6.03.20183 min

Marcin Teodorczyk intive

Challenge everything? Home Assistant security bug found & fixed

Sometimes tracking down holes in existing software can be as exciting as delivering top quality code. Especially when your findings result in greater Internet security for all. 

Challenge everything? Home Assistant security bug found & fixed

Looking for weak points within code, bugs that have the potential implications in terms of intruders – that’s my job at Intive. I recently helped Home Assistant platform in making their environment safer. Challenging open-source projects is what I do for fun. 

Home Assistant is a user-friendly tool that makes the Internet of Things easily manageable and available to everyone. It can be deployed on Raspberry Pi and integrates out-of-the-box with products like: Alexa, Apple TV, Belkin WeMo, Google Cast, IKEA Tradfri, Philips Hue, Plex and Sonos to name a few. The project focuses on home control and home automation. To put it simply: hub’s creators see it as a switch from ‘app per device’ to ‘one platform for all’. Intelligent devices are slowly becoming real game-changers when it comes to everyday life. The only problem is that they often don’t communicate well enough to create a complete and easily accessible system. Home Assistant is a free solution that speaks to all the different protocols devices use. It serves as a handy translator and offers a neat UI.

Testing skills in my free time

Being an open-source project, Home Assistant presents a great testing field for all the different issues developers might want to tackle. Open and free-for-all software solutions rely on user feedback. In my case, the testing ground was the security of the system. At some point, in between my intive tasks, I figured I’ll try and see if the platform’s tight and intrusion-resistant. I performed a series of tests. It took me about one day of testing their input validation to discover that the system was vulnerable to XSS. Using the endpoint /api/states/persistent_notification.httplogin (check out the gif above) it was possible to inject arbitrary javascript code that would be executed when a user visits the main page of the web interface. This meant that an attacker could theoretically perform any action in the name of an authenticated user.


Medium level danger yet big satisfaction

My proof of concept has been performed with access to a local network and API. As long as those are required, there is a minor security risk. However, with autodiscovery and many third-party components supported by Home Assistant, such vulnerability was potentially exploitable, by placing a malicious autodiscoverable service on the network or exploiting a third-party already configured service.

The intive Common Vulnerability Scoring System v3.0 Calculator (a tool just recently made available through our intive website) rated this particular bug as a medium level defect (4.3/10).
Home Assistant team's reaction was quick and professional. Within days the vulnerability has been removed. I got a thank you, but more importantly, I have a feeling I contributed to the open-source enthusiasts’ community. Thanks to devs spending some extra time, software quality and security are being tested on a daily basis. It brings benefit to the users, the software itself gets safer, and the testers gain knowledge in the process. So, it’s a win-win-win situation for everyone.


New version of the platform

On November 4th a fixed version of Home Assistant 0.57 was published. That counts as my reward. Some proprietary software solutions providers also welcome such tests and even organize bug bounties programs for those who love to track down system vulnerabilities. In my case, it’s all about a security issue that’s being reported and solved.