Bthome encryption downgrade (home-assistant#159646)

Co-authored-by: J. Nick Koston <nick@koston.org>
Co-authored-by: J. Nick Koston <nick@home-assistant.io>

Author: dafal

homeassistant/components/bthome/__init__.py

@@ -15,7 +15,7 @@
 )
 from homeassistant.const import Platform
 from homeassistant.core import HomeAssistant
-from homeassistant.helpers import device_registry as dr
+from homeassistant.helpers import device_registry as dr, issue_registry as ir
 from homeassistant.helpers.device_registry import CONNECTION_BLUETOOTH, DeviceRegistry
 from homeassistant.helpers.dispatcher import async_dispatcher_send
 from homeassistant.util.signal_type import SignalType
@@ -36,6 +36,45 @@
 _LOGGER = logging.getLogger(__name__)
 
 
+def get_encryption_issue_id(entry_id: str) -> str:
+    """Return the repair issue id for encryption removal."""
+    return f"encryption_removed_{entry_id}"
+
+
+def _async_create_encryption_downgrade_issue(
+    hass: HomeAssistant, entry: BTHomeConfigEntry, issue_id: str
+) -> None:
+    """Create a repair issue for encryption downgrade."""
+    _LOGGER.warning(
+        "BTHome device %s was previously encrypted but is now sending "
+        "unencrypted data. This could be a spoofing attempt. "
+        "Data will be ignored until resolved",
+        entry.title,
+    )
+    ir.async_create_issue(
+        hass,
+        DOMAIN,
+        issue_id,
+        is_fixable=True,
+        is_persistent=True,
+        severity=ir.IssueSeverity.WARNING,
+        translation_key="encryption_removed",
+        translation_placeholders={"name": entry.title},
+        data={"entry_id": entry.entry_id},
+    )
+
+
+def _async_clear_encryption_downgrade_issue(
+    hass: HomeAssistant, entry: BTHomeConfigEntry, issue_id: str
+) -> None:
+    """Clear the encryption downgrade repair issue."""
+    ir.async_delete_issue(hass, DOMAIN, issue_id)
+    _LOGGER.info(
+        "BTHome device %s is now sending encrypted data again. Resuming normal operation",
+        entry.title,
+    )
+
+
 def process_service_info(
     hass: HomeAssistant,
     entry: BTHomeConfigEntry,
@@ -45,7 +84,26 @@ def process_service_info(
     """Process a BluetoothServiceInfoBleak, running side effects and returning sensor data."""
     coordinator = entry.runtime_data
     data = coordinator.device_data
+    issue_registry = ir.async_get(hass)
+    issue_id = get_encryption_issue_id(entry.entry_id)
     update = data.update(service_info)
+
+    # Block unencrypted payloads for devices that were previously verified as encrypted.
+    if entry.data.get(CONF_BINDKEY) and data.downgrade_detected:
+        if not coordinator.encryption_downgrade_logged:
+            coordinator.encryption_downgrade_logged = True
+            if not issue_registry.async_get_issue(DOMAIN, issue_id):
+                _async_create_encryption_downgrade_issue(hass, entry, issue_id)
+        return SensorUpdate(title=None, devices={})
+
+    if data.bindkey_verified and (
+        (existing_issue := issue_registry.async_get_issue(DOMAIN, issue_id))
+        or coordinator.encryption_downgrade_logged
+    ):
+        coordinator.encryption_downgrade_logged = False
+        if existing_issue:
+            _async_clear_encryption_downgrade_issue(hass, entry, issue_id)
+
     discovered_event_classes = coordinator.discovered_event_classes
     if entry.data.get(CONF_SLEEPY_DEVICE, False) != data.sleepy_device:
         hass.config_entries.async_update_entry(
@@ -150,3 +208,8 @@ async def async_setup_entry(hass: HomeAssistant, entry: BTHomeConfigEntry) -> bo
 async def async_unload_entry(hass: HomeAssistant, entry: BTHomeConfigEntry) -> bool:
     """Unload a config entry."""
     return await hass.config_entries.async_unload_platforms(entry, PLATFORMS)
+
+
+async def async_remove_entry(hass: HomeAssistant, entry: BTHomeConfigEntry) -> None:
+    """Remove a config entry."""
+    ir.async_delete_issue(hass, DOMAIN, get_encryption_issue_id(entry.entry_id))

homeassistant/components/bthome/coordinator.py

@@ -41,6 +41,8 @@ def __init__(
         self.discovered_event_classes = discovered_event_classes
         self.device_data = device_data
         self.entry = entry
+        # Track whether we've already logged the encryption downgrade this session.
+        self.encryption_downgrade_logged = False
 
     @property
     def sleepy_device(self) -> bool:

homeassistant/components/bthome/manifest.json

@@ -20,5 +20,5 @@
   "dependencies": ["bluetooth_adapters"],
   "documentation": "https://www.home-assistant.io/integrations/bthome",
   "iot_class": "local_push",
-  "requirements": ["bthome-ble==3.16.0"]
+  "requirements": ["bthome-ble==3.17.0"]
 }

homeassistant/components/bthome/repairs.py

@@ -0,0 +1,65 @@
+"""Repairs for the BTHome integration."""
+
+from __future__ import annotations
+
+from typing import Any
+
+from homeassistant import data_entry_flow
+from homeassistant.components.repairs import RepairsFlow
+from homeassistant.core import HomeAssistant
+from homeassistant.helpers import issue_registry as ir
+
+from . import get_encryption_issue_id
+from .const import CONF_BINDKEY, DOMAIN
+
+
+class EncryptionRemovedRepairFlow(RepairsFlow):
+    """Handle the repair flow when encryption is disabled."""
+
+    def __init__(self, entry_id: str, entry_title: str) -> None:
+        """Initialize the repair flow."""
+        self._entry_id = entry_id
+        self._entry_title = entry_title
+
+    async def async_step_init(
+        self, user_input: dict[str, Any] | None = None
+    ) -> data_entry_flow.FlowResult:
+        """Handle the initial step of the repair flow."""
+        return await self.async_step_confirm()
+
+    async def async_step_confirm(
+        self, user_input: dict[str, Any] | None = None
+    ) -> data_entry_flow.FlowResult:
+        """Handle confirmation, remove the bindkey, and reload the entry."""
+        if user_input is not None:
+            entry = self.hass.config_entries.async_get_entry(self._entry_id)
+            if not entry:
+                return self.async_abort(reason="entry_removed")
+
+            new_data = {k: v for k, v in entry.data.items() if k != CONF_BINDKEY}
+            self.hass.config_entries.async_update_entry(entry, data=new_data)
+
+            ir.async_delete_issue(
+                self.hass, DOMAIN, get_encryption_issue_id(self._entry_id)
+            )
+
+            await self.hass.config_entries.async_reload(self._entry_id)
+
+            return self.async_create_entry(data={})
+
+        return self.async_show_form(
+            step_id="confirm",
+            description_placeholders={"name": self._entry_title},
+        )
+
+
+async def async_create_fix_flow(
+    hass: HomeAssistant, issue_id: str, data: dict[str, Any] | None
+) -> RepairsFlow:
+    """Create the repair flow for removing the encryption key."""
+    if not data or "entry_id" not in data:
+        raise ValueError("Missing data for repair flow")
+    entry_id = data["entry_id"]
+    entry = hass.config_entries.async_get_entry(entry_id)
+    entry_title = entry.title if entry else "Unknown device"
+    return EncryptionRemovedRepairFlow(entry_id, entry_title)

homeassistant/components/bthome/strings.json

@@ -117,5 +117,21 @@
         "name": "UV Index"
       }
     }
+  },
+  "issues": {
+    "encryption_removed": {
+      "fix_flow": {
+        "abort": {
+          "entry_removed": "The device has been removed"
+        },
+        "step": {
+          "confirm": {
+            "description": "The BTHome device **{name}** was configured with encryption but is now broadcasting unencrypted data. Data from this device is being ignored until this is resolved.\n\nIf you disabled encryption on the device, select **Submit** to remove the encryption key and resume receiving data.\n\nIf you did not disable encryption, someone may be attempting to spoof your device. Do not submit this form and the unencrypted data will continue to be ignored.",
+            "title": "Remove encryption key for {name}"
+          }
+        }
+      },
+      "title": "Encryption disabled on {name}"
+    }
   }
 }