Slashdot Mirror

← Back to Stories (view on slashdot.org)

Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com)

Posted by BeauHD on from the left-out-in-the-cold dept.

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forms to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to make to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."

13 of 151 comments (clear)

  1. Tell the truth by Anonymous Coward · · Score: 5, Insightful

    We removed the XMPP interface because we're Logitech and we want to force you to use only Logitech products and services so we make the most profit possible

    Fixed that for you, Logitech.

  2. Re:Glad it's not me by bill_mcgonigle · · Score: 5, Interesting

    Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.

    Every development plan that consists of "we're talking away features from your IoT device" needs to have "defending the class action lawsuit" in the budget summary.

    Gosh, if Logitech can't understand how to set up XMPP over TLS that tells me to stay far, far, away from any of their networking products.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Yet another reason not to touch IoT by Bradmont · · Score: 5, Insightful

    This is just another reason to avoid IoT devices altogether. Apart the spying risks and the general lack of security patches, the ability of random companies to, on a whim, render completely inoperable stuff you've paid good money makes a trifecta of user-hostile design. I can stick with old-fashioned wall mounted light switches, thanks.

    1. Re:Yet another reason not to touch IoT by Cyberax · · Score: 4, Insightful

      IoT devices themselves are fine. ZWave or ZigBee light switches don’t depend on whims of a manufacturer. You don’t need to replace them, just replace the hub.

    2. Re:Yet another reason not to touch IoT by markdavis · · Score: 4, Interesting

      >"I can stick with old-fashioned wall mounted light switches, thanks."

      You can use X10, ZWave, whatever with simple controllers or even simple, local computer based connection. The issue is when you buy some "cloud" based device which is controlled by a third-party. But sometimes that can be really difficult to find.

      The problem is that the "masses" want an "easy" and connected "solution". And these solutions seem to always mean a third-party controls your crap and you pay some recurring fee.

      Example- I wanted to set up a security system. I wanted wireless sensors and the ability to send Email and text messages. But I didn't want a "solution". I didn't want a third party. I didn't want recurring fees. I didn't want some company that could brick (or change) my crap without permission. Result? I could find almost NOTHING OUT THERE! Every single platform was based on some "cloud" thing that required them to have access to my equipment and data, and recurring fees. There is some stuff out there without such "features" but they are all very limited, and poorly documented.

    3. Re:Yet another reason not to touch IoT by Cyberax · · Score: 4, Informative

      ZWave and ZigBee devices along with a hub are typically considered to be IoT. And the hub can be fully offline-capable: Vera, HomeAssistant and OpenHab work perfectly fine offline (obviously without Alexa or Internet-device integration).

  4. Ministry of truth-y? by zugmeister · · Score: 5, Funny

    We removed that interface as part of an effort to make to improve the Hub security.

    I am altering the deal. Pray I don't alter it any further.

  5. If it requires a "cloud" account, you don't own it by Anonymous Coward · · Score: 5, Insightful

    Any device that requires an account on someone else's service doesn't belong to the person who purchased it. It belongs to the service provider.

    How many times do we have to learn this lesson? (Answer: every time, apparently)

  6. Par for the course for Logitech... by msauve · · Score: 5, Informative

    Logitech has a history of screwing their users. Consider that in your future purchasing decisions.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  7. If this was REALLY about security by sjames · · Score: 4, Informative

    If the update was REALLY about security, they would leave local access and disable phoning home.

  8. I don't think that'll work by rsilvergun · · Score: 4, Informative

    there have been several rules that uphold Arbitration agreements in EULA's recently. Congress passed a law making them binding and the SCOTUS upheld the law because Congress passed it. Employees can still sue for violations of various Labor Laws (mostly national ones) but if you're a consumer you're pretty much boned.

    I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  9. "the cloud" = you are a sucker by Anonymous Coward · · Score: 5, Insightful

    people using a device in an unsanctioned way then complaining that the door was closed on it. That's the risk you run playing with open doors you're not supposed to see.

    No, that's the risk you run playing with a device that you don't control.

    A better way: MyCroft + devices designed to talk to it.

    Otherwise, live by someone else's cloud, die by someone else's cloud. When you give up control, the entire problem is: you gave up control.

    Stop giving people money to own your ass, and they'll (mostly, except where the government forces them on you) stop owning you.

  10. Re:You asked for it. by Miamicanes · · Score: 4, Interesting

    Some new TVs sold in the US ship with disabled ATSC tuners that require at least a one-time internet connection to enable. Basically, they didn't want to pay the licensing fees for EVERY TV that gets sold, so they negotiated a deal whereby they ship with the ATSC tuner disabled & only have to pay royalties for the tuners that someone explicitly enables.