Nabu Casa - disable possibility to turn on "remote UI" remotely

Hey,
It would be nice to allow the user to disable the possibility of turning on "remote UI" from the Nabu Casa webpage and leave just the local service to enable access.

Currently any person with access to the Nabu Casa account page can open your installation to the internet.

I know that potential attacker would need to know a few things like:

  • that you are using Nabu Casa
  • Credentials to Nabu Casa
  • Credentials to Home Assistant

But if we add just a simple configuration switch forbid_remote_ui_from_cloud it would be great.
This should be implemented on HA side, not cloud.

If an attacker has this information you have other problems…

1 Like

You are assuming that Nabu Casa will never be hacked and that HA doesn't have any security issues which allow bypassing the login process.

And those 2 statements are false.

This feature can be treated just as an additional security layer.

Even when NC is hacked, the attacker will not be able to do any harm to your HA installation.

No, I don’t assume this.

But your suggestion will be totally useless when someone has your HA credentials; he can then just enable remote access from HA anyway…

And you can also disable remote UI from HA already.

And in addition you can’t simply open Nabu Casa and enable remote access, the account needs to be linked to an instance first.

Good idea!

I have already submitted another similar approach: Different user access to HA…

In my opinion it would be very useful if the access from outside could be restricted or disabled.

1 Like

@Burningstone
My installation is not exposed to the internet in any way (except for webhooks for some integrations, but those can be disabled).

So even if an attacker knows my HA credentials or HA has any security issue, my setup is secure, as there is no remote access.

But if at the same time NC is compromised, remote access can be enabled through the cloud. And this is the case I want to mitigate.

FYI: I'm talking about the case when NC is connected to your HA but you don't plan to use Remote UI, or plan to use Remote UI and enable/disable it on demand from HA.

1 Like

But only if the nabu casa cloud has been linked to your HA instance and why would you link them if you don’t want remote access? I have a Nabu Casa account as well (for supporting) but it’s not linked to my HA instance, because I use a reverse proxy for remote access.

You can do this already, there’s an input_boolean created in HA when you link it to Nabu Casa, which can turn on/off remote access.

This is probably true. Still, it would make sense to be able to react quickly.
An attacker may not have direct access to the home network at this time.

However, this can be done very easily with home assistant, I mean it is an open Linux machine in the network.

NC can be used for multiple things, not only Remote UI. E.g. I'm using it to have internet-available webhooks. But I know that I will implement remote access on my own, without a 3rd party cloud/service. So I would like to forbid the possibility to enable access from NC.

Regarding turning Remote UI on/off, it's correct, you can do this locally from HA and this is great!

But at the same time, you can turn Remote UI on/off from the cloud. And I want to block that.

So you can have Remote UI disabled locally, and a potential attacker is able to turn it on without access to your installation, just through the NC cloud.

1 Like

Really? I didn’t know that, have you tested it? If this is true, then you have a valid case for this feature request. The attacker still would need to know your Nabu Casa and HA credentials, but your feature request would decrease the risk a bit.

1 Like

Yes, I tested that. When NC is linked to HA, you can turn Remote UI on/off through the NC webpage without any interaction with local HA.

Yeah, so we agree :wink: This will not bring 100% security to the HA installation, but it will make the attacker's life a little harder.

But if remote UI is disabled on HA side, does enabling Remote UI from Nabu Casa overwrite this?

Yes, that's correct.

1 Like
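As an added illustration (not code from this thread, from Home Assistant or from Nabu Casa), here is a Home Assistant automation that detects the situation confirmed above, Remote UI coming on while it is meant to be off locally, and reverts it while notifying the owner. It assumes the Cloud integration's `binary_sensor.remote_ui` entity and `cloud.remote_disconnect` service, plus two things you create yourself: a helper `input_boolean.allow_remote_ui` and a notify target `notify.mobile_app_my_phone`.

```yaml
# Added example, not part of the original thread.
# Assumed entity ids (adjust to your instance):
#   binary_sensor.remote_ui        - created by the HA Cloud integration
#   input_boolean.allow_remote_ui  - helper you create; "on" = maintenance window
#   notify.mobile_app_my_phone     - your companion-app notify target
automation:
  - alias: "Revert unexpected Remote UI activation"
    description: >-
      If Remote UI is switched on (locally or from the Nabu Casa account page)
      while the local permission helper is off, switch it back off and alert.
    mode: single
    trigger:
      - platform: state
        entity_id: binary_sensor.remote_ui
        from: "off"
        to: "on"
    condition:
      # Only act when no one has explicitly allowed remote access locally.
      - condition: state
        entity_id: input_boolean.allow_remote_ui
        state: "off"
    action:
      # Turn remote access off again via the Cloud integration's own service.
      - service: cloud.remote_disconnect
      # Alert the owner so an unexpected activation is investigated, not ignored.
      - service: notify.mobile_app_my_phone
        data:
          title: "Remote UI enabled unexpectedly"
          message: >-
            Remote UI turned on at {{ now().strftime('%Y-%m-%d %H:%M:%S') }}
            while local permission was off. It has been disabled again.
      # Keep a persistent record in the HA UI as well.
      - service: persistent_notification.create
        data:
          notification_id: remote_ui_reverted
          title: "Remote UI reverted"
          message: >-
            Remote UI was enabled without local permission and has been
            disconnected. Check the Nabu Casa account for unexpected activity.
```

This only shortens the window of exposure rather than blocking cloud-side activation outright, which is what the feature request asks for; whoever controls the Nabu Casa account could still re-enable Remote UI, so the notifications are the part to act on.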

Yes, I have uploaded a video here:

2 Likes

As I said, I have already mentioned this in July… (I see that this was only discussed on Discord, not here in the forum.)

This is among other things the reason why I am not willing to activate Remote Access for HomeAssistant.
If it were possible to grant access only to a "simple" user I could overlook that. But this way you could, at least in theory, compromise my home network.

Yes, maybe I am a bit paranoid, but I don't want anyone to get access to my data/house.

Of course I have technically separated everything with VLANs, but HomeAssistant needs quite a lot of access to some areas in my house… (cameras, front door, garage, location…) It would not be nice if this were the free ticket for criminals.

Agree that user ACLs would be great, but I believe that it's not that easy to implement, especially if the software was not designed for that from the beginning. And adding just a single switch to forbid remote access is probably 1 day of work.

Probably in my free time I will try to add this and push it upstream. But I'm afraid that without discussion it will not be merged.

2 Likes

I see, thanks for the video. I don't use Nabu Casa at all to be honest, only paying for support. I have other things such as my own Nextcloud etc. that I need remote access for, so Nabu Casa would anyway not be enough for my needs.

1 Like

Funny coincidence, yesterday I prepared the change; after 1h of debugging why I couldn't connect to NC, I was sure that my endpoint had been blocked by the cloud on suspicion of malicious activity. I removed all changes and reverted back to vanilla HA.

After that I discovered the AWS downtime and NC problems :wink: Great waste of time :smiley:

I found this while searching for how to disable the remote enabling of remote control, which is still there.

Given the recent horrible security hole here in March 2023, this is a must. I will need to unsubscribe from Nabu Casa if this does not get implemented in the near future. If I disable remote control then I want it locked down 100%.

4 Likes

Totally agree with you. Thinking about just removing my NC account from my instance.