Security advantages of using Nabu Casa

Hey all, long-time SmartThings user here starting to make the move to HA. I’ve got a question regarding security specifically related to using Nabu Casa cloud. Currently I’m handling external access by forwarding a port on my router to my instance of HA. (I also have SSL configured, and plan to add MFA shortly) However, what bothers me a little about this setup is that I’m exposing my instance of HA to the internet. Even if I’m doing everything else right, anyone hitting my IP address from anywhere in the world is now “inside my LAN”. And that means my security is now dependent upon there being no security holes in HA itself as well as whatever Python libraries it’s using.

However, if I were to use Nabu Casa for remote access, my (possibly wrong) assumption is that this method is inherently more secure because a potential bad guy is not inside my LAN until after they’ve authenticated. Or to put it differently, no one is hitting my instance of HA directly because we’re both going through a middleman. (Nabu Casa)

Is that a correct assumption on my part, or am I off-base? I’m not a tinfoil-hat wearing paranoid type, but I do want to make sure I fully understand the pros/cons of the two different remote-access scenarios as it relates to security. Also, if there are any official write-ups on security best practices for HA I’d love to be directed to that too. Thanks for any info!

I also have this exact same question.

But a little more elaborated.

My nabucasa Subscription gives me a https://blabla.ui.nabu.casa url.

When I “hit” that url it just presents me with my INTERNAL (?) homeassistant interface.

This I believe is nothing different than presenting my homeassistant interface via port forwarding to the Internet.

In both occasions an attacker with a “good password guesser” (whatever that may mean :-)) would have access to my homeassistant instance?

Correct?!

So what’s the benefit of nabucasa in that perspective!?

Interesting, yeah I wonder too if the login page is getting served from your HA or if it’s served by Nabu Casa cloud. If it’s your instance of HA, then it’s hard to see how there would be any security advantage. (and to be clear, I’m not suggesting that Nabu Casa is selling itself as a security improvement - it’s clearly selling itself as a time and hassle saver)

I’m not worried so much about someone being able to guess my password and defeat MFA - the likelihood of both of those things happening is probably vanishingly remote. My concern, I guess, is giving the whole world free swings at my infrastructure with no authentication required.

When you open a port you are opening that port to the entire world. You WILL see connections made. Scanners constantly look for open ports. Some scanners are for research and are not an issue. Others are for research to later come back and try to gain access.

With my understanding of Nabu Casa’s access method one would need to guess the URL given. I don’t know the exact parameters to build that string but one could create a program to randomly try those URLs and try to gain access. I’m not sure if Nabu Casa has any rate limiting built in but this would be a long process.

The nabu casa link does go directly to your HA instance. Be sure you have a strong password and use 2FA.

Just a small security tip for those who are forwarding ports: you don’t need to accept connections from everywhere. The best thing to do is to only allow connections from places you trust.

A good firewall lets you restrict connections based on country for example. I only allow connections from the Netherlands. This reduces the attack surface significantly. It would be even better if I restricted it to a couple of IP addresses (for example: work, the neighbors, etc).

Maybe it’s a good idea for Nabu Casa to provide the same functionality. Most open-source firewalls have this functionality.

If you open the IP in a browser you do not get HA by default.
Only if you forwarded port 80 and 443 (?) to 8123 of HA.

If I hit my IP I get to the login screen of my router. (which isn’t much better I guess)
But that is because I have a router from my ISP and I assume they want to be able to reach the routers if they need to.

You do if you use nabucasa! With https in front of the URL the browser forwards you to port 443 of nabucasa and that proxies you to your hass port 8123.

Geo-IP on nabucasa +1

Currently the Nabu Casa cloud connection doesn’t forward the source IP with the connection. It always shows as 127.0.0.1. So any blocking would have to be done on the cloud side of things.

To me using Nabu Casa negates the need for Geo-IP blocking. With an open port anyone can find you based on an established list of IP addresses. That is 4 positions with 255 possibilities for each position that can be in the possible combination. There are long established programs to scan for this.

For Nabu Casa, it seems to be a 32 character address (at least in my case). There are 26 capital letters, 26 lower case letters and 9 numbers possible to fill those 32 characters. That is significantly more combinations to test. Someone would have to have the knowledge of what URLs are possible and then write a script to try each combination.

It is not impossible to search through the possible nabu casa addresses, however, there are a huge number of possible combinations. Would be interesting to write a script and test how long before you get a live connection.

That is not how IP addresses work…

It’s a matter of time before the hash or names leak out and all URLs are guessable/public. And what if I were to leak it unintentionally myself?

Point is: when the link is out there, anyone can access it via https and thus has direct access to my instance (albeit via the nabucasa servers). But that would be the same interface as my local instance would present with port forwarding…

Correct, it provided an easy to understand comparison of the possible combinations without getting into how IP addresses work and the actual possible combinations. I should have added a note/disclaimer. What should be taken away from that is that there are significantly more combinations possible with the Nabu Casa URLs provided.

The method for determining Nabu Casa URLs is public (I believe) as most of the Nabu Casa side of things is open source. However, with that knowledge, there are still an absolutely huge number of combinations to go through and try.

Yes, once someone has or guesses your URL they are connected to your instance and will be greeted with your log-in screen, just as if the port was open.

But you want to access it from outside, but then you don’t…
So what are you suggesting?
How is the technology going to work that should know when it’s you that is knocking on the door and not anyone else, but I assume you still want to be able to access from work, phone and anywhere you want?
How is that going to work?

You can still IP ban when a threshold is met on wrong passwords.
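
An added example, not part of the thread and not Home Assistant or Nabu Casa code: a threshold ban on failed logins as suggested above, combined with the earlier point that connections through the cloud relay all show as 127.0.0.1. The log line layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the thread); the line layout is an assumption.
SAMPLE_LOG = """\
10:00:01 WARNING invalid authentication from 203.0.113.7
10:00:02 WARNING invalid authentication from 203.0.113.7
10:00:03 WARNING invalid authentication from 127.0.0.1
10:00:04 WARNING invalid authentication from 203.0.113.7
10:00:05 INFO login ok from 198.51.100.20
10:00:06 WARNING invalid authentication from 127.0.0.1
10:00:07 WARNING invalid authentication from 198.51.100.20
10:00:08 WARNING invalid authentication from 127.0.0.1
10:00:09 WARNING invalid authentication from not-an-ip
"""

FAILED = re.compile(r"invalid authentication from (\S+)")

def failed_by_source(log_text):
    """Count failed logins per source address, skipping unparsable sources."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # malformed address field: never feed it to a ban list
    return counts

def ban_decisions(counts, threshold, relay_addrs=("127.0.0.1",)):
    """Split over-threshold sources into bannable ones and relay addresses.

    Every client arriving through the cloud relay shares the relay address,
    so banning it would lock out all remote users, the owner included.
    """
    over = sorted(a for a, n in counts.items() if n >= threshold)
    return {
        "ban": [a for a in over if a not in relay_addrs],
        "relay_over_threshold": [a for a in over if a in relay_addrs],
    }

if __name__ == "__main__":
    print(ban_decisions(failed_by_source(SAMPLE_LOG), threshold=3))
```

A relay address that crosses the threshold is a signal to review credentials and MFA rather than something a per-IP ban can act on.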

I am not suggesting anything, just observing and asking, and voting for Geo-IP blocking and rate-limiting on Nabu Casa (via a user interface).

I’ve implemented this before. I use Sprint for a phone provider and found the IP address ranges that are used in my area. I then added common locations (work/family/etc.) and rarely ran into an issue.

This really just reduces noise in firewall logs (when looking at connections that actually made it through) and doesn’t increase security. A strong password and 2FA are still needed.

So…
Why not just say it’s 255^4?

That is not how I would want it to work.
I mean if you are on holiday then you won’t get a notification that the flood sensor is triggered because that is outside of your IP range.

Man you are hung up on this.

Please provide a 100% correct explanation of how IP addresses work while being able to explain the order of magnitude higher possible combinations that the Nabu Casa URLs can provide. All while keeping it at a level that anyone on the forum can understand. I will replace my post with a link to yours.

Yes, when traveling you either need to add a rule to allow anything in or otherwise provide access.

From my standpoint, I think an ideal scenario would be that the cloud service (Nabu Casa) would be doing more of the heavy lifting. For example, my SmartThings app doesn’t require me to open any ports or expose my hub to the world. Presumably its cloud service is acting as a middle-man and handling the communication between my hub and a remote user.

No.
Why should I? You wrote something that is completely wrong, why should I go and clean up?
If you don’t know then just admit and move on.
There is no reason to dig yourself deeper now.