise appears to be within my HassOS instance. The 192.168.1.222 is the HA virtual machine. I could drop that machine, make a new one and start the config again, but wouldn’t that be exactly the same code?

I do have cameras included in my system. Two Ring cameras and 5 Amazon blink cameras.

Rick

That’s good.

Honestly I find it hard to believe that an exploit has been developed for home assistant (stranger things have happened though). I would suspect my off the shelf IoT devices first. However I am definitely no security expert.

Can you try switching off the cameras and see if the access attempts stop?

Thank you - I have removed the camera integrations, turned off the firewall rule on the PC, and turned wireshark back on. We’ll see if we get a hit or not in the next week. I did not turn off the cameras themselves, so they still exist and talk to the cloud, etc. Just not part of my HA.

Can you explain your theory a bit more? That is - I have 57 entities loaded in HA - most of them are some kind of commercial IoT thing. About half are z-wave, so are local to my home except for the HA portal, and another half might run on their own wifi and could connect externally and be a threat.

But what I can’t piece together is if the camera (or any other IoT) was compromised, but the IP address above is the Home Assistant OS instance, isn’t it code on that instance that has a virus? How would one of my IoT devices that are compromised pass thru HA?

I’m really just guessing at the most common attack vectors.

Are you using HA for DNS resolution on your network? no addons like Adguard or Pi Hole etc?

I do not have a DNS Server on my Hass OS host. DNS is just done via my router, plus the Duck DNS thing. But not name resolution.

My Add-Ons:

  • AppDaemon 4 [not yet using this]
  • Duck DNS
  • Let’s Encrypt
  • Samba share
  • Check Home Assistant configuration
  • File editor
  • NGINX Home Assistant SSL proxy [exploring this - not using it yet]

For HACS:

  • WeatherFlow Smart Weather

And you are absolutely sure it is outward traffic from Home Assistant?

What was the destination port you captured in the pcap against the IPs?

If you are using Home Assistant OS or Home Assistant Supervised, log in via SSH and run the following command:

ha dns info

It will report something like this:

host: 172.30.32.3
locals:
- dns://AAA.BBB.CCC.DDD
servers: []
update_available: false
version: 2021.01.0
version_latest: 2021.01.0

AAA.BBB.CCC.DDD will be the IP address of the DNS server it is using. If it doesn’t match your local network’s DNS server address, it means it is using its own choice of DNS server.

Thanks for the reply and help! Below are the results from that command.

# ha dns info
host: 172.30.32.3
locals:
- dns://192.168.1.1
servers: []
update_available: false
version: 2021.01.0
version_latest: 2021.01.0

The 192.168.1.1 address is my local router.

Inbound port was 34774 which the router forwarded to 8123 on my HA node.

As certain as I can be. The Wireshark IP addresses listed are 192.168.1.222 and port 8123, which is HA. On my home network, https://192.168.1.222:8123 takes me to my Lovelace interface.

Destination port

209.17.96.242:port
128.14.152.45:port
104.206.128.30:port

Here is the header portion of the wireshark results:

The offending IP/Port captured was
128.14.152.45:34774

It’s been a while since I used Wireshark, but this looks like an incoming connection where the malicious IP is trying to connect to your HA instance on 8123. See the SYN -> SYN / ACK exchange order. Your HA is simply replying to the connection attempt with an ACK as part of the TCP handshake.

Could be a probe.

Yes, that is a probe, the connection was initiated remotely, not from your HA host, so does not look like any sort of malware on your HA host.

Thank you! That is very helpful. I will say that Akita initially found more suspicious activity and I then captured the probe after they first reported it to me. I’ll run as normal with the wireshark continuing to monitor these IPs. I’ll ignore them if they follow this pattern vs. being initiated on my side.

Thanks again for all of your help.

Rick

In addition to the above, if it were outbound connections, they would not originate from port 8123 on your side, as this is an open listening port. They would originate from a random ephemeral port, typically somewhere in the upper port range.

And if you’re directly exposing (rather than using a VPN), it could be beneficial to change your HA listening port to something a little more random. It won’t hold back someone who specifically targets you or does a full port scan (but that would be very suspicious), but it will work against opportunist drive-by probes like the one you had.

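The two tests the replies above apply by eye (who sent the bare SYN, and whether the local end of the flow is the 8123 listening port or an ephemeral port) can be applied mechanically to a whole capture, which matters when a monitoring service reports more than one suspicious host and you want to sort probes from genuine outbound connections in one pass. The following is an added example, not code from the original posts or from Home Assistant. The packet summaries are constructed: the first flow reproduces the exchange described in the thread (128.14.152.45:34774 to 192.168.1.222:8123), and the second is an invented outbound connection to 203.0.113.10:443 (a documentation address) to show what the opposite case looks like. The ephemeral range used is the Linux default `net.ipv4.ip_local_port_range` of 32768-60999, stated here as an assumption about the VM rather than something the thread confirms.

```python
"""Who initiated each TCP flow in a capture, and does the local port fit that story?

Added example for this thread; not from the original posts or Home Assistant.
A flow's initiator is whoever sent the bare SYN; if only the SYN/ACK was
captured, its sender is the responder. Flags are given as the names Wireshark
shows, comma-separated.
"""
from collections import OrderedDict

LOCAL_HOST = "192.168.1.222"      # the Home Assistant VM from the thread
LISTENING_PORTS = {8123}          # HA's web port, which the router forwards to
# Assumed: Linux default ephemeral range (net.ipv4.ip_local_port_range = 32768 60999).
EPHEMERAL_RANGE = range(32768, 61000)

# Constructed packet summaries: (src, sport, dst, dport, flags).
PACKETS = [
    # The probe discussed in the thread: remote SYN to 8123, HA replies SYN/ACK.
    ("128.14.152.45", 34774, "192.168.1.222", 8123, "SYN"),
    ("192.168.1.222", 8123, "128.14.152.45", 34774, "SYN,ACK"),
    ("128.14.152.45", 34774, "192.168.1.222", 8123, "ACK"),
    # Constructed contrast: a genuinely outbound connection from HA to 203.0.113.10.
    ("192.168.1.222", 51234, "203.0.113.10", 443, "SYN"),
    ("203.0.113.10", 443, "192.168.1.222", 51234, "SYN,ACK"),
    ("192.168.1.222", 51234, "203.0.113.10", 443, "ACK"),
]


def flow_key(src, sport, dst, dport):
    """Order-independent key so both directions of one flow collapse together."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def classify_flows(packets, local_host=LOCAL_HOST, listening_ports=LISTENING_PORTS):
    """Return one dict per flow: direction, endpoints, local port and sanity notes."""
    flows = OrderedDict()
    for src, sport, dst, dport, flags in packets:
        flow = flows.setdefault(flow_key(src, sport, dst, dport),
                                {"initiator": None, "responder": None})
        bits = {b.strip().upper() for b in flags.split(",")}
        if flow["initiator"] is not None:
            continue  # handshake direction already settled for this flow
        if "SYN" in bits and "ACK" not in bits:
            flow["initiator"], flow["responder"] = (src, sport), (dst, dport)
        elif {"SYN", "ACK"} <= bits:
            # Only the SYN/ACK was seen: its sender is the responder.
            flow["initiator"], flow["responder"] = (dst, dport), (src, sport)

    results = []
    for key, flow in flows.items():
        ini, rsp = flow["initiator"], flow["responder"]
        entry = {"flow": key, "initiator": ini, "responder": rsp,
                 "direction": "unknown", "local_port": None,
                 "local_port_ephemeral": None, "notes": []}
        if ini is None:
            entry["notes"].append("no SYN or SYN/ACK captured; direction cannot be determined")
            results.append(entry)
            continue
        if ini[0] == local_host:
            entry["direction"], local = "outbound", ini
        elif rsp[0] == local_host:
            entry["direction"], local = "inbound", rsp
        else:
            entry["direction"], local = "transit", None
        if local is not None:
            entry["local_port"] = local[1]
            entry["local_port_ephemeral"] = local[1] in EPHEMERAL_RANGE
            if entry["direction"] == "inbound" and local[1] not in listening_ports:
                entry["notes"].append(f"inbound to unexpected local port {local[1]}")
            if entry["direction"] == "outbound" and local[1] in listening_ports:
                entry["notes"].append("outbound from a listening port is abnormal")
            if entry["direction"] == "outbound" and not entry["local_port_ephemeral"]:
                entry["notes"].append(f"outbound from non-ephemeral port {local[1]}")
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in classify_flows(PACKETS):
        print(f"{r['direction']:8} initiator={r['initiator']} responder={r['responder']} "
              f"local_port={r['local_port']} ephemeral={r['local_port_ephemeral']} notes={r['notes']}")
```

For the thread's exchange this reports `inbound`, initiator 128.14.152.45:34774, local port 8123 (a listening port, not ephemeral) with no notes, which is the "probe, not malware" conclusion above. A flow where 192.168.1.222 sends the SYN from a high port, like the constructed 443 example, comes out `outbound`; that is the pattern that would actually warrant a closer look at the HA host.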