0.73.2 - Security Incident

Paulus Schoutsen July 16, 2018

• Core
• Release-Notes

Comments

Today we are releasing 0.73.2 to fix a security incident. We’ve discovered that 9 months ago, with the release of Home Assistant 0.56, we misconfigured the SSL context that aiohttp used (PR). By trying to do the right thing (use an up to date cert store instead of relying on the system certs), we ended up doing the complete opposite: SSL verification was disabled for outgoing requests that were done using the shared aiohttp session. This is our fault, and not aiohttp’s faults. The impact of this is that certain integrations in Home Assistant have been susceptible to man in the middle attacks.

A man in the middle attack is when an attacker is able to inject itself between you and the server you’re communicating with, allowing it to read and alter the communication. The odds of this happening at home is very rare, yet we wanted to be transparent about this incident.

After research, the following integrations have been impacted. Although the odds are extremely small, we still suggest that if you use any of these integrations, to create new API keys or change your password.

• climate.sensibo
• cloud (only short lived tokens impacted)
• device_tracker.automatic
• duckdns
• freedns
• google_assistant (manual setup)
• google_domains
• homematicip_cloud
• image_processing.openalpr_cloud
• microsoft_face
• namecheapdns
• no_ip
• notify.flock
• notify.prowl
• rest_command
• scene.lifx_cloud
• switch.rest
• telegram_bot.polling
• tts.voicerss

Also impacted, but integrations are read only:

• sensor.airvisual
• sensor.ebox
• sensor.fido
• sensor.foobot
• sensor.hydroquebec
• sensor.startca
• sensor.teksavvy
• sensor.thethingsnetwork
• sensor.tibber
• sensor.waqi

If you are running Home Assistant on a system with Python 3.4, we’ve created a new release 0.64.4b0 with the patch applied. We have made it available as a beta. To install the pre-release run python3 -m pip install homeassistant==0.64.4b0.

For complete transparency, the following two sets of integrations also used aiohttp to send or retrieve data. However, they either did not transmit authentication or only communicated with local devices and services.

Affected, but not transmitting authentication:

• sensor.buienradar
• sensor.citybikes
• sensor.comed_hourly_pricing
• sensor.luftdaten
• sensor.pollen
• sensor.sochain
• sensor.swiss_public_transport
• sensor.viaggiatreno
• sensor.wunderground
• sensor.yr
• weather.ipma
• tts.google
• tts.yandextts
• updater

Local, so cannot be impacted:

• android_ip_webcam
• apple_tv
• camera.amcrest
• camera.doorbird
• camera.familyhub
• camera.generic
• camera.mjpeg
• camera.proxy
• camera.synology
• deconz
• device_tracker.upc_connect
• hassio
• hue
• media_player.bluesound
• media_player.epson
• media_player.kodi
• media_player.squeezebox
• media_player.volumio
• notify.kodi
• qwikswitch
• rainmachine
• scene.hunterdouglas_powerview
• sensor.netdata
• sensor.pi_hole
• sensor.sma
• sensor.worxlandroid
• spc
• tts.marytts