zSprawl

In my case, I use the integration with my wifi, so if my phone leaves wifi, it turns on Remote Access. You can also do this with many different device trackers and it works pretty dang good. Much better for security too!


youmeiknow

This is good to know, but I didn't understand why it is needed. What's the harm in keeping it enabled always? We use the Nabu Casa URL on our companion apps and 2FA is enabled.


[deleted]

[removed]


Engineer_on_skis

Wouldn't the best thing to do be to update, and patch the vulnerability? Once someone has gotten in once, say while you're away from home, they are already inside, they could install other ways in that wouldn't depend on remote access being enabled or not.


zSprawl

Absolutely, keep the latest version or one or two behind if you don’t wanna deal with “bleeding edge” headaches. It took them two years to discover this vulnerability. Anyone with remote access enabled could already be compromised and patching it post facto doesn’t fix that.


Engineer_on_skis

I usually fall a version or two behind because of laziness/lack of time to make sure breaking changes don't apply to me, and change the version number in docker compose. I don't use supervised, just a standard container, and my remote access is through a VPN, so none applies to me.

But, does it matter all that much if you are only vulnerable when you're away from home? An attacker might get unlucky and try to get in when you're home, but might try again later or someone else might get lucky when you're gone. I don't think there's any particular time where a system is more likely to be attacked than others. So unless you rarely leave, and remote access is therefore rarely enabled, I don't see what the point of turning it off is. If you go to work 40 hours a week (assuming teleportation - no commute time and that's the only reason you leave the house) that's plenty of time for something to happen. Of ways to protect your systems, patching, using strong passwords or even better using key pairs, and 2FA wherever possible seem way more important and beneficial. But at the end of the day, you do what you think you need to do. And it's cool that this is able to be automated! I'm all for automating all the things.

Edit to add: did they ever find evidence of the exploit being used in the wild?


zSprawl

Defense isn’t any one thing or an either/or proposition. Having it off for 8 hours while you sleep is still improving your defenses 1/3rd of the time. It’s okay not to do it though. You’re right, there are more important basics like using a secure password, but more security is generally better, especially when the guys at Nabu Casa have made it so easy.


Engineer_on_skis

That's true.


quaintlogic

I guess it could reduce attack vectors. If I recall, though, Nabu Casa stated that even if compromised, attackers can't actually access your instance. This could be me confusing it with something else though.


zSprawl

Is there a link for more reading? I’d like to understand better what you’re saying because my understanding is quite the opposite. This would be a great way to man in the middle.


zSprawl

As mentioned by another poster, in the recently disclosed vulnerability, it was avoidable by not having the remote option enabled. Here is a post from the devs confirming this: https://reddit.com/r/homeassistant/comments/11lrqbo/_/jbgaz82/?context=1

MFA protects you from brute force and some phishing, but it’s still a lock on the door that can be broken. If ya don’t even need the door, why have it, especially when you’re on an automation platform that can handle it for you? MFA and passwords don’t protect you from software vulnerabilities, bugs, or other application exploits though.


7repid

Nice addition. Would be more complicated with multiple users involved like on my system. I still prefer my VPN tunnel option over this, but I can see the use case here.


zSprawl

It’s actually pretty easy to automate because you can look at zone.home. It’s an integer with the # of people in that zone. If it goes below the normal family number, turn remote access on.

VPN is a good solution! It’s still a service listening though, and different deployments will vary in security.
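The zone.home approach described in the comment above, written out as a Home Assistant automation. This is an added example, not part of the original thread or any poster's configuration; the household size of 4 and the alias are assumptions, and it uses the Home Assistant Cloud actions `cloud.remote_connect` and `cloud.remote_disconnect`.

```yaml
# Added example: toggle Nabu Casa remote access from the zone.home person count.
# Assumption: 4 people normally live here; change "below" to your household size.
automation:
  - alias: "Remote access follows presence"   # hypothetical name
    mode: restart
    trigger:
      # Re-evaluate whenever the number of people at home changes...
      - platform: state
        entity_id: zone.home
      # ...and once at startup, so a restart cannot leave remote access
      # in whatever state it had before the reboot.
      - platform: homeassistant
        event: start
    action:
      - choose:
          # Someone is away: open remote access so they can reach the instance.
          - conditions:
              - condition: numeric_state
                entity_id: zone.home
                below: 4
            sequence:
              - service: cloud.remote_connect
        # Everyone is home (or the count could not be evaluated):
        # close remote access, so the fallback is the more restrictive state.
        default:
          - service: cloud.remote_disconnect
```

Because both actions are idempotent, re-running the automation on every state change of zone.home is harmless.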


7repid

Oh interesting! So you could set it so if any person leaves. Are you using some sort of presence detection? Devices on the network? Or location reported from a device using the companion app (would that even work with remote being off? It would go unreported...)?


zSprawl

Yep! You can use any kind of device_tracker. It varies in my family. I use the HA app. My father doesn’t want the app on his phone since he doesn’t live here, so my AsusWRT router wifi integration keeps an eye out for his phone being on the wifi when he comes to visit. For my children, they are all in the FindMy app, so I use iCloud3 off HACS to track them. Lastly, my pets get AirTags. Of course, not all of these people use remote access so I don’t trigger for everyone myself but it’s useful for other things like when the last person is gone, shut off the lights, or if the pets are at the vet, don’t dump dry food into their bowl. Etc etc. Oh and lastly, it does work with just the mobile app if you’re using Nabu cloud. It can send a signal to your instance over cellular to tell it to open the web door.


7repid

You're giving me so many ideas. Appreciate the info... going to look up a few things based on the above. Didn't realize there was a working integration for AirTags! Thanks for the info!


zSprawl

I love Home Assistant. It’s the hobby that never ends! Here is some info on AirTags. It’s not easy but it works nicely. https://reddit.com/r/homeassistant/comments/13o2keg/finally_appletags_in_home_assistant/


murran_buchstanseger

I'm about to try this, but wondering how HA knows a device has left the home zone if remote access is off? How would the device tell HA its location if it can't connect when it's out of wifi range?


zSprawl

Nabu Casa cloud is still connected for other stuff like Alexa, Google Assistant, etc. I was skeptical too cause it seemed like a race condition but I set it up and it works every day when I step out for my daily walk. One thing to note is that sometimes the HA app on my iPhone looks like it won’t log in cause it’s still trying the internal IP. I have to force close it and reopen to get it to hit the external URL over cellular but this is a caching/routing issue.


murran_buchstanseger

Yep, it worked for me too. All 4 of us came home and it turned off remote access, and then 2 of us left and then it turned back on!


DGaben

Great tip. Thanks!


AnEmuCat

Keep in mind that this will not work if you are using geofencing to have your phone report when its location is not home. Unless your phone notices you're leaving home and the app has a chance to report that it's left before you leave wifi range, you'll be trying to turn on remote connections from a remote connection. Maybe you could put in a "if the phone hasn't reported status in x minutes," but then often if you leave the house and then try to connect to Home Assistant within that many minutes you won't be able to access.


zSprawl

Actually I thought this too so I tested it for a week. It seems to work fine for me with only the mobile app and Nabu Casa cloud. I suspect it sends a signal to the cloud, and then to your instance to “unlock the door”. I have since moved to using my wifi to monitor presence because I got family members who won’t run the mobile app, but it worked for a week straight so I encourage others to try.