Slashdot Mirror


Logitech Will Restore Third-Party Harmony Home Automation (theverge.com)

After issuing a firmware update that reportedly cut off local access for Harmony Hubs, Logitech says it will offer yet another update to undo the move and restore local network control. The Verge reports: While Logitech originally defended its move to make the Harmony Hub unresponsive to third-party home automation software -- arguing that the private APIs were never meant to be used for anything except setting up the Harmony Hub for the first time, and that keeping them around meant maintaining a security hole -- Logitech has now relented, saying it's "working to provide a solution for those who still want access despite the inherent security risks involved." That solution is basically an about-face: Logitech will undo the change it made in the first place by restoring access to XMPP local controls with a new update, so that third-party home automation software like Home Assistant can see and operate the Hub over your local network. Logitech's calling it a "XMPP beta program" for now, and says it'll make the update available to all Harmony customers in January as well.

  1. Re:Surprised that they didn't turn it into a month by Alwin Henseler · · Score: 1

    Rates would have to be reasonable, of course. Otherwise a whole cottage industry would pop up of 'home control service assistants' (read: people) that get called to someone's house, just to flip a few buttons and move some thermostat dials. Offering "flush toilet" and "put book back on the shelf" as value-added services.

    Ridiculous, right? Never mind - you heard it here first!

  2. Nonsense by markdavis · · Score: 3, Insightful

    >"arguing that the private APIs were never meant to be used for anything except setting up the Harmony Hub for the first time, and that keeping them around meant maintaining a security hole"

    That is just nonsense. If they only thought that then they should have:

    1) Told users exactly what they were going to do and why.
    2) Turn it off by default after the update.
    3) Put in an option in setup to turn it back on, locally only.
    4) Document how to turn it on and why/how it could be dangerous.
    5) Perhaps add filters or controls to help restrict access when it is on.

    1. Re:Nonsense by drinkypoo · · Score: 1

      If they are not using it any more, then literally removing it means no longer having to support it. Your solution offers Logitech nothing, and means more work for them. I still don't think they should remove it, on the basis that people are using it and they put it in there to begin with, but I understand why they wanted to rip it out completely.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Nonsense by tlhIngan · · Score: 2

      > If they are not using it any more, then literally removing it means no longer having to support it. Your solution offers Logitech nothing, and means more work for them. I still don't think they should remove it, on the basis that people are using it and they put it in there to begin with, but I understand why they wanted to rip it out completely.

      It also removes a potential security hole - because heck, who knew if that interface was authenticated? Or perhaps the implementation has an overflow bug that lets you take it over? We all say IoT stuff is insecure, so a manufacturer wanting to close off something they didn't use anymore (and didn't advertise as having) means a more secure product. In general, a good thing.

      It's not up to Logitech to research that hey, some people have discovered this private interface and used it in their home automation systems. As far as Logitech is concerned, it's a deprecated interface that should be closed off to make the product more secure.

      Of course, they probably got surprised at the number of people who were using it - given it wasn't advertised as a product supporting it and decided to perhaps turn it from an unsupported insecure interface into a supported secure one. This will probably take some time to do as now the code has to be audited for security flaws (which probably exist, which is why they removed it instead of fixed it), and the interface properly documented. And secured, to ensure only authorized users can access your home automation system and not some random person on the Internet.

    3. Re:Nonsense by markdavis · · Score: 1

      >"If they are not using it any more, then literally removing it means no longer having to support it. Your solution offers Logitech nothing, and means more work for them"

      But they didn't claim they removed it because it was more work for them or was difficult to support or cost them money. They just claim it was a security hole and never meant to be used like that in the first place. Which is silly- I find it impossible they didn't know lots of people were using it, it is probably all over all kinds of forums.

      It is bad enough for them to be "mean", worse to be dishonest too.

    4. Re:Nonsense by omnichad · · Score: 1

      They had to have some people on staff whose job it was to figure out how people were really using their products to aid for product development (ok, really they've probably stagnated instead). Just seeing the number of people that integrate with them despite not giving an interface or having a formal partnership should make it plainly obvious. I would be a little surprised if they didn't know exactly what they were doing and had plans to launch a new product where they could officially monetize their integrations.

    5. Re:Nonsense by markdavis · · Score: 1

      >"This coming from you is so laughable I can barely believe it. You're the same markdavis that posted in another thread about Firefox doing GOOD for removing old plugin APIs 90% of their users depended and relied on."

      Mozilla told us well in advance what they were doing, and it wasn't turning off or removing anything, it was a redesign with replacement. They HAD to do it to move forward with more than just security, but for performance and stability. They didn't overnight just "do away" with addons and wipe their hands of it, but changed the structure carefully. Logitech completely discarded something (total loss of functionality) they knew people were using legitimately, with no notice, and no workaround, and no replacement functionality, and probably more because they were trying to save money on a PAID device.

      You are comparing apples to oranges (and doing it anonymously at that) and then calling it hypocrisy.

    6. Re:Nonsense by rtb61 · · Score: 1

      Problem is, they knew exactly what people were doing with it and exactly what problems it would cause all those people and what it would cost them and well, they just did not give a fuck, there was gold in them thar hills of rejected product to buy Logitech product. I would not trust them hereinafter. This is what they were quite willing to do to inflate their profits until they were forced to chicken out, cluck, cluck, cluck.

      --
      Chaos - everything, everywhere, everywhen
    7. Re:Nonsense by DeVilla · · Score: 1

      > ...it wasn't turning off or removing anything, it was a redesign with replacement.

      Yeah. That's "If you want to keep your doctor / insurance ..." dishonest. There are plenty of once useful extensions for Firefox that don't work and can't work, because the APIs necessary to re-implement them have not been "replaced". I'm getting by, but I hate the web a lot more now than when I could at least make a browser behave in a tolerable fashion.

    8. Re:Nonsense by markdavis · · Score: 1

      I don't disagree that it was painful and that there aren't some still-lingering effects. But it seems most everything useful for most people is still there. I do wish for more UI API's.... I think they will be coming.

  3. Privacy by Design? by mrwireless · · Score: 3, Interesting

    Removing the ability to control a smart home device from the local network might have gone against the GDPR's "privacy by design" principle. Perhaps their legal team pointed this out?

    I suspect/hope that in the future we will see more smart devices that go beyond the "cloud-first" or "cloud-only" control schemes. It should be possible to have a smart home that never connects to the internet. Open Source home automation software like Home Assistant makes this possible.

  4. Re: Surprised that they didn't turn it into a mon by Anonymous Coward · · Score: 1

    Yeah! I want to hear more about how Angelina spent millions on lawyers to sue Brad's manager for giving him some girl's phone number.

  5. The reason? by freeze128 · · Score: 3, Interesting

    It would be interesting to find out the exact reason that they decided to backtrack. Was it because of the sudden increase in support calls? Was it because their forum almost crashed because everyone was posting about how this sucks? Was it because of a deluge of lawsuits to their legal department?

    If we can find out what made Logitech come to their senses, maybe it can be done with other tone-deaf companies.

  6. Re:IoT business model by omnichad · · Score: 1

    All those valuable light switch toggle timings in a massive database. I'm sure someone's really drooling at a chance at getting that. For reasons.

  7. Backward Compatibility by PhYrE2k2 · · Score: 1

    This is the bigger issue of backward compatibility. How long should a vendor support a feature they no longer want to support simply because someone is using it?

    How much legacy code is in Linux, Windows, and every single program? The bloat, the old compatibility APIs. Sigh.

    The coding and API mistakes of the past haunt software forever. It's why I don't blame vendors for making a major version which breaks compatibility every once in a while.

    --

    when you see the word 'Linux', drink!
    1. Re:Backward Compatibility by drinkypoo · · Score: 1

      > This is the bigger issue of backward compatibility. How long should a vendor support a feature they no longer want to support simply because someone is using it?

      If they don't want to support it, they should bring out a new version, and open source the old one. If the new version is better, then people will use it. If it isn't, then they don't need to bring out a new version, do they?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Backward Compatibility by DeVilla · · Score: 1

      Well, if it was billed as a home automation tool, taking away some automation functionality seems questionable. That API may not be what they meant, but it seems they discovered a market they were accidentally serving. If they are wise they will find a way to continue to serve that market, unless those are users they want to serve. But that comes with a trade-off in lost goodwill.