w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Review Security Architecture of Home Assistant #204

Closed mmccool closed 9 months ago

mmccool commented 2 years ago

I recently set up Home Assistant (over about 30 devices in my house, mostly Zwave, but also some of my own experimental devices) and have some experience now with its security architecture that I should write up. Some brief notes:

  1. Uses the typical-but-not-great approach of not really enforcing security within the local network.
  2. Hub itself is protected, and things like Zwave, etc. do have reasonable security, but the hub actually supports an MQTT bridge that is not protected and exposes (otherwise secure) Zwave devices, so... generally the system is extensible with add-ons but add-ons can also be a source of insecurity.
  3. There is an external remote UI supported and it is protected by OAuth. They also have a mechanism to automatically disable access to people known to be running an insecure version (which they actually invoked last year when a security flaw was discovered).
  4. There are various versions of the hub installation supported, from DIY setups using docker containers to a "managed" OS image installation. A managed installation takes care of managing keys, etc. However, if an attacker does somehow manage to get into a hub, things like API keys etc. can be exposed (no secure store or "vault").

mmccool commented 2 years ago

An additional comment here is that the REST API is protected by bearer tokens (generated by the system, not OAuth) but these can be used without TLS on the LAN. See experimental TDs for Home Assistant access for Retail test case.

mmccool commented 9 months ago

Propose closing, analysis has been done. Summary is that current description mechanisms in TDs work for HA: Bearer tokens, API keys, and TLS.
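The two points above (bearer tokens usable without TLS on the LAN, and TDs describing HA with bearer/API-key/TLS schemes) can be checked mechanically. The following is an added example, not code from this repo or from Home Assistant: a small audit over a constructed TD that flags forms where a credential-carrying security scheme is bound to a non-TLS URL, or where a form has no security scheme at all. The TD contents, hostnames and paths are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample TD (assumption: not a real Home Assistant TD). One
# property with an http and an https form, one action opting out via nosec.
SAMPLE_TD = json.loads("""
{
  "@context": "https://www.w3.org/2022/wot/td/v1.1",
  "title": "ha-light",
  "securityDefinitions": {
    "bearer_sc": {"scheme": "bearer", "in": "header", "format": "jwt"},
    "nosec_sc": {"scheme": "nosec"}
  },
  "security": ["bearer_sc"],
  "properties": {
    "state": {"type": "string", "forms": [
      {"href": "http://homeassistant.local:8123/api/states/light.kitchen"},
      {"href": "https://ha.example.org:8123/api/states/light.kitchen"}
    ]}
  },
  "actions": {
    "toggle": {"forms": [
      {"href": "http://homeassistant.local:8123/api/services/light/toggle",
       "security": ["nosec_sc"]}
    ]}
  }
}
""")

# TD security schemes that place a secret on the wire with every request.
CREDENTIAL_SCHEMES = {"bearer", "apikey", "basic", "digest", "psk", "oauth2"}
TLS_URL_SCHEMES = {"https", "wss", "mqtts", "coaps"}

def effective_security(td, form):
    """Security names applying to a form; a form-level list overrides the TD-level one."""
    names = form.get("security", td.get("security", []))
    return [names] if isinstance(names, str) else list(names)

def audit_td(td):
    """Return (affordance, href, finding) triples for risky forms."""
    defs = td.get("securityDefinitions", {})
    findings = []
    for kind in ("properties", "actions", "events"):
        for name, aff in td.get(kind, {}).items():
            for form in aff.get("forms", []):
                href = form["href"]
                schemes = {defs.get(s, {}).get("scheme") for s in effective_security(td, form)}
                if schemes & CREDENTIAL_SCHEMES and urlparse(href).scheme.lower() not in TLS_URL_SCHEMES:
                    findings.append((f"{kind}/{name}", href, "credential over non-TLS transport"))
                if schemes <= {"nosec", None}:
                    findings.append((f"{kind}/{name}", href, "no security scheme"))
    return findings
```

Running `audit_td(SAMPLE_TD)` reports the plain-http bearer form and the nosec action, and leaves the https form alone.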