Slashdot Mirror


Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com)

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forums to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to make to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."

97 of 151 comments

  1. Glad it's not me by Anonymous Coward · · Score: 1

    Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.

    1. Re:Glad it's not me by bill_mcgonigle · · Score: 5, Interesting

      Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.

      Every development plan that consists of "we're taking away features from your IoT device" needs to have "defending the class action lawsuit" in the budget summary.

      Gosh, if Logitech can't understand how to set up XMPP over TLS that tells me to stay far, far, away from any of their networking products.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Glad it's not me by mattyj · · Score: 1

      I'm guessing that it's not just encryption but the ability of any yahoo to hook up an insecure IoT device to it and inject malicious xml or what have you. They just don't want to deal with that in their ecosystem, which leads me to believe something happened that we don't know about that probably f'ed up their servers/systems/whatever.

      If the XMPP system wasn't designed for that, then why is it there, and why is it not needed now? That's the question that came immediately to mind for me, not people using a device in an unsanctioned way then complaining that the door was closed on it. That's the risk you run playing with open doors you're not supposed to see.

    3. Re:Glad it's not me by Anonymous Coward · · Score: 1

      I know you paid good money for that pacemaker but we are removing the functionality that gets your heart back in rhythm to increase security. Please do not try to skip the updates, we work hard to keep you secure.

    4. Re:Glad it's not me by jenningsthecat · · Score: 1

      Every development plan that consists of "we're taking away features from your IoT device" needs to have "defending the class action lawsuit" in the budget summary.

      Not to mention a line item in that budget to cover cleaning up the mess after hackers take them down hard as payback for their shitty attitude.

      I wouldn't be sorry to see that happen, as long as none of the folks who got stuck with Logitech paperweights gets hurt in the process. I've been anti-Logitech since one of their mouse driver disks installed spyware on my computer many, many years ago. I don't forgive that kind of thing, and I sincerely hope that everyone who's been burned by them follows suit.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  2. Tell the truth by Anonymous Coward · · Score: 5, Insightful

    We removed the XMPP interface because we're Logitech and we want to force you to use only Logitech products and services so we make the most profit possible

    Fixed that for you, Logitech.

    1. Re:Tell the truth by omnichad · · Score: 3, Interesting

      You forgot this part;

      We also want to decide when EOL is, because we need to be able to force you to buy new hardware when we need the cash

  3. Logitech = shitbags hiding behind a name by Anonymous Coward · · Score: 3, Informative

    Logitech at one time made decent peripherals. Now they are just a "brand" slapped onto any Chinese made garbage they can find with Indian support. If you buy Logitech you deserve what you get.

    This firmware update is TOTALLY something I would expect from scumbags like them. Release a product and then fuck over all their customers in an attempt to somehow get more money out of them. They will probably return that functionality "for an additional monthly charge" or some horse shit like that.

    What's bad is they don't even seem to care. They broke many of their customers' functionality and just give the standard corporate shrug of "well it's for xyz arbitrary reason".

    1. Re:Logitech = shitbags hiding behind a name by coofercat · · Score: 1

      I have a Harmony Hub and remote, and I have to say, it's been generally excellent. It's got high WAF, so high in fact that even visitors can use it without needing a training. It looks good and works well. The only problems I've really had with the whole setup is my satellite box is a crock of shit. Oh, and I did have to put the hub in the cupboard under the stairs where it just about reaches the Amazon box in the garage. That meant a bit of funky wiring up IR emitters and such like. Programming it up is pretty easy too, although there is a bit of a mish-mash between online, desktop app, mobile app and stuff you can do direct on the device.

      I don't use the XMPP feature, or indeed any network-based API on the hub (nor the cloud API, which seems daft to reach a device sat about 3 feet away from me). However, I don't like the idea of taking away features "for the fun of it". At the very least, they should be offering an alternative (as there surely are some - there's an API which presumably can do all the same stuff as the XMPP interface).

      When my device goes to silicon heaven, I'll be sorry to see it go. It's been great for years so far. I'm not sure what alternatives there are for it right now.

    2. Re: Logitech = shitbags hiding behind a name by coofercat · · Score: 1

      I'd imagine that's more a problem for Sonos than Logitech. That said, I can't say I've had any problems with my phone or desktop apps (apart from seemingly endless updates that don't actually do anything). I will say though that my old Samsung Galaxy S5 mini, sat in a dock most of the day does indeed have lots of problems running the sonos app, despite daily reboots and whatnot. Something about leaving the phone on the dock seems to kill phones :-(

    3. Re:Logitech = shitbags hiding behind a name by TJ_Phazerhacki · · Score: 1

      I've enjoyed the Hub as well, but as with most home automation, it works best when you keep it simple, thoughtfully designed, and FAST. I'm frustrated every time I have to log in to Logitech for making changes, and it's noticeably less responsive if I am not on the local network. If they break the super-basic functionality I have it for in the name of adding Alexa or some shit, I'm out.

      --
      Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
    4. Re: Logitech = shitbags hiding behind a name by CanadianMacFan · · Score: 1

      I have some Sonos Play:1 speakers but I don't use the Sonos apps to play music. On my Mac I use SonoAir to connect to the speakers. I installed the app but I end up having to use the Terminal to go into the app and use the airconnect utility the app uses to connect to the speakers.

      When I first ran airconnect with the default buffers it would have problems similar to what you state. Whatever I was listening to, iTunes or VLC, would cut out and miss parts. At times when it was very bad almost nothing was being played. I increased the buffers to around 10 or 15 seconds and I don't have a problem. It takes a bit before I start to hear something when music or video begins but that's okay.

      The problem, at least for me, is the network gets congested. Sonos has a product called Boost that creates its own network for the speakers. I've been thinking of getting that or connecting the speakers I'm having trouble with to a hub along with the computer using the network cables they came with. Bypassing the wi-fi network should fix the congestion.

  4. Yet another reason not to touch IoT by Bradmont · · Score: 5, Insightful

    This is just another reason to avoid IoT devices altogether. Apart from the spying risks and the general lack of security patches, the ability of random companies to, on a whim, render completely inoperable stuff you've paid good money for makes a trifecta of user-hostile design. I can stick with old-fashioned wall mounted light switches, thanks.

    1. Re:Yet another reason not to touch IoT by Cyberax · · Score: 4, Insightful

      IoT devices themselves are fine. ZWave or ZigBee light switches don’t depend on whims of a manufacturer. You don’t need to replace them, just replace the hub.

    2. Re:Yet another reason not to touch IoT by Anonymous Coward · · Score: 1

      Sticking with good old-fashioned one-touch capability to switch between input modes on your TV, sound receiver, subwoofer, decoding devices, and lighting on one-touch, ensuring everything is tuned to your personalized settings?

      Awesome.

      There are good points to IoT and enabled smart devices. It's a tradeoff and the lack of patching, etc, can be managed by deploying these on a segmented and isolated network in your house. All based on your threat model and cost/benefit analysis.

    3. Re:Yet another reason not to touch IoT by markdavis · · Score: 4, Interesting

      >"I can stick with old-fashioned wall mounted light switches, thanks."

      You can use X10, ZWave, whatever with simple controllers or even simple, local computer based connection. The issue is when you buy some "cloud" based device which is controlled by a third-party. But sometimes that can be really difficult to find.

      The problem is that the "masses" want an "easy" and connected "solution". And these solutions seem to always mean a third-party controls your crap and you pay some recurring fee.

      Example- I wanted to set up a security system. I wanted wireless sensors and the ability to send Email and text messages. But I didn't want a "solution". I didn't want a third party. I didn't want recurring fees. I didn't want some company that could brick (or change) my crap without permission. Result? I could find almost NOTHING OUT THERE! Every single platform was based on some "cloud" thing that required them to have access to my equipment and data, and recurring fees. There is some stuff out there without such "features" but they are all very limited, and poorly documented.

    4. Re:Yet another reason not to touch IoT by msauve · · Score: 2

      "IoT devices themselves are fine. ZWave or ZigBee light switches don't depend on whims of a manufacturer. "

      Uh, wha??? IoT is Internet of Things. Neither ZWave nor ZigBee use IP, they are definitely not IoT devices.

      And actual IoT devices are very, very, commonly dependent on a vendor's servers. Wink and SmartThings hubs, Ecobee and Nest thermostats, many cameras, etc. Some will provide basic functions when they've lost contact with the mothership, but full function depends on external services which you can't control.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    5. Re:Yet another reason not to touch IoT by sarren1901 · · Score: 1

      If I was at all interested in having a connected house I would look into openHAB or Home assistant. Both appear to be open source. Pretty sure you could use a raspberry pi for your home automation server quite easily. The same device could also host a vpn service so you can ssh into your home network and screw with your LoT devices if you need to.

      It's all neat stuff and if I had money and time to burn I would probably add those features to my condo but that's only a maybe. LoT is mostly technology I do not need. Sure, some of its neat and I could see the value in it, but only if I rolled my own.

    6. Re:Yet another reason not to touch IoT by Cyberax · · Score: 4, Informative

      ZWave and ZigBee devices along with a hub are typically considered to be IoT. And the hub can be fully offline-capable: Vera, HomeAssistant and OpenHab work perfectly fine offline (obviously without Alexa or Internet-device integration).

    7. Re:Yet another reason not to touch IoT by msauve · · Score: 2

      But, that doesn't solve the problem. For many devices they still need to go through a vendor's cloud service for control - it's not local. E.g., HA will control a Nest or Ecobee, but it does so by talking to the vendor's Internet service, the devices themselves simply do not have local APIs. Home Assistant and openHAB won't help you out if the vendor discontinues support or goes away, or even just has a server failure.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    8. Re:Yet another reason not to touch IoT by Miamicanes · · Score: 3, Interesting

      X10 has been pretty much dead and useless ever since CFLs and LEDs took over. The problem isn't with the X10 protocol per se, but rather with the ASIC used by nearly every X10 module in modern history. Between CFLs with active ballasts & LED drivers, basically every module that has ever existed is now unusable. Even with the relay-based appliance modules, the "local power control" feature STILL fucks them up... EVEN IF you cut the trace that supposedly disables it (it still sends a pulse of current every 10 seconds or so). If I were really determined, I could still get CFLs to work by connecting an incandescent night light in parallel, but I've NEVER seen an X10 module that works properly with LED lights.

      It's a shame, because I literally grew up in an X10 house... my parents had a bunch of X10 modules going all the way back to 1980s Radio Shack, I had two in my college dorm room to control lights that were inconveniently far from the door and my bed, and my collection multiplied after college & especially after I bought a house, only for all of them to become functionally obsolete as I switched to LEDs and even my nightlight work-around ceased to work. X-10 had a good run, only to ultimately get killed off by something not directly related to the standard itself.

    9. Re:Yet another reason not to touch IoT by green1 · · Score: 3, Insightful

      The nice thing with systems like home assistant is that you can choose exactly how much, or how little, integration you need or want with other devices and services.

      I have a home assistant setup on a raspberry pi at home, but it also connects through IFTTT to google assistant, and I can connect through my VPN from my phone or computer anywhere.

      All the "I" of IOT, without the vendor shenanigans.

    10. Re:Yet another reason not to touch IoT by green1 · · Score: 1

      You DO have a hub, it's whatever the zwave adapter is plugged in to.

      That said, I gave up on the abysmal zwave stuff on home assistant a while ago, and moved my zwave devices to a vera unit which integrates great with the home assistant setup, and is rock solid reliable.

    11. Re:Yet another reason not to touch IoT by markdavis · · Score: 3, Informative

      X10 does suck, in general. I will agree with you on that. But I use it with quality dimmable LEDs throughout my house and that actually works fine. I am sitting in a room right now with LED track lighting that is dimmed to about 33% with a standard/cheap X10 wall switch. No flicker, no variation in the light, no issues at all, and with no incandescent in the circuit at all. They even dim properly all the way to about 15% brightness or something like that.

      The biggest problem with X10 is that it is too prone for the signal to get blocked or interfered with.

    12. Re:Yet another reason not to touch IoT by Miamicanes · · Score: 1

      Hmmm... that's interesting. I haven't actually tried using the dimmable ones with LCDs... I actually did a huge round of X10 replacements sometime around 2010 when I replaced all of my remaining dimmable/incandescent modules with 3-prong appliance-type modules (usually, in conjunction with a 6" extension cord and a 4w nightlight whose only purpose was to provide a constant resistive load to keep the modules from turning themselves on without actually going all the way and disabling the local power control feature).

      The main issue I had with LED lights is that even the relay-equipped 3-prong appliance modules send a brief power pulse every few seconds (as far as I can tell, cutting the trace doesn't stop it from pulsing power through the bulb, it just makes the ASIC ignore the outcome so the module won't think you toggled the local power switch and turn itself back on), which causes the bulb to visibly flash. I guess now that you mention it, dimmable-type LCDs might actually BE compatible with the older incandescent/dimmable-type X10 controllers. I'm going to have to go dig out the box with the old dimmable/incandescent-type modules and try them :-)

      I'm lucky in the signal area... once I put the X-10 crossover/bridge module on my dryer outlet a few years ago, all of my problems seemed to go away. If I can get the incandescent modules to work, that'll be great news... I have an Elk M1 home automation controller & security system and did a fair amount of programming circa 2013 to add lighting control using their M1-to-X10 bridge (so I could do things like call home, let the answering machine pick up while it eavesdrops, then remotely turn lights on and off).

      I thought about switching to Z-wave or Insteon a couple of years ago, but Insteon's main appeal was cross-compatibility with X-10. If all the X10 gear is moot, Insteon's main selling point goes out the window.... and cost-wise, it's as expensive as Z-wave. Elk's Z-wave module was REALLY expensive, Z-wave switches and light modules were OUTRAGEOUSLY expensive, and reading the horror stories about interoperability between licensed Z-wave devices and generic "Zigbee, but not literally Z-wave" devices just turned me off of the whole thing. And then, right around the point when Z-wave devices started becoming halfway sane price-wise, the tsunami of "wi-fi" control modules arrived. I'll probably go with wi-fi eventually, but only when I'm satisfied that they're interoperable with standards that don't depend upon the continued existence and reliable operation of some vendor's cloud infrastructure that could vanish tomorrow & leave me with yet another collection of paperweights.

    13. Re:Yet another reason not to touch IoT by Tyr07 · · Score: 2

      Got Windows 10?

      They're already doing it. They have literally removed features, such as certain file system support etc from non enterprise versions of windows. It's in the agreement. That's why they were so pushy about getting windows 10 out there.

      By the time the average user figures out what has gone on, it'll be too late. The only languages companies speak is money, and the only way we can truly communicate to them is by not giving them our money. However the average person refuses to be that inconvenienced, so here we are.

    14. Re:Yet another reason not to touch IoT by markdavis · · Score: 1

      >"I'm lucky in the signal area... once I put the X-10 crossover/bridge module on my dryer outlet a few years ago, all of my problems seemed to go away."

      I am less lucky than you with this. I also put a "filter" on my UPS/computer/AV system. My system just sometimes won't turn on/off certain circuits because something interferes with it and I have to move things around. X10 is positively weak and ancient and inexact.

      >"I thought about switching to Z-wave or Insteon a couple of years ago"

      I did too but the prices were crazy high and I couldn't get the controllers I wanted so I just gave up, waiting for something better. Waited years and years and years. Prices never went down, selection never improved. I had other experiences similar to yours. The market was ready for something simple and effective and affordable with lots of accessories... but it seems everything switched to this damn "smart" crap with fees and third parties. I don't want to control my house from my stupid phone, nor from 100 miles away.

    15. Re:Yet another reason not to touch IoT by Anonymous Coward · · Score: 2, Insightful

      That's not really an internet of things though, considering that they're local wireless technology. But that's the thing, the IntranetOfThings is a wonderful idea. The InternetOfThings is just rent seeking and security holes.

    16. Re:Yet another reason not to touch IoT by dunkelfalke · · Score: 1

      Zigbee light switch compatibility is awful.
      The Hue hub cannot see Tradfri switches, the Tradfri hub cannot see the Lightify switches and so on. Only the lightbulbs kinda sorta interoperate, but not very well.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    17. Re:Yet another reason not to touch IoT by Cyberax · · Score: 1

      Uhm... Don't get IKEA hubs. Get something like Samsung SmartThings. I have lighting switches from 3 different manufacturers and they interoperate just fine.

    18. Re:Yet another reason not to touch IoT by dunkelfalke · · Score: 1

      Not really available in Germany.
      I have two Philips hubs, one Osram hub, one Ikea hub. They all suck, especially Osram.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    19. Re:Yet another reason not to touch IoT by tlhIngan · · Score: 1

      the ability of random companies to, on a whim, render completely inoperable

      The problem is that it was a private API set. Logitech never advertised it as a way to locally control the unit - it just happened to work.

      It just happened that the API set wasn't useful for Logitech and a major security hole so it was closed off.

      That's the problem with private APIs. They have a nasty habit of suddenly disappearing on you.

    20. Re:Yet another reason not to touch IoT by drinkypoo · · Score: 1

      X10 is dumb because it is one way. You can't count on your messages being received, and you also can't check to see if they were. Most dimmers don't permit setting brightness, so with them there is no way to get a specific level. All in all, it was amusing when new but never reliable.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    21. Re:Yet another reason not to touch IoT by Gilgaron · · Score: 1

      Have you looked at Synology? I use mine as a media server and backup, but I saw that it had security system features available and you can use it as a private Cloud as well.

    22. Re:Yet another reason not to touch IoT by dAzED1 · · Score: 1

      Lovely theory, and I myself wish I had something available which could turn on my home theatre in an easy way despite it being hidden from view per my wife's demands. The idea though that only doing it from "the cloud" vs doing it local is more secure is about the dumbest thing I've ever heard. It is substantially less secure to not do it locally. There just aren't any devices as advanced as the ones 5y ago, where you could do it all locally. Like seriously, why the fark would I want to turn on my TV when I'm anywhere other than at my house?

    23. Re:Yet another reason not to touch IoT by ixs · · Score: 1

      As the other posters in this thread said: X10 is pretty much dead for other reasons as well. I have never really used X10 much but I've always found it super infuriating to have this noticeable delay between pressing the button and the light actually turning on. It's short enough that it is not causing problems but it is long enough to tell that something is going on.
      The reason for this is just the slow transmission speed of (IIRC) 20bps. That is terribly slow compared to more modern systems such as Z-Wave.

      I never really liked Z-Wave and other protocols though. The technology is fine, but the politics are terrible. It's like every single vendor has decided that they want to own the system and nobody else is allowed to play. Typical example is Philips Hue trying to lock out other vendors such as Osram on their Hub. That was rolled back but it still leaves a bad taste in my mouth.

      Since then I've been looking at giving KNX-RF a go which is a professional (read expensive) smart-home standard originally developed in Europe. https://en.wikipedia.org/wiki/... has the details but the nice thing is that it exists for twin wires, wireless and IP. They had a powerline transmission mode but I think that is dead. What I like the most though is that they seem to have managed the cross-vendor functionality very well. Every switch will work with every actuator and the protocol is fully bi-directional.

      The only annoying thing I found so far is that there's an entry fee of about a thousand bucks to buy the programming software...

    24. Re:Yet another reason not to touch IoT by Cyberax · · Score: 1

      You most certainly can buy SmartThings for Germany: https://www.samsung.com/de/sma... and I'm pretty sure that Vera also has a hub for the European market. Not sure about Wink.

    25. Re: Yet another reason not to touch IoT by dunkelfalke · · Score: 1

      "Dieses Produkt ist zurzeit bei keinem Onlinehändler verfügbar. Bitte versuchen sie es später erneut oder kontaktieren sie uns"

      That means unavailable. They don't sell it in Germany.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    26. Re: Yet another reason not to touch IoT by Cyberax · · Score: 1

      You can buy one from any European store: https://www.amazon.de/SAMSUNG-... - it will work fine in Germany.

    27. Re:Yet another reason not to touch IoT by jaymemaurice · · Score: 1

      I set up my home like this with a DSC panel and Evisalink or whatever it's called.

      The Envisalink emulates an IT100 serial interface to the panel over IP so you can interface it with your own custom software. I wrote a PHP script that would watch the zones and turn on the insteon lights to 10% for 5 minutes when the local weather station's solar radiation index was a certain threshold.
      It would also email me if the garage door was left open with no movement..

      I recently looked at the code and wondered what I ate when I wrote it...

      --
      120 characters ought to be enough for anyone
  5. Ministry of truth-y? by zugmeister · · Score: 5, Funny

    We removed that interface as part of an effort to make to improve the Hub security.

    I am altering the deal. Pray I don't alter it any further.

    1. Re:Ministry of truth-y? by Opportunist · · Score: 1

      Came here for this comment.

      Ain't disappointed.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Ministry of truth-y? by dunkelfalke · · Score: 1

      This deal is getting worse all the time.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  6. If it requires a "cloud" account, you don't own it by Anonymous Coward · · Score: 5, Insightful

    Any device that requires an account on someone else's service doesn't belong to the person who purchased it. It belongs to the service provider.

    How many times do we have to learn this lesson? (Answer: every time, apparently)

  7. Aren't there legal protections? by Actually,+I+do+RTFA · · Score: 3, Insightful

    I wonder what kind of "return as defective" laws are in place.

    --
    Your ad here. Ask me how!
    1. Re:Aren't there legal protections? by green1 · · Score: 1

      Depends on a few things, like when you bought it, and on what continent (north america? forget it, Europe, maybe, see below)

      It's also about what was advertised, if this was simply some APIs that someone discovered but that were never actually advertised by the seller, then you probably don't have much of a leg to stand on. If however it was advertised functionality, then yes, Europeans can probably get a refund, North America doesn't have any concept of consumer protection though, so you'd be out of luck here.

    2. Re:Aren't there legal protections? by AmiMoJo · · Score: 1

      Amazon says first availability was September 2015, although it is still on sale. Anyway, EU minimum warranty is 2 years, and most countries go further. In the UK goods must "last a reasonable length of time", and even if you were an early adopter 3 years is way too short for a product like this. Typically computers and TVs are minimum 6 years if it gets to court, more for expensive ones.

      So let's say six years, an early adopter would get a 50% refund, people who bought this year would expect a full refund. The retailer is on the hook for this, not Logitech.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Why would you buy that anyway? by Anonymous Coward · · Score: 2, Insightful

    Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors ... all with a simple standardized protocol over a simple two/one-wire long-distance bus. (A MIDI-based one looks like a good choice. DMX maybe, but I don’t know it.)
    Or let them talk to each other over the power sockets. But then they need encryption.

    In any case, NEVER buy anything with a “proprietary” interface. Unless you like being the sub in a S/M relationship, of course.

    1. Re:Why would you buy that anyway? by Pascoea · · Score: 1

      Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors

      Good luck getting a UL stamp on anything remotely like that. (Specifically the switches and sockets) And with no UL stamp you're not going to find anybody (in the States anyway) willing to install it in their home.

    2. Re:Why would you buy that anyway? by hawguy · · Score: 1

      Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors

      Good luck getting a UL stamp on anything remotely like that. (Specifically the switches and sockets) And with no UL stamp you're not going to find anybody (in the States anyway) willing to install it in their home.

      It shouldn't be too hard to have a 120VAC module with standardized inputs and a 5V output that you can plug your microcontroller of choice into. Then you only need to get the UL listing for the 120VAC switch part. Much like how having a UL listed wall wart avoids the need to get the UL listing for your entire device.

      Though I suspect that the actual market for this is so small that no company would do it.

    3. Re:Why would you buy that anyway? by Miamicanes · · Score: 2

      Adafruit makes something like this -- https://www.adafruit.com/produ...

      It's basically a power strip with relay that's controlled by an optoisolated pair of wires. AFAIK, it's not UL approved, but it's "CPI Tested", for whatever that's worth. One outlet is always-on, one is normally-on, two are normally-off.

    4. Re:Why would you buy that anyway? by Pascoea · · Score: 1

      Interesting device. Found the "source": https://dlidirect.com/products... As best I can tell, "CPI Safety Tested" is a bullshit marketing term. I couldn't find any reference to it anywhere.

    5. Re:Why would you buy that anyway? by Pascoea · · Score: 1

      I'd think it would depend on the intent of the device. If it's something like a "switched" extension cord (this kinda thing) you could get away with just listing the cord. If it's designed to be permanently installed you'd likely have a harder time. Not 100% sure though, my exposure to UL was very minimal, and a long damn time ago.

    6. Re:Why would you buy that anyway? by omnichad · · Score: 2

      "Tested."

      And they don't even say it passed?

    7. Re:Why would you buy that anyway? by Pascoea · · Score: 1

      That's a very good point.

  9. Useless by mydn · · Score: 2

    I was just about to buy one to manage devices at home, but it appears that it is now useless. If I can't do it without "cloud", then fuck you.

    1. Re:Useless by Pascoea · · Score: 1

      Agreed. Kind of frustrating (OK, really frustrating) that my Wink hub does absolutely nothing without an active internet connection. I can see needing to be connected if I want to control something from outside my home, but the fact that it does nothing but consume small amounts of electricity when its internet connection is gone is absurd.

    2. Re:Useless by jerk · · Score: 1

      Check out Hubitat Elevation. I'm in the process of moving from Wink right now. My only gripe so far is needing to buy a Lutron hub for my Caseta switches that Wink had built into the hub. I also run Homebridge on a Raspberry Pi to bring all my devices into the Home app.

  10. Par for the course for Logitech... by msauve · · Score: 5, Informative

    Logitech has a history of screwing their users. Consider that in your future purchasing decisions.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Par for the course for Logitech... by qubezz · · Score: 1

      Like my Logitech Cyberman II 3D controller - bought in 1999, no drivers for any OS after Windows 98.

  11. If this was REALLY about security by sjames · · Score: 4, Informative

    If the update was REALLY about security, they would leave local access and disable phoning home.

    1. Re:If this was REALLY about security by c · · Score: 2

      To be specific, the update is about the security of Logitech's bottom line.

      --
      Log in or piss off.
    2. Re:If this was REALLY about security by green1 · · Score: 1

      This is the truth, but in reality the companies are so delusional that they always think their remote servers are more secure than local access.

      I have a Vera controller at home that has both local and remote access. In the interface there's a "secure mode" that disables local access, but leaves remote access. There's no option to disable remote access (except a firewall on your router). That's not my definition of secure.

    3. Re:If this was REALLY about security by sjames · · Score: 1

      I believe you are correct.

  12. Great by bobstreo · · Score: 1

    your carefully crafted Logitech system is now almost as secure as a computer encased in cement and dropped into the ocean at 2 miles out. /s

    I think I'd try to file a return, a credit card charge back or a class action suit. Or all of the above.

  13. Damned either way... by Fringe · · Score: 1

    They are caught in the middle. If they don't remove those "holes", and the units get hacked, they get really bad press.

    If they do close them, influencers get annoyed.

    And they probably don't have the staff, resources or expertise to tighten them up without breaking anything.

    What would you have them do?

    1. Re:Damned either way... by Opportunist · · Score: 1

      Deploy only products they can afford to develop with reasonably enough security to actually stand by them, maybe?

      There is a reason I don't produce medical equipment despite most of it being far from high-tech and the profit margins are very, very sweet.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Damned either way... by Shotgun · · Score: 1

      So should computer makers remove keyboard access to the OS? That is, after all, the biggest security hole to the computer.

      Seriously, removing access in the name of "security" is professional malpractice.

      But anyway, "IoT. The S is for security."

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  14. I don't think that'll work by rsilvergun · · Score: 4, Informative

    there have been several rules that uphold Arbitration agreements in EULAs recently. Congress passed a law making them binding and the SCOTUS upheld the law because Congress passed it. Employees can still sue for violations of various Labor Laws (mostly national ones) but if you're a consumer you're pretty much boned.

    I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:I don't think that'll work by atriusofbricia · · Score: 1

      there have been several rules that uphold Arbitration agreements in EULAs recently. Congress passed a law making them binding and the SCOTUS upheld the law because Congress passed it. Employees can still sue for violations of various Labor Laws (mostly national ones) but if you're a consumer you're pretty much boned.

      I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money

      Yeah, it's a shame that a couple of good ideas are bundled up in a package of (in my opinion) absolute crazy.

      --
      I was raised on the command line, bitch

      "Nemo me impune lacesset"

    2. Re:I don't think that'll work by JackieBrown · · Score: 1

      I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money

      Sure will. If I was a single issue voter

  15. And that's all I have to say about that. by WorBlux · · Score: 2
  16. Personally, I don't like ... by CaptainDork · · Score: 1

    ... APIs.

    It's hard enough tracking telemetries and shit of the single device. When 3rd parties can do a 45 degree drill, it's goddam impossible.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Personally, I don't like ... by drinkypoo · · Score: 1

      You know that the device still has APIs, right? Just one less now.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Personally, I don't like ... by CaptainDork · · Score: 1

      Just one less now.

      And I think that one's adorable.

      --
      It little behooves the best of us to comment on the rest of us.
  17. "the cloud" = you are a sucker by Anonymous Coward · · Score: 5, Insightful

    people using a device in an unsanctioned way then complaining that the door was closed on it. That's the risk you run playing with open doors you're not supposed to see.

    No, that's the risk you run playing with a device that you don't control.

    A better way: MyCroft + devices designed to talk to it.

    Otherwise, live by someone else's cloud, die by someone else's cloud. When you give up control, the entire problem is: you gave up control.

    Stop giving people money to own your ass, and they'll (mostly, except where the government forces them on you) stop owning you.

    1. Re:"the cloud" = you are a sucker by jenningsthecat · · Score: 1

      ^ Absolutely right on - I'd mod you up if I hadn't already commented.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    2. Re:"the cloud" = you are a sucker by swilver · · Score: 1

      I don't see how this can replace a remote.

      Talking to a device isn't exactly quick, if you want to skip through a movie or adjust the volume.

  18. XMPP not secure? by WaffleMonster · · Score: 1

    No fan of XMPP myself due to numerous crummy design choices yet to be fair "Just use TLS" has been a part of the original XMPP protocol since initial RFC some 14 years ago. It's just as secure as anything else so removing XMPP on those grounds is absolutely BS to say the least.

    Never much understood the market for systems like Harmony. Remotes always struck me as way overpriced and underwhelming considering programmable remotes where every last button can be customized cost like $15 and batteries last years.

    These days more bits integrate seamlessly via CEC. Plop a disc into player or turn on a console AVR and TV comes on by themselves and switch inputs automatically. I'm sure there is a lot of crap that can't be managed via CEC or where fancy programmable macros come in handy but I have to believe it's less needed today than it has in the past and the people who invest in systems like these are not the type to take kindly to Logitech's bullshit.

    1. Re:XMPP not secure? by Miamicanes · · Score: 1

      The appeal of Harmony remotes isn't being able to reprogram buttons... it's being able to reprogram buttons that have dynamic labels provided by the adjacent LCD screen.

      The LCD screen is what spares you from having to remember that {some function you might use once in three years} is mapped to {non-obvious button}. It enables you to use the main, logically-arranged buttons for functions you use every day, and still have LCD-labeled buttons for the obscure, little-used functions close at hand (so you don't have to go digging out the original remote, find working batteries, etc) every few months.

      Besides Harmony, the number of companies selling computer-programmable universal remotes that have real buttons, LCD screens, and have programming software that isn't restricted to ONLY their "value added resellers" (burn in hell, UEI) is... well... zero. If you want a LCD display, real buttons, and the ability to program it yourself without being forever dependent upon someone else, your choice is Harmony, Harmony, Harmony, and ... er.... Harmony. There are a few open ones that are entirely LCD touchscreens... but those really suck, because you can't use them by feel with one hand, or without actively diverting your full attention to looking at what's on the display.

      Harmony remotes suck... but they suck less than the alternatives.

      As for CEC... HAHAHAHAHAHAHA(...)HAHAHAHA. That's a good one. Especially insofar as interoperability goes. If the extent of your "Home Theater" system is a TV from Walmart, a crap soundbar, and a Blu-Ray player, CEC might be adequate... if all three are from the same manufacturer, the same product line, and are fairly new. Now try setting up a 4K TV with multiple media sources, a receiver made by someone else with surround-sound speaker setup, and throw in a few "legacy" video sources for good measure. Have fun with CEC. Hell, TV manufacturers still keep finding creative new ways to screw up DISCRETE POWER AND INPUT SELECTION... usually, via things like automatically selecting the most recently-turned-on HDMI source (ok, unless they make the behavior something you CAN'T disable), or by making HDMI input-selection a "dynamic" function (so there's no way to deterministically tell it, "select HDMI input #6, regardless of what (or whether) anything is connected and active on HDMI ports 1-5"). Thankfully, external HDMI switchboxes are cheap... but still, seriously? We've been bitching about dysfunctional TVs with messed up discrete codes for what, 25 years now? And the industry STILL can't manage to get it right?!? It's just insane.

    2. Re:XMPP not secure? by msauve · · Score: 1

      "the number of companies selling computer-programmable universal remotes that have real buttons, LCD screens, and have programming software that isn't restricted to ONLY their "value added resellers" (burn in hell, UEI) is... well... zero."

      You can still find NOS Nevo/Xsight remotes, programming is supported by RemoteMaster.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:XMPP not secure? by Kyr+Arvin · · Score: 1

      Also, every open remote system that I've found that can do everything the Harmony can do works on IR. IR sucks, because you shouldn't have to point a remote at a listener. If you have a halfway-nice home theater setup, you're going to have things in cabinets that block IR signals. It should work on RF or Bluetooth, with IR blasters connected to those devices that need it and/or are hidden.

    4. Re:XMPP not secure? by WaffleMonster · · Score: 1

      The LCD screen is what spares you from having to remember that {some function you might use once in three years} is mapped to {non-obvious button}. It enables you to use the main, logically-arranged buttons for functions you use every day, and still have LCD-labeled buttons for the obscure, little-used functions close at hand (so you don't have to go digging out the original remote, find working batteries, etc) every few months.

      I still don't understand the value proposition for "once in three years" outliers you claim exist. In that case why wouldn't you just use local on device controls to adjust configuration? Labels or magic marker are free. Keeping non-replaceable rechargeable batteries charged vs throwing some lithiums in a normal remote and being set for years doesn't strike me as a better experience.

      It does take a few minutes up-front to program buttons vs picking what you got from a database and having a map created for you.

      As for CEC... HAHAHAHAHAHAHA(...)HAHAHAHA. That's a good one. Especially insofar as interoperability goes. If the extent of your "Home Theater" system is a TV from Walmart, a crap soundbar, and a Blu-Ray player, CEC might be adequate... if all three are from the same manufacturer, the same product line, and are fairly new.

      Now try setting up a 4K TV with multiple media sources, a receiver made by someone else with surround-sound speaker setup, and throw in a few "legacy" video sources for good measure.

      What difference does it make if it's a soundbar or an AVR? It all works exactly the same .. you plug in ARC out from TV to your AVR and TV fully controls the receiver. All codecs from anything appearing on the display is pass-thru to AVR automatically same as cheap sound bar. 4k TVs have better CEC than older pre-4k sets.

      The thing about CEC that makes it superior to anything else is presentation of a coherent unified interface. TV state and source control are always perfectly synchronized.

      If the display is turned off pressing next track button wakes up the display before commands are passed on to underlying source. You can't accidentally secretly control other devices in the background. You can't unpause a DVR, or Blu-ray or change track on an HTPC because the controls only work on source you are actually seeing on the display and in the context on the display where commands are able to be accepted. If you are in a configuration screen or using software on TV then accidentally pressing a media control button does nothing. Way better experience way less complexity way less to screw up.

      Personally never had any issues with CEC that couldn't be fixed with configuration either in the TV or the source. I'm sure plenty of interop issues exist yet I've never experienced anything that couldn't be addressed with configuration. Things are getting better every day.

    5. Re:XMPP not secure? by Miamicanes · · Score: 1

      > In that case why wouldn't you just use local on device controls to adjust configuration?

      Because lots of newer devices barely HAVE local on-device controls anymore. You're lucky to have real buttons for 'toggle power', 'cycle through inputs', 'volume up', 'volume down', 'menu', 'channel up/next', 'channel down/prev'. When you run into some really weird edge case, like 'old DVD that was authored with incorrect flags, so the aspect ratio and/or letterboxing is all fsck'ed up', you have to manually adjust the SD aspect ratio/zoom settings. They're something that you shouldn't have to worry about, and rarely do... but WHEN you do, it kind of sucks if you have to remember that the function was mapped to the button on the universal remote marked 'sleep' (or some other even more obscure function whose button you had to recycle, because there was no button on the universal remote explicitly labeled as 'SD Zoom/Aspect Ratio').

      Of course, some universal remotes DO have buttons labeled for every conceivable function... and usually, those remotes have dozens and dozens of identical tiny buttons with labels that can't easily be read in dim light... or bright light, for that matter (Japanese remotes in particular are bad about this... consumers in Japan apparently LOVE having lots and lots of tiny little identical buttons in neat, orderly rows).

      The problem with asking, "why not just use the original remote for things like that?" is the fact that the original remote is probably buried somewhere, and once you finally DO find it, the likelihood that its batteries are still good (after years of sitting unused, buried under assorted stuff) is low. Add 5-10 minutes to hunt down the right batteries (inevitably, you'll need 3 AAA batteries, and discover you have TWO AAA batteries and a crate of AA batteries). That's the benefit of being able to dig through the remote's LCD menu for those obscure functions... it spares you from having to hunt down the original remote, then go on a second hunt for batteries.

      > What difference does it make if it's a soundbar or an AVR?

      A soundbar is a very, very simplified and dumbed-down peripheral -- it's a single device, connected to a single source via a single cable, with a very limited range of constrained settings. In contrast, an AVR is a lot more open-ended and configurable, in terms of inputs, outputs, AND any processing done to the signals between the two. A really good soundbar is a net improvement over most built-in speakers on a TV, but has nowhere NEAR the capabilities of a good AVR with left, right, center, left-surround, right-surround, left-rear-surround, right-rear-surround, and one or two subwoofers. Since it's physically impossible to get true surround from a single soundbar, that itself eliminates ~70% of the settings and configurations you'd have to deal with when setting up and tweaking surround settings to optimize the setup for your room's inevitably-imperfect sonic environment.

      My point was that a simple, lower-end consumer who buys a select few matched components and has relatively low expectations to begin with might have an easy setup experience with a cheap TV and soundbar from Walmart, but someone who demands at a minimum 5.1 surround with non-absurdly-undersized speakers and wants it tweaked to handle their room's audio characteristics is unlikely to be satisfied with that, and is likely to find CEC to be quite a bit more constraining (and buggy). CEC is the control system of tomorrow. And tomorrow is still quite far away if you're the kind of user who benchmarks his system, owns at least one analyzer, annoys his spouse and/or family and/or friends by insisting upon tweaking the settings for every movie to achieve perfection (when all THEY seemingly want to do is "watch the movie", and don't *care* if the surround timing sounds like it's a bit delayed on the rear-right channel in scene 23).

  19. Remember, folks... by Anonymous Coward · · Score: 1

    ... the "S" in IoT stands for "security".

  20. I love their response... by Mysticalfruit · · Score: 2

    We've carefully considered your needs as a customer and after consulting with our lawyers, our response is "FUCK OFF WANKERS."

    I get it's a security issue, but

    1. Let the users know you're going to be disabling the interface.
    2. Have it be disabled by default and force the user to go through a bunch of loopholes to turn it back on.

    The fact they pulled the rug out from under the users' feet is hella shitty.

    Just imagine you've got a vacation house in another state and you're using this solution to control thermostats and lights, etc.

    --
    Yes Francis, the world has gone crazy.
    1. Re:I love their response... by Opportunist · · Score: 1

      A cloud based solution?

      Didn't they say they did this to IMPROVE security?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. Re:You asked for it. by Miamicanes · · Score: 4, Interesting

    Some new TVs sold in the US ship with disabled ATSC tuners that require at least a one-time internet connection to enable. Basically, they didn't want to pay the licensing fees for EVERY TV that gets sold, so they negotiated a deal whereby they ship with the ATSC tuner disabled & only have to pay royalties for the tuners that someone explicitly enables.

  22. Internet connected things are not really yours... by Fly+Swatter · · Score: 1

    One firmware update, and bam! your automated house is now a dark soul-less doorstop. The problem is no one will learn from this lesson.

  23. Re:If it requires a "cloud" account, you don't own by scdeimos · · Score: 1

    And yet people apparently love Cisco Meraki products with their "cloud updates."

  24. Dumb users by viperidaenz · · Score: 1

    This is what Logitech does
    They already bricked their old Harmony Link Hub
    https://www.theverge.com/circu...

    If you don't want Logitech to fuck you over, don't buy Logitech products.

  25. Security. Yeah. Right by Opportunist · · Score: 1

    Like they are the first company that gives a rat's ass about the security of their IoT and home automation devices. At least tell a believable story that's not such a blatant and obvious lie.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  26. It's called beta testing by ellbee · · Score: 1

    If a fraction of the community had tried out the new firmware before release, would this have happened?

    --
    You can't fight in here - this is the war room!

  27. could it be by renegade600 · · Score: 1

    wonder if the real reason for the so-called security fix, is Logitech is not getting a royalty for the third party connections.

  28. Re:Marketing by desdinova+216 · · Score: 1

    but then we wouldn't have as many people for the B ark

  29. Doesn't matter what your issues are by rsilvergun · · Score: 1

    if your congressman has been bought off they won't vote how you tell them. Nothing matters when you're voting for a corrupt politician. You don't matter unless you're giving them huge checks too.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  30. Wider than Logitech by cwsumner · · Score: 1

    This is more than just Logitech, and much older than IOT:

    "Give me all of your money, and I will take care of you forever!"

    Which is an ad for "selling yourself into slavery"... 8-{