Disabling new login page functionality

In release 2023.12 we added a redesigned login page to Home Assistant. It detects when you are accessing Home Assistant via your local home network, and if so, presents a redesigned login experience that shows your user profiles. If you access Home Assistant from outside your home network, the login page still asks for your username and password, like before.

We have heard the concerns from the community that this functionality can open up your Home Assistant instance to a user enumeration attack from within the local network. A malicious actor with access to your local network could get the names and pictures of all Home Assistant users. They could use this information to make attacking your Home Assistant instance easier.

A security issue was filed for this on December 10. We have accepted and published the corresponding GitHub Security Advisory, and have disabled the redesigned login page functionality in patch 2023.12.3, released on December 14.

While researching the feedback we received, we were troubled to discover that the users who experienced problems with the new login page often used misconfigured reverse proxies. When the reverse proxy is not configured correctly, Home Assistant can no longer distinguish traffic from your local home network from traffic from a public network. These users would see the redesigned login page when accessing Home Assistant from outside their home network.

To improve the network security of these users, we are researching how we can use Home Assistant to detect more variations of misconfigured proxies and inform them about it.
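
To make the failure mode above concrete, here is an added illustration (not Home Assistant's own code) of how a server behind a reverse proxy decides whether a request is "local", and why an undeclared proxy makes every outside visitor look local. The function names, the `trusted_proxies` parameter, the detection heuristic and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Networks treated as "home network" for this illustration (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]


def in_nets(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip.strip())  # ValueError on a malformed hop
    return any(addr in net for net in nets)


def client_ip(peer_ip, xff, trusted_proxies):
    """Pick the address the local/remote decision should be based on."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not xff or not in_nets(peer_ip, trusted):
        return peer_ip  # no header, or header sent by a peer we do not trust
    # Right to left: the first hop not appended by a trusted proxy is the client.
    # Anything further left is client-supplied and must not be believed.
    for hop in reversed(xff.split(",")):
        if not in_nets(hop, trusted):
            return hop.strip()
    return peer_ip  # every hop was a trusted proxy


def classify(peer_ip, xff, trusted_proxies):
    """Return (client address, treated as local?, undeclared proxy suspected?)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    client = client_ip(peer_ip, xff, trusted_proxies)
    # Heuristic (assumption): a forwarding header from a peer that is not a
    # declared proxy suggests a reverse proxy the server was never told about.
    suspect = bool(xff) and not in_nets(peer_ip, trusted)
    return client, in_nets(client, LOCAL_NETS), suspect


if __name__ == "__main__":
    PROXY, VISITOR = "192.168.1.10", "203.0.113.7"  # constructed sample addresses
    print("undeclared proxy:", classify(PROXY, VISITOR, []))
    print("declared proxy:  ", classify(PROXY, VISITOR, [PROXY]))
    print("forged left hop: ", classify(PROXY, "10.0.0.5, " + VISITOR, [PROXY]))
```

With the proxy undeclared, the outside visitor is classified by the proxy's own LAN address and therefore treated as local; once the proxy is declared, the forwarded public address is used instead.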

We redesigned the login page because we believed the local home network is within the privacy of your own home and a trusted environment for showing the people in it. We assumed that users attempting to log in on the local network are also trusted and allowed to see other user profiles, similar to what Microsoft, Apple, Netflix, and other companies assume in their products.

That said, we do hear you and take your feedback, and the potential security risk to users with misconfigured reverse proxies, seriously. Thank you for bringing this to our attention and being open about your concerns.


Year of the Voice - Chapter 5

We’ve reached the end of Home Assistant’s Year of the Voice! It was our goal for 2023 to let users control Home Assistant by speaking in their own language.

At the start of 2023, Home Assistant had basic text-based control for some devices in English only. As the year closes, users can now control and ask questions of their smart homes with voice in over 50 languages across a variety of devices, including:

  • Any ESPHome device with a microphone
  • Android phones, tablets, and smart watches
  • Old school analog phones (with an adapter)

Home Assistant users can now create multiple voice assistants by mixing and matching components of a voice “pipeline”. Home Assistant Cloud subscribers automatically gain access to high-quality voice components in over 130 languages and dialects. Fully local components are available as well, such as our Piper text-to-speech system, allowing for 100% offline voice control.

In Chapter 4, we added wake word processing directly into Home Assistant by leveraging the openWakeWord project. This allowed tiny voice satellites such as the M5 ATOM Echo Development Kit to offload wake word detection by streaming audio to a Home Assistant server. The community has been hard at work training a variety of custom wake words that everyone can use to make their voice experience unique.

For the final chapter of 2023, we have expanded the available types of voice commands to include weather, temperature, and to-do lists. Voice satellites are now aware of which area they’re in, and more hardware/software options are available too.

Happy holidays!

Assist running on the ESP32-S3-BOX.


Silicon Labs partners with Nabu Casa to support Open Source

Silicon Labs has entered an official partnership with Nabu Casa to offer support for our open-source and hardware efforts.

Silicon Labs and Nabu Casa

Silicon Labs is the company behind Z-Wave and designs chips for Z-Wave, Zigbee, Thread, and more standards. Their chips provide connectivity to many devices, including Philips Hue, Ring, IKEA TRÅDFRI, and our own Home Assistant Yellow and Home Assistant SkyConnect products. In fact, every Z-Wave chip in a Z-Wave product ever made came from Silicon Labs.

We love open standards because they live up to our Open Home values for the smart home: privacy, choice, and sustainability. This is why Nabu Casa, with the revenue received from Home Assistant Cloud subscribers, invests heavily in integrating these open standards, which involves working on a daily basis with Silicon Labs technologies. For example, we employ Dominic to work full-time on Z-Wave JS and Nikita to work full-time on Zigpy, the library powering Zigbee in Home Assistant. Other developers are dedicated to making sure the Silicon Labs chips inside our own hardware work perfectly in Home Assistant.

Z-Wave JS is the only open-source implementation of Z-Wave, powering an increasing number of Z-Wave platforms beyond Home Assistant. Our work is fundamental to the growth of the Z-Wave ecosystem, and we are happy to see this get acknowledged by Silicon Labs with this partnership. With Home Assistant, we are exposed to many different devices running Z-Wave, Zigbee, and Thread. And as a partner, we are now able to collaborate with Silicon Labs to report bugs and get our issues fixed with priority.


HomeWizard joins Works With Home Assistant program

We’re delighted to announce that HomeWizard has joined the Works With Home Assistant program under the ‘Works Locally With Home Assistant’ badge and is committed to ensuring their products work well in Home Assistant. This Dutch company creates Wi-Fi devices that give households insight into their electricity, water, and gas consumption. They want to make people aware of their energy consumption and help them save on energy - not just because it’s good for their wallet, but also good for the world. A mission that matches our Open Home values perfectly. They will also be the first company to use our updated Works With Home Assistant badge, featuring the new Home Assistant logo!

HomeWizard works locally with Home Assistant


2023.12: Welcome home!

Home Assistant Core 2023.12! 🎄

The last release of 2023 is here, and we are going out with a bang! 🎉

2023 has been the Year of the Voice, and please stay tuned, as we will host a final 5th chapter live stream on our YouTube channel on 13 December 2023, at 12:00 PST / 21:00 CET! But that is not the end of the voice journey… Be sure to tune in!

This release has some nice quality-of-life improvements, making it feel like Christmas already! The thermostat card has been redesigned to match the gorgeous new entity dialog introduced, a new feature for the ever-improving tile card, re-importing blueprints, and much more!

I’m most excited about the new login page that this release brings. It is beautiful, modern, and literally welcomes you into your own home! 🏡 Home is where Home Assistant is, right? 😃

This is it for 2023! What a year it has been! I just got one last thing to say this year:

Thank you for using Home Assistant! ❤️

Happy holidays & enjoy the release!

../Frenck


Nabu Casa at the Matter Member Meeting

TL;DR: We represented Home Assistant, our community, and the Open Home vision at the Matter member meeting in Geneva. We’re hosting a live stream to talk Matter in January to update you about our progress and answer your questions. Leave your questions in the comments below!

Two weeks ago, Marcel van der Veldt, Stefan Agner, and I traveled to Geneva to represent Home Assistant, our community, and the Open Home vision at the Member Meeting of the Connectivity Standards Alliance (CSA). This is an important meeting where companies from all over the world meet to talk and decide about the Matter standard and how to implement it.

(Matter is the new smart home standard that promises to make everyone’s smart home devices work with each other across platforms and ecosystems, locally and privately. It’s being developed by the CSA, which is also responsible for Zigbee).

Stefan and Marcel

We were able to attend because Nabu Casa is a member of the CSA. We pay for this with the revenue from your Home Assistant Cloud subscriptions (thank you!). CSA membership ensures that we have access to official technical documentation and support to build Matter into Home Assistant. It also gives us a voice inside the CSA, which we use to advocate for the interests of Home Assistant users and our Open Home vision.



Removal of MyQ integration

TL;DR: The MyQ integration will be removed from Home Assistant in release 2023.12 on December 6, 2023. Chamberlain Group, the owners of MyQ, have released a public statement saying they will continue blocking access to third-party apps, like the MyQ integration. For current MyQ users we recommend ratgdo, a device that physically connects to your MyQ garage door opener and allows you to control it locally.

If you own a garage door opener from Chamberlain or Liftmaster, you are probably familiar with MyQ. It’s a cloud-based smart home brand owned by Chamberlain Group, best known for its smart garage devices. MyQ is also currently one of the most problematic integrations for Home Assistant users. The MyQ garage door opener integration has, for the past months, been in a state of constant repair as the integration breaks, is fixed, and then breaks again. This is a direct result of actions taken by MyQ to block access from third parties.


2023.11 To-do: Add release title

Home Assistant 2023.11! 🎃

It seems like I forgot to come up with a release title for this release and left a placeholder in the title. If I only could have it on a to-do list somewhere… 🤔

Before we dive into this pretty massive release, I want to quickly look back at two amazing things that happened in the past month.

First, we presented chapter 4 of the Year of the Voice, which introduced the new wake word feature in Home Assistant. This really brings the voice assistant experience to the next level, and we are super excited about it! Like have you seen the R5-based voice assistant droid? 😍

Second, we had a security audit performed on Home Assistant by one of the top security auditors in the world! You can read all about it in the blog post. A big shout out to everybody subscribed to Home Assistant Cloud, as you enable us to do these things! 🥰

Alright, about this release! It is huge! I love the tile card, and the ability to easily customize the information it shows now is just. 🤩 But mostly, I’m super stoked about the new to-do lists, which will probably become a very central part of my household.

Enjoy the release!

../Frenck


Security audits of Home Assistant

Summary: Home Assistant had two security audits done as part of our regular security assessments. You are safe. No authentication bypasses have been found. We did fix issues related to attackers potentially tricking users to take over their instance. All fixes are included in Home Assistant 2023.9 (released on September 6, 2023) and the latest Home Assistant apps for iOS and Android. Please make sure you’re up-to-date.

Security is very important to us at Home Assistant and Nabu Casa. Being open source makes it easy to let anyone audit our code—and based on reported issues—people do. However, you also need to hire people to do an actual security audit to ensure that all the important code has been covered.

Subscribing to Home Assistant Cloud provides funding for the ongoing development and maintenance of Home Assistant, including external security audits. To ensure that our security is top-notch, Nabu Casa hired Cure53 to perform a security audit of critical parts of Home Assistant. Cure53 is a well-known cybersecurity firm that in the past found vulnerabilities in Mastodon and Ring products.

Cure53 found issues in Home Assistant, 3 of which were marked as “critical” severity. The critical issues would allow an attacker to trick users and steal login credentials. All reported issues have been addressed as part of Home Assistant 2023.9, released on September 6, 2023. No authentication bypass issues have been found. According to Cure53’s report:

The quality of the codebase was impressive on the whole, whilst the architecture and frameworks deployed in all relevant application areas resilient design paradigms in general. Frontend security in particular exhibited ample opportunities for hardening, as compounded by the Critical associated risks identified. Nonetheless, once these have been mitigated, an exemplary security posture will certainly be attainable.

In August, the GitHub Security Lab also audited Home Assistant. They found six non-critical issues across Home Assistant Core and our iOS and Android apps. Two of the issues overlapped with Cure53. All reported issues have been fixed and released.

We want to thank both teams for their audits, reported issues, and keeping our users safe 🙏

All found issues have been added to our security page. This page has been updated to include an ongoing timeline of reported issues, who disclosed them, and a link to each issue report on GitHub.

If you think you have found a security issue, check out our security page on how to report this to Home Assistant.