Security - serious question (not trolling)

  1. I am hoping for some reasoned answers / opinions here. I have no axe to grind and nor do I distrust Nabu Casa or the HA dev team. I am not trolling anyone.
  2. I am an ex-IT professional who is well versed in security issues albeit at a high level as that is not my field. I am no expert in this area.
  3. I am also well versed in the obvious (and fair) answers which will turn the answer back to me and my perception, aversity and exposure to risk. That is not the point of my question and nor am I looking for advice.

Soā€¦

Given that bad actors are prone to be attracted to bigger targets, should we be concerned that as HA and hence Nabu Casa grow that it might start to appear on their radar as a target worth probing?

ā€˜The bigger the target the bigger prizeā€™.

Reasoned answers only please, I know this can be a sensitive subject, Iā€™m not trying to ruffle any feathers or wind anyone up.

Yes butā€¦

Nabu casa is separate and optional to each HA install

If open your HA instance to remote access beware.

If access to HA server and my light switches is all they get who cares. Hoping for no remote execution that jumps outside docker but thatā€™s a lot of hoops to jump and why a good backup/restore should be the end plan as you may already know

Itā€™s a valid concern. Although , as mentioned, itā€™s not limited to access though Nabu Casa but through whatever other means one might be employing to expose Home Assistant to external access.

Whereas amateurs might be interested in the cheap amusement of fooling around with your automated devices and cameras (and what the cameras see), the pros are probably more interested in gaining access to the machine itself so they can leverage it to become part of a botnet and/or to gain access to other computers on your network (like for ransom purposes).

FWIW depending on which installation type you chose, it runs with root privileges (a practice generally frowned upon) which, if compromised, provides full access to the host machine.

1 Like

Yes, true and it was my fault for not being more specific.

The thrust of my ā€˜concernā€™ was access via Nabu Casa because it is, for want of a better phrase, ā€˜a complete black box consumer orientated serviceā€™ (please donā€™t nit-pick my choice of words, hopefully you get what I mean).

If you decide to take the ā€˜diyā€™ approach to opening up your network then thisā€¦

ā€¦is especially relevant:

Iā€™m not sure if I understand you correctly, but the code is available on GitHub ā†’ Nabu Casa, Inc. Ā· GitHub
so itā€™s no blackbox.

Yes, bad choice of wordsā€¦ I mean it is ā€˜a boxā€™ i.e. no need for the average ā€˜consumerā€™ to do anything other than follow the instructions. And being a ā€˜serviceā€™ no one should be expected to and nor could 99% of users read the code and do any serious checks. That is a niche area of expertise that even the experts canā€™t always get right.

Being on GitHub is no indicator of the impenetrability (or quality, or of anything really. Except that I can read and change the code if I want).

Ok, then I agree :slight_smile: blackbox for me sounds like you canā€™t find out whatā€™s ā€œinsideā€ because the owner keeps it proprietary.

Totally agree, however it has been shown that generally open source security code tends to be less vulnerable than proprietary code.

Yes

Pragmatically though, Nabu Casaā€™s user base is still pretty small. Thereā€™s many more interesting targets out there (like Mosquitto, or your modem/router, or ā€¦).

Thatā€™s not to say somebody wonā€™t take the code apart and find something, or one of the upstream libraries used wonā€™t have a security issue that doesnā€™t impact it.

Itā€™s a risk, sure. But so is using something like Tuyaā€™s cloud services, or Xiaomiā€™s, or ā€¦ Thereā€™s nothing special about Nabu Casa here.

1 Like

If bad actors get hold of my nabu casa account (or other secured HA access) then it is not so much the ā€œin the cheap amusement of fooling around with your automated devices and cameras (and what the cameras see)ā€ (as @123 ably put it) nor is it really being botnetted (although that is bad), but probably access to my passwords and to my locks/garage doors and physical security shit like that.

But yes, of course nabu casa is a target for someone. Arenā€™t we all?

1 Like

Nabu Casa is probably the most secure way to expose HA to the internet.

Imho, the biggest risk is for the people opening up via the nginx / duckdns addon without really knowing what they do nor the risksā€¦

1 Like

OK, Iā€™ll hold my hand up, thatā€™s me. :roll_eyes:

I have the duckdns addon, in configuration.yaml I have:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

ā€¦even though it makes it difficult to use the HA app, and I have two-factor authentication enabled. What else should I be doing?

Assuming youā€™ve worked through this, then thereā€™s only a few other easy things to do:

  1. Use a reverse proxy server for SSL. Using a proxy server allows you to do filtering there, rewrite requests, limit access, and more. You can take this up another level by using one with WAF (web application firewall) capabilities.
  2. Donā€™t use port 443 or 8123, or another common port. No, this isnā€™t security, but if you pick a random high numbered port it cuts down on the number of people that will find it. Itā€™s hard to pick a lock you canā€™t find.
  3. Deploy the likes of fail2ban on your proxy server
  4. Consider only permitting remote access to the bits you need - I use my proxy server to only allow remote access to webhooks. If I want remote access to the UI Iā€™ll just use my VPN, which brings me toā€¦
  5. Use a VPN for remote access to the UI
  6. Keep an eye on the proxy logs for signs anybody has found your server and is attempting to compromise it
4 Likes

On it, thanks. :grinning:

Similarly, I have also configured my remote proxy to only forward a specific FQDN to HA.

How did you configure your proxy server to only permit access to your webhooks? Id love to restrict remote access to the HA location tracker API with my Nginx Proxy Manager.

For NGINX itā€™s a default deny, with only some things permitted.

/api/webhook
/api/websocket
	location /api/webhook {
		allow all;
		include conf.d/proxy.conf;
		proxy_pass http://127.0.0.1:8123;
		proxy_set_header Host $host;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_ignore_client_abort on;
	}

	location /api/websocket {
		allow all;
		include conf.d/proxy.conf;
		proxy_pass http://127.0.0.1:8123;
		proxy_set_header Host $host;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_ignore_client_abort on;
	}

	location / {
		satisfy any;
		deny all;
	}
1 Like

Found this thread because of the security vulnerability thread which has a link to this.

Unfortunately this does not cover everything when I look on my iOS app. Does this really work for you?

/api/webhook
/api/websocket
/api/ios/config
/?external_auth=1
/manifest.json
/local
/api/hassio

The problem I now facing in is that /?external_auth=1 is the path / basicly. Any idea how to cover this?

I donā€™t use the iOS app, canā€™t talk about what that needs, or doesnā€™t need.

I also donā€™t use anything Supervised.

I also donā€™t use the UI remotely.

Just the two I listed are enough for the Android app to report to HA for me.

1 Like

Are you planning on using the UI of the iOS app outside of your home? Tinkererā€™s approach is to use a VPN in that case.

Or do you only want to send location / sensor updates through your reverse proxy back to HA? In that case, Iā€™ve seen that /auth/token should also be added as a location to keep the connection alive. On my Android phone /api/webhook and /api/websocket seem to be enough. However, on my wifeā€™s iPhone somehow the app tries to refresh the token after about 30 minutes after leaving the house (which fails with auth/token blocked). Then the app logs here out and she needs to logging again.

I donā€™t see any calls to /auth/token from my Android app, except when I try to use the UI.

1 Like