Hi,
Just checked Shodan.io and there is a lot of people with their HA connected to internet and not secured.
the folder config along with secrets.yaml is wide open.
the MQTT protocol also needs to be protected as I’ve checked and you can subscribe a topic and dump traffic …
Perhaps HA should alert users when connected in a non secure way !!
shodan sensor can be used to query for individual instance i believe.
anyone using that that can put up example?
Well, this happens only if people open ports on their router like with every other service. Also, we provide docs with detailed instructions about how to allow secured access.
I agree 100% but its the tradeoff of HA’s sucess
lots of people without the right knowledge is installing hass.io and is not taking the correct measures to secure their houses
you can run a search on shodan.io with hássio or homeassistant , and will see dozens of SMBs shares wide open for everyone.
but i have to agree that they are the ones opening their ports and also dozens arent thousands
I think one problem with the open SMBs is, that there are people around that suggest to edit config files via SMB. There are numerous alternatives around, but still people stick to using SMB + Notepadd++ and telling others to do so as well. Which generally is ok if you know what you’re doing. But a lot of people don’t. So I’d tend to say that especially the SMB-addon for hassio is a problem because those seem to be the less tech-savvy users. What’s even worse is, that the default configuration allows guest access and does not enforce credentials.
But nothing is open unless people open the ports on their router. AFAIK nothing in ha or hassio opens those ports.
Actually the problem tends to be people who do not read documentation and just want quick.
Reality is, this is not problem that has no solution. Just ongoing management and prevention where possible/convenient.
This remind me of Android rooting community where people download and install random apk from random source on internet. Or run command from random guy and wonder why phone suddenly brick.
User with no knowledge read for understanding and learn not to make error on their own. Info exist and many helpful resource to help them.
Another user just “do install” but not read and take no time to understand. When problem occur they scream, “I got hack” but not hack…no password, open smb or no update Apache for problem known long time (Experian).
We can scream until blue in face but problem remain. Even problem for Enterprise IT Admin making these mistake, not just consumer.
HA not responsible but post many doc to prevent this. At this point maybe subject is beating dead horse.
There is danger for HA take security role from user. This is happen many year with router where it made easy for consumer to use and never understand it danger(like helicopter parent). Now user being thrown to wild as internet grow and smart devices infiltrate home. Time for user to read and understand. If HA take this role it cannot be planned for every install and ever user need. Eventually will expose user to flaw by mistake or real hacker find way around security of large user base software (like avoid virus scan).
This is perfection seeking. If real problem maybe it need solution. Currently we have not quantified affected user or verified real problem. Just many reaction and judge, HA need better secure and need fix problem. Problem not exist yet really so maybe to early to make change and watch(see if many affected user) is best reaction to this
Hi Guys,
Found this thread when I was experimenting with shodan.io and discovered all the insecure HA installations with insecure SAMBA/MQTT setups and wanted to share with you guys. Initially, I thought I would leave a persistent notification on these installations to let them know that they are insecure! but a facebook member suggested otherwise as it may invite legal trouble.
Anyway, it seems most of these setups are using hass.io and is it possible for the hass.io SAMBA addon or Mosquitto addon to enforce username/passwords when setting them up. I know this will introduce inconvenience on the user part but at least we will be implementing some level of security policy.