I am hoping for some reasoned answers / opinions here. I have no axe to grind and nor do I distrust Nabu Casa or the HA dev team. I am not trolling anyone.
I am an ex-IT professional who is well versed in security issues albeit at a high level as that is not my field. I am no expert in this area.
I am also well versed in the obvious (and fair) answers which will turn the answer back to me and my perception, aversity and exposure to risk. That is not the point of my question and nor am I looking for advice.
So…
Given that bad actors are prone to be attracted to bigger targets, should we be concerned that as HA and hence Nabu Casa grow that it might start to appear on their radar as a target worth probing?
‘The bigger the target the bigger prize’.
Reasoned answers only please, I know this can be a sensitive subject, I’m not trying to ruffle any feathers or wind anyone up.
Nabu casa is separate and optional to each HA install
If open your HA instance to remote access beware.
If access to HA server and my light switches is all they get who cares. Hoping for no remote execution that jumps outside docker but that’s a lot of hoops to jump and why a good backup/restore should be the end plan as you may already know
It’s a valid concern. Although , as mentioned, it’s not limited to access though Nabu Casa but through whatever other means one might be employing to expose Home Assistant to external access.
Whereas amateurs might be interested in the cheap amusement of fooling around with your automated devices and cameras (and what the cameras see), the pros are probably more interested in gaining access to the machine itself so they can leverage it to become part of a botnet and/or to gain access to other computers on your network (like for ransom purposes).
FWIW depending on which installation type you chose, it runs with root privileges (a practice generally frowned upon) which, if compromised, provides full access to the host machine.
Yes, true and it was my fault for not being more specific.
The thrust of my ‘concern’ was access via Nabu Casa because it is, for want of a better phrase, ‘a complete black box consumer orientated service’ (please don’t nit-pick my choice of words, hopefully you get what I mean).
If you decide to take the ‘diy’ approach to opening up your network then this…
Yes, bad choice of words… I mean it is ‘a box’ i.e. no need for the average ‘consumer’ to do anything other than follow the instructions. And being a ‘service’ no one should be expected to and nor could 99% of users read the code and do any serious checks. That is a niche area of expertise that even the experts can’t always get right.
Being on GitHub is no indicator of the impenetrability (or quality, or of anything really. Except that I can read and change the code if I want).
Pragmatically though, Nabu Casa’s user base is still pretty small. There’s many more interesting targets out there (like Mosquitto, or your modem/router, or …).
That’s not to say somebody won’t take the code apart and find something, or one of the upstream libraries used won’t have a security issue that doesn’t impact it.
It’s a risk, sure. But so is using something like Tuya’s cloud services, or Xiaomi’s, or … There’s nothing special about Nabu Casa here.
If bad actors get hold of my nabu casa account (or other secured HA access) then it is not so much the “in the cheap amusement of fooling around with your automated devices and cameras (and what the cameras see)” (as @123 ably put it) nor is it really being botnetted (although that is bad), but probably access to my passwords and to my locks/garage doors and physical security shit like that.
But yes, of course nabu casa is a target for someone. Aren’t we all?
Assuming you’ve worked through this, then there’s only a few other easy things to do:
Use a reverse proxy server for SSL. Using a proxy server allows you to do filtering there, rewrite requests, limit access, and more. You can take this up another level by using one with WAF (web application firewall) capabilities.
Don’t use port 443 or 8123, or another common port. No, this isn’t security, but if you pick a random high numbered port it cuts down on the number of people that will find it. It’s hard to pick a lock you can’t find.
Consider only permitting remote access to the bits you need - I use my proxy server to only allow remote access to webhooks. If I want remote access to the UI I’ll just use my VPN, which brings me to…
Use a VPN for remote access to the UI
Keep an eye on the proxy logs for signs anybody has found your server and is attempting to compromise it
How did you configure your proxy server to only permit access to your webhooks? Id love to restrict remote access to the HA location tracker API with my Nginx Proxy Manager.
Are you planning on using the UI of the iOS app outside of your home? Tinkerer’s approach is to use a VPN in that case.
Or do you only want to send location / sensor updates through your reverse proxy back to HA? In that case, I’ve seen that /auth/token should also be added as a location to keep the connection alive. On my Android phone /api/webhook and /api/websocket seem to be enough. However, on my wife’s iPhone somehow the app tries to refresh the token after about 30 minutes after leaving the house (which fails with auth/token blocked). Then the app logs here out and she needs to logging again.
I don’t see any calls to /auth/token from my Android app, except when I try to use the UI.