Cybersecurity on Smart Home? Sure — But Secure!

DJI robot vacuum hacked: 7,000 strangers' living rooms via a master key

Sun, 01 Mar 2026 00:00:00 +0100

A few days ago a press release turned up in my feed. I skim a lot of them every day – most I just scroll past. Not this one.

DJI. Robot vacuum. 7,000 strangers’ living rooms. A master key.

I read the article twice. And then I knew immediately: a follow-up video was needed.

The pattern that keeps repeating

If you’ve read my robot vacuum article, you might be nodding right now. Back then it was Ecovacs. Hacked robots remotely controlled in real time, chasing pets and shouting slurs through their speakers. I tried to explain back then why that wasn’t an absurd one-off incident, but a structural problem with this entire product category.

And now it’s happened again. Different manufacturer. Same category. Same fundamental vulnerability in principle.

This bothers me – not because I want to vilify robot vacuums, but because I believe most people who buy one simply don’t know what’s actually happening with their data. With the floor plan of their home. With camera footage, if the model has one. With the question of who, besides themselves, could theoretically access all of that.

What happened this time

It started innocuously. A French developer, a brand-new DJI robot vacuum, a free evening. The idea: control the robot around the apartment with a PS5 controller. Mario Kart in real life, but with dust bunnies.

To connect the controller, he needed the key from the app – nothing illegal, it was his own device. But when he used that key with the DJI server, the server didn’t just download his own data – it downloaded data from thousands of others. Over 7,000 robots across 24 countries. Battery levels, home floor plans, live camera feeds from strangers’ living rooms. The key wasn’t a normal key. It was a master key for the entire system.

DJI patched the vulnerability after it was reported. That’s good. But it doesn’t change the underlying picture.

Why I keep talking about this

After making this video I naturally asked myself whether I’m starting to get repetitive. Robot vacuums again. Privacy again. Same topic again.

But then I look at the comments under the old video. And I see how many people write that they simply hadn’t known how the technology behind it works. Not because they weren’t interested. But because hardly anyone explains it without immediately descending into panic or buzzwords.

That’s exactly what I want to do differently. No moralising, no fearmongering. Just: here are the facts. Here’s what they mean. And here are three concrete things you can do – if you want to. What you do with a camera-equipped robot vacuum in your home is your decision. I just want that decision to be an informed one.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

If you already have a view on this – or you have a robot vacuum at home and feel a quiet unease stirring – write it in the comments. I genuinely appreciate every perspective. And yes, every comment helps the video reach more people who are asking themselves exactly these questions for the first time.

Sources:

ESPHome After the Security Vulnerability: Irresponsible or Still Acceptable?

Sun, 05 Oct 2025 00:00:00 +0200

“Is it irresponsible to use ESPHome?” That was the question I posed after my last video about the critical ESPHome security vulnerability. The reactions were fascinating — and often sharply divided.

Comments ranged from harshly critical to completely relaxed: from “There’s a lot more going wrong here — ESPHome developers have apparently never heard of HTTPS or password hashing” to “And what would be the reward for this extraordinary hacking effort? Turning on the light in my garage? 🤣”

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

Who’s right? A balanced look at the community discussion and practical recommendations for ESPHome users.

The Criticism of ESPHome: Justified or Overblown?

Structural Security Problems

Many comments highlighted fundamental security issues in ESPHome, and this criticism is hard to dismiss:

Multiple authentication bugs over the years — not exactly confidence-inspiring
Lack of HTTPS support and weak password hashing, both of which are long-established industry standards
Firmware upload via the web server — possible regardless of password protection

The frustration of many users is entirely understandable. HTTPS ensures that nobody on the local network can intercept HTTP traffic. Password hashing stores credentials not in plain text but as a cryptographic checksum. Both have been established security standards for years.

As I explain in the video, ESPHome shows clear weaknesses here.

Open Source: Curse or Blessing?

ESPHome illustrates a classic open-source dilemma: security is often not the top priority. Developers typically focus on features and functionality — security considerations come later, if at all.

At the same time, it’s a sign of a healthy, active community when vulnerabilities are found and reported. The sheer number of disclosed issues says little about a project’s actual security posture. Other projects may contain just as many vulnerabilities — they just haven’t been discovered or made public yet.

In the video I dig into this dilemma in detail and explain why the assessment isn’t straightforward.

The Web Server Problem

One pattern stands out with ESPHome: most vulnerabilities affect the built-in web server. This leads to a simple recommendation: only enable the web server if you actually need it.

Practical tip: If you’re using ESPHome nodes with Home Assistant, the web server is generally not necessary. Communication runs directly through the ESPHome API. And these devices should never be exposed to the internet anyway — so absolutely no port forwarding for ESPHome nodes!

“My Home Network Is Secure” — A False Sense of Safety

The LAN Illusion

A common argument goes: “The attacker would first have to get into my LAN — my local home network — so it’s fine.” Some people even dismiss the threat with quips like “Sure, someone might turn on my garage light.”

But that’s exactly where false security sets in. Modern attack vectors make it surprisingly easy for attackers to get into home networks:

Infected IoT devices as an entry point
XSS attacks in the browser enabling remote access
Insecure router configurations
Compromised smartphones or laptops

In the video I show concrete examples of how quickly this supposed safety net becomes a trap.

Cross-Site Scripting Explained

XSS, or Cross-Site Scripting, works like this: an attacker builds a manipulated web page that executes foreign code in your browser. You notice nothing, but in the background the attacker can steal data or execute commands — almost as if they were directly inside your home network.

Example: You click on what looks like a harmless link. In the background, a hidden JavaScript function sends requests to your ESPHome devices. Just like that — garage door open, heating off, lights on.

Network Architecture: Theory vs. Practice

The VLAN Discussion

One of the most interesting aspects of the community debate: network segmentation. The theory is clear: IoT devices belong in separate networks, ideally VLANs — virtual networks that isolate devices from one another.

This is definitely best practice. But many users point out: “In reality, hardly anyone does this in private networks because it’s too complicated.” On top of that, true VLAN separation is often impossible with standard consumer hardware.

That’s exactly the crux: theory versus practice. I explore this discussion from the comments thoroughly in the video.

Practical Alternatives

When full network segmentation is too complex, there are practical alternatives:

Guest Wi-Fi for IoT devices
Firewall rules for IoT traffic
Dedicated IoT routers as a separate network layer
Unifi, OPNsense, or pfSense for advanced network features

The effort should match the threat level — not everyone needs enterprise-level segmentation for their smart home.

An OTA Password Alone Is Not Enough

A False Sense of Security

A common misconception: “I’ve set an OTA password, so I’m safe.” OTA stands for “Over-the-Air” — firmware updates delivered over the network.

Unfortunately, no — for the critical ESPHome vulnerability, the OTA password provided no protection whatsoever. The flaw wasn’t in the OTA module but in the web server module, which also offered firmware upload functionality.

I explain in the video, with a practical demonstration, exactly why the OTA password was ineffective in this case.

The Swiss Cheese Model

In the end, the takeaway is this: apply updates promptly and combine multiple layers of protection.

The Swiss Cheese Model describes this principle well: each individual security layer has holes, but stacked together they form effective protection.

Example layers of protection:

Router firewall blocks external access
Network segmentation isolates IoT devices
Strong passwords defend against brute-force attacks
Timely updates close known vulnerabilities
Disabling the web server reduces the attack surface

Two Security Mindsets: Paranoia vs. Pragmatism

The Two Camps

The comments reveal two clearly defined camps:

Team Security: “You have to patch everything, segment everything, harden everything”
Team Pragmatism: “The risk is too small — I don’t want to live my life in paranoia”

Both perspectives are understandable, but in IT security, gut feeling is rarely a reliable guide. In the video I address both mindsets and explain why a fact-based assessment matters.

The Facts: CVSS 8.1

The ESPHome vulnerability was rated 8.1 under CVSS, classified as “High”. CVSS is the standard scoring system for security vulnerabilities, ranging from 0 to 10, and 8.1 is firmly in the critical range.

For reference:

0–3.9: Low (minor risk)
4.0–6.9: Medium (moderate risk)
7.0–8.9: High (high risk)
9.0–10.0: Critical (critical risk)

At 8.1, this is a vulnerability you definitely should not ignore.

A detailed breakdown of the CVSS score and what it means for ESPHome users is in the video.

Practical Recommendations for ESPHome Users

Immediate Actions

Update ESPHome to the latest version (>= 2024.6.2)
Enable the web server only when necessary — not needed for Home Assistant integration
Never expose ESPHome nodes to the internet — no port forwarding!
Use strong, unique passwords for OTA updates

Advanced Security Measures

Implement network segmentation wherever possible
Use a VPN for remote access instead of direct internet exposure
Keep all IoT devices updated regularly
Monitor network traffic for suspicious activity

Long-Term Considerations

Abandon ESPHome entirely? That seems excessive to me. The platform offers enormous value for DIY smart home projects. With the right precautions, the risk can be reduced to an acceptable level.

In the video I explain in detail why I still recommend ESPHome despite its security issues — but only under certain conditions.

Alternatives: Tasmota, the Arduino framework directly, or commercial IoT devices. But these all come with their own security problems — perfect security doesn’t exist anywhere.

Conclusion: Security Is Never Black and White

The community discussion makes one thing clear: security is never black and white. There are best practices, but in practice you have to decide how much effort to invest for how much risk reduction.

My personal take: If an update is available, why wouldn’t you apply it? It’s the easiest way to add one more security layer.

The golden rule: Stay informed, understand the threats, respond appropriately — but don’t tip into paranoia.

Using ESPHome after the security vulnerability is not irresponsible, as long as you take the right precautions. The project does have security issues, but with a mindful approach it remains a valuable option for DIY smart home enthusiasts.

The complete analysis of the community reactions and all practical tips for using ESPHome securely are in the video above.

→ The specific vulnerability this article refers to is covered in a separate video with a live demonstration: ESPHome Security Vulnerability: Critical CVE Affects All ESP32 Devices

ESPHome Security Vulnerability: Critical CVE Affects All ESP32 Devices – Live Hack Demonstrates the Problem

Sun, 14 Sep 2025 00:00:00 +0200

A recently discovered security vulnerability in ESPHome 2025.8.0 affects ESP32 devices using the IDF Framework. The flaw allows attackers to bypass the built-in Basic Auth authentication and perform over-the-air updates without valid credentials.

This means: even if you have properly protected your ESPHome devices with a username and password, attackers can under certain circumstances still push firmware updates and gain control of the device.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

Practical Demonstration of the Security Vulnerability

ESPHome as a Popular DIY Solution

ESPHome has established itself as one of the most popular solutions for DIY smart home projects. Its simple integration of ESP32 and ESP8266 controllers into the smart home makes it a widely used tool in the community.

However, the recently discovered security vulnerability shows that even established software can have unexpected weaknesses. In the video, I demonstrate the practical exploitation of this flaw on a test device.

Live Demonstration of the Vulnerability

In the video, I perform a controlled test in which I bypass the authentication of an ESP32 device. I use command-line tools to send an HTTP request with an empty Authorization header.

The result: the ESP32 device accepts the firmware update even though no valid credentials were transmitted. The web server responds with “Update successful,” confirming that Basic Auth authentication is not working correctly in this version.

Who Is Affected? The Technical Details

ESPHome Version 2025.8.0 in Focus

The security vulnerability primarily affects ESPHome version 2025.8.0, though the official vulnerability description also mentions “possibly older versions.” Particularly critical: the flaw exclusively affects ESP32 devices using the IDF Framework.

In the video, I explain exactly why this combination is problematic and how to find out whether your devices are affected.

ESP32 vs ESP8266: An Important Distinction

There is some good news: ESP8266 controllers are NOT affected by this vulnerability. If you exclusively use ESP8266-based devices, you can breathe a little easier for now.

That said, caution is warranted: most modern ESPHome projects use ESP32 controllers, since they are significantly more powerful and offer more features. These popular controllers are the ones affected by the flaw.

The Attack in Detail: How the Hack Works

The Authorization Header as the Entry Point

What you see in the video is the practical exploitation of a vulnerability in HTTP Basic Authentication. Normally, attackers need to transmit valid credentials in the Authorization header. The security vulnerability, however, allows this protection to be bypassed with an empty header.

The hack works via the /update endpoint, which is normally used for over-the-air updates. An attacker can submit manipulated firmware to this endpoint and have it installed without authentication.

Potential Impact of the Vulnerability

Since the security vulnerability allows arbitrary firmware to be flashed, various attack scenarios are conceivable. An attacker could theoretically:

Capture and exfiltrate sensor data
Use the device for further network scanning
Preserve the original functionality to remain undetected
Make modifications to the firmware

The practical impact depends heavily on the individual network configuration and the security measures already in place.

Immediate Protective Measures: What You Need to Do NOW

Step 1: Update ESPHome

The most important step: update your ESPHome installation to version 2025.8.1 or newer immediately. These versions contain the fix for the critical security vulnerability.

In the video, I show you exactly where to find the current version and how to perform the update.

Step 2: Reflash All ESP32 Devices

Even more important: you must reflash all your ESP32 devices with the updated ESPHome version. Updating the ESPHome software alone is not enough – the firmware on the devices themselves must be updated.

The easiest way to do this is via the “Update” button in the ESPHome management interface. In the video, you can see the complete process and learn what to watch out for.

Step 3: When in Doubt, Update

If you are unsure whether your devices are affected: an update never hurts. It is better to update one time too many than to have a compromised device on your network.

Assessing the Security Vulnerability

Trust in Authentication Mechanisms

ESPHome users typically rely on the built-in Basic Auth authentication to protect their devices. This security vulnerability shows that even well-established authentication mechanisms can contain bugs.

Many users run their ESP32 devices for extended periods without regular updates, since they are considered stable and reliable. However, this approach can become problematic when newly discovered security vulnerabilities emerge.

Security on the Home Network

A common assumption is that devices on the internal network are automatically protected. This vulnerability makes clear, however, that attackers with network access – for example via compromised devices or a guest Wi-Fi network – can exploit security flaws too.

In the video, I discuss the importance of regular updates even for internally operated devices.

Lessons from the Security Vulnerability

Updates Are Not Optional

This vulnerability underscores once again: regular updates are not a tiresome chore, but critical to the security of your smart home. Even well-established software like ESPHome can suddenly develop critical flaws.

Defense in Depth

A single layer of protection – no matter how well implemented – is not enough. The ESPHome vulnerability shows that even authentication can fail. Additional layers of protection such as network segmentation or VPN access can make the difference when it matters.

What You Will Learn in the Video

The video offers far more than just theoretical knowledge. You will see:

Live hack demonstration – understand the threat through a practical walkthrough
Step-by-step update guide – learn how to update your devices correctly
Technical background – understand why this vulnerability is so dangerous
Preventive security measures – protect yourself against future threats
Community discussion – find out how others are dealing with the problem

The practical demonstration in the video illustrates how the vulnerability works and shows concretely how the authentication can be bypassed. This helps in understanding the technical details and assessing the risk for your own installation.

Your Role in Smart Home Security

Community Responsibility

Security vulnerabilities like this affect not only you personally, but the entire smart home community. Share your knowledge, inform other users, and make sure this important information reaches the people affected.

A Proactive Security Stance

Use this security vulnerability as an opportunity to rethink your overall smart home security. Which other devices have not received updates in a long time? Which systems rely too heavily on a single layer of protection?

Conclusion: Security Requires Continuous Attention

The ESPHome security vulnerability underscores the importance of regular updates even for established software. It shows that even proven solutions can have unexpected weaknesses.

The video demonstrates the practical exploitation of the vulnerability and explains the necessary protective measures – from immediate updates to preventive security strategies.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

→ In a follow-up article, I analyzed the community’s reaction to this vulnerability and address the question of whether ESPHome is still justifiable: ESPHome After the Security Vulnerability: Irresponsible or Still Worth It?

The Perfect Home Assistant Password

Sun, 13 Jul 2025 00:00:00 +0200

Imagine it’s the middle of the night and suddenly your smart speaker blasts music at full volume. The lights are flashing like crazy, and your heating turns itself up to maximum. At first you think it’s a technical glitch — but then you realize: someone else has taken control of your smart home!

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

What sounds like a horror scenario isn’t actually that far-fetched. Users in the Home Assistant forum have shared their experiences:

A user reported in 2018 that their system was controlling lights without authorization — they had Home Assistant running with an open HTTP port and no password
Another case from January 2025: Immediate and massive login attacks right after opening the default port 8123

The alarming reality: According to recent studies, over 80% of all successful cyberattacks are attributed to weak or reused passwords (source: World Economic Forum/LastPass, 2023). Using services like Shodan, attackers find open smart home instances within seconds. The result: someone connects to your Home Assistant installation and — at best — just plays a prank like this.

That’s why a strong password for Home Assistant is absolutely critical. Unfortunately, many people still use trivial passwords that are easy to remember but just as easy to guess. And here’s what makes Home Assistant special: there is no built-in password policy. No requirements for how long or complex your password must be.

A serious mistake? On the contrary! I’ll explain why this is actually a good thing — and why the perfect Home Assistant password isn’t the same for everyone.

What Makes a Good Password?

You’ve probably rolled your eyes more than once when a site demanded “at least 8 characters, one uppercase letter, one number, and a special character.” Many people assume a password is automatically secure just because it looks complicated — but that’s not quite right. What really matters is entropy — how unpredictable and extensive the character combination is. And the rule here is: length beats complexity.

A long password with 20 characters is generally far more secure than a short one with 8, even if the shorter one contains every possible special character. Why? Because each additional character exponentially increases the number of possible combinations — and that’s worth more than a wide variety of character types.

A practical example:

Home123! dutifully meets all complexity rules and looks “secure” at first glance
In reality, many people follow exactly this pattern — a word with a capital letter, the number sequence 123, and an exclamation mark at the end
Passwords like this can be cracked very quickly or guessed through dictionary attacks
myhomeassistantisawesome would take years to crack, even though it uses only lowercase letters

➡️ Test it yourself: howseecureismypassword.net

Sources:

NIST SP 800‑63B (PDF) – See Section 5.1.1.2: No more mandatory regular password changes + focus on length over complexity.
NCSC: Problems forcing regular password expiry – Warns against cyclic password changes as they lead to predictable patterns.
The Guardian: Rejoice! The charade of having to change our passwords every few months is coming to an end – Reports on NIST & NCSC guidelines against frequent password changes and in favor of passphrases.

The Problem with Password Policies

Those seemingly “complicated” passwords can actually end up being insecure because they follow predictable patterns. Strict password policies often mislead users and tempt them into reusing passwords. Be honest: when you had to fight your way through an annoying password policy, didn’t you just reach for your standard password that ticks all the boxes?

You’re not alone — the numbers are alarmingly clear:

89% know that password reuse is risky, but only 12% use a unique password for every account (source: Spacelift, 2025)
62% of US users report frequently or always reusing passwords (source: NordPass, April 2025)
Especially striking for Gen Z: 72% reuse passwords even though 79% know the risk (source: Bitwarden World Password Day, 2025)
Even after data breaches, 59% of Gen Z recycle their passwords (source: HelpNetSecurity, May 2025)

This is a genuine internal conflict: we know what’s right, but act differently out of convenience or habit. Experts call this a cognitive dissonance between knowledge and behavior.

The Better Alternative: Passphrases

Current recommendations are clear: forget complexity requirements — what counts is length and uniqueness.

In plain terms: use a long passphrase you can actually remember, rather than cryptic eight-character gibberish. You may know the famous xkcd comic on this — four simple words like “correct horse battery staple” together form a nearly uncrackable password that you can still remember fairly easily.

What matters:

Length
Randomness
Uniqueness

Every additional character makes your password exponentially stronger. And of course it shouldn’t be a known word or pattern — “Password123!” is long and looks complex, but it’s still guessed quickly.

Specifics for Home Assistant

Let’s get concrete about Home Assistant: what role do passwords actually play here? Home Assistant is your self-hosted smart home hub. You set up user accounts and assign passwords for logging into the web frontend — and with that, full access to all devices connected to your Home Assistant.

Important: Home Assistant does not dictate what your passwords should look like. There’s no minimum length, no special character requirement, nothing of the sort. And that’s intentional. There used to be a warning when a password was too short. These warnings no longer exist — the developers realized it wasn’t productive. Why?

The requirements for a password depend heavily on the specific use case:

When I record videos for this channel, I’m always glad I don’t have to set a complex password for Home Assistant test instances
Someone who never exposes their smart home to the internet and has no guests on their home network can afford lower password requirements
A Home Assistant installation that is publicly accessible on the internet is subject to completely different standards

With Home Assistant, you are the administrator and must take responsibility yourself. If you’re not comfortable with that, a password manager is probably the best choice for you.

The moment your system is online, it becomes a potential target for automated attacks. And then things get serious fast. Home Assistant does have a built-in brute-force defense (Wikipedia article): after a certain number of failed login attempts, the user’s IP address is temporarily blocked. That’s helpful, but not a cure-all:

Many attackers simply spread their attempts across many different IP addresses
A weak password is often guessed after just a few tries
The IP block therefore offers only limited protection

Additional risks: Even Home Assistant with Nabu Casa has had critical security vulnerabilities — in 2023, a flaw (CVE-2023-27482) with the highest severity score of 10/10 was disclosed, enabling an authentication bypass.

➡️ More on securing Home Assistant: Home Assistant absichern: 5 Tipps für mehr Sicherheit

➡️ Why port forwarding is problematic: Portfreigaben vermeiden: So geht sicherer Fernzugriff

Conclusion

There is no single perfect Home Assistant password — it depends on your use case. But the numbers speak clearly: over 80% of all cyberattacks succeed through weak or reused passwords. At the same time, 89% of people know the risk, yet only 12% act consistently.

What matters:

Length over complexity: A long password is better than a short complex one
Uniqueness: Every system gets its own password — no exceptions!
Proportionality: Match your security requirements to your setup
Additional measures: When internet-facing, use 2FA and secure connections
Use a password manager: This breaks the cycle of password reuse

The solution is simple: A long passphrase or a password manager. That puts you in the 12% who do it right — rather than the 62% who accept security risks out of convenience.

Home Assistant gets it right by putting the responsibility in your hands. Use that freedom wisely!

A look ahead: The next generation of authentication is passkeys — a passwordless technology based on cryptographic keys that is significantly more secure than traditional passwords. Unfortunately, Home Assistant does not yet support passkeys, but the future of authentication may well head in that direction. Until then, strong, unique passwords and 2FA remain our best defense.

BSI Tips Clearly Explained: How to PROPERLY Secure Your Smart Home!

Sun, 06 Jul 2025 00:00:00 +0200

Who voluntarily reads through the lengthy publications of Germany’s Federal Office for Information Security (BSI)? I did it for you and distilled the most important tips for your smart home – explained clearly, assessed critically, and backed up with real-world examples, just like in the video!

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

Introduction: Who Actually Reads the BSI?

The BSI publishes a lot of solid advice on how to secure your smart home. But honestly – who willingly reads through pages of text on a government website? That’s why you’ll find the most important recommendations here, explained in plain language and put into perspective.

➡️ You can find the official BSI recommendations here: BSI Smart Home Tips

1. Choose Strong Passwords

It sounds obvious, but weak passwords are one of the most common entry points for attacks. Many users simply leave the default password in place – “admin”, “123456”, or even no password at all are unfortunately far from rare. The BSI advises: no real words, no simple number sequences or keyboard patterns. My tip: use a unique, strong password for every device, ideally managed with a password manager like KeePass or Bitwarden. It keeps things both easy and secure.

2. Keep Software Up to Date

Updates patch security vulnerabilities. Enable automatic updates wherever possible. Not every device offers this – in that case, there’s only one option: check manually on a regular basis, for example once a month. If a device hasn’t received updates in years, you should consider replacing it. Pay attention to the manufacturer’s update policy before you buy!

➡️ To see what can happen when devices stop receiving updates, check out the video about a robot vacuum with a security flaw: Robot Vacuum Hack: This Is How Easy Access Is!

3. Secure Your Router & Home Network

Your router is the gateway between your home network and the internet. Change the admin password, disable unnecessary services like UPnP, and enable the firewall. That said, the best firewall is of little use if you don’t know what you’re doing. Even more importantly: avoid port forwarding for smart home services. Use a VPN (e.g. WireGuard) or a Cloudflare Tunnel instead. It’s also a good idea to put smart devices on a separate guest network.

➡️ For detailed tips on securing Home Assistant and your home network, see: Securing Home Assistant: 5 Tips for Better Security

➡️ How to set up secure remote access without port forwarding: Avoid Port Forwarding: Secure Remote Access Made Easy

4. Buy Only from Trusted Sources

No-name products from overseas are often cheap, but poorly documented and without ongoing updates. The BSI recommends: buy only from reputable retailers, look for CE marking (though be cautious – it’s not a guarantee!), and pay attention to the manufacturer’s update commitment. Reviews in community forums are often far more revealing than marketing promises.

➡️ Cloud or local? What to look for when buying smart devices: Cloud or Local? Running Smart Devices Securely

5. Use the Cloud Deliberately

The cloud is convenient, but it comes with risks. Manufacturers have to maintain cloud servers – that costs money, and corners are often cut. Only use cloud-dependent features when you truly need them, and isolate cloud-connected devices from the rest of your network (e.g. via a guest network). Many devices also work locally, for example with Home Assistant.

➡️ More on cloud vs. local control and privacy: Cloud or Local? Running Smart Devices Securely

Conclusion

The BSI’s tips are solid, even if they can sometimes feel a bit abstract. You don’t have to implement everything at once – but every step makes your home a little more secure. Watch the video for the full details and practical examples.

SSH Access with YubiKey: How to Properly Secure Your Smart Home Server

Sun, 08 Jun 2025 09:00:00 +0200

Why Securing SSH in Your Smart Home Matters

Sound familiar? You’re about to leave for vacation and quickly want to change something in your system – only to find that remote access suddenly stops working. Many people then simply open their SSH port to the internet or use the Home Assistant Web Terminal add-on in the browser. That sounds convenient, but it’s extremely dangerous: often a single password is all it takes for someone to gain full access to your entire system.

In this video, I’ll show you how to properly secure your SSH access with a YubiKey. It’s easier than you think – and I’ll walk you through it step by step.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

What Is a YubiKey and Why Is It So Secure?

The YubiKey is a small USB stick that works like a digital key for you. It stores your access credentials in a way that they never reside on your computer and can’t be stolen. For SSH, the YubiKey uses the modern security standard FIDO2. Even if someone knows your password, they can’t access your server without the YubiKey. You plug in the stick, tap it – and you’re securely logged in. This is far more secure and convenient than traditional passwords or certificate files stored on your machine.

Where to Buy a YubiKey

You can get a YubiKey through my recommended links:

The following models are suitable for this project:

Tip: Always order from the official retailer or a trusted shop to ensure you receive a genuine, sealed device.

Note: These are affiliate links. If you order through them, you support my blog – at no extra cost to you. Thank you!

Password: Simple, but insecure – passwords can be guessed, intercepted, or shared.
Certificate (key pair): Much more secure, but if someone gains access to your computer, they can copy the private key.
YubiKey: The private key doesn’t live on your computer – it’s securely stored on the YubiKey. Access is only possible with the physical stick and your confirmation.

Step by Step: Setting Up a YubiKey for SSH (Using Termius as an Example)

Choose your YubiKey: There are various models (USB-A, USB-C, NFC, Lightning). Think about which devices you’ll be using the stick with.
Install Termius: This app makes the setup particularly straightforward. (OpenSSH, PuTTY, etc. also work.)
Add the YubiKey: In Termius, go to “Keychain” → “FIDO2”, select the stick, enter your PIN, name and generate the key. Enable “Require user presence”, disable “Require PIN code”, and leave the passphrase empty.
Copy the public key to the server: Termius offers an export function that automatically adds the key to ~/.ssh/authorized_keys. You can also do this manually.
Test the connection: Start a new SSH session, tap the YubiKey – done!
Disable password login: Set PasswordAuthentication no in /etc/ssh/sshd_config and restart the SSH service.

Important Notes & Tips

When setting up your YubiKey for the first time, you’ll need to set a PIN. This protects against misuse if someone finds the stick.
The private key is split into two parts: one stays on the computer, one on the YubiKey. For a new machine, you’ll need to generate a new key pair and register the public key on the server.
“Resident keys” (keys stored directly on the YubiKey) are a special case and aren’t yet widely supported by many tools.
It’s best to set up a second YubiKey as a backup right away, so you don’t lock yourself out.
If everything does go wrong: you can always access your machine directly with a monitor and keyboard.

YubiKey in Everyday Use: Much More Than Just SSH

The YubiKey can do much more: two-factor authentication for Google, Microsoft, Facebook, Dropbox, Amazon, password managers like Bitwarden or 1Password, online banking, email accounts, and much more. Once set up, it becomes a real everyday companion for everything that matters to you.

Conclusion

With a YubiKey, you make your SSH access – and many other logins – not only more secure, but also more convenient. You protect yourself against password theft, phishing, and many other attacks, all with a small stick that fits in any pocket.

Robot Vacuums in the Smart Home - The Underestimated Data Hog

Thu, 15 May 2025 00:00:00 +0000

Introduction

Imagine your robot vacuum knows more about you than your closest friends — even though it’s only supposed to clean the floor. It drives through your home, scans your rooms, listens to your conversations, and you think it’s really just vacuuming? Sounds like a horror movie, but that’s exactly reality.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

The Ecovacs Incident of 2024

In October 2024, hacked Ecovacs robot vacuums in the US turned into full-blown stalkers ¹. They chased pets and hurled racist insults at their owners, terrorizing entire households ². But how did it get to this point? The attackers exploited a glaring security vulnerability in the robots’ software. The security PIN that was supposed to prevent unauthorized access was only verified in the app, not on the device itself — a fatal flaw that hackers knew how to exploit ³.

What makes this case particularly alarming: common security measures like strong passwords or two-factor authentication would not have helped here. The manufacturer had made such a fundamental programming error that even best-practice security measures were rendered useless.

The Underestimated Problem of Profiling

But even if your robot vacuum isn’t hacked, there is another massive problem: profiling. Many people might think, what could a robot vacuum really know about me? The answer is: frighteningly much.

To understand how powerful data analysis can be, here is a real-world example from the US: In 2012, a teenager suddenly started receiving ads for baby products from the retail chain Target. Her outraged father complained to Target about the alleged harassment of his daughter — only to find out a few days later that his daughter was actually pregnant. The algorithm had detected subtle changes in purchasing behavior and drawn the right conclusions before the family even knew ⁴.

What Does This Mean for Robot Vacuums?

Your robot vacuum links movement patterns, camera images, and sounds. It knows:

When you sleep
When you come home
Whether your routines change
Which rooms are used and how often
What conversations take place in your home

Why This Matters

“Why would anyone spy on me? I’m not important at all.” This thought is understandable, but it misses the core of the problem. It’s not about targeted surveillance of individuals — it’s about mass data collection:

Companies don’t specifically target your data
They simply collect everything, because storage is cheap
What seems harmless today can become highly sensitive tomorrow through AI analysis
The value lies not in any single household, but in the sheer volume of data

This data can feed algorithms that make decisions about:

Health insurance eligibility
Credit scoring
Personalized advertising

Concrete Recommendations

What can you actually do to protect yourself?

Basic security measures:
- Use strong passwords
- Install updates regularly
- Put devices on a guest network
Consider before buying:
- Think twice before getting devices with cameras or microphones
- Be especially critical of cloud-based data processing
Alternative solutions:
- The Valetudo project offers open-source firmware for some robot vacuum models
- This lets you keep control over your own data

Conclusion

Even large, seemingly trustworthy brands are not immune to data breaches — as the Volkswagen incident of 2024 illustrates, where data from over 400,000 electric vehicles ended up unprotected on the internet ⁵.

Making a genuinely reliable purchase recommendation for a “secure” robot vacuum is nearly impossible. The most pragmatic approach seems to be avoiding models with cameras and microphones and accepting the reduced feature set. An alternative for tech-savvy users is the Valetudo project ⁶, which provides an open-source alternative to the manufacturer’s firmware. Because in the end, protecting your privacy matters more than the supposed convenience of extra features.

Remote Access with Cloudflare – Done Right!

Fri, 18 Apr 2025 00:00:00 +0000

Many people set up a Cloudflare Tunnel, see that Home Assistant is reachable from anywhere — and stop right there. The problem: the tunnel is encrypted, but anyone can access it. No login, no access control, nothing. It’s like locking your apartment door while the building’s front door is wide open.

I’ll show you how to do this properly: set up the tunnel, secure access — and at the end, make an honest assessment of what you’re trusting Cloudflare with.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

The False Sense of Security Through HTTPS

Many people think: “If I use HTTPS, I’m safe.” But that’s a misconception. SSL encrypts the connection — it does not prevent your Home Assistant from being visible and vulnerable on the internet. That’s exactly what happens when you only set up a tunnel and do nothing else.

Today we go one crucial step further: Cloudflare Tunnel plus access control. If you’ve already set up the tunnel, you can skip ahead to the next section.

Info: The hands-on step-by-step walkthrough is in the video above. You’ll need your own domain to follow along. If you don’t have one yet, I recommend Netcup based in Karlsruhe:

The Weak Spot in Many Cloudflare Setups

Your smart home is now reachable from the internet — and many people stop there, satisfied. But there is one critical problem with this setup: while the tunnel connection is encrypted, anyone can access it.

It’s like locking your apartment door while the front door of the building stands wide open. Today we do better and add an additional layer of protection.

Info: The hands-on step-by-step walkthrough is in the video above.

How Trustworthy Is Cloudflare?

So now, to stay with the analogy, the front door is also securely locked and only someone with keys to both doors can get through. Right? Unfortunately, no. Because there’s one player you may not have on your radar — and that’s Cloudflare itself.

We’ve set up two layers of protection: the authentication in Home Assistant and Cloudflare Access. For a hacker to access your smart home now, they’d need to successfully bypass both security mechanisms — Cloudflare’s and Home Assistant’s. The odds of that are orders of magnitude lower than if the system were just sitting open on the internet. Sounds like a perfect setup? Almost — because there’s one small but important catch.

Cloudflare itself has unencrypted access to everything passing through the connection in this setup. And Cloudflare is a US company, which means it is not subject to the strict data protection regulations that apply here in Europe. You therefore have to place a certain degree of trust in the company behind Cloudflare. If that makes you uncomfortable — what are the alternatives? You could set up your own VPN access with WireGuard or Tailscale — technically a bit more demanding, but privacy-friendly. Or you use Home Assistant Cloud — it’s a paid service, but offers a straightforward and secure solution with considerably more concrete privacy rules than Cloudflare. However, you still have to extend some trust here too, because Nabu Casa — the company behind Home Assistant Cloud — is also a US company and is not bound by EU rules. That said, they do advertise that they don’t log user activity or analyze it for advertising purposes. That may matter to some of you.

My Take

If you use Cloudflare correctly — with Tunnel and Access — you have a free, highly secure solution for remote access to Home Assistant, without opening a single port.

Cloudflare is, however, a US company with unencrypted access to your connection. If that’s not acceptable to you, consider WireGuard, Tailscale, or Home Assistant Cloud instead. More on those coming soon here on “Smart Home? But Secure!”

Why Port Forwarding into Your Smart Home Is So Dangerous

Thu, 10 Apr 2025 00:00:00 +0000

I’ve been diving deep into the topic of remote access to smart home systems lately – and one thing quickly becomes clear: there are now quite a few interesting options available, depending on your security needs, budget, and technical expertise.

Which makes it all the more alarming that many users still simply rely on port forwarding to make their home network services accessible from the internet. Why is that dangerous? Let’s take a closer look.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

Hi and welcome! My name is Joachim and this is Smart Home? But Secure! I originally just wanted to put together a video showing you how I’ve been handling secure remote access to Home Assistant for years. But in my research, I realized: there are now quite a few ways to solve the remote access problem elegantly and securely. Yet there are still a large number of users who rely on simple port forwarding (more technically known as port forwarding) to access their smart home systems while on the go. And honestly, that surprised me a bit.

If you’re thinking: “Sure, old news – you don’t need to explain that to me!” – then I’d invite you to subscribe to the channel. I have a feeling this topic has potential for more than one video, and there will definitely be a few more technical deep-dives to come. But if you’re thinking: “Huh? What’s actually the problem with port forwarding?” – then let’s take a closer look right now.

Why Port Forwarding Is So Popular

First of all: it’s understandable why so many users go this route. It’s simple, quick to set up, and generally involves no additional costs. And even the problem of a dynamic IP address can be solved quickly using a dynamic DNS service. But: You have to be aware of what you’re doing: you’re putting your service – for example Home Assistant or OpenHAB – directly onto the internet, exposed exactly the same way it is on your local network.

First Risk: The Protection Layer of Your Home Network Disappears

Even if you’ve set a strong password for your service: your home network itself is an additional layer of protection. In general, far fewer malicious actors are lurking there than on the open internet. With port forwarding, you remove exactly that protective layer. Your service is now directly reachable from the internet – for millions of users, hackers, and other bad actors. And even if you use a secure password and 2FA – nobody can guarantee that a new security vulnerability doesn’t already exist that bypasses authentication entirely. Sure, you can install updates diligently, but those only protect against known and already-patched vulnerabilities. That’s why you should replace that second protective layer – your home network – with something else whenever you want to expose your services on the internet.

Second Risk: Unencrypted Connections

There’s another factor to consider. As soon as your data travels over the internet, it must be encrypted – otherwise anyone can read or manipulate it. Take Home Assistant as an example: the default connection is not encrypted. If you simply open a port to the internet, access is unsecured – just like at home, where that’s usually less of a concern. Of course, you can secure it – for example with a free Let’s Encrypt certificate. But that means additional software and configuration. The “simple” port forwarding quickly turns into a complex software project – and that makes it not only more error-prone but often more insecure as well. A vicious cycle.

My Recommendation

My clear recommendation: don’t use port forwarding to make your smart home accessible from the internet. Even if you don’t have particularly high security requirements, there are better alternatives:

VPN

VPN: If you have a FRITZ!Box or another router that supports it, a VPN can be a great choice. It’s free, significantly more secure, and usually easy to set up. The VPN authentication provides the second protective layer that I believe is so important for internet access.

Home Assistant Cloud

Home Assistant Cloud: The service from the HA team at Nabu Casa is easy to set up and takes care of encryption for you. You don’t have to deal with dynamic DNS either. But: it costs a monthly subscription fee – though at least that money goes to the company developing Home Assistant. The downside is that the second protective layer is still missing – the login screen is directly reachable from the internet, which you’ll quickly notice from “login failed” messages in your Home Assistant log.

Cloudflare

Reverse proxies such as Cloudflare: here you build an encrypted tunnel from your home network to the proxy. There are already many great videos about this from the big smart home channels on YouTube, but I strongly recommend enabling an additional authentication layer on the proxy (called “Access” in Cloudflare) – that gives you your second protective layer here as well. Cloudflare is a US-based provider, which may be a dealbreaker for those with privacy concerns. In my research I haven’t found a comparable European alternative – if you know of one, let me know in the comments!

Twingate

Twingate is a provider that enables zero-trust networking and promises a modern VPN alternative. Setup is surprisingly straightforward, clients are available for all platforms, and access to individual services can be controlled in a very granular way. Even though the service is primarily aimed at businesses, it can be interesting in a smart home context – especially if you want to secure multiple devices or users.

Tailscale

Tailscale takes a different approach: using WireGuard, it builds a private mesh network in which all your devices can reach each other directly – wherever they are. Particularly interesting is the newer Tailscale Funnel feature: it lets you expose a home network service publicly over the internet, including HTTPS and access control. Funnel isn’t available everywhere yet, but it’s a promising approach – especially for technically minded users.

I haven’t taken a closer look at either of these two options (Twingate and Tailscale) myself yet.

What role does remote access play in your smart home setup? Which solution are you using – or which one are you considering? Leave a comment below.

What I Use Personally

I’ve set up my own reverse proxy with the German hosting provider netcup. From my home network I establish an SSH tunnel that exposes only selected services toward the reverse proxy. The proxy itself is responsible for authentication and controls who can access what. I’ve configured it so that a client certificate is required for authentication. That’s how I’ve implemented my second protective layer – without opening any ports. At the same time it’s incredibly convenient, because authentication happens in the background and I don’t need to connect to a VPN or enter additional passwords. It’s certainly not the right solution for everyone – but for technically experienced users, it’s in my opinion a very elegant approach for the level of protection it provides.

What’s Next

In the upcoming videos we’ll take a detailed look at each of these alternatives – so you can find the right solution for your situation.

Cloud Integrations vs. Local Integrations

Fri, 03 Jan 2025 00:00:00 +0000

Bose simply pulled the plug. Overnight, SoundTouch speakers that cost well over €1,000 turned into expensive paperweights – because the manufacturer shut down its cloud service. Vorwerk did the same thing with Neato robot vacuums. The list keeps growing.

This is the fundamental problem with cloud integrations in a smart home: you buy a device, but you don’t really own the functionality behind it. That belongs to the manufacturer – and they can take it back at any time. Here I’ll look at what that means in practice, and when cloud integrations still make sense.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

What are cloud and local integrations?

Cloud integrations connect your devices to external servers over the internet. This lets you access them from anywhere in the world. Examples include Google Nest, Amazon Alexa, and Ring cameras. The cloud offers convenience, but it also comes with risks.

Local integrations, by contrast, run directly in your home network – with no internet connection required. Typical examples are Zigbee devices or ESPHome sensors controlled via a local hub. Local integrations give you more control and independence.

Risks of cloud integrations

Privacy and data security

Many cloud devices send sensitive data to manufacturer servers. A prominent example is the VW data leak in 2024, where a vulnerability exposed the data of 800,000 customers. Security gaps like this can give unauthorized third parties access to your private data.

Vendor dependency

Another risk is dependence on the manufacturer’s services. A well-known example is the Revolv Smart Home Hub, whose servers were shut down by Google in 2016. Users were suddenly left with useless hardware.

Attack surface for hackers

Insecure cloud connections can serve as an entry point into your home network. Once an attacker gains access to a cloud-connected device, they could potentially compromise other devices on your network.

Dependence on internet connectivity

Cloud devices rely on a stable internet connection. If a server goes down or your internet is disrupted, they often stop working entirely. This can cause serious problems with security-critical applications like smart door locks.

Advantages of local integrations

Full data control

With local integrations, all data stays within your home network. You’re not relying on a third party’s data security practices and you minimize the risk of data leaks.

Independence from external services

Local integrations work even without an internet connection. A Zigbee light switch, for example, keeps working even if your internet goes down.

Smaller attack surface

Because there’s no connection to the internet, there are fewer ways for attackers to compromise your network.

Fast response times

Local systems react instantly, since no data has to travel over the internet. This is a decisive advantage for automations and scenarios that depend on precise timing.

How to make cloud integrations more secure

If you want or need to use cloud integrations, there are steps you can take to minimize the risk:

Two-factor authentication (2FA): Enable 2FA to make unauthorized access to your accounts harder.
Strong passwords: Use complex, unique passwords for every service.
Regular updates: Keep all devices and apps up to date to close security vulnerabilities.
Use a separate network: Place cloud devices on a guest network to protect your main network.

When should you choose cloud or local?

Cloud integrations are a good fit if you want to access your devices from anywhere or need complex additional features that depend on external services.

Local integrations are the better choice if you prioritize privacy, security, and reliability.

Conclusion

The choice between cloud and local integrations depends heavily on your individual needs. Both approaches have their pros and cons, but with the right security measures you can minimize the risks. My recommendation: use local integrations wherever possible, and secure your cloud devices carefully. That makes your smart home not just smarter – but also more secure.

When your smart home suddenly turns dumb – and what you can do about it – Concrete examples of manufacturers shutting down their cloud: Bose SoundTouch, Neato, and more.
Home Assistant Backups in 2025 – Your data safe and recoverable at any time – If you rely on local control, you should also back up your data locally.

Securing Home Assistant - 5 Security Mistakes to Avoid in Your Smart Home

Fri, 13 Dec 2024 00:00:00 +0000

In the Home Assistant forum, someone opened their port 8123 in January 2025 – and described how login attacks started within minutes. Massive, automated, relentless. This is not an isolated case. Using services like Shodan, attackers can find open Home Assistant instances in seconds.

Most of these attacks are preventable. Not through complicated measures, but through five things that many people simply never set up.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

Home Assistant was built with privacy and IT security in mind, letting you run your smart home completely locally and independently of manufacturers. The local approach minimizes the risk of data leaks. With options like SSL, user management, and regular updates, you can make Home Assistant one of the most secure vendor-independent solutions available – if you use the security features correctly.

Many users overlook important security features or don’t take full advantage of what Home Assistant offers. The problem: this creates unnecessary attack surfaces, so-called attack vectors, through which hackers could break into your smart home. Whether it’s weak passwords, unsecured connections, or outdated software – it’s often small oversights that can have major consequences.

In this article, I’ll show you 5 typical security mistakes and how to avoid them. I’ll give you tips to make Home Assistant even more secure. Whether you’re just setting up your smart home or have been using it for a while – these tips will help you identify potential vulnerabilities and better protect your home.

Mistake 1: Using Weak Passwords or Default Passwords

A classic that is still underestimated: weak or even pre-set default passwords. Many smart home devices connected to Home Assistant come with simple default passwords like ‘admin’ or ‘1234’. And the problem is: these passwords are not only easy to remember, they’re also easy to hack. Attackers use automated programs that try exactly these default passwords in seconds.

Why is this dangerous? A weak password can allow attackers not only to gain access to your smart home, but through Home Assistant to all your devices and automations. Imagine someone being able to control your lights, access cameras, or even disable alarm systems – that would be an absolute nightmare.

The solution is fortunately simple: change default passwords immediately after setting up your device. Use a strong password with at least 12 characters – length is more important than complexity here. Lowercase letters and digits are often perfectly sufficient, as long as the length is right.

Even better is using a password manager like KeePass. It not only generates secure passwords but also stores them securely, so you only need to remember one master password.

My tip: Give every user and every service in your smart home its own password. This minimizes the risk of a single compromised password putting your entire smart home at risk.

Mistake 2: Ignoring Firmware and Add-on Updates

Another major mistake that’s made frequently: not performing updates regularly. Home Assistant itself, as well as the devices you control with it, run on software that needs to be updated regularly – not just to get new features, but above all to close security vulnerabilities.

Why is this so important? Outdated software is a goldmine for hackers. When vulnerabilities become known – and this happens more often than you might think based on media coverage – attackers can specifically search for devices with those security gaps. One website, for example, automatically lists surveillance cameras found to be unprotected from access.

The good news: Home Assistant makes it easy to stay up to date. You can immediately see when updates are available on the dashboard. And with one click, you can install them. The same applies to custom components you’ve installed through the Home Assistant Community Store (HACS).

My tip: Schedule regular maintenance windows for your smart home – at least once a month. Set aside 15 minutes to apply all available updates for Home Assistant, your add-ons, and devices. This not only makes your system more secure but also ensures everything runs smoothly.

Mistake 3: Not Setting Up a Separate Network for Smart Home Devices

A common mistake many smart home users make: connecting all their devices – from lights to thermostats to cameras – to the same network used by their laptops, smartphones, and tablets. This sounds convenient at first, but it’s exactly what can become a problem.

What risks does this create? Smart home devices often have fewer security mechanisms than your laptop or smartphone. Many devices are only minimally secured or are based on older technologies that are vulnerable to attacks. If a hacker compromises a single device on your network – for example, a cheap smart plug or an unsecured camera – they gain the same access to your home network as a visitor in your home to whom you’ve given access to your private Wi-Fi.

The solution? Set up a separate network for your smart home devices. This sounds complicated, but it’s easier than you might think.

Most modern routers offer the option to create a so-called guest network. You can use this not only for visitors but also for smart home devices that communicate via the manufacturer’s cloud – because those are exactly the ones critical to the security of your home network.

Your Home Assistant installation, on the other hand, should be placed in your regular home network along with the smart home devices that don’t require internet communication. If you want to be extra safe, you can block those devices from accessing the internet through your router settings.

Some routers like FritzBoxes ([buy here – affiliate link])(https://amzn.to/3W6bgOr) or UniFi Access Points ([buy here – affiliate link])(https://amzn.to/4foMsb8) make it especially easy to set up guest networks and block access to the main network.

You can tell whether a smart home device communicates via the cloud in Home Assistant by checking the relevant integration. If it says “Dependent on the internet,” that integration and its associated device is such a candidate. Devices that don’t communicate with the internet but directly with your Home Assistant installation cannot be reached by a hacker from the internet and are therefore less critical.

Mistake 4: Not Using Two-Factor Authentication

A frequent mistake that often happens out of convenience or lack of awareness: not enabling two-factor authentication – or 2FA for short. Yet 2FA is one of the simplest and most effective measures to prevent unauthorized access to important systems like your Home Assistant installation and thus your smart home.

Why should you care? Imagine someone gets hold of your password – through phishing, a data leak, or because you reuse the password across services. Without 2FA, attackers can immediately access your Home Assistant and control your entire smart home: capture camera feeds, manipulate automations, or view sensitive data. With 2FA, however, they also need a second confirmation code generated only on your device – which makes it nearly impossible for hackers to hijack your account.

The good news: Home Assistant supports 2FA and makes setup straightforward. Simply go to Settings under Users and enable two-factor authentication. Use an authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator. These apps generate new one-time codes every 30 seconds that you need to log in. Important: store the backup codes that Home Assistant generates in a safe place – for example, as a printout in a folder. This lets you recover your account if you lose access to the authenticator app.

My tip: Enable 2FA not just for your admin account, but for all users who have access to Home Assistant – especially for accounts other than your own. This gives you the assurance that nobody can unauthorized manipulate your system, regardless of the permissions of the associated user or how carelessly other users handle their passwords.

Mistake 5: Integrating Insecure or Unknown Devices into Home Assistant

One of the biggest advantages of Home Assistant is that you can integrate devices from a wide variety of manufacturers. This makes your smart home extremely flexible, but it also comes with risks. Many users buy cheap smart home devices from unknown or questionable manufacturers without checking how secure they actually are.

Why is this a problem? Insecure devices can act like a Trojan horse: if they are poorly programmed or intentionally built with backdoors, hackers can use these devices as an entry point into your network. Some cheap devices even send data unencrypted to servers you can’t control. This allows attackers not only to spy on your private data but also to gain access to other devices on your network.

The solution? Buy devices from reputable manufacturers: make sure they provide regular firmware updates and support established standards like Zigbee, Z-Wave, or Matter.

Check data transmission: use local integrations that communicate directly with Home Assistant, rather than devices dependent on a cloud. Platforms like Zigbee2MQTT or ESPHome are ideal because they give you full control over your data. Block unnecessary traffic: with tools like a modern router or firewall, you can prevent devices from communicating with the internet without authorization.

My tip: Be cautious with extremely cheap devices or products that offer little documentation or support. Infrequent updates can also be a warning sign. If you’re unsure, check reviews or community discussions about a device before buying – you’ll find out whether there are known vulnerabilities, whether the device should be considered potentially problematic, and how often updates are released.

Conclusion

Avoiding these five security mistakes takes you a big step toward a more secure smart home. Which security measures are you already using? If you have additional tips, feel free to share them in the comments.

These 5 Automation Mistakes Every Home Assistant User Has Made – Before security is solid, automations need to be reliable
5 More Home Assistant Automation Mistakes – Are You Affected? – Newer pitfalls around trigger IDs, script modes, and AI-generated automations

Cybersecurity on Smart Home? Sure — But Secure!

DJI robot vacuum hacked: 7,000 strangers' living rooms via a master key

The pattern that keeps repeating

What happened this time

Why I keep talking about this

ESPHome After the Security Vulnerability: Irresponsible or Still Acceptable?

The Criticism of ESPHome: Justified or Overblown?

Structural Security Problems

Open Source: Curse or Blessing?

The Web Server Problem

“My Home Network Is Secure” — A False Sense of Safety

The LAN Illusion

Cross-Site Scripting Explained

Network Architecture: Theory vs. Practice

The VLAN Discussion

Practical Alternatives

An OTA Password Alone Is Not Enough

A False Sense of Security

The Swiss Cheese Model

Two Security Mindsets: Paranoia vs. Pragmatism

The Two Camps

The Facts: CVSS 8.1

Practical Recommendations for ESPHome Users

Immediate Actions

Advanced Security Measures

Long-Term Considerations

Conclusion: Security Is Never Black and White

ESPHome Security Vulnerability: Critical CVE Affects All ESP32 Devices – Live Hack Demonstrates the Problem

Practical Demonstration of the Security Vulnerability

ESPHome as a Popular DIY Solution

Live Demonstration of the Vulnerability

Who Is Affected? The Technical Details

ESPHome Version 2025.8.0 in Focus

ESP32 vs ESP8266: An Important Distinction

The Attack in Detail: How the Hack Works

The Authorization Header as the Entry Point

Potential Impact of the Vulnerability

Immediate Protective Measures: What You Need to Do NOW

Step 1: Update ESPHome

Step 2: Reflash All ESP32 Devices

Step 3: When in Doubt, Update

Assessing the Security Vulnerability

Trust in Authentication Mechanisms

Security on the Home Network

Lessons from the Security Vulnerability

Updates Are Not Optional

Defense in Depth

What You Will Learn in the Video

Your Role in Smart Home Security

Community Responsibility

A Proactive Security Stance

Conclusion: Security Requires Continuous Attention

The Perfect Home Assistant Password

What Makes a Good Password?

Sources:

The Problem with Password Policies

The Better Alternative: Passphrases

Specifics for Home Assistant

Conclusion

BSI Tips Clearly Explained: How to PROPERLY Secure Your Smart Home!

Introduction: Who Actually Reads the BSI?

1. Choose Strong Passwords

2. Keep Software Up to Date

3. Secure Your Router & Home Network

4. Buy Only from Trusted Sources

5. Use the Cloud Deliberately

Conclusion

SSH Access with YubiKey: How to Properly Secure Your Smart Home Server

Why Securing SSH in Your Smart Home Matters

What Is a YubiKey and Why Is It So Secure?

Where to Buy a YubiKey

The Three Ways to SSH Login – and Why YubiKey Is the Best Choice

Step by Step: Setting Up a YubiKey for SSH (Using Termius as an Example)

Important Notes & Tips

YubiKey in Everyday Use: Much More Than Just SSH

Conclusion

Robot Vacuums in the Smart Home - The Underestimated Data Hog

Introduction

The Ecovacs Incident of 2024

The Underestimated Problem of Profiling