Security tips

Take care of samba shares https://blog.avast.com/mqtt-vulnerabilities-hacking-smart-homes

How can I suggest a feature? Encryption of secrets.yaml

This has been discussed here and the issue with samba shares was addressed.

1 Like

Thanks. I had not seen.
Anyway, a bit more protection for the secrets.yaml would be welcome.

Home-Assistant needs the passwords in clear text so they can be used in other services. If you’re encrypting the secrets file then home-assistant will be storing the decryption key somewhere. Then you’re back to asking for your secrets decryption key to be encrypted and so on.

Regarding the article. Storing sensitive data in an insecure system is bad. :rofl: All MQTT connections should require a username and password plus it should never be made publicly accessible.

2 Likes
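The two requirements in the post above (a username and password on every MQTT connection, and no public exposure) can be checked mechanically. This is an added example, not part of the thread: it assumes a Mosquitto-style broker config, which the thread does not name, and the sample configs and function names are constructed for illustration.

```python
# Added example, not from the thread: audit a Mosquitto-style broker config.
# WEAK_CONF and HARDENED_CONF are constructed samples, not real deployments.
WEAK_CONF = """\
# quick-start style config
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """\
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
"""

ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_conf(text):
    """Return (directive, args) pairs, skipping blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            entries.append((name, args))
    return entries


def audit_mqtt_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_conf(text)
    last = {name: args for name, args in entries}  # later lines override earlier
    findings = []
    # Defaults differ between broker versions, so require an explicit "false".
    if [a.lower() for a in last.get("allow_anonymous", [])] != ["false"]:
        findings.append("anonymous-not-disabled")
    # Assumption: credentials come from password_file (auth plugins not checked).
    if not last.get("password_file"):
        findings.append("no-password-file")
    # A listener with no bind address accepts connections on every interface.
    for name, args in entries:
        if name == "listener" and args:
            if len(args) < 2 or args[1] in ALL_INTERFACES:
                findings.append(f"listener-all-interfaces:{args[0]}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mqtt_conf(conf) or "ok")
```

A listener on all interfaces is not necessarily reachable from the internet, so treat that finding as a prompt to check the router and firewall rules in front of the broker.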

“There’s no secure system”; however, something better than a plain text file was already thought of by Caesar.

That’s just security by obscurity. And in the case of popular software, an attacker would know where to find the required key. That’s only an additional 2 seconds for an attacker.

I’ll try to explain the problem. Let’s say you want your Home Assistant to connect to some cloud service. Let’s say your e-mail account to send e-mails. To do this, Home Assistant has to pretend to be you. Hence it requires the username and password required to log in to your e-mail account. In plaintext, because your e-mail provider wouldn’t recognize the encrypted password. And if it did, the encrypted password would be just as insecure as the plaintext variant because both could be used to log in.

So the obvious solution would be to encrypt the password with a predefined key. Home Assistant would need to know that key to be able to decrypt the password. And where does it know the key from? From its own configuration. The same configuration an attacker with filesystem access already is able to read. So if this would be implemented, the attacker would just have to look up the key and use it to decrypt the password.

There is one solution though you might not be aware of: keyring. With this your secrets are saved within the keyring (encrypted). The password required to access the keyring then has to be entered as soon as the Home Assistant service starts. So the downside of this solution is that such a system won’t come back online if the system crashes / reboots as long as you don’t enter the password required for keyring access.

1 Like

I think you are looking at the wrong problem. If you have made the configuration directory of your home automation system directly available on the public internet then you are exposing yourself too much already, I would say.
I’m not sure there is much that can be done to make it more secure. I would assume the default smb sharing plugin for Hassio requires you to set a password.
It also comes from simple examples on the internet never starting with securing your MQTT server as that makes the example too hard to follow, so everybody assumes that’s how you do it.
Using the homeassistant cloud service does seem to be the way to go. So you don’t expose any of homeassistant on the public internet but you can still access the parts you need or upload location data.