Safety audits of Dwelling Assistant

October 23, 2023

Abstract: Dwelling Assistant had two safety audits finished as a part of our common safety assessments. You might be protected. No authentication bypasses have been discovered. We did repair points associated to attackers probably tricking customers to take over their occasion. All fixes are included in Dwelling Assistant 2023.9 (launched on September 6, 2023) and the newest Dwelling Assistant apps for iOS and Android. Please be sure you’re up-to-date.

Safety is essential to us at Dwelling Assistant and Nabu Casa. Being open supply makes it simple to let anybody audit our code—and primarily based on reported points—folks do. Nonetheless, you additionally want to rent folks to do an precise safety audit to make sure that all of the essential code has been coated.

Subscribing to Home Assistant Cloud gives funding for the continuing growth and upkeep of Dwelling Assistant, together with exterior safety audits. To make sure that our safety is top-notch, Nabu Casa employed Cure53 to carry out a safety audit of essential elements of Dwelling Assistant. Cure53 is a widely known cybersecurity agency that previously discovered vulnerabilities in Mastodon and Ring products.

Cure53 discovered points in Dwelling Assistant, 3 of which have been marked as “essential” severity. The essential points would permit an attacker to trick customers and steal login credentials. All reported points have been addressed as a part of Dwelling Assistant 2023.9, launched on September 6, 2023. No authentication bypass points have been discovered. In keeping with Cure53’s report:

The standard of the codebase was spectacular on the entire, while the structure and frameworks deployed in all related software areas resilient design paradigms normally. Frontend safety specifically exhibited ample alternatives for hardening, as compounded by the Vital related dangers recognized. Nonetheless, as soon as these have been mitigated, an exemplary safety posture will definitely be attainable.

In August, the GitHub Security Lab additionally audited Dwelling Assistant. They discovered six non-critical points throughout Dwelling Assistant Core and our iOS and Android apps. Two of the problems overlapped with Cure53. All reported points have been fastened and launched.

We wish to thank each groups for his or her audits, reported points, and conserving our customers protected 🙏

All discovered points have been added to our safety web page. This web page has been up to date to incorporate an ongoing timeline of reported points, who disclosed it, and a hyperlink to the difficulty report on GitHub.

If you happen to assume you will have discovered a safety situation, try our safety web page on report this to Dwelling Assistant.

Tags: , , ,

More Stories

Aqara Launches New E1 Safety Digital camera with Superior Options

December 4, 2023

Ring Stick Up Cam Professional evaluation

December 3, 2023

FlexiSpot Ergonomic Chair – Automated House

December 2, 2023

Latest Post

Did Home windows 11’s 2023 Replace decelerate your PC? Do this

December 4, 2023

AIDA64 Hits A New Benchmark With v7.00

December 4, 2023

Ex-worker phished former employer to illegally hack community and steal knowledge

December 4, 2023

Aqara Launches New E1 Safety Digital camera with Superior Options

December 4, 2023

Warner Bros. Discovery Administration Voluntarily Acknowledges Animation Manufacturing Staff Unionization Request

December 4, 2023