marcin teodorczyk

6 min read

Challenge everything? Home Assistant security bug found & fixed

Marcin Teodorczyk

Senior QA Engineer

Sometimes tracking down holes in existing software can be as exciting as delivering top quality code. Especially when your findings result in greater Internet security for all.  Looking for weak points within code, bugs that have the potential implications in terms of intruders – that’s my job here, at intive. My name is Marcin Teodorczyk and I recently helped Home Assistant platform in making their environment safer. Challenging open-source projects is what I do for fun. 

Home Assistant is a user-friendly tool that makes the Internet of Things easily manageable and available to everyone. It can be deployed on Raspberry Pi and integrates out-of-the-box with products like: Alexa, Apple TV, Belkin WeMo, Google Cast, IKEA Tradfri, Philips Hue, Plex and Sonos to name a few. The project focuses on home control and home automation. To put it simply: hub’s creators see it as a switch from ‘app per device’ to ‘one platform for all’. Intelligent devices are slowly becoming real game-changers when it comes to everyday life. The only problem is that they often don’t communicate well enough to create a complete and easily accessible system. Home Assistant is a free solution that speaks to all the different protocols devices use. It serves as a handy translator and offers a neat UI.

Testing skills in my free time

Being an open-source project, Home Assistant presents a great testing field for all the different issues developers might want to tackle. Open and free-for-all software solutions rely on user feedback. In my case, the testing ground was the security of the system. At some point, in between my intive tasks, I figured I’ll try and see if the platform’s tight and intrusion-resistant. I performed a series of tests. It took me about one day of testing their input validation to discover that the system was vulnerable to XSS. Using the endpoint /api/states/persistent_notification.httplogin (check out the gif above) it was possible to inject arbitrary javascript code that would be executed when a user visits the main page of the web interface. This meant that an attacker could theoretically perform any action in the name of an authenticated user.

Medium level danger yet big satisfaction

My proof of concept has been performed with access to a local network and API. As long as those are required, there is a minor security risk. However, with autodiscovery and many third-party components supported by Home Assistant, such vulnerability was potentially exploitable, by placing a malicious autodiscoverable service on the network or exploiting a third-party already configured service. The intive Common Vulnerability Scoring System v3.0 Calculator /(a tool just recently made available through our intive website) rated this particular bug as a medium level defect (4.3/10).

Home Assistant team's reaction was quick and professional. Within days the vulnerability has been removed. I got a thank you, but more importantly, I have a feeling I contributed to the open-source enthusiasts’ community. Thanks to devs spending some extra time, software quality and security are being tested on a daily basis. It brings benefit to the users, the software itself gets safer, and the testers gain knowledge in the process. So, it’s a win-win-win situation for everyone.

New version of the platform

On November 4th a fixed version of Home Assistant 0.57 was published. That counts as my reward. Some proprietary software solutions providers also welcome such tests and even organize bug bounties programs for those who love to track down system vulnerabilities. In my case, it’s all about a security issue that’s being reported and solved. 

Challenge everything!
About pattern image
  • Data and files
  • Confirmation

How can we help you?

Please provide information so we can contact you.
Please provide correct name
Please provide correct e-mail
Please provide correct description
Attach a file if you wish
You can upload up to 5 files. Max file size: 5MB Allowed file types: .pdf, .doc, .docx, .docm, .ppt, .pptx. File name length must be less than 50 characters File name must not contain two or more spaces in a row File name must not contain the following characters: \/?|<>:*'"+,;=[]&
    We adjusted your file name to our file naming convention. This file extension is not accepted. Please upload one of following file types: .pdf, .doc, .docx, .docm, .ppt, .pptx. This file is too large. The max upload file size is 5MB. Your file size is tiny, please check if you upload correct file.
    Please read and agree to the terms and conditions in order to continue.
    • The controller of personal data in relation to the messages sent using a contact form and in answering questions sent is intive S.A. with its registered office in Szczecin, Plac Hołdu Pruskiego 9, 70-550 Szczecin. More information on the principles of personal data processing, including the purposes of processing and the rights of individuals, is available in our Privacy Policy.

    Message Sent

    Thank you for your trust, {name}.
    We are looking forward to talk to you.
    Our representative will contact you.
    Dirk Heider

    VP, Project Delivery

    Oh no!

    We have run into problems while submitting your form. Please try again later.