{"id":388,"date":"2025-09-30T11:49:41","date_gmt":"2025-09-30T11:49:41","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=388"},"modified":"2025-09-30T11:49:41","modified_gmt":"2025-09-30T11:49:41","slug":"securing-my-smart-home","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=388","title":{"rendered":"Securing my smart home"},"content":{"rendered":"\n

It\u2019s been a while \u2014 I was out sick and focused on getting better \u2014 but I\u2019m back and ready to post again. To get me warmed up I want to write about something practical and relevant: Home Assistant (HA) and how easy it is for poorly configured smart devices to leak sensitive data on a local network.<\/p>\n\n\n\n

A few days ago my brother-in-law installed HA with me and he was shocked at how much the automatic discovery showed on his network \u2014 and that some devices were sending data in the clear. That inspired this short lab: a small network compromise simulation and a defensive checklist you can use to harden a home setup.<\/p>\n\n\n\n

Scenario (what I simulated)<\/h2>\n\n\n\n

Imagine an attacker has a foothold on your LAN. That could happen via a phishing link, a compromised laptop, or a malicious guest device. From that position the attacker does basic network discovery to enumerate devices:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In my test the scan revealed a small web panel on X.X.50.10<\/code> and another host with a Home Assistant web UI. The HA UI looked normal, but further enumeration showed MQTT on a non-standard port (I saw it on 1833 in my case). That\u2019s when I wanted to see whether traffic was encrypted.<\/p>\n\n\n\n

\"\"
ip changed while documenting<\/em><\/figcaption><\/figure>\n\n\n\n

We fingerprinted the web panel and discovered another host that my arp-scan<\/code> didn\u2019t show initially. Pointing a browser at that host brought up a Home Assistant login page. A quick port scan showed an MQTT-ish service on port 1833<\/strong> (non-standard, but suspicious). That\u2019s when I decided to try a layer-2 MiTM to see if traffic (MQTT\/HTTP) was being sent in the clear.<\/p>\n\n\n\n

In the lab I used bettercap<\/strong> to perform ARP spoofing and live network sniffing.<\/p>\n\n\n\n

sudo bettercap -face wlan0\narp.spoof on\nnet.sniff on<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
While the MiTM runs, open Wireshark and load the capture (or capture live). Useful filters:<\/p>\n\n\n\n
    \n
  • Capture filter (if you want only MQTT-ish traffic): tcp port 1833<\/code><\/li>\n\n\n\n
  • Display filter for inspection in Wireshark: mqtt<\/code> (or http<\/code> for web traffic)<\/li>\n<\/ul>\n\n\n\n
    What to look for:<\/p>\n\n\n\n
      \n
    • Plaintext MQTT payloads (topics, message bodies) \u2014 these often leak device state, tokens or credentials.<\/li>\n\n\n\n
    • Plain HTTP POST\/GET requests that contain tokens or session cookies.<\/li>\n\n\n\n
    • Any repeated auth attempts or cleartext credentials.<\/li>\n<\/ul>\n\n\n\n
      If the traffic is TLS-protected you\u2019ll only see encrypted blobs \u2014 but many cheap IoT devices or misconfigured integrations don\u2019t use TLS at all. In my lab the beacon and some messages were clearly readable, which is a fast win for post-compromise reconnaissance.<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      This shows messages and payloads. On my network I could see beacon updates, and \u2014 in cases where the device didn\u2019t use TLS \u2014 even login-like payloads. That\u2019s a clear privacy risk: usernames, tokens and device state information can leak. http<\/code> will show HTTP requests if you\u2019re testing that:<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      Why this matters \u2014 typical weak behaviours<\/h2>\n\n\n\n
      A lot of smart devices \u2014 cheap Wi-Fi modules, ESP32\/ESP8266 devices, older integrations \u2014 do one or more of the following:<\/p>\n\n\n\n
        \n
      • Use unencrypted MQTT<\/strong> (plain TCP) with no TLS<\/li>\n\n\n\n
      • Use anonymous MQTT<\/strong> (no username\/password)<\/li>\n\n\n\n
      • Broadcast services (mDNS, SSDP, UPnP), leaking device names and info<\/li>\n\n\n\n
      • Expose an admin web UI with default or weak credentials<\/li>\n\n\n\n
      • Allow auto-discovery (Home Assistant\u2019s discovery can be convenient but noisy)<\/li>\n\n\n\n
      • Use insecure OTA or HTTP endpoints (no certs)<\/li>\n<\/ul>\n\n\n\n
        If an attacker can sniff or intercept that traffic, they can learn device state, credentials, tokens, or even control some devices directly.<\/p>\n\n\n\n
        How to harden your smart home \u2014 practical checklist<\/h2>\n\n\n\n
        Below are practical mitigations you can apply today. I split them between network-level & service-level.<\/p>\n\n\n\n
        Network-level<\/h3>\n\n\n\n
          \n
        • Segmentation \/ VLANs<\/strong>
          Put IoT devices on a separate VLAN from your laptops\/phones. Block inter-VLAN traffic except to the HA server (and only to required ports).<\/li>\n\n\n\n
        • Client isolation \/ private LANs<\/strong>
          On Wi-Fi APs, enable AP\/client isolation for guest networks and (where supported) for IoT SSIDs.<\/li>\n\n\n\n
        • Use a firewall \/ block local discovery across networks<\/strong>
          Block mDNS\/SSDP between VLANs (unless explicitly needed). Only allow control ports to your HA server.<\/li>\n\n\n\n
        • Disable unused broadcast services<\/strong>
          Turn off UPnP\/SSDP in routers\/APs unless you need them for a specific device.<\/li>\n\n\n\n
        • Strong Wi-Fi security<\/strong>
          Use WPA2-Enterprise or WPA3 with strong passphrases. Avoid open networks for IoT unless absolutely necessary and isolated.<\/li>\n<\/ul>\n\n\n\n
          Service-level<\/h3>\n\n\n\n
            \n
          • MQTT over TLS<\/strong>\n
              \n
            • Configure your broker (e.g. Mosquitto) to listen on TLS (8883) and require client certs or at least username\/password + TLS.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
            • Disable anonymous MQTT<\/strong>\n
                \n
              • Always require credentials. Store per-device \/ per-integration credentials and avoid global shared accounts.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
              • Use TLS for HTTP endpoints (reverse proxy)<\/strong>\n
                  \n
                • Put Home Assistant and other web UI\u2019s behind a reverse proxy (Nginx\/Caddy) and use valid certificates from Let\u2019s Encrypt.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                • Disable or restrict HA Discovery<\/strong>\n
                    \n
                  • Home Assistant discovery is convenient but noisy. Consider disabling discovery for integrations you don\u2019t use or restrict it to specific devices.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                  • Harden devices<\/strong>\n
                      \n
                    • Change default passwords on devices (don\u2019t rely on default credentials)<\/li>\n\n\n\n
                    • Keep firmware updated<\/li>\n\n\n\n
                    • Use device-specific accounts (avoid reusing passwords)<\/li>\n\n\n\n
                    • Use long-lived tokens wisely (rotate if possible)<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                    • Use VPN for remote access<\/strong>\n
                        \n
                      • Instead of exposing HA to the public internet, use a VPN to connect to your home network, or use Home Assistant Cloud (if you prefer a managed approach).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
                        Monitoring & detection<\/h3>\n\n\n\n
                          \n
                        • Enable logging and alerting in HA<\/strong>
                          Watch for unexpected connections or auth failures.<\/li>\n\n\n\n
                        • Network monitoring<\/strong>
                          Use an IDS (e.g., Suricata) or at least log unusual ARP\/traffic patterns.<\/li>\n\n\n\n
                        • Regular backups<\/strong>
                          Backup HA configs and device settings<\/li>\n<\/ul>\n\n\n\n
                          Reflection \u2014 what I learned<\/h2>\n\n\n\n
                          This was a simple purple-hat exercise for myself: knowing how attacks work is useful \u2014 not to exploit people, but to better defend them.<\/p>\n\n\n\n
                          Key takeaways:<\/p>\n\n\n\n
                            \n
                          • Many cheap IoT devices still communicate in plaintext. The weakest device can expose data for the whole home network.<\/li>\n\n\n\n
                          • Small configuration changes (TLS for MQTT, VLANs, reverse proxy) drastically reduce risk.<\/li>\n\n\n\n
                          • Auto-discovery features are useful, but they increase attack surface \u2014 be deliberate about what you allow.<\/li>\n\n\n\n
                          • Defensive testing in a lab helps you explain risks to family and colleagues in a much clearer way than purely theoretical advice.<\/li>\n<\/ul>\n\n\n\n
                            My brother-in-law left thinking: \u201cI had no idea my smart plugs were talking in plain text.\u201d He implemented network segmentation and turned on TLS where possible \u2014 those two steps alone go a long way.<\/p>\n","protected":false},"excerpt":{"rendered":"
                            It\u2019s been a while \u2014 I was out sick and focused on getting better \u2014 but I\u2019m back and ready to post again. To get me warmed up I want to write about something practical and relevant: Home Assistant (HA) and how easy it is for poorly configured smart devices to leak sensitive data on […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[20,9],"tags":[],"class_list":["post-388","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-network-hacking"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=388"}],"version-history":[{"count":3,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/388\/revisions"}],"predecessor-version":[{"id":396,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/388\/revisions\/396"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}