Supply chain attacks on FOSS have recently increased massively. If it was already bad before, it has become really bad recently.
The HA community is rightly proud of the title of the most active project on GitHub. 17,000 committers is a gigantic number. But it’s also a bit scary. I wonder: who is that? Are they all always up to good?
A smart home control center is a very valuable target. It runs 24/7, usually has a lot of computing power and is often not permanently monitored. Depending on the network, it has access to everything else in the house. This often includes critical systems such as the heating and energy systems, cameras and microphones. HA also runs with far-reaching rights in its respective environment.
What happens if a maintainer in one of the countless dependencies breaks down or goes bad?
And I’m not even talking about HACS. The “Alexa integration” case is a frightening example from several perspectives.
But I am thinking more about the almost unmanageable number of external dependencies in the HA core and frontend.
What is the HA community or the core team / Nabu Casa doing to make this horror scenario less likely?
Is there a security strategy that also covers the supply chain?
I know IT security can be annoying and boring. But personally, I’m starting to get queasy with every update.
In my opinion, Nabu Casa has gone overboard with security. Every integration has various degrees of security protocols. Thankfully most are optional.
I keep reading, here and on other forums, the panic of “exposing” my home to hackers, but no one has ever been able to cite an instance of this really happening. Yes, there have been accidental API leaks, for example Wyze accidentally let some users see other users’ cameras on the Wyze app. But that is the risk of any cloud-based system. Very few Home Assistant integrations that use the cloud have no local-only alternatives.
Just what risks are you so afraid of that have actually happened?
No, no. I don’t see the main problem with cloud services. Even though I generally avoid them - but mainly for other reasons.
I mean, for example, backdoors that have been smuggled into libraries. There are Python libraries that are only maintained sporadically and incidentally by their original creator. It becomes critical when these libraries appear in a large number of dependencies. Attackers are now very clever and often take a very long-term approach. An attack vector is slowly distributed via countless, usually inconspicuous, pull requests. This can take months or years.
North Korea has just further expanded a massive infiltration campaign. The main targets are servers belonging to companies and authorities. But they also attack components of entire software stacks that can also be used in HA.
You could have been infiltrated long ago without realizing it. That would be typical of state hackers. They install infostealers, steal passwords, session cookies and sell them on the darknet. But the main purpose is to use your machine as a weapon of attack on day X.
Look at the forum here for posts about unknown connections.
There are a lot of people here monitoring their connections in ways that would make banks and states envious.
Nothing would survive more than a few minutes in the wild in the HA world without an outcry in the forums.
NabuCasa do hire external security audits from time to time.
Here is one of the reports.
Security requires a holistic approach. I see the main problem as not understanding the interdependencies and complexity of the technology being used and how to manage the associated risks. Solving for a single attack vector is not enough.
You can run HA without Nabu Casa if this is your concern. My concern is devices phoning home to send my information to manufacturers. Therefore HA is an excellent solution as its main goal is to work locally. Add a firewall and block these devices from connecting to the internet. Then you’ll find out who is calling home. Like a simple Tuya device, that even when working locally, will fail to work if it cannot phone home. Most cameras try to send stuff every minute. I think that is a bigger risk…
The topic wasn’t meant to be that easy peasy. Security design is clearly a topic of development, not just a let’s-talk-about-it-over-a-cup-of-coffee issue.
If of the 397,789 HA instances currently running somewhere, even 50% have relatively free access to the Internet - and I estimate the value to be significantly higher - we are talking about a major potential botnet.
I currently see the biggest edge in the Python/Pip and npm dependencies. The best code quality in your own project is of no use if you become vulnerable through dependencies.
And I asked myself whether at least something like OWASP Dependency-Check or other SCA tools are used in the dev workflow.
It’s clearly a strategic and operational development issue and I wonder what it’s doing at Social. But of course it’s fine if you don’t want to take the topic seriously.
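As an added illustration of what an SCA step over the Python/pip dependencies would check, here is a small audit that is not Home Assistant's tooling: it flags requirements that are not pinned, pinned without a `--hash` (which `pip install --require-hashes` would refuse), and pinned to a version inside a known-vulnerable range. The requirements file and the advisory ranges are constructed sample data, not real advisories.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requirements file, in the form pip consumes.
# The hash value is a placeholder, not a real artifact digest.
REQUIREMENTS = """\
aiohttp==3.9.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml==5.3.1
requests>=2.0
"""

# Constructed advisory data: package -> [(introduced, fixed) version ranges].
# A real SCA tool would pull this from a feed such as OSV or the NVD.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "pyyaml": [("0", "5.4")],       # constructed: vulnerable before 5.4
    "aiohttp": [("3.0", "3.9.0")],  # constructed: vulnerable before 3.9.0
}

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.9.1' into (3, 9, 1); non-numeric suffixes are dropped (simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text: str) -> List[dict]:
    """Extract name, operator, version and hash presence from each requirement line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if m:
            entries.append({"name": m.group(1).lower(), "op": m.group(2),
                            "version": m.group(3), "hashed": "--hash=" in line})
    return entries

def audit(text: str, advisories: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return findings: unpinned deps, unhashed pins, and known-vulnerable versions."""
    findings = []
    for e in parse_requirements(text):
        if e["op"] != "==":  # a range lets a future malicious release slip in
            findings.append(f"{e['name']}: not pinned with == (got {e['op'] or 'no version'})")
            continue
        if not e["hashed"]:  # without a hash pip cannot verify the downloaded artifact
            findings.append(f"{e['name']}: pinned but no --hash")
        v = parse_version(e["version"])
        for lo, hi in advisories.get(e["name"], []):
            if parse_version(lo) <= v < parse_version(hi):
                findings.append(f"{e['name']}=={e['version']}: vulnerable, fixed in {hi}")
    return findings
```

Run against the sample data it reports three findings: `requests` unpinned, `pyyaml` unhashed, and `pyyaml==5.3.1` inside the constructed vulnerable range.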
GitHub have a security team that checks projects now and then and also looks at dependency libraries.
NabuCasa also hire external reviewers, like Cure53.