Logitech Will Restore Third-Party Harmony Home Automation (theverge.com)
After issuing a firmware update that reportedly cut off local access for Harmony Hubs, Logitech says it will offer yet another update to undo the move and restore local network control. The Verge reports: While Logitech originally defended its move to make the Harmony Hub unresponsive to third-party home automation software -- arguing that the private APIs were never meant to be used for anything except setting up the Harmony Hub for the first time, and that keeping them around meant maintaining a security hole -- Logitech has now relented, saying it's "working to provide a solution for those who still want access despite the inherent security risks involved." That solution is basically an about-face: Logitech will undo the change it made in the first place by restoring access to XMPP local controls with a new update, so that third-party home automation software like Home Assistant can see and operate the Hub over your local network. Logitech's calling it an "XMPP beta program" for now, and says it'll make the update available to all Harmony customers in January as well.
>"arguing that the private APIs were never meant to be used for anything except setting up the Harmony Hub for the first time, and that keeping them around meant maintaining a security hole"
That is just nonsense. If they only thought that then they should have:
1) Told users exactly what they were going to do and why.
2) Turned it off by default after the update.
3) Put in an option in setup to turn it back on, locally only.
4) Documented how to turn it on and why/how it could be dangerous.
5) Perhaps added filters or controls to help restrict access when it is on.
Removing the ability to control a smart home device from the local network might have gone against the GDPR's "privacy by design" principle. Perhaps their legal team pointed this out?
I suspect/hope that in the future we will see more smart devices that go beyond the "cloud-first" or "cloud-only" control schemes. It should be possible to have a smart home that never connects to the internet. Open Source home automation software like Home Assistant makes this possible.
It would be interesting to find out the exact reason that they decided to backtrack. Was it because of the sudden increase in support calls? Was it because their forum almost crashed because everyone was posting about how this sucks? Was it because of a deluge of lawsuits to their legal department?
If we can find out what made Logitech come to their senses, maybe it can be done with other tone-deaf companies.