Security Growing Pains

We discuss recent Home Assistant security news, and how we think the project could improve.

Plus a bunch of follow up, emails, and more!

Note: This episode was recorded before the recent second Home Assistant vulnerability

• Security Bulletin 1- Home Assistant — It has come to our attention that certain custom integrations have security issues and could potentially leak sensitive information.
• Security Disclosure 2: vulnerabilities in custom integrations HACS, Font Awesome and others - Home Assistant — . The conclusion is that some custom integrations are still vulnerable to a directory traversal attack while not being authenticated with Home Assistant. It allows an attacker to access any file without having to log in. This access includes any credentials that you might have stored to allow Home Assistant to access other services.
• Generic Thermostat - Home Assistant — The generic_thermostat climate platform is a thermostat implemented in Home Assistant. It uses a sensor and a switch connected to a heater or air conditioning under the hood.
• ATC_MiThermometer — Custom firmware for the Xiaomi Thermometer LYWSD03MMC and Telink Flasher via USB to Serial converter.
• ESPHome — ESPHome is a system to control your ESP8266/ESP32 by simple yet powerful configuration files and control them remotely through Home Automation systems.
• Xiaomi Mijia BLE Temperature and Humidity Sensor - Home Assistant — The mitemp_bt sensor platform allows one to monitor room temperature and humidity. The Xiaomi Mijia BLE Temperature and Humidity sensor with LCD is a small Bluetooth Low Energy device that monitors the room temperature and humidity.
• Xiaomi Mijia Bluetooth Thermometer — New Xiaomi Mijia Bluetooth Thermometer 2 Wireless Smart Electric Digital Hygrometer Thermometer
• Google-drive-backup: Automatically create and sync Hass.io snapshots into Google Drive — A complete and easy way to back up your Home Assistant snapshots to Google Drive.
• Troubleshooting your configuration - Home Assistant