Security vulnerabilities

TonyDams · August 23, 2018, 2:53pm

I strongly encourage home assistant developers (but also users) to read this article based on an avast report that present major security vulnerabilities found in home assistant (but not only) !

Avast : Are smart homes vulnerable to hacking?

For French users (like me) here is a summary : Almost 900 houses with home assistant security issues

lolouk44 · August 23, 2018, 3:01pm

interesting read, merci

cgtobi · August 23, 2018, 3:17pm

I am sorry, but to say that “major security vulnerabilities” have been found in home assistant is simply not true. What they report are for example publicly open SMB shares which is totally out of the hands of the home assistant developers, because if a user decides to expose that to the open world it is totally his own fault. If I leave my front door open and later complain about things being stolen I can make the door manufacturer responsible for that.

If users follow the guidelines to secure their installation less systems out there would be vulnerable to those obvious and simple to fix attack vectors mentioned in that article.

silvrr · August 23, 2018, 4:28pm

Home Assistant does not by default expose your MQTT server or SMB shares to the world. This is either done by the user or exposed by something like UPNP. There have been a number of threads about hacks and none have been the result of a issue in the home assistant code. The devs seem pretty responsive to security issues, changes have been made as a result of security issues that come up, these are usually covered in a blog post or release notes.

If you don’t explicity know what you are doing opening a port, do some research or ask for help on the implications.

Regardless, test and test often.

https://www.grc.com/x/ne.dll?rh1dkyd2

First, GRC shields up test can scan your network for open ports. There should be none unless you opened it and know why its open. Open the link above and run the different tests (yellow box for UPNP test or grey bars for testing for open ports)

Second, from a remote IP (coffee shops are great for this) try to access your network. See how a stranger sees your IP. NMAP on a linux machine is a great tool for scanning your network and reporting the status. If you don’t have a portable linux machine put ubuntu or mint on a flash drive and boot from it, you can run off the flash drive.

Third, use shodan. Scan for your IP using their search tool. Also search for ‘Home Assistant’ and ‘Homeassistant’. You will likely get a lot of results for the last two searches. Narrow the results using the filters for “TOP ORGANIZATIONS” (internet providers) and “TOP COUNTRIES” on the left hand side of the results page. You should be able to narrow the results quickly and see if your IP is listed.

Finally, you can look into a router with more advanced capabilities. I had a PFsense router in the past that would detect scans and block those IPs completely. The logging in PFsense is great also as you can see everything that is happening. I run a ubiquiti USG now and even with ports open they are limited to certain IPs so they don’t show as open in nmap scans, shodan scans or the GRC tool above unless ran from an IP I alllow.

In short, know what you are doing exposing your local network to the internet and check for gaps in your security and check often.

klogg · August 23, 2018, 5:16pm

I want to say that these two responses and especially that from @silvrr are two of the best, most measured and constructive reponses to any of the many security ‘scare’ posts that I have seen in the relatively short time I have been here.

And as someone who has been involved in some of those previous discussions, I agree entirely with everything you have written.

Remember I said that

I do though still have two points I’d like to make again. Firstly, it is in my opinion a little disingenuous to give advice that basically says ‘if you don’t understand the risks then don’t do it’. If you don’t understand the risks it is very likely that you don’t even know that there are risks. I know neither the devs nor anyone else intends it this way but reading the HA forums does give the impression that opening a port is kind of required to reap the full benefit of HA. And installing Samba even more so.

Secondly it isn’t the devs responsibility given that they do offer some advice in the docs, to hold anyone’s hand or to be responsible for how people open up thier systems. But I still maintain that that really shouldn’t be used as a defence. The more people put off HA because of what they read, accurate or not, the worse it will be. Conversely the more people who are happy with HA the better it will become and surely that is to some extent the devs responsibility? It is certainly their desire else they wouldn’t be constantly trying to make it better.

I am not ranting or complaining, I just think there is less of a clear line between who is and who isn’t responsible for the security of a system, because it plays into much more than whether an individual gets hacked.

silvrr · August 23, 2018, 5:49pm

Two more tools I forgot about.

First, HA by default (on any recent release) gives a persistent notification of a failed login attempt. I rarely use the frontend of my HA so I setup an automation to get an immediate notification when this happens.

github.com

SilvrrGIT/HomeAssistant/blob/master/automation/pc_security.yaml#L22


      from: 'off'
      to: 'on'
    condition:
        condition: template
        value_template: "{{ states('person.adam') != 'home' }}"
    action:
      service: notify.home_assistant
      data:
        title: "Desktop PC turned on"
        message: "Desktop PC was turned on and Adam is not home"

#########################################################
#                                                       #
#                 FAILED LOGIN ATTEMPTS                 #
#                                                       #
#########################################################

  - alias: "Send notification upon failed login attempt"
    initial_state: true
    trigger:
      - platform: state

The second tool comes from @leedus who has a custom component to log successful logins. I setup an automation to notify me of these also.

github.com

SilvrrGIT/HomeAssistant/blob/master/automation/pc_security.yaml#L41


    trigger:
      - platform: state
        entity_id: persistent_notification.http_login
    condition:
      - condition: template
        value_template: "{{ trigger.to_state.state != 'None' }}"
    action:
      - service: notify.home_assistant
        data_template:
          title: "{{ states.persistent_notification.http_login.attributes.message }}"
          message: 'url: https://whatismyipaddress.com/ip/{{ states.persistent_notification.http_login.attributes.message.split ("from ") [1]}}'
      - service: persistent_notification.dismiss
        data:
          notification_id: 'http_login'

#########################################################
#                                                       #
#            END OF CONFIGURATION FILE                  #
#                                                       #
#########################################################

A few notes on the above.
1 there will be some white noise for a bit, initial logins from any device will give a notification, this should quiet down after you get your regular IPs logged.
2 internal access may show up from your router IP sometimes depending on how your network works. 3 3 you need a basic understanding of IPs and what private and public IP looks like. Knowing your internal subnet(s) and the commonly used IPs of your cell provider is helpful to avoid false alarms.

google is good at getting your IP https://www.google.com/search?q=whats+my+ip If google doesn’t provide it the first 2 or 3 results of the search are usually reliable.

cgtobi · August 23, 2018, 6:38pm

Some use cases actually might require you to open a port and that is why it is always recommended to protect your UI with a password. But it makes absolutely no sense to SMB to the outside of your network. There is simply no need for it. If, and only if you actually need Samba for example to edit your config filed, do that, but only do it on your own network and preferably restrict access to it. I heard that by default hass.io allows anonymous access to the share, so it is even more important to not open that port to the WAN.

Home assistant isn’t any different to using any other computer. If you open up a port to the outside world bad things might happen. There is nothing any developer in the world can do about but to point out the possible dangers.

The bottom of the line is, if you don’t know what you are doing, don’t do it and ask for help.
If you don’t know how to fix the breaks on your car it might not be the best idea to do so if you want to drive safely, right? Computers aren’t much different. Except that the likelihood of killing you isn’t as big.

silvrr · August 23, 2018, 6:49pm

This was changed, but I still agree that you shouldn’t expose these types of things.

github.com/home-assistant/addons

Disable guest access for Samba by default

home-assistant:master ← home-assistant:disable-samba-guest-default

opened 03:29AM - 30 May 18 UTC

balloob

+1 -1

By default, the Samba add-on is too open. Guest access + write access to config …and other add-ons means that it's easy to take control of the system. Let's disable guest access by default (users could still enable it) so that we try to steer users to add username/password. Also wondering if we can limit Samba by default to the local subnets?

cgtobi · August 23, 2018, 6:52pm

Thanks for pointing that out. I am not a hass.io user, so I only read about it.

awarecan · August 24, 2018, 12:22am

Nothing new, those topics had been discussed in the forum.

JZhass · August 30, 2018, 3:28am

I’d say that folks need to know their desire, extent of technical ability, and equipment. Why would your HA server be in the DMZ in any way? I’m even concerned for folks that are opening port 8123 — even with a password or certs, etc. I highly recommend understanding what you’re doing and probing your public ports before throwing a server out to the WAN for all to hack away. Please have a look at VPNs as your alternative solution. Buying a capable router with built-in VPN or using DD-WRT firmware, etc. on some older router should enable you to connect to your home and access any INTERNAL server.

danielperna84 · August 30, 2018, 10:41am

Some components just require that external access is available. Like Google Assistant or probably IFTTT.

louis-lau · August 30, 2018, 11:30pm

On most consumer routers DMZ just opens all ports of a device to the internet. For Google Asisstant or IFTTT you only need port 8123.

JZhass · August 31, 2018, 8:48am

Ports 80 or 443 with the obvious 8123 being open should be sufficient for all call-back API’s… not sure what you’re running into but DMZ and no firewall for HASS is not the norm.

danielperna84 · August 31, 2018, 1:24pm

@louis-lau & @JZhass
I think our understanding of what a DMZ is is different. To me a DMZ does not mean there is no firewall. It’s just a (usually dedicated) subnet where hosts reside that are both accessible internally and externally. Forwarding / allowing traffic to the destination still has to be taken care of.

petro · August 31, 2018, 1:27pm

Why does this thread appear every few weeks? This topic has been beaten to death at this point and it always ends with a miss configuration on the users side.

louis-lau · August 31, 2018, 1:37pm

Yeah, that’s what DMZ actually is. The way it’s implemented in a lot of consumer routers though = all ports forwarded. That’s just my experience.

JZhass · September 18, 2018, 3:03am

I get what you’re saying… the DMZ can be protected as well. Either way, I’m not a big fan of throwing my HA site on the WAN unless I’m whitelisting external IP’s. I wouldn’t do reverse proxy to the HA box, etc. Just not worth it… VPN at home is much more secure.