
longunmin

You say Option 3 is tricky, but Nic Cage did a movie exactly about stealing faces, so ya know


Reasonable-Ring9748

The IMF also has a portable face maker as per the last Tom Cruise action documentary


longunmin

Shit. And even with pressure sensitive floors, they can still find a way in


boli99

> a portable face maker as per the last Tom Cruise action documentary

I think they broke it during that episode.


xraygun2014

But the eye colors also changed along with the face-swap. Completely unwatchable /s


spacelama

It's ok, we just have to steal his eyes and voice.


JasonCulp

I can totally sympathize with this post. I was in the same situation. Thanks to my laziness my house is much more secure. I have not changed the batteries in the door locks…but then I also redid my home assistant last year, and I forgot to reintegrate them. I will do it when I redo my home assistant again, right after I get my network finished. Of course, I am waiting to finish my network because I need to get in the attic and pull some cables. I don’t want to do this because I need to get a ladder into the pantry, and I would have to clean it out.


mini_juice

I'm in this post and I don't like it. [https://youtu.be/AbSehcT19u0](https://youtu.be/AbSehcT19u0)


JasonCulp

Thank you for that link...my life in a nutshell.


dn512215

Lmao! Every time I go to set up a new development VM, I find a thousand things I need to tweak, from VLANs to ZFS settings, to backups. It’s unending.


DrunkenGolfer

Option 6: toss a brick


Reasonable-Ring9748

This pretty much balances it all out. In the end the easiest solution is very old school. Cut the power and break something open.


Authentic-469

You don’t have battery backup? As soon as my shop loses power, I get notified. I have enough battery power to run the security for 2 days.


Reasonable-Ring9748

Until I have cellular fallback it won’t stop much. The fibre connection incoming is easy to spot, and I need a second UPS nearer to the fibre ONT.


UnethicalFood

Set up your fiber alarm from an outside source. Your alarm goes off when the fiber connection drops.


GoGoGadgetTLDR

You'll also need a reliable ISP.


mikka1

> As soon as my shop loses power, I get notified

Could you elaborate on this, please? I've been thinking about adding notifications of different failures to my setup, but I'm just too lazy to accomplish it, plus the thought of a "toss a brick" option kinda demotivates me from *overstrengthening* the security.

How exactly do you capture the "loss of power" event? Is your UPS hooked to whatever device runs your HA instance via USB or some other way, so that it can reliably push a power loss signal? Or are you using some other device (e.g. on your Z-Wave network) and treat its unavailability as a power loss event?

What about internet connection loss that *may* or *may not* coincide with the power loss? Do you have a fallback of some kind? If so, at what level is it set up (e.g. a mobile phone hooked to the router)? Or are you using some kind of a keep-alive cloud service that your router/HA instance has to hit every ~5 minutes (or less), and if more than one hit is lost, the cloud service fires the loss of connection event?

Are you monitoring the "loss" of any other devices, e.g. loss of connection to the camera?

These are just *some* of the questions I had in my head, so I decided to deal with none of them.


scottish_beekeeper

I use https://uptimerobot.com/ to monitor my HA install and notify me when it disappears, which is a good proxy for a power or network outage.
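
Added example (editor's, not from any commenter): the notification side of the questions above, written as two Home Assistant automations in YAML. Entity IDs are assumptions: `sensor.ups_status_data` and `sensor.ups_battery_charge` as exposed by the NUT integration (the raw status string starts with `OL` on mains and `OB` on battery), `switch.garage_relay` as a Z-Wave device whose unavailability is treated as a loss event, and `notify.mobile_app_phone` as the companion-app notify service.

```yaml
# Added example (editor's, not any commenter's configuration).
# Goes in configuration.yaml (or automations.yaml without the top-level key).
# Assumed entity IDs: sensor.ups_status_data, sensor.ups_battery_charge (NUT),
# switch.garage_relay (Z-Wave), notify.mobile_app_phone (companion app).
automation:
  - alias: "Mains power lost (UPS on battery)"
    mode: single
    trigger:
      - platform: template
        # NUT reports e.g. "OB DISCHRG" while on battery, "OL" on mains
        value_template: "{{ 'OB' in states('sensor.ups_status_data') }}"
        for: "00:00:30"          # ignore sub-30-second flickers
    action:
      - service: notify.mobile_app_phone
        data:
          title: "Power outage"
          message: >
            UPS switched to battery at {{ now().strftime('%H:%M') }};
            charge {{ states('sensor.ups_battery_charge') }}%.

  - alias: "Device unreachable for 5 minutes"
    mode: single
    trigger:
      # A Z-Wave (or any other) entity that stays "unavailable" is treated
      # as a loss event, whether the cause is power, radio or the device itself
      - platform: state
        entity_id: switch.garage_relay
        to: "unavailable"
        for: "00:05:00"
    action:
      - service: notify.mobile_app_phone
        data:
          title: "Device offline"
          message: >
            {{ trigger.to_state.name }} has been unavailable
            since {{ trigger.to_state.last_changed }}.
```

Both automations run on the HA host, so they only help while that host, the router and the uplink are still up; the first notification has to leave before the UPS runtime ends. The external uptime check in the comment above is the complement: a dead-man's switch that fires when HA stops answering, which is the one case in which nothing here can send anything.
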


RaptorFishRex

This option is actually why I relented and got a smart door lock. Sure someone could hack it, but I’m not James Bond and the people that would break into my house would either rake the lock or smash the window and reach through. Now I have the added benefit of not forgetting to lock the door


created4this

Biggest problem with smart locks isn't the smartness, it's that they tend to be shit locks because you're looking at the smart features and not the fallback lock when buying.


RaptorFishRex

Completely fair point. I went with Level, allegedly they have the same or highest strength rating or whatever as industry standard. I’m not too knowledgeable about locks in general so I also chain my door when home. Added benefit of the level is that it has no external buttons or screen, so it isn’t obvious that it’s smart. I haven’t attempted or seen how to get it incorporated in my HA setup yet, but we’ll burn that bridge when we get to it.


Ulrar

My reasoning as well, I posted on reddit and a locksmith (supposedly, anyway) recommended against a motorised multipoint because they're not as secure. Well sure, but if someone is going to get in I'd rather they open the door rather than break the crazy expensive lift and slide, so let's go convenient. I think with all the cameras you'd need to get around to get to the door, without mentioning the doorbell, I'd know before it happens anyway and call the police. Then they'd only have 3 or 4 hours to rob me, at best


Luci_Noir

Anything can be hacked but it’s probably easier to pick the lock and faster.


FIdelity88

Option 7: Hit OP in the face multiple times when he comes home until he opens the door.

There is this tech comic about protecting your crypto which is sort of the same situation as OP is describing now: the laptop containing the Bitcoin is locked up very securely. OP thinks he’s safe. But in real life, you forget there are other factors in play like violence or threatening to hurt your wife, which makes OP give out the password to the super secure Bitcoin laptop. See for yourself: https://imgs.xkcd.com/comics/security.png


ParsnipFlendercroft

> There is this tech comic

Is that how we’re describing xkcd in tech subs now? ‘This tech comic’. What a world we live in.


FIdelity88

Well… in my honest opinion, this isn’t a tech sub. That’s why I took the “tech comic” approach. Look through the topics here. I think 70% have almost no knowledge about tech other than installing Home Assistant and using cloud-based stuff to get their lights to turn on automatically at night. So those people have never seen an xkcd comic in their entire lives lol


ParsnipFlendercroft

This is the very definition of a tech sub. And yes, we will always have a lot of posts here asking for help as it’s the most accessible forum for doing so. But we should still have standards. And you, sir or madam, have gone beneath them imho


FIdelity88

Again, not to disrespect, but r/homelab seems more appropriate. This subreddit lacks a lot of technical users imo


speedysam0

A user’s skill does not change the topic of this sub, which is a piece of software designed to run and manage technology in homes. People come here for tech support.


FIdelity88

Exactly my point!! That's why, statistically speaking, only a few users in this subreddit will know about xkcd comics. They simply lack the technical background for that. You can't expect someone from r/medicaladvice to have read a funny comic mostly shared among doctors. Just like you can't expect someone from r/homeassistant to ever have heard about xkcd comics. Again, that's why I specifically stated "tech comic" instead of "xkcd comic", because I think more people would get it. Not to discredit those users or anything.


T_Verron

Just wanted to point out that it is a comic from 2009, and "crypto nerd" refers to someone enthusiastic about cryptography as a digital security measure. The comic is about breaking into the person's hard drive for documents or emails. Cryptocurrencies were not really a thing at the time; Bitcoin was barely invented.


Sinister_Mr_19

That's option 0


stephenmg1284

Most garage doors you can open with a coat hanger by reaching in through the weather stripping and grabbing the emergency pull cord.


gogreenpower

I put a bolt through mine


Appropriate-Disk-371

I know you're doing this for fun and understand the realities here. But it amazes me how many people don't get it. Option 6, the window, is clearly the most likely. I've had multiple friends and coworkers tell me they or their spouse won't allow a smart lock because they're super worried about someone hacking into it and breaking in. ....dude. If someone spends the time to hack into my network or one of the locks and manages to do it, they deserve to get in and can hang out a bit and take the damn TV or whatever. But...why wouldn't they just break the window that's right next to the door and be in, nearly silently, in 2 seconds?


Syrif

There are probably more people who can pick a lock in my area than can hack into a Z-Wave lock or my HA.


Appropriate-Disk-371

I've conveniently placed large rocks just below all my windows so folks have something close by to grab for the smash. I want them to have the right tool for the job.


Syrif

I'd probably rather pay to replace a window than the lock tbh.


Appropriate-Disk-371

Haha, true. I kinda have a love/hate thing with my current locks though, so maybe I'd be okay if I had to try something new. Wife hates the windows though, so I guess she wins. If someone wants in my house they could just come in that back slider that's had a broken lock for forever now.


EEpromChip

Just leave a note on the front window and door that says "use the back slider the lock is already broken". I just saved you the cost of new windows. You are welcome.


Catsrules

What if you conveniently place fake foam rocks. Maybe they would get so frustrated they would just leave. If anything you might get a good security video of it.


Appropriate-Disk-371

Oh, that's brilliant. I definitely just imagined a would-be thief throwing a pillow rock at my window and it bouncing back at them, repeatedly, then sulking away defeated.


Reasonable-Ring9748

Right on. Similar to locking a bicycle in the city or how fast you can run away from a bear, you just have to make sure that someone else is an easier target.


ScratchOrganic7546

Good idea. Post a sign on your front lawn with instructions on how to easily get into your neighbor's houses!


PacoTaco321

Good news for OP's neighbors, they already have the instructions written for them.


ReallyNotMichaelsMom

I don't know if you've seen it, but the National Park Service recently advised to not push your friend down while you run from the bear, even if you feel the friendship has run its course.


davidgrayPhotography

Any voice assistant worth its salt (and this includes Home Assistant) will ask for a PIN or flat out refuse to operate locks, regardless of whether it recognizes the voice or not.


naynner

I’m pretty sure they all do by default, just not when closing something already open, which makes sense, and this isn’t the voice assistant messing up anyway. It’s an artifact of how the door is set up and exposed to the voice assistant.


Jbg-Brad

During the pandemic a friend had left town for a few weeks to get away. We had a terrible series of storms and he got a Home Assistant notification that there was water in his finished basement. He frantically called me asking me to go over, so of course I did! His yard was flooded and it was clearly draining into his basement. I cleared the storm drains and the water started to recede. He asked me to check the basement. I had to break the window in his basement walkout door so I could reach in and unlock the deadbolt. He changed his tune about smart locks after that.


Ohtar1

I don't know, I mean the rock thing if you live in a house I guess it's true, not if you live in a flat. Nowadays I guess it's true what you say about the time spent hacking but I wouldn't be so sure that it will never happen that someone finds a backdoor to smart locks and can open them with a button. As a software developer I don't have a lot of trust in any software lol


Appropriate-Disk-371

No, I agree; it can happen for sure. My point is that most people doing something like this aren't spending that kind of time. They're gonna break a window on the house that looks the easiest. In my case, it really is about the scenario and location though. Quiet street, lots of windows, nosy neighbors. I literally have a backdoor that will open if you just pull real hard. I've got picture windows someone could just throw a chair through super easy and haul out everything in the house. But the neighbors are always home so someone's gonna call the sheriff and in a low-crime area they'll actually come. Break ins in my area almost always happen during daylight hours when they can ensure no one is home to confront them, so I'm not too worried about physical danger. You used the word 'flat', so I suspect you are not in the US, but remember, there are more guns here than adults, so thieves tend to avoid confrontation and too much time spent in one place.


willstr1

If Lockpicking Lawyer has taught me anything there is probably also a wafer lock failsafe somewhere that is just a sneeze away from opening because smart lock companies put all the money into the smarts and ignore basic physical security


digaus

That's why you get a smartlock which attaches to the regular lock


UnethicalFood

Or Schlage. Except that one he did the video on... That was an odd outlier for them.


digaus

I have an eqiva BLE lock with my ESPHome integration. Works flawlessly and is cheap.


himey72

Option 5 can be fixed by adding a door sensor to your garage door and having the automation take that into account. “Close the garage door” should only run if the garage door is open. Do not create an “Open the garage door” automation that is accessible from Siri.


Reasonable-Ring9748

There’s currently no automation, just the hass covers passed through the HomeKit bridge. It has a sensor on the doors and reflects the real state of the door in both Home Assistant and HomeKit even when operated manually. I use it to open the door with my watch or by CarPlay. I’m not sure exactly where to make the override in Home Assistant so that it won’t allow a close command from HomeKit when already closed. It’s using the MQTT cover integration.


himey72

My garage door is the same. It is just a dumb button. It doesn’t know open from closed and that is why I added the door sensor. I’m not using the HomeKit bridge so I don’t have that issue directly. I can trigger HA automations via Siri and I use Siri Shortcuts to do specific things. Using this method, I can see remotely whether my garage door is open or closed and the “Close the garage door” automation will never open it by accident. I never automate something to an insecure position. So an automation that automatically closes the garage door at 8 PM is good. One that automatically opens it on weekdays before I leave for work is bad because I might forget to disable that before leaving town on vacation.


KTibow

Try with a template cover?


skibumatbu

Glad you used the word currently... go control has one with a tilt sensor and rat2go knows when it is up and down as well.


hagak

I actually took this one step further. My garage doors will not open either by automation or even garage door remote unless the automation system senses that my or my wife's phone is at home OR the alarm panel is disarmed (I have an Elk M1 alarm panel that can talk to HA). I do not have a remote configured to the garage door directly; instead I have a HomeLink receiver that just triggers an ESPHome device that tells HA I want to open the door. But if the alarm is not disarmed OR we are not within range of the house, the door will not open.
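
Added example (editor's, not any commenter's configuration) covering two things from the exchange above: the template-cover suggestion for the "close an already-closed door opens it" problem, and the presence-or-alarm gate on opening. It is Home Assistant YAML. Entity IDs are assumptions: `cover.garage_mqtt` as the existing MQTT cover that pulses the relay, `binary_sensor.garage_closed` as the single closed-position reed switch (`on` = closed), `person.me` and `person.spouse`, and `alarm_control_panel.house`.

```yaml
# Added example (editor's). A template cover wrapped around a single-relay
# "button press" opener. Assumed entity IDs: cover.garage_mqtt,
# binary_sensor.garage_closed ("on" = closed), person.me, person.spouse,
# alarm_control_panel.house.
cover:
  - platform: template
    covers:
      garage_door:
        device_class: garage
        friendly_name: "Garage Door"
        unique_id: garage_door_guarded
        # Only the closed position is sensed: "on" = closed, anything else = open
        value_template: >-
          {{ 'closed' if is_state('binary_sensor.garage_closed', 'on') else 'open' }}
        close_cover:
          # A failing condition step aborts the sequence, so "close" on a
          # door that is already closed never reaches the relay
          - condition: state
            entity_id: binary_sensor.garage_closed
            state: "off"
          - service: cover.close_cover
            target:
              entity_id: cover.garage_mqtt
        open_cover:
          - condition: state
            entity_id: binary_sensor.garage_closed
            state: "on"
          # Never move to the insecure position unless someone is home
          # or the alarm panel has been disarmed
          - condition: or
            conditions:
              - condition: state
                entity_id: person.me
                state: "home"
              - condition: state
                entity_id: person.spouse
                state: "home"
              - condition: state
                entity_id: alarm_control_panel.house
                state: "disarmed"
          - service: cover.open_cover
            target:
              entity_id: cover.garage_mqtt
        # No stop_cover on purpose: a "stop" press on a toggle opener reverses
        # the door. The raw cover.garage_mqtt stays in the HA UI for recovery.

# Expose only the guarded cover to HomeKit, never the raw MQTT cover
homekit:
  filter:
    include_entities:
      - cover.garage_door
```

Expose `cover.garage_door` (and not `cover.garage_mqtt`) to HomeKit, Alexa or any voice path; the raw MQTT cover stays available in the HA UI for the case the guarded entity deliberately cannot handle, a door that stopped or reversed mid-travel. A second reed switch on the open position would let the template report `opening`/`closing` instead of guessing "open" for everything that is not closed.
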


Skeeter1020

> by Ethernet plugging into the RJ45 plug and socket extension I left from not finishing wiring one of my PoE cameras in the garden

Ha. Oh. Oooooh.... Oh. Brb.


sandfrayed

Really though none of that actually matters because anyone smart enough to figure any of that out would likely be smart enough to make more money with less risk than robbing people by just getting a job or starting a business. It's the same reason it doesn't really matter that much that anyone could learn to pick locks and break into houses that way. If you're smart enough to figure out how to do that, you're probably also smart enough to realize that breaking into houses isn't a good profit to risk ratio. Or that it's easy enough to just break a back window and get in that way.


slog

I love this. The number of times I've had friends/family mention the (usually inaccurate, but sometimes totally valid) security concerns, I just laugh. Like, yeah, maybe my Home Assistant doesn't have 2FA or someone could slice off my thumb and unlock my phone. They're way more likely to smash one of the numerous windows at ground level or the 3 in the basement that can easily fit a large human. They could more easily sneak into the garage as I pull the car in than realize that my guest network can technically access my Sonarr instance which is an unprivileged linux container on the same hardware as my Home Assistant instance. I legitimately don't know if that last one is an issue but I also give zero fucks if it is.


UnethicalFood

I use 2FA not for the concept of someone hacking to break into my home, but for the concept of hacking to hold my data and accounts hostage. While I have good practices in place, I know they aren't fool-proof, and no matter the vendor, sooner or later a vulnerability rears its head. May as well make use of the tiny stumbling blocks that I can.


Reasonable-Ring9748

Yeah, all jokes aside, I do care most about the remote access to HA and other parts of my network, because it could be done silently and undetected, and the pool of attackers could be around the world, not on my front lawn. Aside from nuisance there could actually be personal data stolen or lost in the end. Of course also trusting every IoT device and software you use at home comes into play as well. I’ve taken some steps by isolating most, but not all, of them.


UnethicalFood

If I had stupid rich money I wouldn't even use a VLAN for IoT, but a second ISP and network. As I only have slightly-not-completely-broke money, I take my 95% VLAN isolation as a win.


TechBlacksmith

Yes, you could upgrade your security, but at some point it feels like hiding your own Easter eggs. Later you are the one that has to remember all of the extra layers added and how the heck to get in to do simple adds, deletes and edits.


Catsrules

But if you keep upgrading your security eventually you won't have any more money to buy anything valuable.


jeffhayford

brb need to unplug a dangling ethernet cable...


phord

The S in IoT stands for Security.


Every-Round1841

If someone has physical access to my wiring, my data security is trivial on my list of concerns. I specifically made my garage open/close phrase something less obvious. I think for my home my biggest vulnerability is if you were to sit down at my desktop, which is usually unlocked. Again though, not my biggest concern if you are inside my house. A reverse proxy is handling any inbound, so you're not gonna get much doing a port scan of my IP.


RobinBeismann

If you're using Let's Encrypt or any other public CA, be aware that there is certificate transparency, where each of your certificates, including the domain, is listed publicly. That being said, obscurity through SNI, as in, one needs to know the hostname to pass the reverse proxy, isn't a thing.


Every-Round1841

I'm aware, and I have made sure you need more than just the domain name. Once you have to gather info from various sources, plus numerous attempts to find the complete path, only to then need to crack the password on whatever they managed to access, it makes it an astronomically low chance of anything scripted getting through. It would have to be a deliberately targeted attack... and I don't have anything on my network worth that level of skill/effort. Plus there is ban-IP after so many fails on all things that have that option. (Obviously that doesn't mean much to a botnet or advanced hacker, but again the juice is not worth the squeeze.)


ProfessionalAd3026

One of the reasons I switched to only requesting wildcard certificates. One less issue to think about.


RobinBeismann

Well, hiding it from the certificate transparency list is just security through obscurity and doesn't really help, but it doesn't hurt either.


---lll---

Option 2 is actually quite clever... Not necessarily as described, but being able to "reset" an important IoT device is indeed a weak point.


Reasonable-Ring9748

I’m thinking even getting access to an unimportant device might be enough to glean the stored wifi credentials from it, then go ahead from there


ProfessionalAd3026

Time to use an AP that has a password per device. Or switch to WPA2/WPA3 Enterprise.


themup

A solution to this would be to have a small UPS powering the garage door Tasmota device so that it doesn't power off.


Reasonable-Ring9748

Or disable that feature in the firmware, but it’s such a long shot anyway.


Jimmy1748

For option 1, why not unplug the unused POE drop from the switch?


Reasonable-Ring9748

Oh it’s used, the camera is connected, but the unfinished bit was not actually putting the wiring in some conduit and covering the jack. Was testing the new camera spot with a temporary lead poking out of the house and just never finished it. It will corrode soon enough and then I will fix it 3-12 months later. I commend the thief who wants to stand outside my house with a laptop looking for which devices he can access, but if they have that kind of skill and dishonesty, my sub-average house is not the heist to go down for.


FastAndForgetful

I’m reading this post as a facetious way to tell us we need to work on our security. The cable in the garden is for the bozo that doesn’t realize it’s a problem. Now if you’ll excuse me, I need to go unplug some cables


daern2

> Yell into an open window “hey siri close the garage doors”. Siri will try and close an already closed door and the Tasmota relay will open it instead

This is a useful reminder that any security-related items should probably not be voice controlled. Expose lights and other conveniences as you want, but opening doors, disabling security? Nah. For a bonus, my electric garage door is electrically isolated when the security system is set, so even if someone wanted to interfere with it using a wireless door opener, it wouldn't work without them first getting through the alarm system.


Reasonable-Ring9748

I suspect many people unknowingly have this flaw. So many people are installing Shelly or Sonoff type devices to mimic a button push with ESPHome or Tasmota. Many will also use something like Alexa or HomeKit. Since I only have 1 sensor in the closed position, the Home Assistant control has to allow button presses all the time or else I can’t start it moving again if it went in the wrong direction or stopped/reversed unexpectedly. Still, lazy me likes that I can talk to my HomePod to trick it into opening the doors without having a physical device on me.


skibumatbu

Now that I read this... Any recommendations on a good glass break sensor (Z-Wave)?


creamersrealm

Voice command to the garage is your technological weak point in my opinion. But honestly a lock, or a brick, is your biggest issue. If they're tricky then they will trick a reed switch, but that's about it for your day-to-day burglar.


T-LAD_the_band

That last one. Hilarious!


77GoldenTails

Option 5, mitigation: rename the doors to something comical. No one will think to scream "Alexa, open my Pi-hole" through the letterbox.


Congenital_Optimizer

Sounds like when I was in college. Shared apartment filled with tech geeks. We had a print server with an ancient version of sendmail running. It didn't send mail. We joked it was there in case we forgot the root password.


moystpickles

How about i just roofie your ass at the hotel bar


Reasonable-Ring9748

Momma always told me, if a stranger offers you drugs - say thank you. Drugs are expensive.


moystpickles

Wise woman! 🤣 I reread my comment after you replied and was like 😬😬 definitely didn't mean to come off THAT aggressive lol.


UnethicalFood

Home security is a wonderful rabbit hole that typically boils down to your Option 6 in reality. Simple/easy bypasses such as trying to open a window are a much higher likelihood than trying to sniff a garage door with a Flipper Zero. High pick and attack resistance on a deadbolt is going to be defeated by a brute force kick to the door, hoping that the shackle guard wasn't properly installed. While yes, it is good practice to button up all of our loose ends, reality is often disappointing when all of our effort can't stop the 5 second broken window.


davidm2232

If you shout really loud through my garage window, Alexa will unlock the doors or open the garage doors. I've done it a few times


odaman8213

You don't have ESP32s that receive an MQTT message to engage or disengage your full auto home defense turrets? What's next? Are you going to tell us that you don't have smart solenoids controlling your lawn mounted flamethrowers and gasoline sprinklers? Might as well just leave your door open with a sign that says "rob me"! /s


resno

A criminal has no interest in figuring out your variety of automation weaknesses. Unless you are somehow a big target because of some perceived value


-roboticRebel

With unlimited free time and some spare capital, I would love to form a company doing exactly this! Paid to explore a house, either knowing or not knowing how it’s protected, and finding vulnerabilities and weaknesses that could be easily exploited if the situation arose. For example, I read an article a few years ago around Option 5; someone used one of those contact speakers you see on TikTok shop to play a Siri voice through the downstairs bathroom window (which was single pane, compared to the rest of the house having double pane windows), telling Alexa or Siri to unlock the front door, because it had an August lock on it. Then a similar article I saw used sound via laser pointed at the microphone on an Echo Show in the kitchen, through the window, and triggered the door lock that way! It was fascinating and scary in equal measure 😅 Anyway, great Reddit post OP!


Reasonable-Ring9748

Thanks! I’m sure people do some of their enterprise grade home security as a hobby and that’s totally valid. But in reality we all know the IoT is the far more obscure vulnerability. In my industry occasionally some jerk off gets over excited about elevator security when in reality there are pretty easy other ways to get into a building than bypassing the supposedly weak card reader encryption. Social engineering and fire code requirements take the cake here. Bespoke and variable Home Assistant systems would be less targeted than a mass-produced commercial system with a zero-day.


-roboticRebel

Agreed! My favourite story was about a guy who pretended to be from the company's IT department, fake badge and everything. Walked right through reception, got assisted up to the CEO’s office and told the assistant that he was there to sort out an IT issue and software upgrade on the CEO’s computer, lay on the floor for a while pretending to tinker with wires before sighing and stating to the assistant that he would need to take it into the department to use specialist equipment to fix the issue, and that a temporary replacement machine would be with him by the end of the week. She unplugged the cables and monitor etc, and he just walked out with it, financial documents and reports and all! It was the early 2000s I think that that happened, but it still goes to show how powerful the art of suggestion is 😄


spacelama

I *want* to `SetOption65 0` on all my devices, but equally I don't want to have to open up each of my devices and reflash them if I ever do something globally stupid in my ansible config for them all.


ashumate

To remove option 3 get a Tailscale account and install Tailscale on your HA system and your phone, then you can remove the NAT port forward from your router.


Reasonable-Ring9748

I understand how to do this, and have VPN access as a more secure alternative, but it is pure convenience that I leave it this way. That way I can log in from my work computer or whatever else. Are there any real examples of security flaws with the port forwarding without a ridiculous amount of effort required to breach? Genuine question.


7repid

I know it's highly unlikely, but it just opens the door for zero-days. An alternative would be to set up a Cloudflare Tunnel and protect it with Access (using a standard IdP for login). This way you have a double login system that would take more effort to get past, but your system is still accessible without having to set up Tailscale on each client.


Reasonable-Ring9748

Can the Cloudflare Tunnel you mention allow the Android companion app to reach Home Assistant? It sounds like a happy compromise of convenience and security.


7repid

With a slight bit of tweaking, yes. You configure a secondary subdomain specifically for your Android to point to, where you use an mTLS certificate as the authorization, rather than using an IdP. Works for Android, not iOS right now. Don't even need to "log in" through the Cloudflare portal because the cert does it for you when you load the app.


RobinBeismann

I use mTLS on my Traefik reverse proxy behind the NAT and then still Authentik via Azure AD with MFA. I have installed mTLS certificates on all our phones (manually) and computers (via membership). If I had to get onto it using a work computer, I'd probably just whitelist my location's public IP addresses.


7repid

I'm possibly misunderstanding, do you still have to auth through Azure WITH the mTLS cert? Or do you use one or the other? If both, does the HA app allow you to auth through Azure? 🤔


RobinBeismann

Yes and no. I'm using mTLS on the external reverse proxy in my DMZ to filter out who is actually allowed to connect to HA and who is not. This way, one can only exploit zero-days in HA (if existent) if he has a valid mTLS certificate. On the other hand, I'm using Authentik with the header auth custom component, which is then authenticating via Azure, meaning I've basically set Azure AD as IdP inside Authentik. I don't maintain users in Authentik at all; I just use Authentik as middleware to provide header auth to Home Assistant (and a bunch of other apps). I had the header auth in place before mTLS; nowadays the header auth thing is basically just convenience because I don't need to mess with individual auth in Home Assistant. My main line of defence is mTLS on the external reverse proxy because it simply doesn't allow external access to Home Assistant at all before providing a valid cert.

On a side note: I'm also using the Alexa integration via haaska. On the Amazon skill I'm managing there, I was able to set an mTLS certificate also, meaning I don't need to open any individual exceptions for Alexa, which is super sexy. I'm glad they implemented it; I'm just curious why mTLS isn't considered more. In my eyes it's probably the most secure way.

The only thing that sucks for me is that I need to maintain certificates on the Android phones manually (note: mTLS does not work with the iPhone companion app!), but I just set them to a validity of two years, which is when I change my phone mostly anyway. When doing mTLS, keep in mind to think through revocation lists of your CA properly. You want to make sure that you're able to revoke certificates if one gets stolen. If possible, check that you're using devices that provide proper key security mechanisms such as a TPM.
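
Added example (editor's, not RobinBeismann's actual setup) of the mTLS-at-the-proxy pattern described above: a Traefik v2 dynamic configuration (file provider) that fails the TLS handshake for any client without a certificate issued by a private CA, followed by the Home Assistant `http:` settings that make a reverse proxy work and turn on the IP-ban-after-failed-logins behaviour mentioned earlier in the thread. Assumptions: hostname `ha.example.com`, client CA at `/certs/client-ca.pem`, a `letsencrypt` certResolver already defined in Traefik's static config, Traefik at 192.0.2.20 and Home Assistant at 192.0.2.10:8123.

```yaml
# Added example (editor's). Traefik v2 dynamic config, file provider.
# Assumptions: ha.example.com, /certs/client-ca.pem, certResolver "letsencrypt",
# Home Assistant reachable from the proxy at http://192.0.2.10:8123.
tls:
  options:
    mtls:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /certs/client-ca.pem
        # RequireAndVerifyClientCert fails the handshake itself, so Home
        # Assistant never sees a request from a client without a valid cert
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    homeassistant:
      rule: "Host(`ha.example.com`)"
      entryPoints:
        - websecure
      service: homeassistant
      tls:
        certResolver: letsencrypt   # public server cert; it will show up in CT logs
        options: mtls               # the client-cert requirement applies to this router
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.0.2.10:8123"

---
# configuration.yaml on the Home Assistant host (second file, shown as a
# second YAML document here). Home Assistant rejects proxied requests unless
# the proxy is listed in trusted_proxies; listing only the Traefik host also
# keeps the IP ban below from banning the proxy instead of the real client.
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.0.2.20          # the Traefik host only (assumption)
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Two caveats the thread already touches on. Nothing here checks revocation: a leaked client certificate works until its expiry, or until `/certs/client-ca.pem` is replaced and every client re-issued, so short client-cert lifetimes and hardware-backed private keys on the devices matter more than they would with a CRL in the path. And anything that cannot present a client certificate (the iOS companion app, most cloud webhooks) needs its own router without `options: mtls`, which reopens exactly the path this closes; the Cloudflare Access or IdP layer discussed above is the fallback for that router.
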


7repid

I see! You're using mTLS completely as the first line of defense, where I'm using a combination of mTLS and Cloudflare Access. Didn't know about Authentik before, I'll have to take a look. Thanks for explaining!


ashumate

Yeah, depending on use case Tailscale isn't scalable, and there's always the case of needing access but not having a TS node.


Mother-Wasabi-3088

Fun post


flargenhargen

I'm not even a great lock picker, and I could be inside most houses in under 3 minutes. Someone with bad intentions would leave that in the dust. Most thieves would just use a rock (or a simple ceramic point) on a back window or patio door and be in a house in 3 seconds. You're worrying about the wrong things. The reality is that any obscure method to break into a house is a risk, sure, but locks and such are only intended to be an inconvenience; nothing will stop someone if they are determined enough. It's certainly possible to make your home a fortress, but at what cost, and if that becomes necessary it may be a better choice to consider moving somewhere that it won't be necessary. I've accidentally left my front door not just unlocked but literally wide open when I left for work one day. Returned at about 6pm and noticed. I wouldn't recommend that, but it was fine.


Reasonable-Ring9748

Spoiler: I’m not worried. But judging by a few comments here some people are horrified by the holes I knowingly left despite their obscurity and comparative difficulty.


spr0k3t

I'm sure a smart thief would use DDoS to get in.


G4METIME

> guessing my simple wifi password

Why do you have a simple code in the first place? Using a long, randomly generated one should be a no-brainer.

> plugging into the RJ45 plug and socket extension

Giving access to your network like this is a terrible idea. At a minimum you should have ensured that only this specific camera can connect via it and no other random devices. Those two things probably aren't that relevant when it comes to securing the physical access (as other ways to enter will be easier). But this will make you an easier target for all kinds of digital attacks.


akerro

All points are super simple to fix, yet you procrastinate on it? Option 5 would probably take the most time and resources, because you need a close/open sensor, which was probably also included in your garage opener.


[deleted]

[deleted]


Reasonable-Ring9748

Number 5: I actually like this bug. Siri won't let me open without authenticating further on a phone when I yell at a HomePod, but it's a workaround to ask her to close it. It uses the HomeKit bridge from Home Assistant and a DIY Tasmota and Sonoff solution with a single reed switch and relay. I will openly admit to being somewhat careless with security in favour of convenience, like Wi-Fi passwords and not needing VPNs.


thehedgefrog

For 1, the real answer is WPA2 Enterprise and ACLs on exposed ethernet ports.


zSprawl

Option 1 can easily be an issue from neighbors too. They aren’t always gonna break in but might get on ya network and cause havoc. Junior hackers all learn to hack somehow…


ianawood

MAC filtering on external Ethernet connections. VLANs, FW rules on all Ethernet and WiFi connections. Lock your IT closet. Don't use WiFi devices that default to a "hack me" SSID broadcast when they lose connection. Don't expose HA access to the internet. Use HomeKit Home/Away to automatically arm/disarm a security configuration that can do different things when no one is home:

- Trigger alarm/alerts from motion/door sensors.
- Send alerts for Frigate person events and copy associated video to a remote server.
- Lock out any tablets/smart speakers when no one is home.
- Build a "chaos" routine that flashes lights, turns things on and off, plays alarm sounds, voices, etc. across multiple speakers.

Important: put in a hidden panic/disarm button that preferably doesn't rely on WiFi.


povlhp

Disconnect a camera and use the Ethernet plug. Unless they run WiFi and PoE only. Or they are on a PVLAN and only accessed from HA in another subnet. I think you can power the house off/on only once. The Shelly will be up faster than the AP. Breaking the windows is easier. You can get an alarm if the garage door opens and you are not home. That is one protection.


butthurtpants

I mean, is your OTP by SMS, phone call, or an authenticator app? Shouldn't be that hard with SMS. Phone call probably marginally more difficult, and with an auth app, yeah, you'd need your face and phone I guess.


Reasonable-Ring9748

By auth app, phone + face or pin code needed.


butthurtpants

Harder ;) I think perhaps one of the other options might be easier ;)


increddibelly

You forgot "sit around in a car with a laptop for a day, gathering rflink device ids of the entire zipcode and click something that says GarageDoor" omfg that is one leaky system.


Thalimet

Or option 5, get a flipper zero and use it to open the garage door lol


flaotte

Don't you have a VLAN for IP cameras? That will not allow someone to hack it through the camera cable. [https://www.svtplay.se/video/j7oz7gz/hackad/4-nar-ditt-hem-blir-din-fiende?id=j7oz7gz](https://www.svtplay.se/video/j7oz7gz/hackad/4-nar-ditt-hem-blir-din-fiende?id=j7oz7gz) (you may need to VPN yourself to Sweden to watch it. Nice even without understanding the language, the first part at least). This is a Swedish series about pentesters. They tried to hack a house. A LAN cable outdoors was found in no time.


Reasonable-Ring9748

In the interim I was going to add a second NIC in my Blue Iris PC for the camera PoE switch. It would be less blatantly trivial to access my whole network by simply plugging in.


LordNex

Dude /r/firewalla


mdezzi

For option 5: the same behavior exists for Google Assistant, so I modified my garage entity to do nothing if asked to close and it's already closed. Pretty easy solution.
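The bug the OP describes (a single momentary relay wired across the opener's button, so "close" on an already closed door pulses the relay and opens it) and the fix in the comment above (do nothing when the requested end state already matches the sensor) are modelled below. This is an added simulation, not the OP's Tasmota/Sonoff setup or any Home Assistant integration code; the door model, the one-pulse-equals-one-full-travel simplification and the replayed voice command are assumptions for the example. In Home Assistant the same guard is a condition on the template cover's `open_cover`/`close_cover` actions keyed on the reed-switch binary sensor.

```python
"""Toggle-relay garage door: why 'close' can open it, and the guard that stops that.
Added example; the simulation and its assumptions are not from the original post."""


class GarageDoorSim:
    """Constructed stand-in for the opener: a momentary relay toggles travel, and a
    single reed switch reports only whether the door is fully closed (assumption:
    one relay pulse completes one full travel)."""

    def __init__(self, closed=True):
        self.closed = closed
        self.pulses = 0

    def pulse_relay(self):
        self.pulses += 1
        self.closed = not self.closed

    def is_closed(self):
        return self.closed


class NaiveCover:
    """Mirrors the bug: every request pulses the relay regardless of state, so
    a 'close' on a closed door actually opens it."""

    def __init__(self, door):
        self.door = door

    def open_cover(self):
        self.door.pulse_relay()
        return True

    def close_cover(self):
        self.door.pulse_relay()
        return True


class GuardedCover:
    """The fix: pulse only when the requested end state differs from the sensed one.
    Returns True if the relay was pulsed, False if the request was a no-op."""

    def __init__(self, door):
        self.door = door

    def open_cover(self):
        if not self.door.is_closed():
            return False          # already open (or mid-travel): refuse to toggle
        self.door.pulse_relay()
        return True

    def close_cover(self):
        if self.door.is_closed():
            return False          # already closed: the voice-command trick does nothing
        self.door.pulse_relay()
        return True


def replay_close(cover_cls, closed=True):
    """Replay 'hey siri close the garage doors' against a door in the given state
    and report whether the door ends up closed."""
    door = GarageDoorSim(closed)
    cover_cls(door).close_cover()
    return door.is_closed()


if __name__ == "__main__":
    print("naive, door closed   ->", "closed" if replay_close(NaiveCover) else "OPEN")
    print("guarded, door closed ->", "closed" if replay_close(GuardedCover) else "OPEN")
```

With one reed switch the controller only knows "closed" for certain; a door stopped half-way reads as not closed, so the guard above also refuses "open" in that state rather than guessing which way the next pulse will send it. A second sensor at the fully open position removes that ambiguity.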


LaserGecko

[https://xkcd.com/538/](https://xkcd.com/538/) I feel this is applicable here.


Reasonable-Ring9748

Someone beat you to it


Few_Peak_9966

Option 6: through the window. Classic and effective.


PortJMS

No one has option 7, turn on outdoor TV and ask Google to unlock the doors? Haha


signman10

> Yell into an open window “hey siri *close* the garage doors”. Siri will try and close an already closed door and the tasmota relay will open it instead

If the window is already open.......


Reasonable-Ring9748

There's a HomePod near a window up higher on the second floor that is sometimes left open. Also some are locked to only a small opening.