Telegram security

I am using Telegram as my only way to control Home Assistant while out of wifi range. I have set it up with allowed chat id’s as in the documentation.

I have for fun deleted my wife as an allowed chat id, but since the Telegram bot is public I can still from her phone chat with it. I can then from her phone send commands to Telegram - it doesn’t respond to her account, but it does to mine, so commands she sends is responded to by Home Assistant, the acknowledgement is only sent to me however. So theoretically someone chatting with “our” bot can send the message to deactivate the alarm. Can I somehow make sure that Home Assistant is only responding to allowed chat id’s?

I know it is a very theoretically problem, as someone has to know our bot, has to know commands that the bot does not directly respond back to, and has to know the location of our house to make it really uncomfortable, but still?

You mean in your configuration.yaml? That would indeed be pretty bad. I don’t use telegram commands to control HASS, but I was under the assumption, that if you remove a chat-id from the configuration, then neither inbound nor outbund messages have any effect. :thinking: I’d go as far as saying this might be a bug in the component.

Seem’s a critical issue.
Can you share how your configuration files where before and after the modification to let investigator test?

1 Like

It was my fault hands down - I commented out my wife for the notify component and then restarted, and then commented her out in the allowed chat id’s, but then apparently didn’t restart properly, so when I did the test her chat id was still allowed, and thus it makes sense that Home Assistant reponds. Today when I also commented her allowed chat id out and restarted the bot and Home Assistant did not respond at all.

When I add her back again it of course works again.

Sorry for the false alarm :frowning:


Hey @Morten_DK,
could you please share your configaration files?
i would like to implement the same thing

Sure :slight_smile:

It looks like this:

  - platform: polling
    api_key: <BOTID>
      - <CHATID1> #Morten
      - <CHATID2> #Trine
  - name: Telegram_morten
    platform: telegram
    chat_id: <CHATID1>

  - name: Telegram_trine
    platform: telegram
    chat_id: <CHATID2>

  - name: Telegram_all
    platform: group
      - service: telegram_morten
      - service: telegram_trine

API key is the one you get for your Telegram BOT and the chat id’s are the one for your specific users.

Hope that helps otherwise let me know.

Thnx for the quick reply,
How ever my problem is how you connected telegram with the alarm itself with acknowledgement and sich. (i am using it for simple notifications),