Hello, community!
I am experimenting with Rhasspy and so far I do like the thing. But there is a huge security leak in the API at the moment. Let me explain it step by step:
- I installed Rhasspy on my HA server under hassos as an add-on. O.K., how to pass commands? I was browsing the community and came across the mobile app, which is pretty nice, by the way, thanks to that guy who developed it.
- I installed the Rhasspy mobile app and set it up - now I can pass commands to Rhasspy and train it - great!
- I studied the thing for 3 days, some issues of course… Then I decided to open the ports on the router to pass commands to Rhasspy from the internet - works, great! I can voice-command from everywhere… But wait, what about the credentials? Where did I put a password or a token in the app? Nowhere! I started digging and understood that RHASSPY REQUIRES NO CREDENTIALS TO ACCESS ITS SERVICES! So, anyone who knows the port number may install the APP and send commands to my… Home Assistant! What could these be, who knows… maybe you would want to give voice commands to your security system? Why not…
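Added example, not part of the original post and not Rhasspy's own code: one way to close the gap described above is a small gate that rejects any request lacking a bearer token before forwarding it to the unauthenticated API. The upstream address, listen address and port, token value and the names `is_authorized` and `GateHandler` are assumptions made for illustration.

```python
import hmac
import http.server
import urllib.error
import urllib.request

UPSTREAM = "http://127.0.0.1:12101"        # assumption: local address of the Rhasspy web API
API_TOKEN = "change-me-constructed-token"  # constructed sample; load a real secret in practice

def is_authorized(headers, token=API_TOKEN):
    """Return True only if the request carries 'Authorization: Bearer <token>'."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return False
    # Constant-time comparison so response timing does not leak token bytes.
    return hmac.compare_digest(presented.strip().encode(), token.encode())

class GateHandler(http.server.BaseHTTPRequestHandler):
    def _handle(self):
        if not is_authorized(self.headers):
            # Refuse before anything reaches the voice assistant.
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(UPSTREAM + self.path, data=body, method=self.command)
        if self.headers.get("Content-Type"):
            req.add_header("Content-Type", self.headers["Content-Type"])
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, payload = resp.status, resp.read()
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except urllib.error.HTTPError as err:   # pass upstream error codes through
            status, payload = err.code, err.read()
            ctype = err.headers.get("Content-Type", "text/plain")
        except urllib.error.URLError:
            status, payload, ctype = 502, b"upstream unreachable", "text/plain"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _handle

if __name__ == "__main__":
    # Assumption: the router forwards to this port, never to the upstream port.
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), GateHandler).serve_forever()
```

This gate speaks plain HTTP, so the token is only protected in transit if TLS is terminated in front of it, and the client must be able to send the `Authorization` header.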