Slashdot Mirror


Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com)

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forums to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."

9 of 151 comments

  1. Tell the truth by Anonymous Coward · · Score: 5, Insightful

    We removed the XMPP interface because we're Logitech and we want to force you to use only Logitech products and services so we make the most profit possible

    Fixed that for you, Logitech.

  2. Yet another reason not to touch IoT by Bradmont · · Score: 5, Insightful

    This is just another reason to avoid IoT devices altogether. Apart from the spying risks and the general lack of security patches, the ability of random companies to, on a whim, render completely inoperable stuff you've paid good money for makes a trifecta of user-hostile design. I can stick with old-fashioned wall mounted light switches, thanks.

    1. Re:Yet another reason not to touch IoT by Cyberax · · Score: 4, Insightful

      IoT devices themselves are fine. ZWave or ZigBee light switches don’t depend on whims of a manufacturer. You don’t need to replace them, just replace the hub.

    2. Re:Yet another reason not to touch IoT by green1 · · Score: 3, Insightful

      The nice thing with systems like Home Assistant is that you can choose exactly how much, or how little, integration you need or want with other devices and services.

      I have a Home Assistant setup on a Raspberry Pi at home, but it also connects through IFTTT to Google Assistant, and I can connect through my VPN from my phone or computer anywhere.

      All the "I" of IOT, without the vendor shenanigans.

    3. Re:Yet another reason not to touch IoT by Anonymous Coward · · Score: 2, Insightful

      That's not really an internet of things though, considering that they're local wireless technology. But that's the thing, the IntranetOfThings is a wonderful idea. The InternetOfThings is just rent seeking and security holes.

  3. If it requires a "cloud" account, you don't own it by Anonymous Coward · · Score: 5, Insightful

    Any device that requires an account on someone else's service doesn't belong to the person who purchased it. It belongs to the service provider.

    How many times do we have to learn this lesson? (Answer: every time, apparently)

  4. Aren't there legal protections? by Actually, I do RTFA · · Score: 3, Insightful

    I wonder what kind of "return as defective" laws are in place.

    --
    Your ad here. Ask me how!

  5. Why would you buy that anyway? by Anonymous Coward · · Score: 2, Insightful

    Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors ... all with a simple standardized protocol over a simple two/one-wire long-distance bus. (A MIDI-based one looks like a good choice. DMX maybe, but I don’t know it.)
    Or let them talk to each other over the power sockets. But then they need encryption.

    In any case, NEVER buy anything with a “proprietary” interface. Unless you like being the sub in a S/M relationship, of course.

  6. "the cloud" = you are a sucker by Anonymous Coward · · Score: 5, Insightful

    people using a device in an unsanctioned way then complaining that the door was closed on it. That's the risk you run playing with open doors you're not supposed to see.

    No, that's the risk you run playing with a device that you don't control.

    A better way: MyCroft + devices designed to talk to it.

    Otherwise, live by someone else's cloud, die by someone else's cloud. When you give up control, the entire problem is: you gave up control.

    Stop giving people money to own your ass, and they'll (mostly, except where the government forces them on you) stop owning you.