Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com)
DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forums to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to make to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."
Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.
We removed the XMPP interface because we're Logitech and we want to force you to use only Logitech products and services so we make the most profit possible
Fixed that for you, Logitech.
Not like the regular moronic dimtards.
Logitech at one time made decent peripherals. Now they are just a "brand" slapped onto any Chinese-made garbage they can find with Indian support. If you buy Logitech you deserve what you get.
This firmware update is TOTALLY something I would expect from scumbags like them. Release a product and then fuck over all their customers in an attempt to somehow get more money out of them. They will probably return that functionality "for an additional monthly charge" or some horse shit like that.
What's bad is they don't even seem to care. They broke many of their customers' functionality and just give the standard corporate shrug of "well it's for xyz arbitrary reason".
This is just another reason to avoid IoT devices altogether. Apart from the spying risks and the general lack of security patches, the ability of random companies to, on a whim, render completely inoperable stuff you've paid good money for makes a trifecta of user-hostile design. I can stick with old-fashioned wall mounted light switches, thanks.
RMS's otherwise insane arguments just make sense.
We removed that interface as part of an effort to make to improve the Hub security.
I am altering the deal. Pray I don't alter it any further.
Any device that requires an account on someone else's service doesn't belong to the person who purchased it. It belongs to the service provider.
How many times do we have to learn this lesson? (Answer: every time, apparently)
I wonder what kind of "return as defective" laws are in place.
Your ad here. Ask me how!
Logitech is pissed because someone blunderfucked their deal with Polycom/Plantronics
buncha bitches
Are you fucking serious? Logitech, do you really not care about your client/customer base?
Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors ... all with a simple standardized protocol over a simple two/one-wire long-distance bus. (A MIDI-based one looks like a good choice. DMX maybe, but I don’t know it.)
Or let them talk to each other over the power sockets. But then they need encryption.
In any case, NEVER buy anything with a “proprietary” interface. Unless you like being the sub in a S/M relationship, of course.
I was just about to buy one to manage devices at home, but it appears that it is now useless. If I can't do it without "cloud", then fuck you.
Logitech has a history of screwing their users. Consider that in your future purchasing decisions.
"National Security is the chief cause of national insecurity." - Celine's First Law
Sure we took away your local access....but we added a new backdoor. Just call us and we can help you reconfigure :O
No interest in IoT, luckily.
If the update was REALLY about security, they would leave local access and disable phoning home.
Your carefully crafted Logitech system is now almost as secure as a computer encased in cement and dropped into the ocean at 2 miles out. /s
I think I'd try to file a return, a credit card charge back or a class action suit. Or all of the above.
If they do close them, influencers get annoyed.
And they probably don't have the staff, resources or expertise to tighten them up without breaking anything.
What would you have them do?
There have been several rules that uphold Arbitration agreements in EULAs recently. Congress passed a law making them binding and the SCOTUS upheld the law because Congress passed it. Employees can still sue for violations of various Labor Laws (mostly national ones) but if you're a consumer you're pretty much boned.
I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
https://i.imgflip.com/2pe07r.j...
For a lot of these folks they are pretty tech savvy, so why bother getting off the shelf pre-packaged systems like this?
I needed a good NAS for home, that I could install custom plugins on and have full control of the system (and ensure wasn't phoning home to any vendor) so I built myself a FreeNAS system (I could have just set up a Linux server).
Surely there must be other open distros for automation? If there isn't, this might be a good time for folks to get together to write something, come up with an open standard for these IoT devices (that is truly open and not dominated by just Google, or Apple, or whomever).
I just am not able to have any sympathy for people that keep buying these products. This is not news anymore! It is well known and only people intentionally keeping their heads buried are the only ones getting hurt now.
But look on the bright side, this will build up enough to get Congress to create a bunch of regulations that benefit big industry though. It's going to be a win-win-lose as usual. You know who the losers are going to be.
... APIs.
It's hard enough tracking telemetries and shit of the single device. When 3rd parties can do a 45 degree drill, it's goddam impossible.
It little behooves the best of us to comment on the rest of us.
Should be illegal. Everyone in marketing should be sent straight to prison.
Corporatism != Free Market
No, that's the risk you run playing with a device that you don't control.
A better way: MyCroft + devices designed to talk to it.
Otherwise, live by someone else's cloud, die by someone else's cloud. When you give up control, the entire problem is: you gave up control.
Stop giving people money to own your ass, and they'll (mostly, except where the government forces them on you) stop owning you.
No fan of XMPP myself due to numerous crummy design choices yet to be fair "Just use TLS" has been a part of the original XMPP protocol since initial RFC some 14 years ago. It's just as secure as anything else so removing XMPP on those grounds is absolutely BS to say the least.
Never much understood the market for systems like Harmony. Remotes always struck me as way overpriced and underwhelming considering programmable remotes where every last button can be customized cost like $15 and batteries last years.
These days more bits integrate seamlessly via CEC. Plop a disc into player or turn on a console AVR and TV comes on by themselves and switch inputs automatically. I'm sure there is a lot of crap that can't be managed via CEC or where fancy programmable macros come in handy but I have to believe it's less needed today than it has in the past and the people who invest in systems like these are not the type to take kindly to Logitech's bullshit.
... the "S" in IoT stands for "security".
We've carefully considered your needs as a customer and after consulting with our lawyers, our response is "FUCK OFF WANKERS."
I get it's a security issue, but
1. Let the users know you're going to be disabling the interface.
2. Have it be disabled by default and force the user to go through a bunch of loopholes to turn it back on.
The fact they pulled the rug out from under the users' feet is hella shitty.
Just imagine you've got a vacation house in another state and you're using this solution to control thermostats and lights, etc.
Yes Francis, the world has gone crazy.
Some new TVs sold in the US ship with disabled ATSC tuners that require at least a one-time internet connection to enable. Basically, they didn't want to pay the licensing fees for EVERY TV that gets sold, so they negotiated a deal whereby they ship with the ATSC tuner disabled & only have to pay royalties for the tuners that someone explicitly enables.
One firmware update, and bam! your automated house is now a dark soul-less doorstop. The problem is no one will learn from this lesson.
You are all a potential income source and nothing further.
Fuck you for thinking otherwise, really. This is them showing you so.
And yet people apparently love Cisco Meraki products with their "cloud updates."
This is what Logitech does
They already bricked their old Harmony Link Hub
https://www.theverge.com/circu...
If you don't want Logitech to fuck you over, don't buy Logitech products.
Lazy IT administrators who don't want to do any fucking work love them.
Everyone else hates them and thinks it's a completely ignorant idea.
Like they are the first company that gives a rat's ass about the security of their IoT and home automation devices. At least tell a believable story that's not such a blatant and obvious lie.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Nor is your data. Don't buy them, the functionality isn't THAT important. Learn what you need to learn to do these things yourself.
If a fraction of the community had tried out the new firmware before release, would this have happened?
You can't fight in here - this is the war room!
Wonder if the real reason for the so-called security fix is Logitech is not getting a royalty for the third party connections.
In other words, don't buy Logitech. They don't respect their customers' time, and effort, to set this stuff up.
Too bad you paid for it. Suckers
Many devices in the recent past have already done this themselves. Sony changed how their PS4 radio link worked so that it was no longer possible to power on the console with a Harmony. Could still do keyboard type interface so still can log out and shut down fine, but when activating my PS4 profile, I have to have the remote and hit the PS button or the system never comes up. Other companies went that route too a year or so ago.
Only way I knew about it, was when it stopped working. Internet searches revealed that people had actually experienced this issue 4 or even 6 months earlier, but even though my hub and PS4 auto update, somehow they still played nice for a long time.
If your congressman has been bought off they won't vote how you tell them. Nothing matters when you're voting for a corrupt politician. You don't matter unless you're giving them huge checks too.
This is more than just Logitech, and much older than IOT:
"Give me all of your money, and I will take care of you forever!"
Which is an ad for "selling yourself into slavery"... 8-{