Security audits of Home Assistant

Summary: Home Assistant had two security audits done as part of our regular security assessments. You are safe. No authentication bypasses have been found. We did fix issues related to attackers potentially tricking users to take over their instance. All fixes are included in Home Assistant 2023.9 and the latest Home Assistant apps for iOS and Android. Please make sure you’re up-to-date.

Security is very important to us at Home Assistant and Nabu Casa. Being open source makes it easy to let anyone audit our code—and based on reported issues—people do. However, you also need to hire people to do an actual security audit to ensure that all the important code has been covered.

Subscribing to Home Assistant Cloud provides funding for the ongoing development and maintenance of Home Assistant, including external security audits. To ensure that our security is top-notch, Nabu Casa hired Cure53 to perform a security audit of critical parts of Home Assistant. Cure53 is a well-known cybersecurity firm that in the past found vulnerabilities in Mastodon and Ring products.

Cure53 found issues in Home Assistant, 3 of which were marked as “critical” severity. The critical issues would allow an attacker to trick users and steal login credentials. All reported issues have been addressed as part of Home Assistant 2023.9, released on September 6, 2023. No authentication bypass issues have been found. According to Cure53’s report:

The quality of the codebase was impressive on the whole, whilst the architecture and frameworks deployed in all relevant application areas resilient design paradigms in general. Frontend security in particular exhibited ample opportunities for hardening, as compounded by the Critical associated risks identified. Nonetheless, once these have been mitigated, an exemplary security posture will certainly be attainable.

In August, the GitHub Security Lab also audited Home Assistant. They found six non-critical issues across Home Assistant Core and our iOS and Android apps. Two of the issues overlapped with Cure53. All reported issues have been fixed and released.

We want to thank both teams for their audits, reported issues, and keeping our users safe 🙏

All found issues have been added to our security page. This page has been updated to include an ongoing timeline of reported issues, who disclosed it, and a link to the issue report on GitHub.

If you think you have found a security issue, check out our security page on how to report this to Home Assistant.


This is a companion discussion topic for the original entry at https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/
42 Likes

Good work Home Assistant, making us feel safe is very important.

3 Likes

Awesome! Thanks for taking the topic serious 🙂

1 Like

It’s extremely refreshing to see a company be both proactive and transparent about this kind of thing!

1 Like

Amazing work and honesty! Wish other companies were as open as Nabu. It’s why you’re the only subscription service I have!!

1 Like

Good. Especially after the last catastrophic Supervisor vulnerability, having HA professionally pen tested was the right thing to do.

4 Likes

I don’t expect anything else than a strict and tight security maintenance. Good job Home Assistant Team!

1 Like

Good job guys.

As someone who has been through more than his fair share of security audits at work, I know how tough these can be and, indeed, how easy it is for defects to sneak through even the most careful processes. As such, this seems like a very impressive achievement, not least of which is in resolving the issues promptly.

Thank you for the transparency and for investing in all of our security. It’s appreciated.

Great job all, happy that my subscription helps run these audits.

Nice to know you do security audits.

Great to see things like this.

I still will not put my garbage disposal on a smart switch… I have seen too many horror movies.

So what’s the actual risk when running HA Core before 2023.9 - is it “freaking dangerous” (even if HA is not exposed to the internet) or what’s the actual attack vector?

Not exposed to the internet. Practically none. But it’s a remote code execution full pwn attack.

Read. Bad juju.

3 Likes

This is great work! Could we address the fact that we still can’t configure a console password for HAOS?

Great to see security is being taken seriously. Unlike many smart things vendors.
Good job, everyone involved!

1 Like

Is it just me that sees secret management as a big vulnerability??

Even if we substitute those out to a secrets.yaml file - there are still all my passwords in there in plain-text for anyone to try to get to, or for untrusted code to access. Surely that’s a bit of an issue?

Even if they were encrypted at least it would help with visibility of them?

Interested to hear other opinions on it! 🙂

Another smaller point - I see voice control into HA as a bit of a security problem also. For example if you can say “Unlock all my doors” from the porch - although I appreciate that’s more of an implementation thing, but hopefully something users are thinking about? I think it would be helpful to call these simple things out to users though in documentation, for those not thinking about it.
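A practical check for the secrets point raised above, added here as an example and not code from Home Assistant: it scans a configuration.yaml for credential-looking keys that are still inline instead of `!secret` references, reports `!secret` names that do not exist in secrets.yaml, and flags a secrets file readable by group or others. The key-name heuristic and both sample files are constructed assumptions, not taken from any real installation.

```python
import re
import stat

# Constructed sample files (abbreviated, not from a real installation).
SAMPLE_CONFIG = """\
mqtt:
  broker: 192.0.2.10
  username: !secret mqtt_user
  password: plaintext-example
http:
  api_password: !secret http_api_password
notify:
  - platform: smtp
    sender_password: !secret smtp_password
"""
SAMPLE_SECRETS = """\
mqtt_user: homeassistant
http_api_password: example-only
"""

# Heuristic (assumption): keys containing these words hold credentials.
SENSITIVE_KEY = re.compile(
    r"^\s*-?\s*(?P<key>\w*(?:password|token|api_key|secret)\w*):\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
SECRET_REF = re.compile(r"^!secret\s+(?P<name>\S+)$")


def load_secret_names(secrets_text):
    """Top-level keys defined in secrets.yaml (only their names, never values)."""
    return {m.group(1) for m in re.finditer(r"^(\w+):", secrets_text, re.MULTILINE)}


def audit_config(config_text, secrets_text):
    """Return (inline credentials as (line, key), unresolved refs as (line, key, name))."""
    names = load_secret_names(secrets_text)
    inline, unresolved = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = SENSITIVE_KEY.match(line)
        if not m:
            continue
        ref = SECRET_REF.match(m.group("value"))
        if ref is None:
            inline.append((lineno, m.group("key")))        # literal credential in config
        elif ref.group("name") not in names:
            unresolved.append((lineno, m.group("key"), ref.group("name")))
    return inline, unresolved


def secrets_mode_too_open(mode):
    """True when a secrets.yaml st_mode grants any group/other permission."""
    return bool(stat.S_IMODE(mode) & 0o077)
```

Run `audit_config(open("configuration.yaml").read(), open("secrets.yaml").read())` from the config directory and `secrets_mode_too_open(os.stat("secrets.yaml").st_mode)` for the permission check; the sample data above yields one inline password and one dangling `!secret` reference.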

This has been discussed many times. Do a forum search. There are reasons it is the way it is.

I just find it difficult to comprehend that top security consultants (x2) haven’t highlighted this as part of a security audit.

I’ve not been able to find anything that points towards a conclusive answer on the WHY @tom_l - although there seems to be a lot of opinion on it. Do you have a link?

Just to check - you mean the secret management piece?

2 Likes

Thanks @tom_l - that’s the thread I found again (and digested from before) on the subject. There are a lot of opinions on it, and while some of them will have an improvement on the project, there doesn’t seem to be an obvious position on it from a project point of view.

All government (US/EU/UK) guidance on cyber-security calls out encrypting secrets and monitoring access to them. Appreciate this isn’t meant to be a government/military-grade system. I’m just surprised that leading security consultants aren’t calling out these gaps in their audit. Calling out those gaps is useful in an open-source setting as it helps us contribute to features that fulfil them.