Abstract: Home Assistant had two security audits done as part of our regular security assessments. You are safe. No authentication bypasses were found. We did fix issues that could have let an attacker trick users into handing over control of their instance. All fixes are included in Home Assistant 2023.9 (released on September 6, 2023) and the latest Home Assistant apps for iOS and Android. Please make sure you are up to date.
Security is very important to us at Home Assistant and Nabu Casa. Being open source makes it easy for anyone to audit our code, and, judging by the issues that get reported, people do. However, you also need to hire people to do an actual security audit to make sure that all of the critical code has been covered.
Subscribing to Home Assistant Cloud provides funding for the ongoing development and maintenance of Home Assistant, including external security audits. To make sure that our security is top-notch, Nabu Casa hired Cure53 to perform a security audit of critical parts of Home Assistant. Cure53 is a well-known cybersecurity firm that has previously found vulnerabilities in Mastodon and Ring products.
Cure53 found issues in Home Assistant, three of which were marked as "critical" severity. The critical issues would allow an attacker to trick users and steal login credentials; they required user interaction and did not bypass authentication on their own. All reported issues have been addressed as part of Home Assistant 2023.9, released on September 6, 2023. No authentication bypass issues were found. According to Cure53's report:
The quality of the codebase was impressive on the whole, whilst the architecture and frameworks deployed in all relevant application areas exhibited resilient design paradigms in general. Frontend security in particular exhibited ample opportunities for hardening, as compounded by the Critical associated risks identified. However, once these have been mitigated, an exemplary security posture will certainly be attainable.
In August, the GitHub Security Lab also audited Home Assistant. They found six non-critical issues across Home Assistant Core and our iOS and Android apps. Two of the issues overlapped with Cure53's findings. All reported issues have been fixed and released.
We want to thank both teams for their audits, reported issues, and keeping our users safe 🙏
All found issues have been added to our security page. This page has been updated to include an ongoing timeline of reported issues, who disclosed each one, and a link to the issue report on GitHub.
If you think you have found a security issue, check out our security page for how to report it to Home Assistant.