Skip to main content

Remote access - Security aspects

Last updated:

Making a secure solution is a challenge. In this section, we want to discuss the things we do to improve security, what weaknesses there are in our approach, and how we plan to solve them.

Our approach is secure because:

  • All data is encrypted between your browser and your local instance. The local instance has generated and owns the certificate. Therefore, only the local instance will be able to decrypt the incoming traffic.
  • Once a user is communicating with their Home Assistant instance, they will have to log in with their local credentials. These credentials are only stored locally and cannot be impersonated by anyone.

Weaknesses and man-in-the-middle attack

Before we talk about weaknesses, know that we will never abuse any weakness unless forced by a government entity. Our approach has one single weakness that is unavoidable: since we own the domain that hosts the remote connection, we are able to issue our own certificate and man-in-the-middle attack (MITM) remote connections. This would allow us to see all data passing through, including authentication tokens.

It is not going to be possible to avoid MITM attacks. However, it is possible to spot them:

  • You can validate that there is no MITM happening by making sure that the certificate fingerprints matches with the local instance certificate fingerprint. You can find the fingerprint by looking at the certificate info in the cloud configuration page inside Home Assistant.
  • Let's Encrypt takes part of the experimental internet security standard Certificate Transparency (CT). The standard creates a system of public logs that will record all certificates issued, allowing local Home Assistant instances to spot if their certificate is being impersonated. We're exploring how to automatically audit this on the local instance.

Insecure versions

Home Assistant instances known to have security issues to connect to the Cloud are blocked from using the remote access feature. This helps in securing your Home Assistant instance.

Updating your Home Assistant instance to a secure version will allow it to be accessible via remote access once again.

If you cannot update to the latest version of Home Assistant right now and are certain that your instance is safe, you can disable this protection. You do this at your own risk! You can manage this on your Nabu Casa account page.

Please note that such a block only affects the remote access feature. All other Cloud features will keep functioning normally. Amazon Alexa, Google Assistant, TTS and Webhooks will continue to work during a security block.

If this protection has been manually disabled and the Home Assistant Team has identified a new insecure version, it will automatically re-enable the protection by itself. This ensures you are protected if new security issues are found in the future, as quickly as possible.

Currently blocked versions of Home Assistant:

Edit this article on GitHub

Related articles

Home Assistant Green Click here to learn more about the device and where to buy
Home Assistant Yellow Click here to learn more about the device and where to buy
Home Assistant Voice Preview Edition Click here to learn more about the device and where to buy
Home Assistant Connect ZBT-1 Click here to learn more about the device and where to buy
Still need help? Feel free to open a ticket and talk with our Customer Service team Submit a ticket
Our community The community is happy to be of help, just visit the forums or join our Discord server
Community forum Discord chat server