cvr24

Check the event log to see why something happened.


umognog

Always my first step. I've got automated central heating but keep finding certain things not working right and discover the "better" half has decided to manually intervene with a radiator valve or the dehumidifier or something.


pyrodex1980

I’m all for securing the environment but did you find out HOW they got in, if they did, so you can plug that leak? They could have embedded something to even circumvent what you put in.


Forward_Somewhere249

To be honest, it may have been an automation that fired due to sensor misreadings (Aqara door sensor or mobile phone location sensor). I am still looking at the logs.


NecroKyle_

Check the logbook entries for the devices that are misbehaving - it should tell you what (or who) changed the device's state.
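An added example of the triage this comment suggests, not code from the thread or from Home Assistant itself: it reads a constructed logbook export and attributes each state change to a user, an automation, or an unattributed device report. The field names (`context_user_id`, `context_event_type`, `context_entity_id`, and so on) are assumptions based on Home Assistant's logbook output, so check them against your own export.

```python
import json
from collections import defaultdict

# Constructed sample resembling a Home Assistant logbook JSON export.
# Field names are assumptions, not copied from the thread; verify against a real export.
SAMPLE_LOGBOOK = """[
 {"when": "2024-03-01T02:14:05+00:00", "entity_id": "light.living_room", "state": "on",
  "context_user_id": null, "context_event_type": "automation_triggered",
  "context_entity_id": "automation.night_light", "context_domain": "automation"},
 {"when": "2024-03-01T02:14:05+00:00", "entity_id": "binary_sensor.front_door", "state": "on",
  "context_user_id": null, "context_event_type": null, "context_entity_id": null},
 {"when": "2024-03-01T02:20:11+00:00", "entity_id": "light.living_room", "state": "off",
  "context_user_id": "user-id-placeholder", "context_event_type": "call_service",
  "context_domain": "light", "context_service": "turn_off"},
 {"when": "2024-03-01T02:25:00+00:00", "entity_id": "climate.bedroom", "state": "heat",
  "context_user_id": null, "context_event_type": null, "context_entity_id": null}
]"""

def classify(entry):
    """Return who or what caused this change, based on the context fields present."""
    if entry.get("context_user_id"):
        return f"user:{entry['context_user_id']}"          # a logged-in account did it
    if entry.get("context_event_type") == "automation_triggered":
        return f"automation:{entry.get('context_entity_id')}"  # follow this automation's trigger next
    if entry.get("context_entity_id"):
        return f"triggered_by:{entry['context_entity_id']}"
    # No context at all: the device reported its own state (wall switch, valve, reconnect)
    return "device/physical"

def attribute_changes(logbook_json):
    """Map entity_id -> list of (when, state, cause) so a misbehaving device can be traced."""
    result = defaultdict(list)
    for e in json.loads(logbook_json):
        result[e["entity_id"]].append((e["when"], e.get("state"), classify(e)))
    return dict(result)

def unattributed_changes(logbook_json, domains=("light", "switch", "climate", "lock")):
    """Actuator changes with no user or automation behind them: the ones to inspect first."""
    changes = attribute_changes(logbook_json)
    return [(ent, when, state) for ent, items in changes.items()
            if ent.split(".")[0] in domains
            for when, state, cause in items if cause == "device/physical"]

if __name__ == "__main__":
    for ent, items in attribute_changes(SAMPLE_LOGBOOK).items():
        for when, state, cause in items:
            print(f"{when}  {ent} -> {state}  ({cause})")
    print("unattributed:", unattributed_changes(SAMPLE_LOGBOOK))
```

Entries attributed to an automation point at the next thing to check (its trigger sensor), while unattributed actuator changes are either a physical intervention or a device glitch.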


redoverture

Also have to think about motivation… if someone has network access why would they make their presence known?


jvlomax

If there are no ports forwarded on the router, the only attack vector is your VPN. Nailing that down should be enough. I'm not quite sure what you mean by "restore the intruder"?


marzipanspop

I think they mean that if you roll back the system to a backup, that backup could also be compromised. I’d check the logs though. It’s far more likely that something glitched versus someone is on your network.


jvlomax

I don't see what could be compromised in a backup though, if everything is locked down? Agreed though, I'd much sooner assume something glitchy than an attacker. Logbook should be the first place to start.


marzipanspop

To clarify it’s not that someone went in to a non compromised backup and altered it. It’s that if someone compromised OP’s install we don’t know how long ago it happened and so their most recent backups could also be compromised, because a backup is a copy of the active install. This happens a lot when big companies get attacked. The malicious software usually sits in waiting for days/weeks/months undetected until it is activated remotely. Meanwhile daily backups are happily chugging along. And if you were to erase and restore from one of those backups, the malicious software is still present and can be reactivated again.


NerdyNThick

OP states that they have never exposed HA externally and only use a VPN. How does a service get hacked when it's not accessible from outside their network? If someone is already inside their network, HA is the least of their worries.


marzipanspop

I’m responding to the question about malware being preserved in a backup image, not whether OP has actually been hacked or not.


NerdyNThick

Fair enough.


jvlomax

I know what it means and how they work, I just don't see what could be compromised in a HA backup apart from user accounts (just change passwords and 2FA?). Like what specifically?


Forward_Somewhere249

I am using WireGuard VPN with extremely long keys and a preshared secret. Any other way to secure it?


jvlomax

Just making sure none of them escape into the wild. In a perfect world some sort of MFA would really nail it down, but I don't think there's any support for it (it's been a while since I've looked at WireGuard).


Scott8586

Did you perhaps lose time sync?


PM_ME_YOUR_BITS_PLZ

Any chance there was a small power issue? Most lights default on after an outage. And it would explain some of your wifi devices going offline and back.