Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forms to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to make to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."

Re:Glad it's not me

[bill_mcgonigle]

Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.

Every development plan that consists of "we're talking away features from your IoT device" needs to have "defending the class action lawsuit" in the budget summary.

Gosh, if Logitech can't understand how to set up XMPP over TLS that tells me to stay far, far, away from any of their networking products.

Re:Yet another reason not to touch IoT

[markdavis]

>"I can stick with old-fashioned wall mounted light switches, thanks."

You can use X10, ZWave, whatever with simple controllers or even simple, local computer based connection. The issue is when you buy some "cloud" based device which is controlled by a third-party. But sometimes that can be really difficult to find.

The problem is that the "masses" want an "easy" and connected "solution". And these solutions seem to always mean a third-party controls your crap and you pay some recurring fee.

Example- I wanted to set up a security system. I wanted wireless sensors and the ability to send Email and text messages. But I didn't want a "solution". I didn't want a third party. I didn't want recurring fees. I didn't want some company that could brick (or change) my crap without permission. Result? I could find almost NOTHING OUT THERE! Every single platform was based on some "cloud" thing that required them to have access to my equipment and data, and recurring fees. There is some stuff out there without such "features" but they are all very limited, and poorly documented.

Re:Yet another reason not to touch IoT

[Miamicanes]

X10 has been pretty much dead and useless ever since CFLs and LEDs took over. The problem isn't with the X10 protocol per se, but rather with the ASIC used by nearly every X10 module in modern history. Between CFLs with active ballasts & LED drivers, basically every module that has ever existed is now unusable. Even with the relay-based appliance modules, the "local power control" feature STILL fucks them up... EVEN IF you cut the trace that supposedly disables it (it still sends a pulse of current every 10 seconds or so). If I were really determined, I could still get CFLs to work by connecting an incandescent night light in parallel, but I've NEVER seen an X10 module that works properly with LED lights.

It's a shame, because I literally grew up in an X10 house... my parents had a bunch of X10 modules going all the way back to 1980s Radio Shack, I had two in my college dorm room to control lights that were inconveniently far from the door and my bed, and my collection multiplied after college & especially after I bought a house, only for all of them to become functionally obsolete as I switched to LEDs and even my nightlight work-around ceased to work. X-10 had a good run, only to ultimately get killed off by something not directly related to the standard itself.

Re:You asked for it.

[Miamicanes]

Some new TVs sold in the US ship with disabled ATSC tuners that require at least a one-time internet connection to enable. Basically, they didn't want to pay the licensing fees for EVERY TV that gets sold, so they negotiated a deal whereby they ship with the ATSC tuner disabled & only have to pay royalties for the tuners that someone explicitly enables.

Re:Tell the truth

[omnichad]

You forgot this part;

We also want to decide when EOL is, because we need to be able to force you to buy new hardware when we need the cash