Analysis

Just how secure is Home Assistant? (Hint: very)

On our most recent IoT Podcast, a listener with the same name as me called in asking about Home Assistant security. Specifically, he wanted to know how secure I thought it was and I’m super glad he asked. Why? Because as I’ve continued my DIY journey to using Home Assistant in my home, I really didn’t dig into the security aspect of it until now.

By the way, if you’ve missed the steps I’ve taken so far with Home Assistant, here’s what I’ve been up to:

So in terms of security, there are two aspects to consider. First is data privacy and second is the overall security implementation.

The first, data privacy, is one of the main reasons people opt for a DIY Home Assistant hub over one bought off of a retail shelf. Since the entire system runs locally on a server in your smart home, there is far less of your personal data going out to the cloud. So Home Assistant gets a big thumbs up here.

On the implementation side, I had to dig into the official documentation for details. And when I did, I really liked what I saw.

For starters, there’s no remote access enabled by default to Home Assistant. That, along with other functions I’ll hit in a minute, makes it more difficult for someone on the outside to get into your system.

You can enable remote access through Nabu Casa, the official Home Assistant cloud provider, for a $5 monthly fee. But, let’s say you don’t trust that option for some reason. You can also expose your own remote access via TLS/SSH over a VPN, an SSH client or the Tor browser. Essentially, you can set up Home Assistant multiple ways, depending on your level of technical expertise and comfort level.

At the moment, I’m testing the official Home Assistant mobile app with the $5 fee, which also includes both Alexa and Google Assistant integration. Yes, that’s the easiest method; I simply didn’t want to deal with router configuration and/or SSH keys. And I feel comfortable from a security perspective with this choice.

I should also note that Home Assistant does provide a 2FA (two-factor authentication) method that works with most authenticator apps. That’s another win on the security front, as is the fact that Home Assistant is an open-source project. If you know what you’re looking at, you can review the code for any potential security flaws. And Home Assistant does rate all add-ons from a security perspective, which is a nice touch.

To hear Kevin’s question in full, as well as our discussion on the topic, tune in to the IoT Podcast below.

Kevin C. Tofel
