Sometimes tracking down holes in existing software can be as exciting as delivering top quality code. Especially when your findings result in greater Internet security for all. Looking for weak points within code, bugs that have the potential implications in terms of intruders – that’s my job here, at intive. My name is Marcin Teodorczyk and I recently helped Home Assistant platform in making their environment safer. Challenging open-source projects is what I do for fun.
Home Assistant is a user-friendly tool that makes the Internet of Things easily manageable and available to everyone. It can be deployed on Raspberry Pi and integrates out-of-the-box with products like: Alexa, Apple TV, Belkin WeMo, Google Cast, IKEA Tradfri, Philips Hue, Plex and Sonos to name a few. The project focuses on home control and home automation. To put it simply: hub’s creators see it as a switch from ‘app per device’ to ‘one platform for all’. Intelligent devices are slowly becoming real game-changers when it comes to everyday life. The only problem is that they often don’t communicate well enough to create a complete and easily accessible system. Home Assistant is a free solution that speaks to all the different protocols devices use. It serves as a handy translator and offers a neat UI.
Testing skills in my free time
Medium level danger yet big satisfaction
My proof of concept has been performed with access to a local network and API. As long as those are required, there is a minor security risk. However, with autodiscovery and many third-party components supported by Home Assistant, such vulnerability
was potentially exploitable, by placing a malicious autodiscoverable service on the network or exploiting a third-party already configured service. The intive Common Vulnerability Scoring System v3.0 Calculator
/(a tool just recently made available through our intive website) rated this particular bug as a medium level defect (4.3/10).
Home Assistant team's reaction
was quick and professional. Within days the vulnerability has been removed. I got a thank you, but more importantly, I have a feeling I contributed to the open-source enthusiasts’ community. Thanks to devs spending some extra time, software quality and security are being tested on a daily basis. It brings benefit to the users, the software itself gets safer
, and the testers gain knowledge in the process. So, it’s a win-win-win situation for everyone.
New version of the platform
On November 4th a fixed version
of Home Assistant 0.57 was published. That counts as my reward. Some proprietary software solutions providers also welcome such tests and even organize bug bounties programs for those who love to track down system vulnerabilities. In my case, it’s all about a security issue that’s being reported and solved.