[security] Disable ESPHome devices' ability to control the parent HA instance

mag1024 · June 24, 2023, 1:23am

Following up on the discussion in #95032 – it would be great to have an option in the ESPHome integration to treat some devices as “untrusted” and disable their ability to make arbitrary service calls into the connected HA instance via homeassistant.service.

The fact that there is currently no way to disable this functionality (devices triggering services back in HA) creates a security vulnerability where an ESPHome device in a location that is not physically secure (e.g. a sensor or switch located outside the house) can be used to effectively take over the parent HA instance, and open house locks, disable alarms, etc.

This situation is quite surprising (intuitively, communication with a sensor should be one way) and it undermines common security practices, like having strong HA passwords, and isolating untrusted devices to a vlan/subnet that is not able to initiate connections to the outside world.

paddy0174 · June 24, 2023, 2:45am

+1

Note: you should vote for your feature request yourself…

nickrout · June 24, 2023, 2:51am

But hold on, the device outside the house would need to be physically connected to a computer to be flashed, and someone would need your API key to connect it to your home assistant, not to mention needing access to the HA UI to connect it.

mag1024 · June 24, 2023, 4:28am

@nickrout, the attack works like this:

Attacker connects to the esp over usb, and dumps the existing firmware
Wifi ssid/password and API keys are easily extractable from the firmware image
Attacker flashes new exploit firmware with the extracted credentials filled in
Device connects back to the wifi, and HA reconnects back to it (remember it was already a registered device that HA knows about)
Exploit firmware instructs HA to execute lock.unlock(lock.frontdoor)

All the steps are automatable, and can likely be executed in under a minute using any portable Linux device and no interaction beyond plugging it in.

bdraco · June 24, 2023, 4:41am

github.com/home-assistant/core

Require newly configured esphome device to allow Home Assistant service calls

home-assistant:dev ← home-assistant:esphome_service_calls_turn_on

opened 07:11PM - 23 Jun 23 UTC

bdraco

+217 -30

## Breaking change  As a security hardening measure, the default for allowing ESPHome devices to make arbitrary calls has changed. If you want to permit the ESPHome device to make arbitrary service calls, it must be enabled in the options flow. - For existing devices, calling Home Assistant services continues to be allowed. - For newly configured devices, it must now be enabled in the options flow. <img width="571" alt="Screenshot 2023-06-23 at 2 42 03 PM" src="https://github.com/home-assistant/core/assets/663432/bfcf9f53-266e-4182-8845-b0d9b8c3e467"> <img width="444" alt="Screenshot 2023-06-23 at 2 42 33 PM" src="https://github.com/home-assistant/core/assets/663432/42350a3a-2691-4f8f-9a6a-7dc009f4cad6"> ## Type of change  - [ ] Dependency upgrade - [ ] Bugfix (non-breaking change which fixes an issue) - [ ] New integration (thank you!) - [ ] New feature (which adds functionality to an existing integration) - [ ] Deprecation (breaking change to happen in the future) - [x] Breaking change (fix/feature causing existing functionality to break) - [ ] Code quality improvements to existing code or addition of tests ## Additional information  - This PR fixes or closes issue: fixes # - This PR is related to issue: - Link to documentation pull request: ## Checklist  - [x] The code change is tested and works locally. - [ ] Local tests pass. **Your PR cannot be merged unless tests pass** - [ ] There is no commented out code in this PR. - [ ] I have followed the [development checklist][dev-checklist] - [ ] I have followed the [perfect PR recommendations][perfect-pr] - [ ] The code has been formatted using Black (`black --fast homeassistant tests`) - [x] Tests have been added to verify that the new code works. If user exposed functionality or configuration variables are added/changed: - [x] Documentation added/updated for [www.home-assistant.io][docs-repository] If the code communicates with devices, web services, or third-party tools: - [ ] The [manifest file][manifest-docs] has all fields filled out correctly. Updated and included derived files by running: `python3 -m script.hassfest`. - [ ] New or updated dependencies have been added to `requirements_all.txt`. Updated by running `python3 -m script.gen_requirements_all`. - [ ] For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description. - [ ] Untested files have been added to `.coveragerc`.  To help with the load of incoming pull requests: - [ ] I have reviewed two other [open pull requests][prs] in this repository. [prs]: https://github.com/home-assistant/core/pulls?q=is%3Aopen+is%3Apr+-author%3A%40me+-draft%3Atrue+-label%3Awaiting-for-upstream+sort%3Acreated-desc+review%3Anone+-status%3Afailure  [dev-checklist]: https://developers.home-assistant.io/docs/development_checklist/ [manifest-docs]: https://developers.home-assistant.io/docs/creating_integration_manifest/ [quality-scale]: https://developers.home-assistant.io/docs/integration_quality_scale_index/ [docs-repository]: https://github.com/home-assistant/home-assistant.io [perfect-pr]: https://developers.home-assistant.io/docs/review-process/#creating-the-perfect-pr

bdraco · June 24, 2023, 4:44am

If you want to go further, only use ESP32 chips, and burn the desired e-fuses after flashing to reduce the chance someone can access the device

https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/efuse.html

You could also remove the usb port if the device has one

nickrout · June 24, 2023, 5:27am

Is the encryption key extractable? (other than that I am with you).

bdraco · June 24, 2023, 10:25am

The encryption key is stored on the device.

It has to be or you would have to manually enter it every time the device starts up to get the api connection working.

Even if it was only stored in memory and you did have to enter it via a serial cable every time the device started, it could be extracted from memory when the device is running with the right tools.

paddy0174 · June 24, 2023, 1:10pm

Sounds great! Seems a neat feature to harden the security, and it’s not oversized to care about every possible, but unlikely, edge case. Thanks!

nickrout · June 24, 2023, 10:05pm

Makes sense (unlike me!)

mag1024 · June 25, 2023, 2:37am

Wow, that was fast! Many thanks, @bdraco!