Home assistant can not be secured for internet access

The Goal: Smart Heating Control

Home automation is a cool toy but also allows my house hold to be more energy efficient: My aim was to configure my home's heating to switch off when my family is away and turn back on when we return. This is achieved with home assistant, a popular open-source home automation platform, with location/presence notifications from mobile devices. To do this, the home assistant server needs to be accessible from the internet, as mobile devices must communicate with it remotely.

The Constraints

One might suggest using a VPN to secure the connection. However, this approach is impractical for us for several reasons. My main one being that not all devices in our family can connect to a VPN. Given our family's constraints, I concluded that it's necessary to expose home assistant directly to the internet, which in turn introduces a security challenge: protecting the server from unauthorized access.

The Security Dilemma

Home assistant allows authentication using username and password (and even two-factor authentication) as its primary security measure. While this is a solid baseline, I don't think it's sufficient in case there are security issues in home assistant itself. I want to provide defense in depth to protect against opportunistic attackers who regularly scan the internet for exposed systems. This could be applied using a reverse HTTP(S) proxy. However, several limitations made this impossible:

  • Subdomains: Home assistant could be hosted on a "secret" domain/subdomain, but I assume that DNS is not universally encrypted and leaks are to be expected.
  • No Basic Authentication Support: Home assistant's mobile apps cannot handle URLs with embedded credentials (e.g., https://user:pass@hostname).
  • Path Limitations: Home assistant must be hosted at the root path (/), preventing the use of an obscure web host path to deter scanners.
  • Authentication controls: Home assistant responds to authentication failures without a HTTP 200 response that carries JSON data. This also makes it impossible to apply controls based on the amount of HTTP errors for too many authentication attempts.

These restrictions make it basically impossible to provide additional security mechanisms like web server authentication or hiding the service behind unconventional paths. As a result, home assistant's security depends solely on its internal measures.

The Conclusion: A Disappointing State of Affairs

Despite its robust feature set, home assistant's architecture makes it challenging to secure against internet threats. Without the ability to implement defense-in-depth practices, I've concluded that home assistant is not properly securable for direct internet exposure. While it may adhere to software best practices internally, its design limitations prevent users from applying additional layers of protection elsewhere.

Home assistant's reliance on internal security mechanisms leaves much to be desired, especially for users who would like to apply additional access control. I believe this highlights the need for the home assistant community to address these concerns and improve its flexibility for advanced security configurations.

If you find a mistake in this article, you can submit a pull request on GitHub.

Other posts

  1. Home assistant can not be secured for internet access (Sun 15 December 2024)
  2. Modern solutions against cross-site attacks (Tue 26 November 2024)
  3. Prompt Injections and a demo (Wed 18 September 2024)
  4. The Mozilla Monument in San Francisco (Fri 05 July 2024)
  5. What is mixed content? (Sat 15 June 2024)
  6. How I got a new domain name (Sat 15 June 2024)
  7. How Firefox gives special permissions to some domains (Fri 02 February 2024)
  8. Examine Firefox Inter-Process Communication using JavaScript in 2023 (Mon 17 April 2023)
  9. Origins, Sites and other Terminologies (Sat 14 January 2023)
  10. Finding and Fixing DOM-based XSS with Static Analysis (Mon 02 January 2023)
  11. DOM Clobbering (Mon 12 December 2022)
  12. Neue Methoden für Cross-Origin Isolation: Resource, Opener & Embedding Policies mit COOP, COEP, CORP und CORB (Thu 10 November 2022)
  13. Reference Sheet for Principals in Mozilla Code (Mon 03 August 2020)
  14. Hardening Firefox against Injection Attacks – The Technical Details (Tue 07 July 2020)
  15. Understanding Web Security Checks in Firefox (Part 1) (Wed 10 June 2020)
  16. Help Test Firefox's built-in HTML Sanitizer to protect against UXSS bugs (Fri 06 December 2019)
  17. Remote Code Execution in Firefox beyond memory corruptions (Sun 29 September 2019)
  18. XSS in The Digital #ClimateStrike Widget (Mon 23 September 2019)
  19. Chrome switching the XSSAuditor to filter mode re-enables old attack (Fri 10 May 2019)
  20. Challenge Write-up: Subresource Integrity in Service Workers (Sat 25 March 2017)
  21. Finding the SqueezeBox Radio Default SSH Password (Fri 02 September 2016)
  22. New CSP directive to make Subresource Integrity mandatory (`require-sri-for`) (Thu 02 June 2016)
  23. Firefox OS apps and beyond (Tue 12 April 2016)
  24. Teacher's Pinboard Write-up (Wed 02 December 2015)
  25. A CDN that can not XSS you: Using Subresource Integrity (Sun 19 July 2015)
  26. The Twitter Gazebo (Sat 18 July 2015)
  27. German Firefox 1.0 ad (OCR) (Sun 09 November 2014)
  28. My thoughts on Tor appliances (Tue 14 October 2014)
  29. Subresource Integrity (Sun 05 October 2014)
  30. Revoke App Permissions on Firefox OS (Sun 24 August 2014)
  31. (Self) XSS at Mozilla's internal Phonebook (Fri 23 May 2014)
  32. Tales of Python's Encoding (Mon 17 March 2014)
  33. On the X-Frame-Options Security Header (Thu 12 December 2013)
  34. html2dom (Tue 24 September 2013)
  35. Security Review: HTML sanitizer in Thunderbird (Mon 22 July 2013)
  36. Week 29 2013 (Sun 21 July 2013)
  37. The First Post (Tue 16 July 2013)
π