Logitech Disables Local Access On Harmony Hubs, Breaks Automation Systems (arstechnica.com) 151
DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forms to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to make to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."
Glad it's not me (Score:1)
Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.
Re:Glad it's not me (Score:5, Interesting)
Somebody's going to end up hitting these guys pretty hard. Glad I don't have to deal with it.
Every development plan that consists of "we're talking away features from your IoT device" needs to have "defending the class action lawsuit" in the budget summary.
Gosh, if Logitech can't understand how to set up XMPP over TLS that tells me to stay far, far, away from any of their networking products.
I don't think that'll work (Score:5, Informative)
I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money [justicedemocrats.com]
Re: (Score:2)
there have been several rules that uphold Arbitration agreements in EULA's recently. Congress passed a law making them binding and the SCOTUS upheld the law because Congress passed it. Employees can still sue for violations of various Labor Laws (mostly national ones) but if you're a consumer you're pretty much boned.
I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money [justicedemocrats.com]
Yeah, it's a shame that a couple of good ideas are bundled up in a package of (in my opinion) absolute crazy.
Re: (Score:2)
I know I keep harping on about this in various threads, but if we want this to stop we need to vote for candidates who refuse corporate PAC money [justicedemocrats.com]
Sure will. If I was a single issue voter
Doesn't matter what you're issues are (Score:2)
Re: (Score:2)
I'm guessing that it's not just encryption but the ability of any yahoo to hook up an insecure IoT device to it and inject malicious xml or what have you. They just don't want to deal with that in their ecosystem, which leads me to believe something happened that we don't know about that probably f'ed up their servers/systems/whatever.
If the XMPP system wasn't designed for that, then why is it there, and why is it not needed now? That's the question that came immediately to mind for me, not people using a d
"the cloud" = you are a sucker (Score:5, Insightful)
No, that's the risk you run playing with a device that you don't control.
A better way: MyCroft [mycroft.ai] + devices designed to talk to it.
Otherwise, live by someone else's cloud, die by someone else's cloud. When you give up control, the entire problem is: you gave up control.
Stop giving people money to own your ass, and they'll (mostly, except where the government forces them on you) stop owning you.
Re: (Score:2)
^ Absolutely right on - I'd mod you up if I hadn't already commented.
Re: (Score:2)
I don't see how this can replace a remote.
Talking to a device isn't exactly quick, if you want to skip through a movie or adjust the volume.
Re: (Score:1)
i know you paid god money for that pacemaker but we are removing the functionality that gets your heart back in rhythm to increase security. Please do not try to skip the updates, we work hard to keep you secure.
Re: (Score:2)
Every development plan that consists of "we're talking away features from your IoT device" needs to have "defending the class action lawsuit" in the budget summary.
Not to mention a line item in that budget to cover cleaning up the mess after hackers take them down hard as payback for their shitty attitude.
I wouldn't be sorry to see that happen, as long as none of the folks who got stuck with Logitech paperweights gets hurt in the process. I've been anti-Logitech since one of their mouse driver disks installed spyware on my computer many, many years ago. I don't forgive that kind of thing, and I sincerely hope that everyone who's been burned by them follows suit.
Tell the truth (Score:5, Insightful)
We removed the XMPP interface because we're Logitech and we want to force you to use only Logitech products and services so we make the most profit possible
Fixed that for you, Logitech.
Re:Tell the truth (Score:4, Interesting)
You forgot this part;
We also want to decide when EOL is, because we need to be able to force you to buy new hardware when we need the cash
Logitech = shitbags hiding behind a name (Score:3, Informative)
Logitech at one time made decent peripherals. Now they are just a 'brand" slapped onto any Chinese made garbage they can find with Indian support. If you buy Logitech you deserve what you get.
This firmware update is TOTALLY something I would expect from scumbags like them. Release a product and then fuck over all their customers in an attempt to somehow get more money out of them. They will probably return that functionality "for an additional monthly charge" or some horse shit like that.
What's bad is they don't even seem to care. They broke many of their customers functionality and just give the standard corporate shrug of "well it's for xyz arbitrary reason".
Re: (Score:2)
I have a Harmony Hub and remote, and I have to say, it's been generally excellent. It's got high WAF, so high in fact that even visitors can use it without needing a training. It looks good and works well. The only problems I've really had with the whole setup is my satellite box is a crock of shit. Oh, and I did have to put the hub in the cupboard under the stairs where it just about reaches the Amazon box in the garage. That meant a bit of funky wiring up IR emitters and such like. Programming it up is pr
Re: (Score:2)
Re: (Score:2)
I'd imagine that's more a problem for Sonos than Logitech. That said, I can't say I've had any problems with my phone or desktop apps (apart from seemingly endless updates that don't actually do anything). I will say though that my old Samsung Galaxy S5 mini, sat in a dock most of the day does indeed have lots of problems running the sonos app, despite daily reboots and whatnot. Something about leaving the phone on the dock seems to kill phones :-(
Re: (Score:2)
I have some Sonos Play:1 speakers but I don't use the Sonos apps to play music. On my Mac I use SonoAir to connect to the speakers. I installed the app but I end up having to use the Terminal to go into the app and use the airconnect utility the app uses to connect to the speakers.
When I first ran airconnect with the default buffers it would have problems similar to what you state. Whatever I was listening to, iTunes or VLC, would cut out and miss parts. At times when it was very bad almost nothing was bein
Yet another reason not to touch IoT (Score:5, Insightful)
Re:Yet another reason not to touch IoT (Score:5, Insightful)
Re: (Score:3)
Uh, wha??? IoT is Internet of Things. Neither ZWave nor ZigBee use IP, they are definitely not IoT devices.
And actual IoT devices are very, very, commonly dependent on a vendor's servers. Wink and SmartThings hubs, Ecobee and Nest thermostats, many cameras, etc. Some will provide basic functions when they've lost contact with the mothership, but full function depends on external services whi
Re: (Score:1)
If I was at all interested in having a connected house I would look into openHAB or Home assistant. Both appear to be open source. Pretty sure you could use a raspberry pi for your home automation server quite easily. The same device could also host a vpn service so you can ssh into your home network and screw with your LoT devices if you need to.
It's all neat stuff and if I had money and time to burn I would probably add those features to my condo but that's only a maybe. LoT is mostly technology I do not
Re: (Score:3)
Re:Yet another reason not to touch IoT (Score:5, Informative)
Re:Yet another reason not to touch IoT (Score:4, Insightful)
The nice thing with systems like home assistant is that you can choose exactly how much, or how little, integration you need or want with other devices and services.
I have a home assistant setup on a raspberry pi at home, but it also connects through IFTTT to google assistant, and I can connect through my VPN from my phone or computer anywhere.
All the "I" of IOT, without the vendor shenanigans.
Re: (Score:2, Insightful)
That's not really an internet of things though, considering that they're local wireless technology. But that's the thing, the IntranetOfThings is a wonderful idea. The InternetOfThings is just rent seeking and security holes.
Re: (Score:2)
Zigbee light switch compatibility is awful.
The Hue hub cannot see Tradfri switches, the Tradfri hub cannot see the Lightify switches and so on. Only the lightbulbs kinda sorta interoperate, but not very well.
Re: (Score:2)
Re: (Score:2)
Not really available in Germany.
I have two Philips hubs, one Osram hub, one Ikea hub. They all suck, especially Osram.
Re: (Score:2)
Re: Yet another reason not to touch IoT (Score:2)
"Dieses Produkt ist zurzeit bei keinem OnlinehÃndler verfügbar. Bitte versuchen sie es spÃter erneut oder kontaktieren sie uns"
That means unavailable. They don't sell it in Germany.
Re: (Score:2)
Re: (Score:2)
You DO have a hub, it's whatever the zwave adapter is plugged in to.
That said, I gave up on the absmal zwave stuff on home assistant a while ago, and moved my zwave devices to a vera unit which integrates great with the home assistant setup, and is rock solid reliable.
Re: (Score:1)
Sticking with good old-fashioned one-touch capability to switch between input modes on your TV, sound receiver, subwoofer, decoding devices, and lighting on onw-touch, ensuring everything is tuned to your personalized settings?
Awesome.
There are good points to IoT and enabled smart devices. It's a tradeoff and the lack of patching, etc, can be managed by deployed these on a segmented and isolated network in your house. All based on your threat model and cost/benefit analysis.
Re:Yet another reason not to touch IoT (Score:5, Interesting)
>"I can stick with old-fashioned wall mounted light switches, thanks."
You can use X10, ZWave, whatever with simple controllers or even simple, local computer based connection. The issue is when you buy some "cloud" based device which is controlled by a third-party. But sometimes that can be really difficult to find.
The problem is that the "masses" want an "easy" and connected "solution". And these solutions seem to always mean a third-party controls your crap and you pay some recurring fee.
Example- I wanted to set up a security system. I wanted wireless sensors and the ability to send Email and text messages. But I didn't want a "solution". I didn't want a third party. I didn't want recurring fees. I didn't want some company that could brick (or change) my crap without permission. Result? I could find almost NOTHING OUT THERE! Every single platform was based on some "cloud" thing that required them to have access to my equipment and data, and recurring fees. There is some stuff out there without such "features" but they are all very limited, and poorly documented.
Re:Yet another reason not to touch IoT (Score:4, Interesting)
X10 has been pretty much dead and useless ever since CFLs and LEDs took over. The problem isn't with the X10 protocol per se, but rather with the ASIC used by nearly every X10 module in modern history. Between CFLs with active ballasts & LED drivers, basically every module that has ever existed is now unusable. Even with the relay-based appliance modules, the "local power control" feature STILL fucks them up... EVEN IF you cut the trace that supposedly disables it (it still sends a pulse of current every 10 seconds or so). If I were really determined, I could still get CFLs to work by connecting an incandescent night light in parallel, but I've NEVER seen an X10 module that works properly with LED lights.
It's a shame, because I literally grew up in an X10 house... my parents had a bunch of X10 modules going all the way back to 1980s Radio Shack, I had two in my college dorm room to control lights that were inconveniently far from the door and my bed, and my collection multiplied after college & especially after I bought a house, only for all of them to become functionally obsolete as I switched to LEDs and even my nightlight work-around ceased to work. X-10 had a good run, only to ultimately get killed off by something not directly related to the standard itself.
Re:Yet another reason not to touch IoT (Score:4, Informative)
X10 does suck, in general. I will agree with you on that. But I use it with quality dimmable LEDs throughout my house and that actually works fine. I am sitting in a room right now with LED track lighting that is dimmed to about 33% with a standard/cheap X10 wall switch. No flicker, no variation in the light, no issues at all, and with no incandescent in the circuit at all. They even dim properly all the way to about 15% brightness or something like that.
The biggest problem with X10 is that it is too prone for the signal to get blocked or interfered with.
Re: (Score:2)
Hmmm... that's interesting. I haven't actually tried using the dimmable ones with LCDs... I actually did a huge round of X10 replacements sometime around 2010 when I replaced all of my remaining dimmable/incandescent modules with 3-prong appliance-type modules (usually, in conjunction with a 6" extension cord and a 4w nightlight whose only purpose was to provide a constant resistive load to keep the modules from turning themselves on without actually going all the way and disabling the local power control f
Re: (Score:2)
>"I'm lucky in the signal area... once I put the X-10 crossover/bridge module on my dryer outlet a few years ago, all of my problems seemed to go away.""
I am less lucky than you with this. I also put a "filter" on my UPS/computer/AV system. My system just sometimes won't turn on/off certain circuits because something interferes with it and I have to move things around. X10 is positively weak and ancient and inexact.
>"I thought about switching to Z-wave or Insteon a couple of years ago"
I did too but
Re: (Score:2)
X10 is dumb because it is one way. You can't count on your messages being received, and you also can't check to see if they were. most dimmers don't permit setting brightness, so with them there is no way to get a specific level. All in all, it was amusing when new but never reliable.
Re: (Score:1)
As the other posters in this thread said: X10 is pretty much dead for other reasons as well. I have never really used X10 much but I've always found it super infuriating to have this noticeable delay between pressing the button and the light actually turning on. It's short enough that it is not causing problems but it is long enough to tell that something is going on.
The reason for this is just the slow transmission speed of (IIRC) 20bps. That is terribly slow compared to more modern systems such as Z-Wave.
Re: (Score:2)
Re: (Score:2)
I set up my home like this with a DSC panel and Evisalink or whatever it's called.
The Envisalink emulates an IT100 serial interface to the panel over IP so you can interface it with your own custom software. I wrote a PHP script that would watch the zones and turn on the insteon lights to 10% for 5 minutes when the local weather station's solar radiation index was a certain threshold.
It would also email me if the garage door was left open with no movement..
I recently looked at the code and wondered what I a
Re: (Score:3)
Re: (Score:2)
The problem is that it was a private API set. Logitech never advertised it as a way to locally control the unit - it just happened to work.
It just happened that the API set wasn't useful for Logitech and a major security hole so it was closed off.
That's the problem with private APIs. They have a nasty habit of suddenly disappearing on you.
Re: (Score:2)
Ministry of truth-y? (Score:5, Funny)
We removed that interface as part of an effort to make to improve the Hub security.
I am altering the deal. Pray I don't alter it any further.
Re: (Score:2)
Came here for this comment.
Ain't disappointed.
Re: (Score:2)
This deal is getting worse all the time.
If it requires a "cloud" account, you don't own it (Score:5, Insightful)
Any device that requires an account on someone else's service doesn't belong to the person who purchased it. It belongs to the service provider.
How many times do we have to learn this lesson? (Answer: every time, apparently)
Re: (Score:2)
Aren't their legal protections? (Score:4, Insightful)
I wonder what kind of "return as defective" laws are in place.
Re: (Score:2)
Depends on a few things. like when you bought it, and on what continent (north america? forget it, Europe, maybe, see below)
It's also about what was advertised, if this was simply some APIs that someone discovered but that were never actually advertised by the seller, then you probably don't have much of a leg to stand on. If however it was advertised functionality, then yes, Europeans can probably get a refund, North America doesn't have any concept of consumer protection though, so you'd be out of luck he
Re: (Score:2)
Amazon says first availability was September 2015, although it still on sale. Anyway, EU minimum warranty is 2 years, and most countries go further. In the UK goods must "last a reasonable length of time", and even if you were an early adopter 3 years is way too short for a product like this. Typically computers and TVs are minimum 6 years if it gets to court, more for expensive ones.
So let's say six years, an early adopter would get a 50% refund, people who bought this year would expect a full refund. The
Why would you buy that anyway? (Score:2, Insightful)
Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors ... all with a simple standardized protocol over a simple two/one-wire long-distance bus. (A MIDI-based one looks like a good choice. DMX maybe, but I don’t know it.)
Or let them talk to each other over the power sockets. But then they need encryption.
In any case, NEVER buy anything with a “prop
Re: (Score:2)
Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors
Good luck getting a UL stamp on anything remotely like that. (Specifically the switches and sockets) And with no UL stamp you're not going to find anybody (in the States anyway) willing to install it in their home.
Re: (Score:2)
Maybe because we still lack cheap bulk off-the-shelf Arduino-based devices that can be mounted as light switches, shutter motors, radiator thermostats, switching/dimming power sockets, and various sensors
Good luck getting a UL stamp on anything remotely like that. (Specifically the switches and sockets) And with no UL stamp you're not going to find anybody (in the States anyway) willing to install it in their home.
It shouldn't be too hard to have a 120VAC module with standardized inputs and a 5V output that you can plug your microcontroller of choice into. Then you only need to get the UL listing for the 120VAC switch part. Much like how having a UL listed wall wart avoids the need to get the UL listing for your entire device.
Though I suspect that the actual market for this is so small that no company would do it.
Re: (Score:3)
Adafruit makes something like this -- https://www.adafruit.com/produ... [adafruit.com]
It's basically a power strip with relay that's controlled by an optoisolated pair of wires. AFAIK, it's not UL approved, but it's "CPI Tested", for whatever that's worth. One outlet is always-on, one is normally-on, two are normally-off.
Re: (Score:2)
Re: (Score:3)
"Tested."
And they don't even say it passed?
Re: (Score:2)
Re: (Score:2)
Useless (Score:2)
Re: (Score:2)
Re: (Score:2)
Check out Hubitat Elevation [hubitat.com]. I'm in the process of moving from Wink right now. My only gripe so far is needing to buy a Lutron hub for my Caseta switches that Wink had built into the hub. I also run Homebridge on a Raspberry Pi to bring all my devices into the Home app.
Par for the course for Logitech... (Score:5, Informative)
Re: (Score:2)
If this was REALLY about security (Score:5, Informative)
If the update was REALLY about security, they would leave local access and disable phoning home.
Re: (Score:3)
To be specific, the update is about the security of Logitech's bottom line.
Re: (Score:2)
I believe you are correct.
Re: (Score:2)
This is the truth, but in reality the companies are so delusional that they always think their remote servers are more secure than local access.
I have a Vera controller at home that has both local and remote access. In the interface there's a "secure mode" that disables local access, but leaves remote access. There's no option to disable remote access (except a firewall on your router). That's not my definition of secure.
Great (Score:2)
your carefully crafted logitech system is now almost as secure as a computer encased in cement and dropped into the ocean at 2 miles out. /s
I think I'd try to file a return, a credit card charge back or a class action suit. Or all of the above.
Damned either way... (Score:2)
If they do close them, influencers get annoyed.
And they probably don't have the staff, resources or expertise to tighten them up without breaking anything.
What would you have them do?
Re: (Score:2)
Deploy only products they can afford to develop with reasonably enough security to actually stand by them, maybe?
There is a reason I don't produce medical equipment despite most of it being far from high-tech and the profit margins are very, very sweet.
Re: (Score:2)
So should computer makers remove keyboard access to the OS? That is, after all, the biggest security hole to the computer.
Seriously, removing access in the name of "security" is professional malpractice.
But anyway, "IoT. The S is for security."
And that's all I have to say about that. (Score:3)
https://i.imgflip.com/2pe07r.j... [imgflip.com]
Just can't feel sorry for anyone... (Score:1)
I just am not able to have any sympathy for people that keep buying these products. This is not news anymore! It is well known and only people intentionally keeping their heads buried are the only ones getting hurt now.
But look on the bright side, this will build up enough to get congress to create a bunch of regulations that benefit big industry though. It's going to be a win-win-lose as usual. You know who the losers are going to be.
Personally, I don't like ... (Score:2)
... APIs.
It's hard enough tracking telemetries and shit of the single device. When 3rd parties can do a 45 degree drill, it's goddam impossible.
Re: (Score:2)
You know that the device still has APIs, right? Just one less now.
Re: (Score:2)
Just one less now.
And I think that one's adorable.
XMPP not secure? (Score:2)
No fan of XMPP myself due to numerous crummy design choices yet to be fair "Just use TLS" has been a part of the original XMPP protocol since initial RFC some 14 years ago. It's just as secure as anything else so removing XMPP on those grounds is absolutely BS to say the least.
Never much understood the market for systems like Harmony. Remotes always struck me as way overpriced and underwhelming considering programmable remotes where every last button can be customized cost like $15 and batteries last year
Re: (Score:2)
The appeal of Harmony remotes isn't being able to reprogram buttons... it's being able to reprogram buttons that have dynamic labels provided by the adjacent LCD screen.
The LCD screen is what spares you from having to remember that {some function you might use once in three years} is mapped to {non-obvious button}. It enables you to use the main, logically-arranged buttons for functions you use every day, and still have LCD-labeled buttons for the obscure, little-used functions close at hand (so you don't h
Re: (Score:2)
You can still find NOS Nevo/Xsight remotes [hifi-remote.com], programming is supported by RemoteMaster [sourceforge.net].
Re: (Score:1)
Also, every open remote system that I've found that can do everything the Harmony can do work on IR. IR sucks, because you shouldn't have to point a remote at a listener. If you have a halfway-nice home theater setup, you're going to have things in cabinets that block IR signals. It should work on RF or Bluetooth, with IR blasters connected to those devices that need it and/or are hidden.
Re: (Score:2)
The LCD screen is what spares you from having to remember that {some function you might use once in three years} is mapped to {non-obvious button}. It enables you to use the main, logically-arranged buttons for functions you use every day, and still have LCD-labeled buttons for the obscure, little-used functions close at hand (so you don't have to go digging out the original remote, find working batteries, etc) every few months.
I still don't understand the value proposition for "once in three years" outliers you claim exist. In that case why wouldn't you just use local on device controls to adjust configuration? Labels or magic marker are free. Keeping non-replaceable rechargeable batteries charged vs throwing some lithium's in a normal remote and being set for years don't strike me as a better experience.
It does take a few minutes up-front to program buttons vs picking what you got from a database and having a map created for
Re: (Score:2)
> In that case why wouldn't you just use local on device controls to adjust configuration?
Because lots of newer devices barely HAVE local on-device controls anymore. You're lucky to have real buttons for 'toggle power', 'cycle through inputs', 'volume up', 'volume down', 'menu', 'channel up/next', 'channel down/prev'. When you run into some really weird edge case, like 'old DVD that was authored with incorrect flags, so the aspect ratio and/or letterboxing is all fsck'ed up', you have to manually adjust
Remember, folks... (Score:1)
... the "S" in IoT stands for "security".
I love their response... (Score:3)
I get it's a security issue, but
1. Let the users know you're going to be disabling the interface.
2. Have it be disabled by default and force the user to go through a bunch of loopholes to turn it back on.
The fact they pulled the rug out from under the users feet is hella shitty.
Just imagine you've got a vacation house in another state and you're using this solution to control thermostats and lights, etc.
Re: (Score:2)
A cloud based solution?
Didn't they say they did this to IMPROVE security?
Internet connected things are not really yours... (Score:2)
Dumb users (Score:2)
This is what Logitech does
They already bricked their old Harmony Link Hub
https://www.theverge.com/circu... [theverge.com]
If you don't want Logitech to fuck you over, don't buy Logitech products.
Security. Yeah. Right (Score:2)
Like they are the first company that gives a rat's ass about the security of their IoT and home automation devices. At least tell a believable story that's not such a blatant and obvious lie.
It's called beta testing (Score:1)
If a fraction of the community had tried out the new firmware before release, would this have happened?
could it be (Score:2)
wonder if the real reason for the so called security fix, is logitech is not getting a royalty for the third party connections.
Wider than Logitech (Score:2)
This is more than just Logitech, and much older than IOT:
"Give me all of your money, and I will take care of you forever!"
Which is an add for "selling yourself into slavery"... 8-{
Re:You asked for it. (Score:5, Interesting)
Some new TVs sold in the US ship with disabled ATSC tuners that require at least a one-time internet connection to enable. Basically, they didn't want to pay the licensing fees for EVERY TV that gets sold, so they negotiated a deal whereby they ship with the ATSC tuner disabled & only have to pay royalties for the tuners that someone explicitly enables.
Re: (Score:2)