Security Best Practices

Maybe in your network or in how you interpret the diagram, but HA is the last item in the chain. There are lots of tools that can do each slice of cheese.

yes

Not that I am aware of; I do not even have port forwarding.

I mean access from the Internet, for which I am using HA Cloud or Nabu Casa. I'll see whether it is worthwhile to keep my monthly subscription; if not, then I'll just cut off remote access from the Internet altogether.

Spent some time exploring yesterday. What VPN do you use? I tried Tailscale and WireGuard; both just open a different port in the router. Tailscale seems to do this automatically, but it's still opening something. When you use a VPN, are you just using HTTP for all URLs, or are you somehow issuing a cert on the LAN?

When using a VPN, I think I would also lose Google Home capabilities. Pretty sure this needs Internet-facing access. I have since put Nginx Proxy Manager in front of HA, which is giving me a bit more visibility into access logs. My thought process was to keep an eye out here for suspicious IPs that get successful web page loads past logins. I'm in search of a tool that may do this for me. It would seem any attack would need to originate here, am I misunderstanding? There would have to be some vulnerability on 443 that would allow an attacker the initial compromise: cross-site scripting, SQL injection, non-web-based exposure, etc.

I use StrongSwan VPN.
It is a commercial VPN, but it is included in my router firmware and it is handled at the router.
I do not know about Google, since I avoid using cloud-based services, so it is Rhasspy for me as a voice assistant.

The advantage of a VPN is that it is a separate piece of code from HA which only does encryption and authentication, so it is so much easier to harden, both for the developers and for you as a user.
And if the VPN is penetrated, then you still have HA's authentication as a layer, provided you did not use the same credentials. :slight_smile:

It is likely that what you will experience will be a standard attack, probably also automated by one of the many penetration kits available.
The problem is that many of the security holes, like lacking input validation/buffer overflows, SQL injection and so on, do circumvent the normal login process, so you might not get any warnings in logs.

Maybe an unpopular opinion, but:
Exposing HA can be more secure than setting up access via a VPN in certain cases.

If the VPN solution used exposes a whole subnet (providing direct access to any host within the network), then a vulnerability in the software would be a pretty bad thing. And it's not like there are never vulnerabilities discovered in VPN software, especially considering that VPNs are popular with organizations, which is a great incentive to make some money using ransomware and hence makes the hunt for vulnerabilities more interesting.

HA, on the other hand, is typically used by individuals, so there's not much profit to be made usually. Therefore the likelihood of someone finding a bug to bypass authentication is way lower. And more importantly: even if the attacker has access to the API, dashboard etc., he may not get far beyond that. One of the most insecure things in this regard would be access to the secrets.yaml if that's present. But that's also becoming less of an issue with more integrations storing their secrets in .storage, which (at least by default) isn't accessible via File Editor or similar.

To summarize:

  • Hacked VPN: "Gimme money to get the key to decrypt the important backups on your NAS"
  • Hacked HA: "Gimme money or I'll turn on the light while you're sleeping"

Yes, I'm oversimplifying here. I just want to raise awareness of the fact that, even though initially a VPN is more secure, the result of a successful hack can be a lot worse than compromised login credentials (assuming there's no way to get a root shell, which is pretty hard with interpreted languages like Python). And at least in my opinion I think it's more likely that there are more IPsec, OpenVPN and whatever exploits floating around the darknet than HA exploits.

So from that point of view I would argue that not exposing any ports (a VPN has to be exposed as well, obviously) is the best solution in terms of security. Therefore the Nabu Casa Cloud should provide the least risk in comparison.


It's pretty easy within the HA GUI to access that folder. Simply install a file editor in insecure mode and you can browse the entire file system, including accessing any container. Just level-setting, and to be fair, you still need the password. Most people install that add-on, though. If someone has gained admin access to HA, they likely have access to everything. And HA doesn't do role security well (yet) to differentiate users/admins.

I would quantify the risk of HA and VPN compromise as the same risk. With one you gain access to the network. With the other you gain access to the host, with credentials for everything else on your network and possibly beyond.

I don't really disagree with this, assuming you trust Nabu Casa. I prefer using Cloudflare with Access and other safeguards to secure my environment and allow external access, but using Nabu Casa should be the primary way people 'secure' HA without opening ports, IMO, unless you're qualified to do it yourself in other ways.

A HA installation might not provide profit, but it provides an always-on server that might not be monitored or have its logs checked.
It is a perfect member for a botnet, which provides income for the hackers.

If they are in your HA installation, then a Samba share is easy to set up, if it is not already running on your HA installation, so your NAS is not more secure.
If your VPN is hacked, then your devices have their own security layers to fall back on, which provide an extra layer for the hackers to get through.
If your HA installation is hacked, then they have access to a lot of devices and probably also a lot of account information from secrets.yaml and the like.

A hacked VPN is only on par with a hacked HA in terms of impact, but the attack surface of a VPN setup is much smaller than that of HA and the hardening by the developers is so much better, so the chances of a hacked VPN are way smaller than the chances of a hacked HA installation.

Thanks for sharing this side, a very healthy debate :slight_smile:. I keep coming back to this approach as it's just the path of least resistance for my use cases (obviously this will differ by person). A VPN does add some complexity to my setup for other users in my family. Also, I start to think about wanting to access internal URLs via HTTPS. I just want more monitoring and alerting on it! This looks interesting: GitHub - allinurl/goaccess: GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.

What do you think is worth monitoring? What IOCs would you look for in either situation?

I took a look at Cloudflare which does seem like a very valuable layer to put on top:

Cloudflare → Port Forwarding → HA Server → Nginx Proxy Manager → HA / Node-RED / anything that runs on the same port → User Shell (HA OS)? → Root Shell → Lateral Movement…


Edit: Just found this and it looks very promising
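The access-log triage asked about in the two posts above (flagging source IPs that hammer the login endpoint and then get genuinely authenticated responses, plus ordinary scanner noise), written out as an added example. It is not code from this thread, from Home Assistant or from Nginx Proxy Manager. It assumes the proxy writes nginx's standard "combined" log format (Nginx Proxy Manager's per-host format may differ, so adjust the regex), that a login attempt shows up as a POST under /auth/login_flow, and that a 200 on a path under /api/ only happens with a valid token. The log lines, IP addresses and thresholds are constructed.

```python
"""Triage nginx access logs in front of Home Assistant for suspicious client IPs.

Added example, not code from the thread, Home Assistant or Nginx Proxy Manager.
Assumptions (check them against your own setup):
  * the proxy writes nginx's standard "combined" log format;
  * a login attempt shows up as POST /auth/login_flow... (assumed marker; its
    HTTP status is ignored because it need not distinguish success from failure);
  * a 200 on a path under /api/ only happens with a valid token, so it counts
    as authenticated use. A 200 on the dashboard (/lovelace, /) proves nothing:
    the frontend HTML is served to everyone and authenticates in the browser.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

LOGIN_PATH = "/auth/login_flow"      # assumption, see docstring
AUTH_API_PREFIX = "/api/"            # assumption, see docstring
LOGIN_ATTEMPTS_THRESHOLD = 5         # illustrative; tune to your traffic
SCANNER_404_THRESHOLD = 3            # illustrative; tune to your traffic


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def analyse(lines):
    """Map each suspicious IP to the list of reasons it was flagged.

    Lines are assumed to be in log order, so "after" means later in the file.
    """
    state = defaultdict(lambda: {"logins": 0, "api_ok_after_login": 0, "missing": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                  # unparsable line: skip, do not crash
        s = state[rec["ip"]]
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH):
            s["logins"] += 1
        elif rec["status"] == 200 and rec["path"].startswith(AUTH_API_PREFIX) and s["logins"]:
            s["api_ok_after_login"] += 1
        elif rec["status"] == 404:
            s["missing"].add(rec["path"])

    findings = {}
    for ip, s in state.items():
        reasons = []
        if s["logins"] >= LOGIN_ATTEMPTS_THRESHOLD:
            reasons.append(f"{s['logins']} login attempts")
            if s["api_ok_after_login"]:
                reasons.append("authenticated API access after repeated login attempts")
        if len(s["missing"]) >= SCANNER_404_THRESHOLD:
            reasons.append(f"probing {len(s['missing'])} non-existent paths")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample log: one credential-stuffing client that eventually gets
# an authenticated API response, one web scanner, one legitimate LAN user,
# and one line the regex cannot parse.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 83 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 83 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 83 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 83 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 83 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:09 +0000] "GET /api/states?x=1 HTTP/1.1" 200 51233 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:03:00:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab"
198.51.100.9 - - [10/Mar/2024:03:00:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab"
198.51.100.9 - - [10/Mar/2024:03:00:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab"
192.168.1.20 - - [10/Mar/2024:07:30:00 +0000] "POST /auth/login_flow/xyz HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:07:30:01 +0000] "GET /lovelace/0 HTTP/1.1" 200 3051 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:07:30:02 +0000] "GET /api/states HTTP/1.1" 200 51233 "-" "Mozilla/5.0"
this line is not an access-log entry
"""


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample this flags 203.0.113.7 (five login POSTs followed by a 200 on /api/states) and 198.51.100.9 (three distinct 404 probes), and leaves the LAN user alone. The design point is the one the thread keeps circling: a 200 on the dashboard is not evidence that a login succeeded, so the rule keys on the count of login attempts and on a later 200 under /api/, where a missing or bad token would produce a 401. In practice you would feed it the proxy's access log (`analyse(open(path).readlines())`), and anything that bypasses the login entirely, as the post about input validation holes warns, will not show up here at all.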

It depends on your system.
Logging is keeping a list/database of events, while monitoring is keeping a list of states.
With monitoring you look at what is not normal, but also what is normal, and that should happen both internally on the system and externally from another system.

There isn't a best practice really. Everyone's comfort with respect to level of risk and inconvenience is different.

  • Do you feel the login interface to HASS is vulnerable or will become vulnerable?
  • Do you feel like someone will be able to guess your username and password?
  • Are you uncomfortable with exposing your ports to the internet?

I could go on forever with statements like that, but I think you get the idea.

Say someone tells you VPN is the best practice vs exposing the login page to the internet with username/password.

  • What is the probability someone will guess your login?
  • What is the probability someone will obtain the login?
  • What is the probability someone will find a vulnerability to bypass the login?
  • Say they get logged into your home assistant, does it even matter?

Which do you choose?

There is a best practice, but you are somewhat right.

When dealing with security there are 4 actions towards security risks.

  • Mitigation
  • Accept
  • Insurance
  • Ignore

But in order to be able to make decisions on these you need to figure out your risks.
You need to look critically at your setup and try to guess every possible thing that can go wrong; those are your risks.
Then you need to figure out the probability of it going wrong and also the impact if it goes wrong.
Your risk value for each risk can then be said to be probability x impact.

When you have your risks and their risk values, then you can make decisions on what to do.
Some you might want to mitigate or even prevent (complete mitigation) by not using the feature.
Some will have to be accepted as is.
Some might be insured. As a private person this one is harder, but there are insurances against identity theft and other smaller things.

The last one, ignore, actually means you either ignored thinking of the possible risk, ignored trying to guesstimate its probability, or didn't bother to figure out its possible impact. This one is the big NO-NO and maybe the one many fall under. Many do not really take a critical look at their HA setup and try to figure out the risks. They rely on the HA developers to do this, but HA is a combination of code packages running on a huge variety of hardware, so there are really very few setups that are the same and therefore no real option for the developers to secure it properly.
