Security through obscurity isn't a good strategy on the Internet

Inspired by this recent post in the openHAB community forum:

Thousands of OH installations accessible from everywhere

I used shodan.io to determine how many instances of Home Assistant are publicly visible.

The answer is nearly 80 thousand.

Unsurprisingly, it includes instances of Home Assistant exposed via an unencrypted connection directly to port 8123. In other words, the user just opened a port on their router and forwarded it to their Home Assistant server … and assumed “no one will find this”.

The concern raised in the openHAB community is that a few hacked systems will be reported as an inherent flaw in the product and attract negative press. It’s a valid concern and they’re formulating a response to inform their users.

Seeing that some Home Assistant users have adopted the same risky practice, perhaps our community should also (officially) raise awareness. It might also be an opportunity to boost subscribers to Nabu Casa’s service, maybe even offer a reduced introductory price (or a reduced-rate annual plan) to entice people away from just opening their router ports.

At a minimum, there’s this:

Does Nabu Casa actually increase security significantly?
Not sure, because as I understand the service, it still is a tunnel wide-open to your HA instance.

Sure, having the connection encrypted is a plus (a must, actually), but you still have your HA open to billions to “test” the security of HA itself.

IMHO, 90% of HA users open it to the internet just to be able to reach it through their phone.
For this sole use-case, a no-hassle, point-to-point VPN like Tailscale is the actual safe solution, and should likely be mentioned in the post you refer to.

1 Like

?

I suggest you review the How it works section in Nabu Casa’s documentation. The source code is also available.

Yes, it’s mentioned in the linked openHAB thread along with other methods. However, there’s very little discussion about it in our community forum (9 posts so far).

Unfortunately I don’t think it’s changed over the years. Far too many exposed ones.

Home Assistant security concern - Home Assistant OS - Home Assistant Community (home-assistant.io)

Well, doesn’t the “How it works” mean that anybody in the world can connect to https://abcdef.ui.nabu.casa and reach the login page of your HA instance? That’s what I meant.
From there on, we can just pray that HA doesn’t have vulnerabilities…

The addresses are a bit more obscured as there aren’t tools built to scan the Nabu Casa addresses (that we know of) like there are for IP addresses. However, it is not very hard to get a list of Nabu Casa connections to prod at.

I used to think it would be a guessing game but another user informed me google publishes the list.

https://transparencyreport.google.com/https/certificates?hl=en&cert_search_auth=&cert_search_cert=&cert_search=include_subdomains:true;domain:ui.nabu.casa&lu=cert_search

1 Like

Interesting :sweat:
Glad I use wildcard certificates for my domains…

The issue isn’t that one’s instance is not invisible. The issue is that there’s a mistaken belief that invisibility will help to protect an otherwise minimally secured system.

Agreed, but just adding SSL doesn’t make HA more secure by itself, that’s my point.
It definitely prevents sniffing, but it’s not something really useful for your average remote hacker with no infrastructure access.

In that regard, Nabu Casa is not more (but not less) safe than duckdns + letsencrypt, or just enabling SSL in HA itself and, to quote your OP, none of those prevent your instance from being “accessible from anywhere”, which is the actual issue outlined in the openHAB post.

But easier to implement for users whose expertise amounts to forwarding a port.

Never said it would. In fact, nor do the replies in the openHAB thread. If you read rlkoshak’s detailed response, which lists several ways to improve security, none specifically address visibility. There are methods to locate instances of openHAB and Home Assistant, be they secured or not. The moral of the story is to be one of the secured instances.

There are “a few” threads that cover this ground already. I also remember back when authentication was optional :joy:

To be honest, I think you’re thinking too much of people. Most who did that didn’t think that far.

Beyond that, there’s not a lot more that can be done - maybe advising MFA in the securing docs? I certainly see no reason you (or somebody else) can’t add a section on VPN use for HA - maybe I should add details of how I do it, with a combo of proxy server (limiting access to webhooks) and VPN (for remote UI access) :man_shrugging:

Ultimately, you can’t force people to make good choices beyond what’s built into the system for them.

I’m giving them the benefit of the doubt that they understood the implications of port forwarding (but I agree with you that some probably didn’t).

:scream:

That’s pretty bad. I just watched this last night on the Tailscale VPN addon and can’t think of an easier way for people to secure the network, with no port forwarding needed.

I remember the posts of “My HA was hacked!” or “Was my HA install just hacked?” and it turned out to be people willingly (though possibly unknowingly) opening SMB to the internet…

I forward 3 ports from my internal network. My SSH rejects password authentication and requires public/private key pairs otherwise the server immediately closes and refuses the connection. The other ports have SSL and will not respond to unsecure HTTP connections (not even an invalid certificate warning). Combine that with a few non-standard ports and 2FA logins. It’s not the most secure by any means, but it’s a start. True security is a closed network that has no in or out access. Unfortunately that breaks functionality. The next best thing is combining multiple security methods such as a little bit of obscurity, encryption, two-factor auth, port knocking just to name a few.
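As an added example (not from the post above or from Home Assistant), here is a small POSIX sh audit that checks an sshd_config for the key-only setup the post describes: password logins rejected, public-key authentication required, no root or empty-password logins. The file path argument is the only assumption; it emulates sshd's rule that the first occurrence of a directive wins and stops at the first Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for public-key-only authentication.
# Assumption: run as `audit_sshd_config /path/to/sshd_config` (path is hypothetical).

# Print the effective (lower-cased) value of one directive.
# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored.
# Keywords are case-insensitive and may be written "Key value" or "Key=value".
# Directives inside Match blocks are conditional, so parsing stops there.
sshd_value() {  # sshd_value FILE KEYWORD DEFAULT
  awk -v key="$2" -v def="$3" '
    /^[[:space:]]*(#|$)/        { next }          # skip comments and blank lines
    { gsub(/=/, " ") }                            # normalise "Key=value" form
    tolower($1) == "match"      { exit }          # global section ends here
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print tolower(def) }        # compiled-in default if absent
  ' "$1"
}

# Returns 0 if the config enforces key-only login, 1 otherwise; prints findings.
audit_sshd_config() {
  file="$1"; rc=0
  # Defaults are OpenSSH's compiled-in defaults when the directive is missing.
  pw=$(sshd_value "$file" PasswordAuthentication yes)
  pk=$(sshd_value "$file" PubkeyAuthentication yes)
  kb=$(sshd_value "$file" KbdInteractiveAuthentication yes)
  root=$(sshd_value "$file" PermitRootLogin prohibit-password)
  empty=$(sshd_value "$file" PermitEmptyPasswords no)

  [ "$pw" = "no" ]    || { echo "FAIL: PasswordAuthentication is '$pw' (want no)"; rc=1; }
  [ "$pk" = "yes" ]   || { echo "FAIL: PubkeyAuthentication is '$pk' (want yes)"; rc=1; }
  [ "$kb" = "no" ]    || { echo "FAIL: KbdInteractiveAuthentication is '$kb' (want no)"; rc=1; }
  [ "$empty" = "no" ] || { echo "FAIL: PermitEmptyPasswords is '$empty' (want no)"; rc=1; }
  case "$root" in
    no|prohibit-password) ;;
    *) echo "FAIL: PermitRootLogin is '$root' (want no or prohibit-password)"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "OK: $file enforces public-key-only authentication"
  return "$rc"
}
```

A config that never mentions PasswordAuthentication fails the audit, because sshd's default is to allow it; the same applies to a file that sets it to `no` only after an earlier `yes`.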

Am I missing something, but how does Tailscale secure the connection any differently than something like Nabu Casa?

It looks like you are still storing credentials on an external third party commercial software platform that handles the connection security for you.

Sure it may be easy (but so is NC) but I don’t think it’s any more secure.

Other VPNs such as OpenVPN and WireGuard require you to set up a Secure Key on the client and if it doesn’t exist you can’t connect.

With Tailscale if the credentials are compromised/hacked from that public facing business what protects you from the hackers getting access?

At least with NC if things get hacked the most they can gain access to would be your HA instance (bad enough) but they couldn’t get access to your entire network like they could with a hacked third-party hosted VPN.

1 Like

I agree storing the credentials isn’t the best, and that’s why I use WireGuard since the credentials aren’t stored in the cloud anywhere. But I definitely think Tailscale is better than just port forwarding 8123 with no encryption.

Inspired by this post I started a community guide on securing HA.

For those looking for guidance on security or for those with the expertise please see the link below and provide any feedback you have.

2 Likes

From what I read, Tailscale doesn’t identify you using their own authentication system. You authenticate via an existing service you may already have (they currently support Google, Microsoft, and Okta). For example, if you already use two-factor authentication with your Google account, that’s what you will also use to access your Home Assistant system (via Tailscale).

Tailscale’s free tier is limited to one account. Multiple accounts are provided in their first paid tier at US$5/month. At the risk of sounding like a shill for Nabu Casa, in terms of ‘bang per buck’ Nabu Casa offers more services for the same money (but no free tier). If someone doesn’t need the extra services and is just one user requiring remote access then Tailscale is an inexpensive and secure option.

Note
I have no idea if you can use multiple free Tailscale accounts (one per family member) to access the same system. I’ll take a guess and say “probably not” otherwise why would anyone go with their paid tier.

Do you recall which post? I skimmed through that lengthy thread and recall that was suggested as a possible cause but the hacked user insisted their Samba instance wasn’t facing the Internet.

I remember a few that were that for sure. Lots were people exposing MQTT to the Internet, with no authentication.