[ale] Home Assistant / Docker / Network Security

Discussion:

Derek Atkins via Ale

2018-07-24 14:22:06 UTC

Hi,

I'm looking to install Home Assistant to integrate a bunch of various
home automation tasks (this is a longer-term project, but I'm looking to
start experimenting early). Unfortunately I found [0] which seems to
imply that there is at least one (if not more) serious security flaws in
HA.

My plan was to set up Hass.io in a Fedora VM on oVirt. I was NOT
planning to enable/turn on SAMBA (Eww) -- but it does appear there may
be some other security issue. I suppose I don't HAVE to use Hass.io --
I could theoretically run HA directly on the Fedora VM and manually
install the AddOns -- and I could do this for final deployment -- but I
was thinking about Hass.io at least for my initial experimentation.

However, Hass.io is released as a docker instance -- and I've never run
docker. I can take this as yet another learning experience, of course.
But finding someone more knowledgeable would be a good first step.

So... Anyone run HA? Hass.io? Docker? And have insights to provide?

Thanks,

-derek

[0] https://community.home-assistant.io/t/home-assistant-security-concern/57914
--
Derek Atkins 617-623-3745
***@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Raj Wurttemberg via Ale

2018-07-24 15:27:47 UTC

Permalink

I have run Home Assistant (HA) for about two years now. I run it on a
Raspberry Pi but not in a container. I installed HA directly on Raspbian and
have not really had any issues.

I have my HA monitoring my outside gates, the doors & windows and
controlling several lights. I'm using Z-Wave for everything.

/Raj

-----Original Message-----
From: Ale <ale-***@ale.org> On Behalf Of Derek Atkins via Ale
Sent: Tuesday, July 24, 2018 10:22 AM
To: ***@ale.org
Subject: [ale] Home Assistant / Docker / Network Security

Hi,

I'm looking to install Home Assistant to integrate a bunch of various home
automation tasks (this is a longer-term project, but I'm looking to start
experimenting early). Unfortunately I found [0] which seems to imply that
there is at least one (if not more) serious security flaws in HA.

My plan was to set up Hass.io in a Fedora VM on oVirt. I was NOT planning
to enable/turn on SAMBA (Eww) -- but it does appear there may be some other
security issue. I suppose I don't HAVE to use Hass.io -- I could
theoretically run HA directly on the Fedora VM and manually install the
AddOns -- and I could do this for final deployment -- but I was thinking
about Hass.io at least for my initial experimentation.

However, Hass.io is released as a docker instance -- and I've never run
docker. I can take this as yet another learning experience, of course.
But finding someone more knowledgeable would be a good first step.

So... Anyone run HA? Hass.io? Docker? And have insights to provide?

Thanks,

-derek

_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Derek Atkins via Ale

2018-07-24 15:36:09 UTC

Permalink

So there are no "Add Ons" that you care about?
There did seem to be a few that looked interesting (that I wasn't sure how
to do on my own)

What do you do about security? Can you connect from the outside world?

-derek

Post by Raj Wurttemberg via Ale
I have run Home Assistant (HA) for about two years now. I run it on a
Raspberry Pi but not in a container. I installed HA directly on Raspbian and
have not really had any issues.
I have my HA monitoring my outside gates, the doors & windows and
controlling several lights. I'm using Z-Wave for everything.
/Raj
-----Original Message-----
Sent: Tuesday, July 24, 2018 10:22 AM
Subject: [ale] Home Assistant / Docker / Network Security
Hi,
I'm looking to install Home Assistant to integrate a bunch of various home
automation tasks (this is a longer-term project, but I'm looking to start
experimenting early). Unfortunately I found [0] which seems to imply that
there is at least one (if not more) serious security flaws in HA.
My plan was to set up Hass.io in a Fedora VM on oVirt. I was NOT planning
to enable/turn on SAMBA (Eww) -- but it does appear there may be some other
security issue. I suppose I don't HAVE to use Hass.io -- I could
theoretically run HA directly on the Fedora VM and manually install the
AddOns -- and I could do this for final deployment -- but I was thinking
about Hass.io at least for my initial experimentation.
However, Hass.io is released as a docker instance -- and I've never run
docker. I can take this as yet another learning experience, of course.
But finding someone more knowledgeable would be a good first step.
So... Anyone run HA? Hass.io? Docker? And have insights to provide?
Thanks,
-derek
_______________________________________________
Ale mailing list
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

--
Derek Atkins 617-623-3745
***@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Raj Wurttemberg via Ale

2018-07-24 15:47:12 UTC

Permalink

I think that I really only use the z-wave add-on. I do access my HA remotely but it's though a proxy server. I also only enable remote access if I am going away for a few days.
For the most part I never need to touch my HA, it just runs and sends me e-mail alerts if there are any issues.

/Raj

-----Original Message-----
From: Derek Atkins <***@ihtfp.com>
Sent: Tuesday, July 24, 2018 11:36 AM
To: Raj Wurttemberg <***@c64.us>; Atlanta Linux Enthusiasts <***@ale.org>
Subject: Re: [ale] Home Assistant / Docker / Network Security

So there are no "Add Ons" that you care about?
There did seem to be a few that looked interesting (that I wasn't sure how to do on my own)

What do you do about security? Can you connect from the outside world?

-derek

_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

DJ-Pfulio via Ale

2018-07-24 17:04:26 UTC

Permalink

Wouldn't a VPN be more secure? I know nothing about HomeAssist protocols.

I use VPN (openvpn AES256) or an ssh-SOCKS proxy to access a LAN-only
Plex server.

Patching? Is that not done, like how Asterisk is generally deployed
commercially?

Post by Raj Wurttemberg via Ale
I think that I really only use the z-wave add-on. I do access my HA remotely but it's though a proxy server. I also only enable remote access if I am going away for a few days.
For the most part I never need to touch my HA, it just runs and sends me e-mail alerts if there are any issues.
/Raj
-----Original Message-----
Sent: Tuesday, July 24, 2018 11:36 AM
Subject: Re: [ale] Home Assistant / Docker / Network Security
So there are no "Add Ons" that you care about?
There did seem to be a few that looked interesting (that I wasn't sure how to do on my own)
What do you do about security? Can you connect from the outside world?
-derek

_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Derek Atkins via Ale

2018-07-24 17:22:54 UTC

Permalink

Post by DJ-Pfulio via Ale
Wouldn't a VPN be more secure? I know nothing about HomeAssist protocols.
I use VPN (openvpn AES256) or an ssh-SOCKS proxy to access a LAN-only
Plex server.

Much harder to set up on my Android and iOS devices in order to monitor
the house when I'm out.

Post by DJ-Pfulio via Ale
Patching? Is that not done, like how Asterisk is generally deployed
commercially?

Patching requires code updates that solve the problem... Which requires
developers who acknowledge there is a problem and then fix it.

Based on the (10-page) thread I read, there does seem to be a problem, but
it's unclear if it's based on SAMBA, a combination of proxy, trust, and
x-forward-for, or some other bug. There certainly isn't a "Best Practice"
that I can find.

I suspect securing the docker instance would be much harder than securing
a base OS running HA natively. On the other hand, upgrading the native
HA is probably harder as it's not as simple as clicking a button and
loading the new docker image. (I honestly have no clue how to update a
"pip-installed" thing).

-derek

Post by DJ-Pfulio via Ale

Post by Raj Wurttemberg via Ale
I think that I really only use the z-wave add-on. I do access my HA
remotely but it's though a proxy server. I also only enable remote
access if I am going away for a few days.
For the most part I never need to touch my HA, it just runs and sends me
e-mail alerts if there are any issues.
/Raj
-----Original Message-----
Sent: Tuesday, July 24, 2018 11:36 AM
Subject: Re: [ale] Home Assistant / Docker / Network Security
So there are no "Add Ons" that you care about?
There did seem to be a few that looked interesting (that I wasn't sure
how to do on my own)
What do you do about security? Can you connect from the outside world?
-derek

_______________________________________________
Ale mailing list
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Raj Wurttemberg via Ale

2018-07-24 17:38:54 UTC

Permalink

(From my notes...)

This is how I update my HA:

Upgrade:

sudo systemctl stop home-***@homeassistant.service
sudo su -s /bin/bash homeassistant
source /srv/homeassistant/bin/activate
pip3 install --upgrade homeassistant
exit
sudo systemctl start home-***@homeassistant.service

/Raj

-----Original Message-----
From: Ale <ale-***@ale.org> On Behalf Of Derek Atkins via Ale
Sent: Tuesday, July 24, 2018 1:23 PM
To: DJ-Pfulio <***@jdpfu.com>; Atlanta Linux Enthusiasts <***@ale.org>
Subject: Re: [ale] Home Assistant / Docker / Network Security

H,

Post by DJ-Pfulio via Ale
Wouldn't a VPN be more secure? I know nothing about HomeAssist protocols.
I use VPN (openvpn AES256) or an ssh-SOCKS proxy to access a LAN-only
Plex server.

Much harder to set up on my Android and iOS devices in order to monitor the
house when I'm out.

Post by DJ-Pfulio via Ale
Patching? Is that not done, like how Asterisk is generally deployed
commercially?

Patching requires code updates that solve the problem... Which requires
developers who acknowledge there is a problem and then fix it.

Based on the (10-page) thread I read, there does seem to be a problem, but
it's unclear if it's based on SAMBA, a combination of proxy, trust, and
x-forward-for, or some other bug. There certainly isn't a "Best Practice"
that I can find.

I suspect securing the docker instance would be much harder than securing
a base OS running HA natively. On the other hand, upgrading the native
HA is probably harder as it's not as simple as clicking a button and loading
the new docker image. (I honestly have no clue how to update a
"pip-installed" thing).

-derek

_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Alex Carver via Ale

2018-07-24 19:54:02 UTC

Permalink

Post by Derek Atkins via Ale
H,

Post by DJ-Pfulio via Ale
Wouldn't a VPN be more secure? I know nothing about HomeAssist protocols.
I use VPN (openvpn AES256) or an ssh-SOCKS proxy to access a LAN-only
Plex server.

Much harder to set up on my Android and iOS devices in order to monitor
the house when I'm out.

OpenVPN on a phone is actually quite easy. I use it all the time on my
Android. Download the client from the store, generate your system keys
& certs, generate keys and certs for each client, then create an
all-in-one .ovpn file (contains config, keys, certs, etc. in one block)
that the client reads in when creating a new connection.

Post by Derek Atkins via Ale

Post by DJ-Pfulio via Ale
Patching? Is that not done, like how Asterisk is generally deployed
commercially?

Patching requires code updates that solve the problem... Which requires
developers who acknowledge there is a problem and then fix it.
Based on the (10-page) thread I read, there does seem to be a problem, but
it's unclear if it's based on SAMBA, a combination of proxy, trust, and
x-forward-for, or some other bug. There certainly isn't a "Best Practice"
that I can find.
I suspect securing the docker instance would be much harder than securing
a base OS running HA natively. On the other hand, upgrading the native
HA is probably harder as it's not as simple as clicking a button and
loading the new docker image. (I honestly have no clue how to update a
"pip-installed" thing).

If you're worried about security then you'd have to trust the docker
image as well. The same thing goes for Hass.io. It seems that even
Hass.io is one more wrapper to worry about over the base Home Assistant
installation.
_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Derek Atkins via Ale

2018-07-24 20:08:13 UTC

Permalink

Alex,

Post by Alex Carver via Ale
OpenVPN on a phone is actually quite easy. I use it all the time on my
Android. Download the client from the store, generate your system keys
& certs, generate keys and certs for each client, then create an
all-in-one .ovpn file (contains config, keys, certs, etc. in one block)
that the client reads in when creating a new connection.

Where in iOS can I plug that in?

[snip]

Post by Alex Carver via Ale
If you're worried about security then you'd have to trust the docker
image as well. The same thing goes for Hass.io. It seems that even
Hass.io is one more wrapper to worry about over the base Home Assistant
installation.

HA is a bunch of python crap. Hass.io is a docker package and management
wrapped around the python crap.

I feel perfectly comfortable securing a Fedora system. I don't feel as
comfortable securing a bunch of python crap, let along a docker package
around it. :( I feel even less comfortable give the thread I linked in
my OP.

The "benefit" of using hass.io is that it allows "add-ons" (which
apparently are not usable from the raw HA code). Some of the add-ons I
don't care about. Some of the add-ons I can implement myself (e.g.
LetsEncrypt). But there may be others that I *do* care about -- hard to
say.

At least Raj pointed me to the method to upgrade the python crap. ;)

-derek
--
Derek Atkins 617-623-3745
***@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

DJ-Pfulio via Ale

2018-07-24 20:16:13 UTC

Permalink

Post by Derek Atkins via Ale
Alex,

Where in iOS can I plug that in?

https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8

Or you could use IPSec which is supported by both Android and iOS with
the OS.
_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

Alex Carver via Ale

2018-07-24 20:27:14 UTC

Permalink

Post by Derek Atkins via Ale
Alex,

Where in iOS can I plug that in?

You transfer the file to the phone. Then you run the openVPN client and
point it at that file through its "Import Profile" feature.

Post by Derek Atkins via Ale
[snip]

HA is a bunch of python crap. Hass.io is a docker package and management
wrapped around the python crap.

From what I see Hass.io is not even the Docker package, it's a Python
wrapper around the HA python to make configuration easy for new people.
It runs directly on hardware without Docker (so sayeth the docs, it uses
resin-io and was meant to be Raspberry Pi specific). The Docker
wrapping is a third layer of abstraction.

Post by Derek Atkins via Ale
I feel perfectly comfortable securing a Fedora system. I don't feel as
comfortable securing a bunch of python crap, let along a docker package
around it. :( I feel even less comfortable give the thread I linked in
my OP.

If you hide everything behind a VPN and never let HA or anything else
talk to the Internet at large directly then you have far less to worry
about than that thread. That thread *everyone* was opening themselves
up to direct connections. 2FA or not, there was a direct connection
available.

I rolled my own HA and security stuff and it all hides behind the VPN.
I can still do anything I want from anywhere as long as I attach to the
VPN. That also keeps lowlifes out since they have to penetrate
something much harder than a simple python script.

Post by Derek Atkins via Ale
The "benefit" of using hass.io is that it allows "add-ons" (which
apparently are not usable from the raw HA code). Some of the add-ons I
don't care about. Some of the add-ons I can implement myself (e.g.
LetsEncrypt). But there may be others that I *do* care about -- hard to
say.

I see, so it's just more wrappers. An "add-on" is nothing more than a
link between something and HA from what I'm reading (actually it's a
link wrapped up in a Docker image). Enventually the add-on just sends
commands to HA via a TCP/IP port.

Post by Derek Atkins via Ale
At least Raj pointed me to the method to upgrade the python crap. ;)

Yes, python isn't hard to update, no harder than apt-get.

I'm disappointed that Hass.io's dependency list includes Network Manager.
_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo