[SOLVED] New Installation of Home Assistant sends data to internet without consent

There doesn’t seem to be a category that can accommodate security and privacy (I couldn’t even find a tag relating to those topics) so I’ll post it as “Uncategorized”.

OS: DietPi v6.14 ARMv8 Stretch
Platform: OdroidC2
Application: Home Assistant 0.91.4 on Python 3.6.3

On a clean installation of DietPi on an Odroid C2, the operating system’s startup configuration utility offers to install software. One of the optional items it can install is Home Assistant.

After updating and upgrading the OS and rebooting, I continued configuring basic OS settings like a static IP address for the ethernet connection, the time zone, and the system language. I opted to install Home Assistant using the dietpi-software utility along with MQTT.

Immediately after rebooting, I noticed traffic from the device being sent over port 443 to the IP address 157.249.177.128 at intervals of about every 20 minutes or so. When I stop the home-assistant service, that communication stops until the service is restarted.

Upon starting home-assistant, the service first appears to check internet connectivity by querying connectivity-check.ubuntu.com. Then a DNS query is made to resolve aa015h6buqvih86i1.api.met.no, which is chased to os-157-249-177-128.ares.met.no, which resolves, of course, to 157.249.177.128.

That address resolves to a block belonging to the met.no domain. While this suggests that it could have something to do with weather reporting, I did not ask Home Assistant to communicate outside of my local network. It doesn’t even know what locale it should query for weather reports.

If I want someone to know the location of my devices, I will specifically allow it. In the case of my home automation controller, I do not want that. I also do not want it communicating with the outside world without my permission.

The DietPi utility uses apt to install Home Assistant. The only repositories registered are at debian.org for stretch, but they include stretch-backports. As far as I can tell, an official version was installed.

1. For what purpose is Home Assistant calling connectivity-check.ubuntu.com?

2. For what purpose is Home Assistant calling aa015h6buqvih86i1.api.met.no?

3. Why does Home Assistant require /any/ internet connectivity unless I specifically connect it to an internet service?

4. How can I secure it so as to maintain my privacy and not accidentally leak private information without my knowledge?

Right now, I am blocking access to that IP address at my firewall (I use pfSense on my test network). However, I would like to disable whatever services within Home Assistant are accessing the internet without my consent. While I expect it to operate on the LAN and within the IP block to which it’s address belongs, other communications should be opt-in rather than opt-out.

I’ll be grateful for any information that anyone can provide.

UPDATE:
gpbenton provided the solution. It involves editing the file configuration.yaml. It’s default location on DietPi is /home/homeassistant/.homeassistant. Then it is necessary to edit the Home UI on the web front end to remove the weather icon. Otherwise, an error is shown. I’m grateful to gpbenton for the information.

I believe the default configuration for HA includes a weather service hosted in Norway, which is probably the traffic you are seeing. Just remove that from your configuration.yaml and the traffic should stop.

@gpbenton Thanks! I found [sensor.yr_symbol] on the filters page of the web interface that contains the reference to met.no, but I couldn’t figure out how to remove it. I’ll look in configuration.yaml to see what I can find.

By using your pfSense how it’s supposed to be used: block all outbound traffic, and then whitelist what you feel is needed and acceptable for daily operation.

sigh the dilemma of making something that is useful out of the box with an innocuous weather query, while making sure the tinfoil hats are not glowing white hot.

If you install their Hasio variant, NTP is hard coded to Google’s NTP server.

For the developers, they do not totally equate usefulness & local-only security

Ah. So it’s okay if developers publish insecure applications because users have good firewalls, right?

Is there a way to mute people on this board? I looked, but I can’t find one.

1. Could it be you’re mixing up security and privacy? You initial concern was about leaking information due to the outbound connections the weather-component makes. It does not create a command and control server which allows external access to compromise your networks security.
2. Developers should ship software which is safe to use (within their best efforts and knowledge). As noted in 1., the relevant weather-component only performs outbound queries. So there is in fact no security issue. Only a privacy issue.
3. By default a Home Assistant installation doesn’t know about your location, and keeps not knowing it until you set it. So by default it does not publish private data (not taking your public IP into consideration).
4. A network-security enthusiast with such a focus on privacy would never allow arbitrary outbound traffic from a secure network into a public network in the first place. I don’t want to be offending, but expecting a piece of software, which primary task is communicating with devices across networks to aggregate data, not to establish one or more outbound connections by default to showcase a minimal part of its functionality is just plain naive.
5. Home Assistant isn’t marketed as software that never talks to external services (without proper configuration).
6. Have you complained at Apple, Microsoft, Ubuntu (etc. whatever) yet? They all communicate with external resources by default. And some of those vendors even have the nerve to charge you for their software, while not quitting to perform their communication. Scandalous!

I think I found it. Click you user I con & then the gear.
With Preferences selected at the top, select Notifications → Users on the left.

That looks like the right place but I have not tried it.

Thank you for the warning. Because a couple of my clients have time-critical applications, my networks often have two machines that test and compare times from three randomly-chosen NTP servers from a list, then elect one as a source for that instant. Then those local servers become the sources for the rest of the network.

Why does Hasio call NTP servers instead of using the local system time? Every operating system that I know of that can run Hasio already checks their networks’ authorized NTP servers or, if there aren’t any, the OS specifies its own default NTP server.

definitely looks like that should work.

…but the OP blocks @nickrout at their peril.

He’s a productive member here and has good information to offer and generally willing to help (even if occasionally a little gruff, sarcastic and bossy ). It’s never good to burn bridges right out of the gate. If that’s all it takes to get under your skin bad enough to block someone then I take it this is your first day on the internet?

Thanks for the warning, but if that was typical of the quality of posts that I can expect from him, then my policy of allowing only one strike is justified. Besides, it looks like there are a lot of other helpful people here, and I’m grateful for their suggestions.

In fact, my main question was answered in the first response that I got, from gpbenton, and I’m quite satisfied with the result. As far as I’m concerned, my issue has been resolved.

You must not be human then.
No human can honestly say they are perfect and always say & write the proper thing. Generally if they state that, they are not honest.

bosborne There are 7.7 billion people on the Earth. Filtering is not optional. It’s a requirement for properly allocating one’s limited time here.

That may be true, but triggering on one strike is NOT reasonable IMHO.
I guess I make your ignore list too.

I had a similar doubt (about location access) with recent build(s) after seeing a location related entry (don’t remember exact details now) alluding to resolving location even though my config has 0 for coordinates. Again, not 100% sure if this was HASS or the SUN or YR or some component reporting this in logs… I’d have to do a complete check later.

I guess then the question is does home-assistant resolve location details through the Internet connection or other means without having the coordinates? Apart from literature (and our motto here), was this verified?

And, in general news, [google, youtube] a bit about “Intel IME” or “AMD PSP”. You’d be surprised how secure our systems truly are!

They are not, “going to get in”… they are “already in”!

I understand that at one stage HA was trying towork out location nie geoiplocation, I recall my very first install thought I was at my ISP’s address in downtown Auckland which is, I dunno, 1.5 hours flight away.

Whether it is still doing this I am not sure, as I have been copying configuration.yaml from install to install.

I don’t block people for simple disagreements. I expect disagreements. I /hope/ for them. How else can I learn unless I hear opposing ideas and opinions? I learn when I’m wrong. I don’t even mind if someone is a jerk when they disagree, although I do tend to sneer at amateurs. (I’m a /professional/ jerk.) I have only one simple requirement: Don’t waste my time. Nickrout ignored certain simple principles that are at the core of my profession and are no longer subject to debate (I’m a sysadmin). That was Strike One. He’s out.

Yes.

Systems such as Home Assistant are intended to be used in people’s homes. It is not unreasonable to assume that people want privacy in their homes. In additions, systems such as Home Assistant will be used to help maintain the security of people’s homes, and our security depends as much on our privacy as on the strength of the locks on our doors.

You say that Home Assistant doesn’t know about my location until I tell it. That is not relevant when it sends information requests, even with a bogus latitude and longitude, to a weather service. That service then knows that a computer, which is sufficiently uniquely identified by the IP address from which the request came, the HTTP header of the request, and the time, is polling it for data.

Criminals create virtual honey pots by intercepting such unencrypted traffic. In this case, they would know that my computer is running software that contains a host of insecurities, not the least of which is the AIO web server which controlled by a sudoer user account that doesn’t have a password.

I don’t mind that HA is insecure as it is now. It’s still an alpha project, and I expect it to be insecure. Believe me: It does not have access to the rest of my network, and it will not be controlling anything in my home any time soon.

As it turns out, my security depends on my privacy, and Home Assistant is noisy by design. From a security perspective, that is a greater weakness than even having an unprotected privileged user account control vital systems.

As to your point 5, Home Assistant is also not marketed as a product that is dangerous to use for the control of vital systems in people’s homes, but it should be. No system intended for any home control should ever communicate with the outside world unbidden. Others have learned that the hard way. Let’s hope that Home Assistant’s developers don’t suffer the same experience.