Hi - I’ve been running Home-Assistant now for a few months. I have a network monitor of sorts (Akita) on my home network and it includes some external monitoring. I’ve had that for a few years and never a peep until recently. The customer service reached out and said there was an apparent virus coming from the IP address of my HassOS.
We still see connections to malicious hosts from IoT Device: 20:16:d8:57:0d:40 / Liteon Technology Corporation / 192.168.1.222
Request to IP: 209.17.96.242, 128.14.152.45, 104.206.128.30
My installation is currently in a VirtualBox on Windows 10 as I prepare to move this to a NUC. I am on all current versions as of a couple of days ago, which is Core-2021.2.2, Supervisor-2021.02.6, and Home Assistant OS 5.11, and HACS 1.10.1. My host machine is Windows 10 running version 6.1 of VirtualBox.
The MAC is my PC and the 222 IP is my HA. The 3 other IPs are apparently malicious hosts.
Nothing particularly bad seems to be happening, but it definitely has the Akita folks alarmed. I was able to capture a Wireshark file against one of those IP addresses. I’ve blocked them in a firewall on this PC for now. It just captured a few packets in one exchange over a few days before I locked out the firewall.
Any suggestions as to what to look for?
I believe I have a pretty vanilla setup. It includes an Aeotec Z-Wave stick. I have a number of HACS and Add-Ons installed, but I don’t think anything unusual. Let me know if that configuration or my configuration.yaml helps to troubleshoot. I have many devices including many that work through the cloud.
Thank you. The version of HassOS is 5.11, but maybe it was one version lower recently. HA is core-2021.2.3. I do have a firewall turned on to block these right now - but thanks for those links and validation.
What I don’t understand is the compromise appears to be within my HassOS instance. The 192.168.1.222 is the HA virtual machine. I could drop that machine, make a new one and start the config again, but wouldn’t that be exactly the same code?
I do have cameras included in my system. Two Ring cameras and 5 Amazon blink cameras.
Honestly I find it hard to believe that an exploit has been developed for home assistant (stranger things have happened though). I would suspect my off the shelf IoT devices first. However I am definitely no security expert.
Can you try switching off the cameras and see if the access attempts stop?
Thank you - I have removed the camera integrations, turned off the firewall rule on the PC, and turned Wireshark back on. We’ll see if we get a hit or not in the next week. I did not turn off the cameras themselves, so they still exist and talk to the cloud, etc. Just not part of my HA.
Can you explain your theory a bit more? That is - I have 57 entities loaded in HA - most of them are some kind of commercial IoT thing. About half are Z-Wave, so are local to my home except for the HA portal, and the other half might run on their own wifi and could connect externally and be a threat.
But what I can’t piece together is: if the camera (or any other IoT device) was compromised, but the IP address above is the Home Assistant OS instance, isn’t it code on that instance that has a virus? How would one of my IoT devices that are compromised pass through HA?
AAA.BBB.CCC.DDD will be the IP address of the DNS server it is using. If it doesn’t match your local network’s DNS server address, it means it is using its own choice of DNS server.
Inbound port was 34774 which the router forwarded to 8123 on my HA node.
As certain as I can be. The Wireshark IP addresses listed are 192.168.1.222 and port 8123, which is HA. On my home network, https://192.168.1.222:8123 takes me to my Lovelace interface.
It’s been a while since I used Wireshark, but this looks like an incoming connection where the malicious IP is trying to connect to your HA instance on 8123. See the SYN -> SYN / ACK exchange order. Your HA is simply replying to the connection attempt with an ACK as part of the TCP handshake.
Thank you! That is very helpful. I will say that Akita initially found more suspicious activity and I then captured the probe after they first reported it to me. I’ll run as normal with Wireshark continuing to monitor these IPs. I’ll ignore them if they follow this pattern vs. being initiated on my side.
In addition to the above, if it were outbound connections, they would not originate from port 8123 on your side, as this is an open listening port. They would originate from a random ephemeral port, typically somewhere in the upper port range.
And if you’re directly exposing (rather than using a VPN), it could be beneficial to change your HA listening port to something a little more random. It won’t hold back someone who specifically targets you or does a full port scan (but that would be very suspicious), but it will work against opportunist drive-by probes like the one you had.
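As an added illustration of the two replies above (who sent the bare SYN, and whether the local side used its listening port or an ephemeral one), here is a small Python triage script; it is my own example, not code from this thread or from Home Assistant, and it works on a constructed capture, with the ephemeral-port floor being an assumption about a typical Linux range.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    """One TCP segment as Wireshark summarises it (flags: S, SA, A, R ...)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

HA_HOST = "192.168.1.222"   # the HA VM named in the thread
HA_PORT = 8123              # HA's listening port named in the thread
EPHEMERAL_MIN = 32768       # assumption: start of a typical Linux ephemeral range

# Constructed sample capture (not the poster's real pcap). Peer addresses are the
# three hosts named in the thread; ports and flag sequences are made up.
SAMPLE_PACKETS: List[Packet] = [
    # remote host opens the connection to HA's listening port: an inbound probe
    Packet("209.17.96.242", 51234, HA_HOST, HA_PORT, "S"),
    Packet(HA_HOST, HA_PORT, "209.17.96.242", 51234, "SA"),
    Packet("209.17.96.242", 51234, HA_HOST, HA_PORT, "A"),
    # HA opens a connection from an ephemeral port: genuinely outbound
    Packet(HA_HOST, 45678, "104.206.128.30", 443, "S"),
    Packet("104.206.128.30", 443, HA_HOST, 45678, "SA"),
    Packet(HA_HOST, 45678, "104.206.128.30", 443, "A"),
    # capture started mid-stream: no SYN seen, so direction cannot be decided
    Packet("128.14.152.45", 40000, HA_HOST, HA_PORT, "A"),
]

def classify_connections(packets: List[Packet], local_host: str,
                         listen_port: int) -> Dict[Tuple[str, int, int], str]:
    """Map (peer_ip, peer_port, local_port) -> verdict. Only the bare SYN names the
    initiator; SYN/ACK and ACK are replies, so an ACK from HA is not HA reaching out."""
    verdicts: Dict[Tuple[str, int, int], str] = {}
    for p in packets:
        if p.src == local_host:
            key = (p.dst, p.dport, p.sport)
        elif p.dst == local_host:
            key = (p.src, p.sport, p.dport)
        else:
            continue  # segment does not involve the host under investigation
        verdicts.setdefault(key, "no-syn-seen")
        if p.flags != "S":
            continue
        if p.src == local_host:  # local side sent the SYN: should come from an ephemeral port
            verdicts[key] = "outbound" if p.sport >= EPHEMERAL_MIN else "outbound-from-service-port"
        else:
            verdicts[key] = "inbound-probe" if p.dport == listen_port else "inbound-other-port"
    return verdicts

def peers_that_need_attention(packets: List[Packet], local_host: str, listen_port: int) -> List[str]:
    """Peers the local host itself connected to; inbound drive-by probes are filtered out."""
    v = classify_connections(packets, local_host, listen_port)
    return sorted({peer for (peer, _, _), verdict in v.items() if verdict.startswith("outbound")})
```

Run over a real capture, only the peers returned by the last function are worth chasing as possible compromise; the rest are the "they knocked, HA answered the handshake" pattern described above.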