Why Do I Need To Secure My Home Assistant Instance?
This should be obvious, but anyone with a connection to your instance can control your lights (low risk, mostly an annoyance), change your heating/cooling settings (higher risk) or, depending on your setup, unlock doors or open a garage door (high risk). Furthermore, some add-ons, and the option to reach them through Ingress, give access to your HA configuration files or to a shell, and therefore to your entire network. Because HA has to store a number of passwords and other secrets to interface with other services, a compromise can expose many of your passwords very quickly.
Beyond the obvious risk of someone freezing your house or opening a door, the information on the instance is likely more valuable to an attacker with bad intent who is nowhere near you. If you don't practice good password hygiene, the passwords and secrets stored on your HA instance could give a bad actor a way into, and then control over, a number of your important accounts. With full network access, deploying ransomware would be a breeze, and your data would be locked up until you pay to get it back.
How Would Anyone Ever Find My Instance?
When your HA instance is exposed to the wider internet it is one of billions of reachable hosts, so how would anyone find it? There are services that continuously scan the internet to see what is out there. Some of them do it for research and are, for all intents and purposes, the good guys. There are also plenty of bad guys, and anyone with an internet connection and the right tools can scan the entire IPv4 address space in a matter of hours.
I currently use Nabu Casa's Remote UI and don't have any ports open. However, if I review my firewall logs, I see constant attempts at different ports on my network. It's constant, 24/7/365, and completely normal. Some of these attempted connections are the aforementioned services which crawl the web looking for what is currently 'out there'. Your instance exposed to the internet is not hidden in any way and will be found.
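To make the "constant attempts at different ports" concrete, here is an added example (not code from the original post or from Home Assistant) that summarises firewall log lines: which destination ports are being probed, which sources are hitting several ports (scanner behaviour), and whether anything was accepted on a port you care about, such as 8123. It assumes the netfilter/iptables kernel-log format (`SRC=`, `PROTO=`, `DPT=` fields); the log lines, hostnames and addresses below are constructed for the example, using RFC 5737 documentation ranges.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in the netfilter kernel-log format (not real log
# data). Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 router kernel: [10.1] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44321 DPT=8123 SYN
Jan 12 03:14:09 router kernel: [12.4] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44322 DPT=443 SYN
Jan 12 03:14:11 router kernel: [14.0] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44323 DPT=22 SYN
Jan 12 03:15:30 router kernel: [93.2] DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=51000 DPT=8123 SYN
Jan 12 03:16:02 router kernel: [125.5] DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=51001 DPT=8123 SYN
Jan 12 03:17:45 router kernel: [228.9] DROP IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.2 LEN=1280 PROTO=UDP SPT=5353 DPT=5353
Jan 12 03:18:00 router kernel: [243.0] ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40000 DPT=8123 SYN
Jan 12 03:18:05 router cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the verdict and the SRC/PROTO/DPT fields of a netfilter log line.
# Lines from other daemons (cron, sshd, ...) simply do not match.
LINE_RE = re.compile(
    r"kernel: \[[^\]]*\] (?P<action>DROP|ACCEPT|REJECT) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return {action, src, proto, dport} for a netfilter log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "action": m.group("action"),
        "src": m.group("src"),
        "proto": m.group("proto"),
        "dport": int(m.group("dport")),
    }


def summarize(log_text: str, watch_ports=(8123, 80, 443),
              min_ports_for_scanner: int = 3) -> dict:
    """Tally dropped probes per port and per source, flag sources that touched
    several distinct ports (scanner behaviour), and list anything ACCEPTed on a
    watched port, which is the event that actually deserves attention."""
    dropped_by_port = Counter()
    dropped_by_src = Counter()
    ports_per_src = {}
    accepted_on_watch = []
    skipped = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            skipped += 1          # not a firewall verdict line
            continue
        if ev["action"] in ("DROP", "REJECT"):
            dropped_by_port[ev["dport"]] += 1
            dropped_by_src[ev["src"]] += 1
            ports_per_src.setdefault(ev["src"], set()).add(ev["dport"])
        elif ev["action"] == "ACCEPT" and ev["dport"] in watch_ports:
            accepted_on_watch.append((ev["src"], ev["dport"]))
    scanners = sorted(src for src, ports in ports_per_src.items()
                      if len(ports) >= min_ports_for_scanner)
    return {
        "dropped_by_port": dropped_by_port,
        "dropped_by_src": dropped_by_src,
        "scanners": scanners,
        "accepted_on_watch": accepted_on_watch,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("dropped probes by port:", report["dropped_by_port"].most_common())
    print("dropped probes by source:", report["dropped_by_src"].most_common())
    print("multi-port scanners:", report["scanners"])
    print("ACCEPTED on watched ports:", report["accepted_on_watch"])
```

On a real router you would feed it `journalctl -k` or `/var/log/kern.log` output (after enabling a `LOG` rule in front of your `DROP` rule); the point is that the DROP counters will never be zero, and the interesting line is any ACCEPT on a port you did not mean to expose.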
One of the better known services is Shodan. Shodan runs a fleet of scanners that collect data about what is 'out there' and provides a search engine that lets anyone query that database. Run a search for Home Assistant and, as of writing this, you will have the information needed to connect to over 80,000 HA instances.
Even if you use Nabu Casa's Remote UI, you're not as hidden as one might think. If a vulnerability were discovered in HA, a bad actor could easily retrieve a list of each Nabu Casa connection, and each instance is a click away.