Blog

Community Highlights: 11th edition

The 11th edition of the Home Assistant Community Highlights! Some interesting things popped up around our community, we thought was worth sharing.

From now on we will also highlight a cool blueprint that we encountered on the Blueprint exchange. Do you want to share something for the next edition? Information on how to share.

./Klaas

Blueprint of the week

Do you have an IP camera in Home Assistant instance and do you no longer want to miss who is at the door? Then you could try the camera snapshot Blueprint from vorion. You can also indicate to which device you would like to receive a notification with a photo. Try it out!

Solar weather station in birdhouse

Spring is approaching, so it’s a good time to start building a birdhouse 🐦, so why not immediately turn it into a weather station? With the manual from Martin, you can make your own weather (birdhouse) station that works with ESPHome.

Outdoor pathway light

Do you have a garden and do you want to create lighting along the paths? Maybe the garden lighting tutorial from KidA001 will give you some inspiration to get started with this.

PoE powered stack light

Looking for a creative way to display the status of your Home Assistant instance? For example: there is a new Core update, too much RAM is being used or your instance is no longer online? Plenty of options to bind to each color segment.

So let yourself be inspired with the PoE stack light from Karl and start building.

Got a tip for the next edition?

Have you seen (or made) something awesome, interesting, unique, amazing, inspirational, unusual or funny, using Home Assistant?

Click here to send us your Community Highlight suggestion.

Also, don’t forget to share your creations with us via Social Media:

See you next edition!


Home Assistant Companion Android App 2021 Q1 Releases

Hey everyone! It has been quite some time since we last provided an update on all that is new with the Android app. You may have already noticed that we had changed our release versioning to match that of Home Assistant Core. In fact, we will be attempting to align our releases more closely to Core releases. This way we can start supporting brand new features quickly, like the recently released My Home Assistant.

Security Check

As of Home Assistant Core 2021.1.5 some security vulnerabilities were fixed and it is very critical that all users update their instances to at least this version. The app will now do a check every 24 hours to ensure that the instance is at least on the release mentioned in the security alert. This check will be updated anytime a new security alert is issued.

Location Disabled Check

Certain app features that depend on the connected WiFi network (SSID), require the location permission to not only be granted to the app, but also have it enabled on the device. Without this, the app is unable to read the connected SSID, impacting usage of the Internal URL and any WiFi based sensors. Previously, the application would continue to function and silently fail while showing bad data for the sensors. Although the application still worked, certain parts were found to be buggy as a result of the silent failure.

Starting in android-2021.1, the app was showing a prompt before a user was able to interact with the Home Assistant frontend. We received feedback that users found this pop-up to be too intrusive. Starting android-2021.2, this pop-up has been converted to a persistent Android notification with its own notification channel. This allows the user to fully control how it is displayed on the device, including turning the channel off. The new channel name for this notification is Location disabled.

Screenshot of the location disabled notification Screenshot of the location disabled notification.

High Accuracy Mode

High accuracy mode is a new feature in android-2021.2 to allow users to get much faster location updates at the cost of additional battery drain. Background location updates typically get reported every 30 seconds to a few minutes. This new feature allows the user to specify the update interval that defaults to every 5 seconds. When enabled, a persistent notification will be displayed containing some location data. This feature is an enhancement to the Background Location sensor and you can access it from the sensor settings screen. You can also control this feature via a new notification command to enable/disable it on the fly. You can learn more about this feature in the documentation.

Screenshot of the high accuracy mode notification Screenshot of the high accuracy mode notification.

New Sensors

We have several new sensors to welcome to the app, all of which are disabled by default:

  • Active Notifications - The total count of active notifications visible to the user. Attributes will include all notification data.

  • App Data Sensors - Sensors to determine how much data the app has used since the last device reboot.

  • App Importance Sensor - A sensor to determine if the app is in the foreground, background or any other importance level.

  • App Memory Sensor - A sensor to determine how much memory is used by the app.

  • App Usage sensors - Sensors to help users troubleshoot if the app is considered inactive and the current app standby bucket.

  • BLE Transmitter Sensor - A sensor to control whether or not the app is actively sending out a beacon to provide support for services like Room Assistant.

  • Sleep Sensors - Sensors based on a new API provided by Google for devices running the full version. These sensors can be used to determine if the user is sleeping or not. The sensors update when we get data from Google so don’t expect them to update as soon as you fall asleep.

Notification Enhancements

There have been several additions and improvements to notifications:

  • Controlling Bluetooth
  • Broadcast intent command has been updated to allow the user to send intent extras
  • A command to launch activities, see below for more details
  • A new command to launch the application to any dashboard or view without needing to click on anything
  • A new actionable notification type REPLY which will add a reply button to the notification and the response will be sent back in the mobile_app_notification_action event
  • A command to control whether or not the BLE transmitter sensor is enabled

Intents and Activities

We have made several enhancements to further integrate Home Assistant into the Android ecosystem. First and foremost, the Last Update Trigger sensor was updated in 2021.2 to allow users to register for any intent that they want. Intents are a way for applications to communicate with another so they can send data back and forth. In fact the app itself uses many intents provided by Android, which is why certain sensors update faster than others. This means that users can now get data from apps that have an Intent API. You will need to know the intent action string that you wish to register for. Once the intent is received the application will fire an event to Home Assistant as android.intent_received along with the intent action and any extra data provided by the intent. Personally, I am using my Mi Band 5 with the Notify for Mi Band application that sends out intents for when I have fallen asleep, my step count or even my heart rate.

A new notification command was added to allow the user to launch an activity on their android device. This command requires a new permission to be granted in order to launch activities from the background, Draw Over Other Apps. The first attempt to use this notification will take the user to the permission page so the user can grant proper access. It is important to note that if the app is not considered active then this permission page will not show up due to missing permissions. Try to test this with the app open or you can grant the permission manually in your device settings. There are lots of use cases for this feature such as being able to launch Google Maps driving mode or even setting an alarm on your device.

Unfortunately, it is not so straightforward to determine which intents and activities are supported by applications. You really need to know what to look for and there is not much in terms of documentation here from applications. Try reaching out to the developers of your favorite apps to see if they have any intents to consume. We have provided several live examples in the companion documentation. I have also started a new thread in the forums to maintain a list of all that we can find here. I will be trying to keep the first post as up to date as possible.

Other Enhancements

We have also spent time making improvements to all other areas too:

  • Support for links from My Home Assistant
  • Power menu fixes and enhancements including support for vacuum entities
  • Haptic feedback support in the frontend
  • Overriding certain URL types to launch an application or an intent from the frontend
  • 3 finger swipe down gesture to trigger the Quick Bar

3 finger swipe gesture to trigger Quick Bar 3 finger swipe gesture to trigger Quick Bar

Big thank you to everyone involved. Please keep those bug reports and feature requests coming!

Changelogs


2021.3: My Oh My

Home Assistant Core 2021.3! And my oh My Home Assistant!

I’m super excited for this release! 13 Brand new integrations! Z-Wave JS is moving forward with an almost insane development speed; thank you all for jumping into it as well! 🎉

For me, this release is about two things. My Home Assistant and some super slick new UI features for everything related to service calls. What it is; is explained down below, but both are just a leap forward in: making things easier.

My oh my, enjoy this release!

../Frenck

My Home Assistant

Today we present you:

To be more helpful, we often want to link you to a specific page in your Home Assistant instance. However, each Home Assistant instance is hosted at a different URL. Yours might be http://homeassistant.local:8123, or something completely different.

My Home Assistant allows the documentation, forums, chat, weblogs, or any other website, to link you to specific pages in your Home Assistant instance, without knowing the URL of your instance.

The beauty of this? All the data is stored locally in your browser and My Home Assistant only redirects you to pages that provide you with information about your instance or help you start an action. Following a link from My Home Assistant will never make any changes to your instance.

Long story short! We can do a lot of helpful things with this, for example, the following buttons will bring your places on your instance:

But we can make buttons or links to a lot of screen, and even help you start a configuration for adding an integration, import a Blueprint, link to an add-on page, and a lot more!

Screen recording showing how My Home Assistant works Setting up a new integration on your instance, from the documentation using My Home Assistant.

Additionally, we have added a link/badge generator, so you can create your own links, for e.g., adding to a Blueprint on the Blueprint Exchange.

https://my.home-assistant.io/create-link/

Lastly, support for My Home Assistant with our apps is expected to be available soon! Android should be available via an update today and iOS will land soon.

New UI for service calls

This release adds a new user interface for doing service calls!

Screenshot of new call services in the Developer Tools Screenshot of the new UI in the services tab of the Developer Tools.

The UI may look familiar, as it uses the same UI parts as used by the recently introduced Blueprints. This new UI can be found in multiple places, that all have adjusted with a shiny new UI;

Not all service calls will show this slick new UI yet, as the integrations service descriptions need to be adjusted to with this. But, all common ones have been migrated already. Like doing YAML? Well, the good old YAML mode is available as well!

Suggested areas

Areas are becoming more and more useful in Home Assistant, and this release is helping out with putting them to use a bit!

Recently, it became possible to not only assign devices to areas, but entities as well. And now; Integrations can now suggest areas!

This means, if an integration knows about an area/room/location place it is in, it can suggest an area if the device isn’t in one yet. For example, the Hue integration can now suggest an area based on the Hue group it is in.

The following integration will now already suggest areas as of this release:

Fan speeds: 100%

Got an overhaul! Fans now work with speed percentages instead of the previous “low”, “mid”, “high”, “off”. This makes Home Assistant more interoperable with more fan brands and third-party assistants, like HomeKit.

Don’t worry, everything has been implemented with backward compatibility.

Screenshot of automation editor, showing the % fan speeds! Screenshot of automation editor, showing the % fan speeds!

Did you notice in the above screenshot, the automation editor is now wider? The layout has been adjusted to give you more screen real estate when creating automations.

Z-Wave JS update

Also this release the Z-Wave JS team has been very busy. Several new features have been added and many bugs squashed. Below you can read a summary.

We’ve introduced a protocol schema version in the Z-Wave JS server to allow older clients to connect and talk to a newer server. This prevents compatibility issues for the future!

Home Assistant Core 2021.3.0 will require Z-Wave JS server version 1.1.0. If you’re using the official Home Assistant add-on, the integration will automatically update the add-on if an older add-on and server version is encountered. Magic! If you’re not using the Home Assistant add-on to run the server you will need to update the server before updating Home Assistant Core.

You can now automate and change the configuration settings of your devices with the zwave_js.set_config_parameter service and create automations using the new zwave_js.refresh_value service, to update a device that doesn’t automatically refresh itself.

But there is more!

  • Garage doors (barrier) and similar covers can now be controlled.
  • Some heating valves and similar devices that can be set to multiple different values will now show up as number entities.

Flexible & variable automation triggers

We now support the use of variables and (limited) templates in automation triggers! This can be really useful, for example, when making Blueprints for MQTT based automations!

automation:
  trigger_variables:
    room: "living_room"
    node: "ac"
    value: "on"
  trigger:
    - platform: mqtt
      topic: "{{ room ~ '/switch/' ~ node}}"
      payload: "{{ 'state:' ~ value }}"

As shortly mentioned, the template syntax for trigger templates and variables are more limited; read more about this in the limited templates documentation.

Oversettelser i Supervisor panelet

Unless you are in the nordics, that title does not mean much, it’s Norwegian and translates to “Translations in the Supervisor panel”. Yes! We have now added translations in the Supervisor panel. 🎉

If you want to help translate that into your native language, join the frontend team on Localize.

But we did not stop there! Now add-ons can provide translation files for configuration options and network descriptions that are shown in the frontend.

Not enough? You want more? Okay then!

  • The communication between the frontend and the backend now relies on WebSockets, which allows the Supervisor to notify the frontend about changes.
  • For add-on authors, you can now use YAML instead of JSON for your add-ons configuration files.
  • New update dialog that will ask you to take a snapshot before you upgrade core/add-ons.
  • Better hardware support to cover more devices.
  • Passwords and secrets in add-on configurations are checked against known breaches with https://haveibeenpwned.com/

Screenshot of the new update dialog that asks for creating a snapshot Screenshot of the new update dialog that asks for creating a snapshot.

Other noteworthy changes

There is much more juice in this release; here are some of the other noteworthy changes this release:

  • Shelly now supports battery-operated devices, thanks to @thecode!
  • You can now use the color homeassistant as a color_name in your light service calls, just because we can 😎
  • @emontnemery, added support for using alias to virtually any step in scripts/automations. This is really helpful when debugging and documents your sequences as well, as it annotates each step.
  • @emontnemery didn’t stop there, he also added support for enabling/disabling integration configuration entries! So you can, e.g., temporarily disable a whole integration.

Screenshot of disabling an integration entry Screenshot of disabling an integration entry.

  • Thanks to @Nixon506E, you can now set a transition time when activate Hue scenes.
  • In the States tab of the Developer Tools, there is now a small copy to clipboard button with each entity. Thanks, @KTibow!
  • @postlund added support for repeat, shuffle and volume stepping to the media player integration of the Apple TV integration.
  • @larena1 reduced the amount of rendering history charts cause, so that will speed things up! Thanks!
  • We now have a select selector! Great for adding dropdown choices to Blueprints, thanks @EPMatt!
  • @raman325 extended the Universal Media Player with a lot of new capabilities.
  • When adding a new integration, the UI will now show discovered devices for that integration as well! Thanks, @bramkragten!
  • We updated CodeMirror to the latest version, which provided the YAML code editors in our UI. It should now be better, faster and has improved support for mobile devices.

New Integrations

We welcome the following new integrations this release:

New Platforms

The following integration got support for a new platform:

Integrations now available to set up from the UI

The following integrations are now available via the Home Assistant UI:

Release 2021.3.1 - March 5

Release 2021.3.2 - March 5

Release 2021.3.3 - March 8

Release 2021.3.4 - March 12

If you need help…

…don’t hesitate to use our very active forums or join us for a little chat.

Experiencing issues introduced by this release? Please report them in our issue tracker. Make sure to fill in all fields of the issue template.

Read on →

Community Highlights: 10th edition

Oh yeah! This is already the 10th edition of the Home Assistant Community Highlights! Some interesting things popped up around our community, we thought was worth sharing.

Do you want to share something for the next edition? Information on how to share.

./Klaas

Apexcharts Card

Would you like to map data in graphs? Then you should definitely try the new ApexCharts card from RomRider, the graphs in this card are based on the ApexChartsJS and that looks pretty cool.


What you can make with ApexCharts card

If you would like to stay informed of the developments, you could also follow this topic on our forum.

Home Assistant switch panel

Last week, amauryverschooren shared his own version of a HA Switch Plate, so that you can operate your Home Assistant via a physically small touch panel, which you can place in a specific room, for example.


The fysical switch panel

Lovelace dashboard inspiration

Still looking for some new inspiration for your Lovelace dashboards? Last week we came across some beautiful Lovelace dashboards on our Home Assistant subreddit page of swake88. Who knows, there might be something fun for you to make.

You can find here the related Reddit topic.

Home Assistant - Feb 2021

Which card in Lovelace are you most proud of? Share it with us!

Hidden garage

Do you have a vacuum cleaning robot but you don’t know where to place the charging station? Maybe you can hide these behind a plinth, like what ialex87 did.

My vacuum hidden garage under the kitchen from r/homeassistant

Got a tip for the next edition?

Have you seen (or made) something awesome, interesting, unique, amazing, inspirational, unusual or funny, using Home Assistant?

Click here to send us your Community Highlight suggestion.

Also, don’t forget to share your creations with us via Social Media:

See you next edition!


Community Highlights: 9th edition

The 9th edition of the Home Assistant Community Highlights! Some interesting things popped up around our community, we thought was worth sharing.

But before we move on to the highlights of this week, let’s start with a little hooray because yesterday both Pascal Vizeli and I had their birthday!

Hip hip hooray! 🎂🥳

./Klaas

O and would you like to keep track of your birthdays in Home Assistant? Then try this custom integration of Miicroo.

Help each other with any question

Last week, we found a burning question on the Home Assistant subreddit forum from Horror_Fondant_7165. Some paint had gotten on his curtain and he just can’t get the paint stain out of his curtain.

Maybe we can give him some community love and help with his question? 😄

I accidentally got some paint on a curtain in my house, it’s oil paint, how do I get it out without taking my curtain down? from r/homeassistant

DSMR Reader add-on

Good news for those who would like to get started with DSMR Reader! sanderdw has made an add-on so that you can easily use it with Home Assistant. Please note, the add-on is still in an Alpha state.

Screenshot from the DSMR Reader add-on

Laundry card

Would you like to display the state of your smart washing machine (such as an LG ThinQ) in a fun way in Lovelace? Perhaps the example below could inspire you. You can find the Lovelace YAML code here.

Took some trickery but my laundry card is done from r/homeassistant

Got a tip for the next edition?

Have you seen (or made) something awesome, interesting, unique, amazing, inspirational, unusual or funny, using Home Assistant?

Click here to send us your Community Highlight suggestion.

Also, don’t forget to share your creations with us via Social Media:

See you next edition!


Community Highlights: 8th edition

The 8th edition of the Home Assistant Community Highlights! Some interesting things popped up around our community, we thought was worth sharing. But first of all, I would like to introduce myself and say Hello! Because it’s no longer Frenck who writes the community highlights, but a new person.

My name is Klaas Schoute, 25 years old (almost 26 🥳) and living in the Netherlands. Currently, I’m studying interaction technology at the university of applied sciences in Leiden and from this week until the summer I’m doing an internship at Nabu Casa.

In the coming period, I will be working on energy measurements: what ways there are to measure energy, which insights you can gain from it and how you could optimize consumption.

./Klaas

Control your home from a StreamDeck

Especially the streamers “among us” will really enjoy this! There is now a way to operate your Home Assistant using the buttons on a StreamDeck but also display certain sensor values.

How cool is this!

Screenshot from the StreamDeck software

ESPHome update

Quite recently ESPHome has received a new update (1.16.0), with a lot of new hardware support. From now on, you will also be able to expect more frequent updates, as they have adopted a monthly release cycle.

A new release update of ESPHome Click on the picture to see the entire changelog.

Mechanical sculptures

jessecakeindustries shared a nice vintage project on the Home Assistant subreddit and wonders whether there might be a market for these kinds of products. Quite a funny device to remind yourself in certain situations 🙂

Who else would want one in the house?

Is there a market for bespoke home automation components? You may recall I built this interface to our home that speaks, rings, and lights regular alerts. It has tasmota at its heart so is hardware based and easily interfaced with Home Assistant. Is there a market for me to make this kind of thing? from r/homeassistant

Got a tip for the next edition?

Have you seen (or made) something awesome, interesting, unique, amazing, inspirational, unusual or funny, using Home Assistant?

Click here to send us your Community Highlight suggestion.

Also, don’t forget to share your creations with us via Social Media:

See you next edition!


2021.2: Z-Wave... JS!

Dear reader,

Usually, I try to write a small introduction that recaps the release, while putting a bit of my view in it as well. This release, however, I’m struggling to find the right words…

So there is DHCP discovery added, which is super nice! And some really helpful new Blueprint selectors, tons of UI tweaks! But honestly…

Have you heard about Z-Wave JS?!

Well, out of nowhere, a huge bunch of developers came together this month and spat out a completely new, full-blown, fast, slick, sexy, complete, Z-Wave integration! 🤯

So, thanks guys! An achievement beyond words, really; You all rock ❤️

Enjoy the release!

../Frenck

Erik Montnemery joins Nabu Casa

Today, we are proud to announce that Erik Montnemery has joined Nabu Casa to work full-time on the Home Assistant project.

Some of you might know Erik better by his GitHub handle: @emontnemery, or by one of the integrations he works on: Cast, Tasmota and MQTT!

We are excited to have you aboard Erik! Welcome!

Python 3.7 dropped, Python 3.9 supported

Support for Python 3.7 has been removed, raising the minimum Python version you need to run Home Assistant Core to Python 3.8. Python 3.7 was already deprecated since Home Assistant Core 0.116.0.

This is only a concern if you are running Home Assistant Core directly on Python. If you run Home Assistant OS, Supervised or Container, you don’t have to worry about this, as the Home Assistant project takes care of this for you.

However, say hello to: Python 3.9. As of this release, Python 3.9 is fully supported and tested.

Z-Wave JS

This release brings you the Z-Wave JS integration!

A brand new integration for Z-Wave in Home Assistant, full-blown, created in just a month by a bunch of awesome people!

More and more people were concerned about the future of Z-Wave with Home Assistant; meanwhile the Z-Wave JS project was rapidly growing and gathering a large community around it. Long story short: Home Assistant and Z-Wave JS teamed up! And a lot of contributors jumped on the train!

This new integration is based on the same base principles as the OpenZWave integration: It is decoupled from Home Assistant. Instead of MQTT, the Z-Wave JS integration uses a WebSocket connection to a Z-Wave JS server.

This means, in order to use this new integration, you’ll need to run the Z-Wave JS server that sits in between your Z-Wave USB stick and Home Assistant. There are multiple options available for running the Z-Wave JS server, via Docker or manually, and there is also a Home Assistant add-on available.

If you run an installation with a Supervisor, the add-on will even be set up automatically for you.

Current state of Z-Wave JS

The new Z-Wave JS integration is amazingly complete. It supports the following platforms from the start: Binary Sensors, Climate, Covers, Fans, Lights, Locks, Sensors and Switches. Scenes are also supported!

Besides that, it is just blazing fast! ⚡️

While fast-growing, it is a new integration and there is still a lot in progress. Of course, no doubt, there will be bugs. Bugs that will be squashed and handled. Please, be sure to report issues in our issue tracker.

What is left? See our Z-Wave JS integration roadmap for those details.

Thanks to all

Thanks to all of the following people, the Z-Wave JS integration was able to see the light in just a month!

Yes, that is an awful lot of people! Amazing how this all came together and incredible work!

What about the old Z-Wave integration?

The old zwave integration has been based on OpenZWave 1.4, which is really old and does not get any upstream updates anymore. This also means that it is hard for us to keep it in a working state for the upcoming future.

Therefore, as of today, the old Z-Wave is marked as being deprecated.

If one is starting with Home Assistant and Z-Wave, the zwave integration is no longer recommended. For existing users, we recommend migrating to the Z-Wave JS integration. However, don’t panic, zwave is deprecated but not removed yet. We currently have no plans for removing it, unless it can no longer be made to be build for the latest Python

What about the OpenZWave beta integration?

Over a year ago, Home Assistant started working on the OpenZWave integration. Based on OpenZWave 1.6 and the OZW daemon, using MQTT as a transport. This project was promising and something we put a lot of time and effort in.

Unfortunately, the OpenZWave project itself became a bit stale as most of the upstream development is done by a single person: Justin Hammond (Fishwaldo).

Quite a few people were worried about the lesser activity on OpenZWave. Justin has responded on our forum on what is happening in his life and it is sad to read how many people have personally impacted him negatively.

Is OZW Dead - No. I’ll tinker with it, I’ll make changes as time allows, but it will be at my own pace, to scratch my own itches now.

Let us be straight here: OpenZWave is an 11 year-old project, which is used by an incredible amount of systems (besides Home Assistant) in this world, with an even greater track record. So:

Thank you Justin for all you have done in all those years!

The team that was working on the OZW integration have shifted their focus to the new Z-Wave JS integration. We don’t think the OpenZWave integration will make it out of beta. We recommend Home Assistant users migrate to the Z-Wave JS integration.

No more badges in auto generated dashboards

If you are using an auto generated Lovelace dashboard, you probably always had a ton of badges on the top of your dashboard. If there are just a few it works, but as more start to appear, it soon becomes cluttered.

Screenshot of the old badges clutter Screenshot of the old badges clutter that is now gone!

We decided to no longer use badges in the auto generated Lovelace dashboards. Instead, every entity is neatly grouped by area or domain in an entities card.

If you liked the badges, you can always take control of your dashboard and add them.

DHCP Discovery

Home Assistant now listens on your network for devices that request a IP address. Based on those intercepted messages, Home Assistant can now discover integrations for you to use with the discovered devices.

This really powerful addition has been made by @bdraco, and many integrations have quickly enriched their integrations to use this new discovery method.

So as of this release, your Home Assistant might actually find some new devices it can use! Thanks @bdraco!

New Blueprint selectors

For our Blueprint fanatics, some new goodies to the Blueprint has been added this release. Thanks to @thomasloven, we now have two new selectors:

Screenshot of the new text selector Screenshot of the text selectors.

  • An object selector: Shows an YAML editor in the UI.
  • An text selector: Show a single line text input or text area for longer messages in the UI.
  • Blueprint descriptions now support Markdown.

Screenshot of new object selector Screenshot of the object selector, giving a YAML input field.

Cloud text-to-speech settings

Nabu Casa has been offering an amazing text-to-speech service for a while now, yet it was hard to find, and even harder to setup and use.

To fix this, a new settings UI has been added where you can select the default language and gender to use for the text-to-speech service, so you no longer have to attach that to every service call. You can find it in the Home Assistant Cloud panel.

Screenshot of Cloud TTS options Screenshot of Cloud TTS options.

We also added the ability to try the chosen settings right in your browser. Click the try button, enter some text and click play to hear the text being spoken.

Other noteworthy changes

This release has no big new features, but we do have quite a bit of tweaks that are definitely noteworthy to mention.

  • We now give you a clearer reason why your Lovelace card configuration is not supported in the UI editor thanks to @spacegaier.
  • Shelly RGB devices are now fully supported!! Nice @chemelli74!
  • @dmulcahey Added filtering and zoom to node to the ZHA network visualization. Very useful to find you Zigbee network issues.
  • The deCONZ integration added support for logging basic event in the logbook. Nicely done @Kane610.
  • The Tasmota integration is out of beta! Awesome @emontnemery!
  • @spacegaier Added support for themes on the media card.
  • The items in the shopping list card can be ordered using drag & drop! Thanks @ShaneQi!
  • Newly ignored discovered integrations now show a name of the item ignored. This makes it easier to undo that later.
  • @balloob made a new framework that can detect significant changes in entities, allowing to reduce the amount of update we need to send to both Google Assistant and Alexa!
  • Setting up Lutron Caseta was quite a pain, but not anymore! @bdraco added one-touch pairing to the integration set up!
  • If you use light profiles, @Adminiuga is your man. All parameters of a light profile can now be optional and default profiles are always applied.
  • Dropdown helpers (input_select) got some new service capabilities added by @l-mb. They can now cycle through the options, and service calls to jump to the first or last item have been added as well.
  • If you have a Foscam camera, @joe248 added a service to move to PTZ presets.

New Integrations

We welcome the following new integrations this release:

New Platforms

The following integration got support for a new platform:

Integrations now available to set up from the UI

The following integrations are now available via the Home Assistant UI:

Release 2021.2.1 - February 5

Release 2021.2.2 - February 9

Release 2021.2.3 - February 11

If you need help…

…don’t hesitate to use our very active forums or join us for a little chat.

Experiencing issues introduced by this release? Please report them in our issue tracker. Make sure to fill in all fields of the issue template.

Read on →

Security Disclosure 2: vulnerabilities in custom integrations HACS, Font Awesome and others

Attention please read

This blog looks pretty much the same as the security disclosure of yesterday. However, it is a new disclosure, affecting a similar issue. We want to make sure the information is complete.

This is a disclosure about security vulnerabilities found in 3rd party custom integrations. Custom integrations are not created and/or maintained by Home Assistant. Users install them at their own risk. We want to inform you about these because the found vulnerabilities impact the security of your Home Assistant instance.

If you do not use custom integrations, your Home Assistant is not vulnerable. If you do use custom integrations, your instance might be vulnerable if you use one of the impacted integrations.

TL;DR:

  • Multiple custom integrations were found that allowed an attacker to steal any file without logging in. Previously implemented fixes were not sufficient.
  • Upgrade Home Assistant as soon as possible. Home Assistant Core 2021.1.5 added mitigation to prevent the issue from happening.
  • Upgrade the custom integrations to a fixed version or remove them from your installation.
  • If you have used any of the custom integrations with a known vulnerability, we recommend that you update your credentials.

On the morning of Saturday, January 23 2021, the Home Assistant project was informed by security researcher Nathan Brady about a security vulnerability. It provided more insight on the implementation of the fixes done for the previous security vulnerability. We learned that not all custom integrations that implement security patches are sufficient to deflect the problem.

We verified all fixes made to custom integrations that were found to be vulnerable in the previous security disclosure. The conclusion is that some custom integrations are still vulnerable to a directory traversal attack while not being authenticated with Home Assistant. It allows an attacker to access any file without having to log in. This access includes any credentials that you might have stored to allow Home Assistant to access other services.

We have responsibly disclosed these issues to the authors of those custom integrations and worked with them on fixing their integrations.

The following have been found:

Please make sure to also read the previous security disclosure. While this specific security vulnerability might not impact them, you might be impacted by the previously found vulnerability.

Besides working with the custom integration authors, the following actions have been taken to help protect users:

  • Home Assistant released Home Assistant Core 2021.1.5 with extra protection to stop directory traversal attacks before reaching the vulnerable code. This prevents the abuse of all found vulnerabilities.
  • This security disclosure is shared widely and linked from banners on the Home Assistant website and forums.
  • The Home Assistant Supervisor will notify the user when a possible insecure installation is found that uses custom integrations.
  • The Android & iOS Apps are updated to notify the user if their Home Assistant instance is potentially insecure.
  • Nabu Casa updated their feature to limit remote access via Home Assistant Cloud and block instances that run an insecure Home Assistant Core version.
  • An alert has been placed at alerts.home-assistant.io.

Alright, so here we are, a day after our first major security disclosure, disclosing a second one. Surely it is not fun, but we are thankful it got reported responsibly to us. This time we were able to move quickly and got everything updated pretty fast. Therefore, we decided to disclose all information immediately.

I want to emphasize that it’s not allowed to personally harass/attack/insult the developers of these custom integrations. That would be a violation of our Code of Conduct and we will enforce this.

Paulus

FAQ


Has this vulnerability been abused?

We don’t know.


Disclosure: security vulnerabilities in custom integrations HACS, Dwains Dashboard, Font Awesome and others

Attention please read

This is a disclosure about security vulnerabilities found in 3rd party custom integrations. Custom integrations are not created and/or maintained by Home Assistant. Users install them at their own risk. We want to inform you about these because the found vulnerabilities impact the security of your Home Assistant instance.

If you do not use custom integrations, your Home Assistant is not vulnerable. If you do use custom integrations, your instance might be vulnerable if you use one of the impacted integrations.

TL;DR:

  • Multiple custom integrations were found that allowed an attacker to steal any file without logging in.
  • Upgrade Home Assistant as soon as possible. Home Assistant Core 2021.1.3 added extra protections that stops attackers from reaching the vulnerable code in custom integrations.
  • Upgrade the custom integrations to a fixed version or remove them from your installation.
  • If you have used any of the custom integrations with a known vulnerability, we recommend that you update your credentials.

On the morning of Thursday, January 14 2021, the custom integration Home Assistant Community Store (HACS) project was informed by security researcher Oriel Goel about a security vulnerability. It was vulnerable to a directory traversal attack via an unauthenticated webview, allowing an attacker to access any file that is accessible by the Home Assistant process. This access includes any credential that you might have stored to allow Home Assistant to access other services.

We started to research what other custom integrations could be impacted and found several more. We have responsibly disclosed these issues to the authors of those custom integrations and worked with them on fixing their integrations.

The following have been found:

We haven’t been able to get in touch with the authors of the following integration. You should remove this custom integration as soon as possible:

The following integration was discovered to be vulnerable to a variant of the above security vulnerability. It allows for a directory traversal attack but requires the attacker to be authenticated. We have been unable to reach the author:

If you have used any of these custom integrations, we recommend that you update your credentials.

Besides working with the custom integration authors, the following actions have been taken to help protect users:

  • Home Assistant released Home Assistant Core 2021.1.3 with extra protection to stop directory traversal attacks before reaching the vulnerable code. This prevents the abuse of all found vulnerabilities.
  • Home Assistant published a security bulletin strongly urging people to upgrade their Home Assistant instance. This bulletin has been shared widely and linked from banners on the Home Assistant website and forums.
  • The Home Assistant Supervisor will notify the user when a possible insecure installation is found that uses custom integrations.
  • The Home Assistant Companion apps for Android and iOS have been updated to notify the user if their Home Assistant instance is potentially insecure.
  • Nabu Casa emailed the security bulletin to all Home Assistant Cloud subscribers and users on trial.
  • Nabu Casa activated their feature to limit remote access via Home Assistant Cloud and block instances that run an insecure version of Home Assistant.

Look. It sucks that this happened. The custom integrations we have listed are all open source, maintained by volunteers in their spare time. They often work alone on this and that’s why it’s more likely for a bug to go undetected. But more eyes doesn’t guarantee bug-free software either. From time to time, such things will happen to every piece of software.

I want to emphasize that it’s not allowed to personally harass/attack/insult the developers of these custom integrations. That would be a violation of our Code of Conduct and we will enforce this.

As Home Assistant, we could have done more to prepare for this scenario. We are currently exploring adding new opt-in features for users to be notified and allow Home Assistant to take action preemptively to patch vulnerabilities.

Paulus

Edit: 23 January 2021: Additional security vulnerabilities disclosed in this second disclosure post.

FAQ


Why didn’t you release the names of the custom integrations in the first security bulletin?

When we discovered the issues, we disclosed them to the authors of the affected custom integrations and gave them time to fix the problem and release a new version. This is a good and common practice when disclosing security vulnerabilities.

Since some of these custom integrations are quite popular, we also decided to publish a security bulletin to urge Home Assistant users to upgrade their instances. We made sure to include enough information for users to resolve the vulnerability.

Has this vulnerability been abused?

We don’t know.


Security Bulletin

Attention please read

It has come to our attention that certain custom integrations have security issues and could potentially leak sensitive information. Home Assistant is not responsible for custom integrations and you use custom integrations at your own risk.

The latest version of Home Assistant Core has extra protection to help secure your instance.

Update your Home Assistant instance as soon as possible.

To update Home Assistant, click on the Supervisor menu item to see if an update to 2021.1.3 (or newer) is available. If you don’t have the Supervisor menu item, follow the update instructions. Home Assistant 2021.1.3 is still compatible with Python 3.7 and an upgrade is possible.

If you cannot update Home Assistant at this time, we strongly advise you to disable all custom integrations. You can disable your custom integrations by renaming the custom_components folder inside your Home Assistant configuration folder to something else. Please be sure to restart Home Assistant after you’ve renamed it.

If you need additional help with upgrading, we are happy to help you out on our Discord chat server.

We will provide more details about impacted custom integrations in the future.

Paulus

Edit: 15 January 2021: Blog post updated to state 2021.1.3, which added some additional checks.

Edit: 16 January 2021: Blog post updated to remove supervisor reload instructions, as latest version is now generally available. Added note that Python 3.7 is still supported.

Edit: 22 January 2021: More details are now available in the disclosure post.

Edit: 23 January 2021: Additional security vulnerabilities disclosed in this second disclosure post.