Receiving from an SMS Service can be as simple as setting up an endpoint on your home assistance instance which you could do with a webhook.
Still, this has the disadvantage that if your internet connexion is down, then you do not have access to the service.
I mentioned the Android App SMS to URL forwarder a few posts up. It can in fact also work when there is an absence of the internet.
The Android phone can be connected to the local network and therefore still deliver the payload using WiFi. It might be an easier and also economical method because you do not have to setup the modem in HA, and you can use an old phone you have on the shelve. To send an SMS, the Android App does not propose an interface for that. Maybe another application that could run without the internet exists or the Android App could be extended to propose an interface for that (http socket).
Thanks for the reply but I actually kill all internet access to the HA servers except for connecting to the SMS gateway, and then occasionally when I want to do updates. So wouldn’t adding the Android to the mix actually be another entry point into the network? Or does that solution actually give me access to SMS only? GSM is all but gone in our area as 4G and now 5G has replaced it all.
The bottom line is I want to get status updates on demand without exposing the servers to the inet more than necessary.
I do have a hidden MQTT server on the internet and might set up a listener on one of the internal servers that could then trigger script and send the requested information, but there again, now I am opening up another hole. Yes, I am a security freak. I worked in IT and network security for 40 years.
Thanks for any ideas you or anyone else can provide.
If your phone can only connect to WiFi and you block your phone from the internet (through the WiFi network), your phone would not have access to the internet. You can just disable the data option on your phone as a first step, to go further you can set the data limit to 0, and change and force the APN to something that does not exist (if the APN is wrong, the phone can’t connect to the internet).
I hear you about security (risk of intrusion) - have almost 1000 different logins and passwords and firewall for instance.
Are you sure? Where are you located? Some countries just decided that GSM (“2G”) will be around for another decade (UK it was?)
As to my knowledge nether 3G, 4G or 5G (often only 4G+ relabeled) is capable of native calls and messages - that’s only possible with 2G/GSM. That’s often phones are actually connected to GSM and LTE in parallel for example. Also I read ones many (automated) emergency calls in cars rely only on 2G which probably is reason enough for many countries to just don’t phase it just out rapidly.
Maybe you mend 3G is phased out in favor of 4G/4G+? That sounds more realistic and is actually the case already in some countries.
In my area of NW Arkansas, T-Mobile was the only carrier still using GSM. That system has been turned off and now they offer 5G. Unfortunately I do not have adequate service to utilize T-Mobile. Plus, I don’t need another $20-$40 monthly bill. I bought a cellular based dog tracking collar but that test failed miserably. It only worked when we were in town.
In my bubble snake oil is a well known synonym for anti virus software. It’s actually a nice one as it doesn’t directly points out the harm this kind of software actually can cause. It runs with privileged rights and can often cause more danger to user than this snake oil “helps”. A proper ad-blocker and up2date browser is more convincing for most it professionals than running a “antiv virus”
That’s actually very abstract. The bigger risk today is exfiltration or simply a device you have in your network already which can get rogue. Every simple consumer router does by default block all connections from outside and for most common people a extra firewall appliance (because technically speaking every router has a firewall included) doesn’t make much sense. On the other hand network segregation via VLAN can indeed mitigate risks to a certain level.
That’s crazy. I got myself some (almost world wide working) sim cards for $10 which are valid for 10 years and include something like 500MB and 500 SMS - nothing for binge sending of messages but certainly a good value for money and if after 3 years for example the messages are empty I can just drop in the next sim card The vendor is 1nce.com (by the looks of it the offer changed a bit now and only 250 SMS are included now).
“Exfiltration” is in my view preceded by an infiltration (a trojan horse added to your network) and my firewall will block outgoing connexions from devices by default.
Most people will not know they already have some kind of firewall. And if they do, you still need to manage it (or have it managed). You can’t rely on your internet equipement - one of my peers says most internet boxes have known security issues.
My firewall’s DHCP will by default deny device access to the outside world until I authorize it (restricted to certain services after analysing what it tried to connect to). All DNS requests (requests to port 53) are redirected to the the firewall’s DNS, secure dns is blocked. That is where I do “ad blocking” for instance using selected DNS Blacklists.
VLAN adds security on top of that (but I do not have the proper switch yet).
The antivirus is also useful as it protects from other threats - including “snake-oil”.
There is such things as 4G Calling (also known as VoLTE) and Voice over NR(VoNR) for 5G. The device has to support it, but I suppose that most devices do.
Well that’s often only theory. If you look how even big enterprise companies (with all the firewall and snake oil installed) get compromised it’s mostly due to human failures. So the thread mostly is already inside and not outside. Using windows, exchange and other “common” stuff is mostly enough that one wrong click of a employee and a 0-day exploit to compromise whole networks.
That’s a common misunderstanding but obviously something the industry (snake oil sellers) want you to believe. Sadly they are (still) somewhat successful and even technical people fall for that trap.
Every program running on a machine with escalated privileges (like “anti virus” software) makes the surface for attacks greater. Thinking that these complex anti virus is free from bugs or even backdoors probably also thinks santa claus exists
Often system can be infected because they have “anti virus” installed
Moshen Dragon’s TTPs involve the abuse of legitimate antivirus software belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload ShadowPad and Talisman on compromised systems by means of a technique called DLL search order hijacking.
A simple bug in a snake oil software often is a severe vulnerability because of the escalated privileges it has.
A DNS based ad blocker can’t substitute a “proper” browser based one like u-bock origin as it is limited to DNS level blocking.
You don’t need a extra switch/hardware for VLAN. Even my 10 year old router (obviously running openwrt) is capable of VLANs (I payed $10 used for that thingy).
Indeed, and that’s not native to my knowledge but requires a data connection as the call is (s)ip based
Still, that still an infiltration first - the malicious URL/programme made it through the defenses. My antivirus/internet protection inspects emails and web data (including https) to try and block them - or at least alert.
I almost added that you need to select the SW carefully. Any priveledged SW is open for DLL attacks. My antivirus (not in your list) notified me daily about an unsigned installer (Microsoft!!!) being used - turns out this was for updating some Bêta version of Edge - the procedure to uninstall it was “uncommon”.
True, but a browser based one can be snake-oil. The DNS list works instantly for all devices even when you can’t control the browser or hidden OS communications, including for Home Assistant that was using cloudflare.
I can assure you that the DNSBL is very effective for ads - I regularly have a site indicating that I should deactivate my adblock software - and then I think : I am not using adblock software ;-).
Yess, but you installed SW in your router - as far as I understand it you need a managed switch to use VLANs
Sure, when you’re connecte on LTE (not IoT-NB), you have IMHO a data connection. And I would separate the “IP” for making phone calls from the “IP” for the user. A cellular phone has multiple processors and the sub-system handling the communication is well separated from processor(s) handling the user applications and GPU.
Hoping that the snake oil tries to block or at least alerts you
The thing is you try to filter, (deep package) inspect and do what not and spending hours on black/grey/white lists. In the end you never will be able to achieve a 100% success rate (which would be needed to “succeed”) but just spending a hell lot of time to achieve actually very little (compared what a proper browser based ad blocker could do for you )
Very much sounds like a false-positive actually And it’s so very poor actually your snake oil hops on that “unsigned” train. Obviously all (proper) mal/random/whatever-ware are signing their stuff.
On the other hand your own crafted home made software will be most likely be not signed and will trigger your snake oil telling you the code you just wrote is dangerous.
Btw. your anti virus is not “in my list” (as I don’t have any particular snake oil list) but it was not mentioned in the link I posted. You can be certain (you could do some google-fu) that your snake oil had (and probably has) bugs and that it is raising the possible attack vector on your system
That’s wrong. You need no (extra) hardware for VLAN as the V stands for virtual
There you have it. It’s very limited and can’t circumvent the detection of domains/IP’s blocked. On the other hand with a (non snake oil) ad blocker like ublock origin you can easily extend the functions of blocking all that nasty stuff like ad block detection, cookie banners and all the other annoyances.
Beside DNS based blocking can be easily circumvented (rendered useless) by CNAME Cloaking (DNS Delegation or DNS Aliasing). You probably know that as you will still see ads when trying to rely only on the limited DNS based blocking. Also false-positives are a nasty and annoying - in all this technique is (imho) not only incomplete but also painful to maintain (manually white list stuff for example to unbreak sites). On the other hand deploying ublock origin ones on your browser (and enable all available block lists) is a fire and forget and just works
The only people I know who still make use of DNS based blocking (with pihole for example) are the ones who don’t have full control and ownership over there devices like the crew for example.
Yes, but it also notifies about unapproved signed software . if it’s signed by Microsoft or another certificate you’ve already approved, it’s not alerting.
I’ve used ad blockers - my current setup is more satisfying.
An ad blocker only tries to protect your web experience. The adblocker may actually be using the same lists, and time is saved by not having to configure every computer… . And it’s harder for kids to bypass. (Believe me: they are smart when motivated - one once bypassed the security by connecting directly to the internet box - i literally cut his internet connection with scissors - he never did it again and learned how to put another connector on the cable too).
You have something that works for you, and I have something that works for me - we’re both good. I also delete cookies automatically with software specific for that.
The DNSBL also works for VMs, containers, that you do not install an adblocking software for each time.
Sure, my entreprise oriented anti-virus has “bugs”. I’ve reported a few false negatives and positives but it’s been a while.
A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id - android.uid.system - and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.
[…] correctly signed malware using the platform certificate […]
Yes, they use the same signing keys as manufactures (samsung, etc.) so the signed malware is 100% “legit” and will most likely pass all snake oil tests
Btw. you often don’t need to approve any certificates as there is a huge tree of (auto magically) trusted ones already shipped with your OS. These are the ones (“good”) malware is signed with as it tells your snake oil directly it’s legit The bad thing with this trust chain is there is still no (good) way revoking breached certs. Beside most “lost” keys (unlike samsung ones) are probably never made public because they are just very valuable
Just take pegasus for an example which was used to exfiltrate data from (afaik) up2date -phones and androids which are by design already much more hardened than your Redmond OS.
In 2020, a secret source leaked a list to your team of investigative journalists in Paris that contained 50,000 phone numbers that NSO Group’s clients wanted to spy on. Among the names on the list were French president Emmanuel Macron
It’s somewhat “interesting” that people using closed source operating systems and snake oil think that they are “protected”. While as of the nature of the software the only thing they actually can do is “trust” and “hope” which will not be sufficient if targeted by a professional attacker.
What actually protects you and me is that we are simply not a valuable target
That might be the main reason for your setup - limiting and censoring the internet access for kids? While it should be still easy to bypass it…even for children
This could be circumvented by using VLAN btw.
PS.: Snake oil can make it possible that every web site you visit can run code on your computer (RCE) which is something it should protects you from ironically.
Conclusions
It’s generally preferable that antivirus vendors stay away from encrypted connections as much as possible. Messing with server responses tends to cause issues even when executed carefully, which is why I consider browser extensions the preferable way of implementing online protection.
When trusted certificates leak, there’s not much we can do about it, except hope that this is detected as fast as possible and actions taken. But much easier, you can get a Code Signing Certificate and use that - I had one for several years. I had to prove who I was (i.e., my company), but that does tell anything about trustworthyness. Still, it was not implicitally trusted - just enough by Windows, and a bit less by my antivirus (that requested approval).
When a private key is lost, you do not need to publish the private key, but you need to publish the revocation for that key. However doing so for a major player is also acknowledging that you were not able to protect the key.
There’s been “worse” than a key: XcodeGhost - the compiler added the malware to the software. CCleaner has been infected itself at some point.
As individuals or small companies we’re not protecting from the motivated “qualified” attacker that targets us specifically. And while we try tro protect with SW - there is still a “hard” way - many years back I was in a company where they observed that several people with company secrets had their work computer stolen at home. Individually they looked as random thefts, but taken together they certainly were not random.
And web sites are not preventing that enough - I’ve had a user complaining that a web application did not work for him - turned out he had an infected browser. “Content-Security-Policy” helps avoid that.
The problem of trust and security goes well beyond our computer systems. A bank employee (confirmed) recently that they had customers receiving calls from the bank’s phone number, so the customer trusted the caller as they had registered the bank’s number in their contacts list - only issue: it wasn’t the bank that was calling - so some customers were in serious trouble.
When I tell the police that you can’t trust that the phone number shown on on your phone is the correct one, they don’t believe me…
Anyway, it seems that we are keeping our eyes and minds open. Maybe some readers will be more alert too.
Another option is to use Twilio to receive SMS messages. You can also send them using Twilio as well. There is a Twilio node for Node-RED. You can also make your own curl command that HA had execute to do anything that Twilio’s REST API supports. The default Twilio usage is to set up a webhook that Twilio contacts when it has an SMS for you, but you can also programatically call out to Twilio base on events or a scheduled timer in Node-RED, assuming you’ve installed Node-RED in HA. I created a Node-RED flow that periodically asks Twilio for the latest SMS and compares its SID with the most-recent saved SID. If the new one is different, then the flow processes the body of the SMS accordingly. I used it to retrieve images from my security cameras when I want to, without having to use or have access to mobile data or WiFi. Yes, there is a charge, but it’s not much (assuming you’re not sending/receiving hundreds of SMS messages every month).
Here is the example from Twilio’s documention on receiving SMS messages during a certain time frame:
curl -X GET “https://api.twilio.com/2010-04-01/Accounts/$TWILIO_ACCOUNT_SID /Messages.json?DateSent%3E=2021-01-15T01%3A23%3A45Z&DateSent%3C=2021-01-17T01%3A23%3A45Z&PageSize=20” \
Thanks, I’m a Twilio user also. I had always wanted to receive SMS responses but didn’t want to create the webhook. So this is nice, I can poll for messages. Thank you.
Yeah, it’s nice they give you $15. I had an alert configured with a 0 repeat, figuring that meant never, when that alert fired HASS infinite looped sending text messages. Took about 3 hours for my phone to clear them……burned right through that 15. I fixed that bug as my first contribution to the code base.