Slashdot Mirror


Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com)

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases all, of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forums to complain once they realized the systems they built up to control their smart home devices had essentially become unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to make to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."
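The practical question behind this story is whether a hub on your LAN still answers on its local XMPP interface after an update. The following probe is an added example, not code from Ars Technica, Logitech or any of the automation projects named above. It assumes the hub's local interface sits on the standard XMPP client port (5222) and speaks a plain XMPP stream open; the "fake hub" listener and its reply are constructed here so the script runs offline.

```python
import socket
import threading

# Standard XMPP client port (IANA "xmpp-client"). That the hub's local
# interface listened on this port is an assumption made for this example.
XMPP_CLIENT_PORT = 5222

# Minimal XMPP stream header (RFC 6120 section 4). Sending it only asks the
# peer to open a stream; no authentication takes place.
STREAM_OPEN = (
    "<?xml version='1.0'?>"
    "<stream:stream to='{host}' xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
)


def probe_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_xmpp(host, port=XMPP_CLIENT_PORT, timeout=2.0):
    """Classify what listens on host:port.

    Returns 'xmpp'   if the peer answers our stream header with its own,
            'open'   if the port accepts connections but does not talk XMPP,
            'closed' if the connection is refused or times out.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(STREAM_OPEN.format(host=host).encode())
            try:
                reply = s.recv(4096)
            except socket.timeout:
                return "open"
    except OSError:
        return "closed"
    return "xmpp" if b"<stream:stream" in reply else "open"


def unused_port():
    """Pick a port on 127.0.0.1 that nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_hub(reply):
    """Constructed stand-in for a hub on 127.0.0.1; returns its port.

    The listener accepts one client, reads whatever the client sends and
    answers with `reply` (for example a stream header), then closes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(2.0)
        try:
            conn.recv(4096)          # consume the client's stream header
            conn.sendall(reply)
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


# Constructed reply imitating a hub whose local XMPP interface is still up.
FAKE_STREAM_REPLY = (
    b"<?xml version='1.0'?>"
    b"<stream:stream xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' "
    b"from='hub.local' version='1.0'>"
)

if __name__ == "__main__":
    port = start_fake_hub(FAKE_STREAM_REPLY)
    print("fake hub with XMPP:", probe_xmpp("127.0.0.1", port))
    print("nothing listening:", probe_xmpp("127.0.0.1", unused_port()))
```

Against a real device you would call `probe_xmpp("<hub-ip>")` before and after a firmware update; a change from `xmpp` to `closed` is the behaviour the report describes. The three-way result matters because a port that still accepts connections but no longer speaks XMPP would otherwise be misread as "local access still works".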

30 of 151 comments

  1. Tell the truth by Anonymous Coward · Score: 5, Insightful

    We removed the XMPP interface because we're Logitech and we want to force you to use only Logitech products and services so we make the most profit possible

    Fixed that for you, Logitech.

    1. Re:Tell the truth by omnichad · Score: 3, Interesting

      You forgot this part;

      We also want to decide when EOL is, because we need to be able to force you to buy new hardware when we need the cash

  2. Logitech = shitbags hiding behind a name by Anonymous Coward · Score: 3, Informative

    Logitech at one time made decent peripherals. Now they are just a 'brand' slapped onto any Chinese made garbage they can find with Indian support. If you buy Logitech you deserve what you get.

    This firmware update is TOTALLY something I would expect from scumbags like them. Release a product and then fuck over all their customers in an attempt to somehow get more money out of them. They will probably return that functionality "for an additional monthly charge" or some horse shit like that.

    What's bad is they don't even seem to care. They broke many of their customers functionality and just give the standard corporate shrug of "well it's for xyz arbitrary reason".

  3. Re:Glad it's not me by bill_mcgonigle · Score: 5, Interesting

    Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.

    Every development plan that consists of "we're taking away features from your IoT device" needs to have "defending the class action lawsuit" in the budget summary.

    Gosh, if Logitech can't understand how to set up XMPP over TLS that tells me to stay far, far away from any of their networking products.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. Yet another reason not to touch IoT by Bradmont · Score: 5, Insightful

    This is just another reason to avoid IoT devices altogether. Apart from the spying risks and the general lack of security patches, the ability of random companies to, on a whim, render completely inoperable stuff you've paid good money for makes a trifecta of user-hostile design. I can stick with old-fashioned wall mounted light switches, thanks.

    1. Re:Yet another reason not to touch IoT by Cyberax · Score: 4, Insightful

      IoT devices themselves are fine. ZWave or ZigBee light switches don’t depend on whims of a manufacturer. You don’t need to replace them, just replace the hub.

    2. Re:Yet another reason not to touch IoT by markdavis · Score: 4, Interesting

      >"I can stick with old-fashioned wall mounted light switches, thanks."

      You can use X10, ZWave, whatever with simple controllers or even simple, local computer based connection. The issue is when you buy some "cloud" based device which is controlled by a third-party. But sometimes that can be really difficult to find.

      The problem is that the "masses" want an "easy" and connected "solution". And these solutions seem to always mean a third-party controls your crap and you pay some recurring fee.

      Example- I wanted to set up a security system. I wanted wireless sensors and the ability to send Email and text messages. But I didn't want a "solution". I didn't want a third party. I didn't want recurring fees. I didn't want some company that could brick (or change) my crap without permission. Result? I could find almost NOTHING OUT THERE! Every single platform was based on some "cloud" thing that required them to have access to my equipment and data, and recurring fees. There is some stuff out there without such "features" but they are all very limited, and poorly documented.

    3. Re:Yet another reason not to touch IoT by msauve · Score: 2

      "IoT devices themselves are fine. ZWave or ZigBee light switches don’t depend on whims of a manufacturer. "

      Uh, wha??? IoT is Internet of Things. Neither ZWave nor ZigBee use IP, they are definitely not IoT devices.

      And actual IoT devices are very, very, commonly dependent on a vendor's servers. Wink and SmartThings hubs, Ecobee and Nest thermostats, many cameras, etc. Some will provide basic functions when they've lost contact with the mothership, but full function depends on external services which you can't control.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Yet another reason not to touch IoT by Cyberax · Score: 4, Informative

      ZWave and ZigBee devices along with a hub are typically considered to be IoT. And the hub can be fully offline-capable: Vera, HomeAssistant and OpenHab work perfectly fine offline (obviously without Alexa or Internet-device integration).

    5. Re:Yet another reason not to touch IoT by msauve · Score: 2

      But, that doesn't solve the problem. For many devices they still need to go through a vendor's cloud service for control - it's not local. E.g., HA will control a Nest or Ecobee, but it does so by talking to the vendor's Internet service, the devices themselves simply do not have local APIs. Home Assistant and openHAB won't help you out if the vendor discontinues support or goes away, or even just has a server failure.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Yet another reason not to touch IoT by Miamicanes · Score: 3, Interesting

      X10 has been pretty much dead and useless ever since CFLs and LEDs took over. The problem isn't with the X10 protocol per se, but rather with the ASIC used by nearly every X10 module in modern history. Between CFLs with active ballasts & LED drivers, basically every module that has ever existed is now unusable. Even with the relay-based appliance modules, the "local power control" feature STILL fucks them up... EVEN IF you cut the trace that supposedly disables it (it still sends a pulse of current every 10 seconds or so). If I were really determined, I could still get CFLs to work by connecting an incandescent night light in parallel, but I've NEVER seen an X10 module that works properly with LED lights.

      It's a shame, because I literally grew up in an X10 house... my parents had a bunch of X10 modules going all the way back to 1980s Radio Shack, I had two in my college dorm room to control lights that were inconveniently far from the door and my bed, and my collection multiplied after college & especially after I bought a house, only for all of them to become functionally obsolete as I switched to LEDs and even my nightlight work-around ceased to work. X-10 had a good run, only to ultimately get killed off by something not directly related to the standard itself.

    7. Re:Yet another reason not to touch IoT by green1 · Score: 3, Insightful

      The nice thing with systems like home assistant is that you can choose exactly how much, or how little, integration you need or want with other devices and services.

      I have a home assistant setup on a raspberry pi at home, but it also connects through IFTTT to google assistant, and I can connect through my VPN from my phone or computer anywhere.

      All the "I" of IOT, without the vendor shenanigans.

    8. Re:Yet another reason not to touch IoT by markdavis · Score: 3, Informative

      X10 does suck, in general. I will agree with you on that. But I use it with quality dimmable LEDs throughout my house and that actually works fine. I am sitting in a room right now with LED track lighting that is dimmed to about 33% with a standard/cheap X10 wall switch. No flicker, no variation in the light, no issues at all, and with no incandescent in the circuit at all. They even dim properly all the way to about 15% brightness or something like that.

      The biggest problem with X10 is that it is too prone for the signal to get blocked or interfered with.

    9. Re:Yet another reason not to touch IoT by Tyr07 · Score: 2

      Got Windows 10?

      They're already doing it. They have literally removed features, such as certain file system support etc from non enterprise versions of windows. It's in the agreement. That's why they were so pushy about getting windows 10 out there.

      By the time the average user figures out what has gone on, it'll be too late. The only language companies speak is money, and the only way we can truly communicate to them is by not giving them our money. However the average person refuses to be that inconvenienced, so here we are.

    10. Re:Yet another reason not to touch IoT by Anonymous Coward · Score: 2, Insightful

      That's not really an internet of things though, considering that they're local wireless technology. But that's the thing, the IntranetOfThings is a wonderful idea. The InternetOfThings is just rent seeking and security holes.

  5. Ministry of truth-y? by zugmeister · Score: 5, Funny

    We removed that interface as part of an effort to make to improve the Hub security.

    I am altering the deal. Pray I don't alter it any further.

  6. If it requires a "cloud" account, you don't own it by Anonymous Coward · Score: 5, Insightful

    Any device that requires an account on someone else's service doesn't belong to the person who purchased it. It belongs to the service provider.

    How many times do we have to learn this lesson? (Answer: every time, apparently)

  7. Aren't there legal protections? by Actually,+I+do+RTFA · Score: 3, Insightful

    I wonder what kind of "return as defective" laws are in place.

    --
    Your ad here. Ask me how!
  8. Why would you buy that anyway? by Anonymous Coward · Score: 2, Insightful

    Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors ... all with a simple standardized protocol over a simple two/one-wire long-distance bus. (A MIDI-based one looks like a good choice. DMX maybe, but I don’t know it.)
    Or let them talk to each other over the power sockets. But then they need encryption.

    In any case, NEVER buy anything with a “proprietary” interface. Unless you like being the sub in a S/M relationship, of course.

    1. Re:Why would you buy that anyway? by Miamicanes · Score: 2

      Adafruit makes something like this -- https://www.adafruit.com/produ...

      It's basically a power strip with relay that's controlled by an optoisolated pair of wires. AFAIK, it's not UL approved, but it's "CPI Tested", for whatever that's worth. One outlet is always-on, one is normally-on, two are normally-off.

    2. Re:Why would you buy that anyway? by omnichad · Score: 2

      "Tested."

      And they don't even say it passed?

  9. Useless by mydn · Score: 2

    I was just about to buy one to manage devices at home, but it appears that it is now useless. If I can't do it without "cloud", then fuck you.

  10. Par for the course for Logitech... by msauve · Score: 5, Informative

    Logitech has a history of screwing their users. Consider that in your future purchasing decisions.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  11. If this was REALLY about security by sjames · Score: 4, Informative

    If the update was REALLY about security, they would leave local access and disable phoning home.

    1. Re:If this was REALLY about security by c · Score: 2

      To be specific, the update is about the security of Logitech's bottom line.

      --
      Log in or piss off.
  12. I don't think that'll work by rsilvergun · Score: 4, Informative

    there have been several rulings that uphold Arbitration agreements in EULAs recently. Congress passed a law making them binding and the SCOTUS upheld the law because Congress passed it. Employees can still sue for violations of various Labor Laws (mostly national ones) but if you're a consumer you're pretty much boned.

    I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  13. And that's all I have to say about that. by WorBlux · Score: 2
  14. "the cloud" = you are a sucker by Anonymous Coward · Score: 5, Insightful

    people using a device in an unsanctioned way then complaining that the door was closed on it. That's the risk you run playing with open doors you're not supposed to see.

    No, that's the risk you run playing with a device that you don't control.

    A better way: MyCroft + devices designed to talk to it.

    Otherwise, live by someone else's cloud, die by someone else's cloud. When you give up control, the entire problem is: you gave up control.

    Stop giving people money to own your ass, and they'll (mostly, except where the government forces them on you) stop owning you.

  15. I love their response... by Mysticalfruit · Score: 2

    We've carefully considered your needs as a customer and after consulting with our lawyers, our response is "FUCK OFF WANKERS."

    I get it's a security issue, but

    1. Let the users know you're going to be disabling the interface.
    2. Have it be disabled by default and force the user to go through a bunch of loopholes to turn it back on.

    The fact they pulled the rug out from under the users feet is hella shitty.

    Just imagine you've got a vacation house in another state and you're using this solution to control thermostats and lights, etc.

    --
    Yes Francis, the world has gone crazy.
  16. Re:You asked for it. by Miamicanes · Score: 4, Interesting

    Some new TVs sold in the US ship with disabled ATSC tuners that require at least a one-time internet connection to enable. Basically, they didn't want to pay the licensing fees for EVERY TV that gets sold, so they negotiated a deal whereby they ship with the ATSC tuner disabled & only have to pay royalties for the tuners that someone explicitly enables.