Elttam Researchers Find a Serious Security Vulnerability in Home Assistant Supervisor
Remote code execution flaw requires no authentication and allows for a complete system takeover — so patch now.
Cybersecurity firm Elttam has published an analysis of serious vulnerabilities in the popular Home Assistant automation platform — including a remote code execution (RCE) flaw in the Home Assistant Supervisor integration which leaves unpatched servers open to attack.
"Recently, a few members in our team decided to look into home automation and the inherent risks that come with having a 'smart home,'" the company explains by way of background. "Although IoT [Internet of Things] devices and their associated cloud infrastructure may pose a risk on its own, we decided to look into the very established and known open-source automation ecosystem known as Home Assistant. Although Home Assistant aims to bring devices offline and return power to the user, many users still aim to access their instances remotely, whether that be through a private VPN tunnel, or perhaps exposure to the internet."
It's this remote access that poses a problem, Elttam's research suggests — opening up an avenue of attack from which ne'er-do-wells could jump off into the user's home network. With figures suggesting that as many as 130,000 Home Assistant instances respond to public connection attempts, security is a definite concern — with Elttam's research pointing to a series of vulnerabilities which need to be patched sooner rather than later.
"When looking through [available] integrations, we noticed one particularly interesting one: the Home Assistant Supervisor integration," the team explains. "This integration's purpose is to allow Home Assistant Core (and hence the web application user interface) to interact with the Supervisor. Given the context of the Supervisor's role within the Home Assistant architecture, we understood this to be a very critical security boundary in which a bug could lead to severe outcomes. Auditing this integration resulted in CVE-2023-27482, a pre-authentication RCE vulnerability."
While the Home Assistant Supervisor integration needs to be installed manually for many users, it's installed by default in Home Assistant OS and Home Assistant Supervised — and, by the project's own stats, used in nearly 75 percent of active installations. "[The vulnerability] allowed for a remote unauthenticated attacker to achieve Remote Code Execution (RCE) on the target Home Assistant instance, and consequently, full access to control all smart home devices, stored data and credentials, and also internal access to the home network," Elttam's researchers warn.
"Ultimately, the vulnerability is exploitable as long as the Home Assistant instance runs the Supervisor component with the Supervisor integration and is reachable via the internet or through local network access – random hostnames or TLS [Transport Layer Security] do not provide any form of protection in this case. The simplest way to avoid being at risk from a remote attacker is to not expose the instance to the internet. We encourage users to consider VPN services like Tailscale which make remote access simple and secure."
Anyone running Home Assistant should ensure that Home Assistant Supervisor is either not installed or is at least version 2023.03.3 to patch the vulnerability, and potentially take Elttam's advice and make it less easily accessible from the public internet.
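A small version check for that remediation step, as an added example that is not part of the article or of Elttam's published test code: it classifies the Supervisor's `/supervisor/info` JSON as patched, vulnerable or absent, and the network helper assumes the Supervisor API is reachable through Home Assistant's `/api/hassio/` proxy with a long-lived access token (both assumptions, not stated on this page).

```python
"""Check whether a Home Assistant instance runs a Supervisor at or above 2023.03.3."""
import json
import re
import urllib.error
import urllib.request

# Supervisor 2023.03.3 is the fixed version named in the advisory. The trailing 1 marks a
# final release so that pre-release builds of the same number (e.g. '.dev1') sort below it.
FIXED_VERSION = (2023, 3, 3, 1)

# Constructed sample bodies in the shape of a Supervisor /supervisor/info response.
PATCHED_SAMPLE = '{"result": "ok", "data": {"version": "2023.04.0", "channel": "stable"}}'
VULNERABLE_SAMPLE = '{"result": "ok", "data": {"version": "2023.01.1", "channel": "stable"}}'


def parse_supervisor_version(version: str) -> tuple:
    """Turn a Supervisor CalVer string such as '2023.03.3' into a comparable tuple.

    Any suffix after the patch number (e.g. '2023.03.3.dev1') is treated as a pre-release,
    which ranks below the final release of the same number."""
    m = re.match(r"^(\d{4})\.(\d{1,2})\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Supervisor version: {version!r}")
    year, month, patch, suffix = m.groups()
    return (int(year), int(month), int(patch), 0 if suffix else 1)


def assess_supervisor_info(body: str) -> str:
    """Classify a /supervisor/info body as 'patched', 'vulnerable' or 'no-supervisor'."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "no-supervisor"          # not a Supervisor API response at all
    version = (doc.get("data") or {}).get("version")
    if doc.get("result") != "ok" or not version:
        return "no-supervisor"          # Supervisor integration absent or answering with an error
    return "patched" if parse_supervisor_version(version) >= FIXED_VERSION else "vulnerable"


def check_instance(base_url: str, token: str) -> str:
    """Fetch the Supervisor info via Home Assistant's API proxy and classify it.

    Assumed: the proxy path /api/hassio/supervisor/info and bearer-token authentication
    with a long-lived access token; a 404 means no Supervisor integration is loaded."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/hassio/supervisor/info",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return assess_supervisor_info(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "no-supervisor"
        raise
```

Run `check_instance("http://homeassistant.local:8123", token)` from a machine that can already reach the instance; a result other than `patched` means the Supervisor should be updated or the integration removed.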
More information is available on the company's blog, with a vulnerability test and proof-of-concept attack code available on GitHub.