Harmony Hub Firmware Update Fixes Vulnerabilities

Comments

168 comments

  • akula1984

    "Undocumented" as they may be, the homebrew community uses the API (Home Assistant). This sounds like PR speak to make the devices more closed. This will be a bad move on the part of Logitech if it is not addressed - and quickly. Can you imagine who your customers are who sell and influence other buyers of the product? Hint: it is all of the people you have heard from.


    Home automation is still in its infancy and will always cater to the enthusiast - while I understand the home hub is designed to make home automation easy in regards to device control for "everyone", let me be clear: we will turn to the competitors and indeed stop recommending Logitech to customers, friends, and employees/coworkers. As Dean0334 posted in another thread: "With your above response, you've burned a bridge with many influential communiity (SP) people and the 'hacker/poweruser/installer' community. Enjoy the fallout!"


    My hub will be returned if this isn't fully addressed in the next 24 hours and fixed shortly thereafter. Can you please provide details on the security hole you have patched? And please don't say you can't disclose that info because of security - we all know that is bull.


    You may want to read these (numerous) comments on this thread very carefully: https://community.home-assistant.io/t/logitech-harmony-removes-local-api/85523


    Thanks for your consideration.

  • Joseph5581

    What an unbelievably short-sighted decision by Logitech. Your company just lost some of the most loyal customers you have with this move. Rest assured, the future of home automation will prosper in an open, inclusive environment. It will fail your dinky, under-performing mess of a walled garden. Have fun falling from the throne.

  • shaftedbylogi

    Will you open the cloud API (appropriately authenticated, of course) for us "advanced" users?

  • racquemis

    Vulnerability? It's just their excuse to get people back to using their cloud services so they have more information they can gather and sell.

    A local API isn't a vulnerability unless the local network is compromised. It isn't up to you, Logitech, to police people's home networks.

    This is a **** decision. Frankly I think you guys are total ****** having done so. The guy who made this decision deserves a shoe thrown at him.

    DON'T FALL FOR THE LIES LOGITECH TELL IN THIS STATEMENT. IT'S TOTALLY FALSE. API REMOVAL DONE TO GET BACK DEPENDENCY ON THEIR SERVERS.

  • racquemis

    Avoid Logitech if you're building a smart home.

    They don't respect the community.

  • vicavila

    Will you be opening up the cloud API to general developers as a replacement for more advanced functionality? It was supposed to be opened up previously, but access is still limited to only select partners.

  • Bkcberry

    This is such BS. Someone with a compromised local network has much bigger problems to worry about than a hacker changing their TV channel. Seriously Logitech, get your head out of your *** and reverse this asinine decision.

    My hub has had its internet access revoked to prevent losing features that are valuable to me, and it will stay that way until I find another solution that doesn't include Logitech.

  • Raz0rf0x

    Goodbye, Logitech.

    You are crippling one of the most powerful remote control solutions available on the market because of a ******** "security" concern.

    I'll find another solution that doesn't use anything supported by your company; you are too capricious in your decisions.

    I blame myself, really. I have thrown away so many of your products that you have failed to adequately support or, like the Link, forced me to throw away because you didn't feel like backing products your customers pay for. I should have learned by now.

    I'm tired of your ****. Play your numbers game, but I'm no longer supporting a company that doesn't support paying customers.

  • xyvyx

    Indeed. I won't risk investing my time nor money in a Logitech product again, knowing they may, on a selfish whim, choose to render it useless with a remotely-pushed firmware update. Me giving a company the ability to update a product in no way entitles them to change the nature of the product I purchased without my consent. This isn't the first time a company has done something like this, but it's about time the FTC leaned in to help protect consumers from this sort of malicious behavior.

  • sihui

    Goodbye Logitech.

    There will be other products from other companies to buy.

  • dpembo

    So where is the 'Documented API' now then, after the fanfare announcement a few years back in the tech press?


    https://www.myharmony.com/harmony-api

    https://www.myharmony.com/api


    All links lead nowhere...
  • Dan6985

    @Logi_WillWong

    Who (by name) was the 3rd party security firm that found these new vulnerabilities re: XMPP? Logitech identified FireEye back in April 2018 prior to the May 2018 security firmware release (that was warranted), but this time it's an unnamed firm?! Bull..

    I find it difficult to believe that FireEye (a very respected pentesting firm) missed this back in Jan 2018 when they advised Logitech of all your REAL security issues. XMPP has been in your firmware API since the beginning (many years)... So this very much smells of BS and Logitech architecting / engineering their consumers into illegal data collection by Logitech.

    Time for a class action suit to force Logitech to show real evidence in open court (rather than your rhetorical statements) for such a ****** decision. Decisions like this.. the CEO not only knows what was done here, but APPROVED it prior to release, since it is a significant functionality change that no dev or manager would want to be accountable for, knowing the s$!# storm that would come from this.

    @Logi_WillWong - I recommend you escalate above your pay grade as to what is happening here or it's your *$$.

  • badgerarc

    Integration with the likes of Home Assistant or any other non-cloud connected local system was the main reason I purchased my harmony hub and Elite remote bundle, only a couple of months ago. Who do I see about getting a full refund?

  • Da_Syggy

    Take an example from VELUX - yes, the company that builds windows! They have a device that can act as a hub between home automation and their products (windows/blinds/etc.). This had an undocumented API for some time. They discovered a vulnerability and shut it down in a new firmware - but they had a new, FULLY DOCUMENTED API as a replacement. And they DID NOT FORCE customers to upgrade their systems. So whilst the community is working on implementing the new API for home automation, users can still use the old (vulnerable) API at their own risk.

    I know, this is a pure offline product and the Harmony ecosystem is cloud based, but still - forcing an update WITHOUT NOTIFICATION with the knowledge that it breaks things for some users is unacceptable.

  • nkitanov

    Actually I will not update my Hub, I will just return it for a full refund. And I will give 1 star on Amazon for the bad decision of Logitech. There are multiple ways to tackle this "vulnerability" without pissing off the community which relies on your product... I haven't seen such bad management decisions with any product recently! It's just offensive, like saying - "Yeah, I don't care for you".

  • Akkunasenbohrer

    IMHO there are much bigger security risks being forced to route the communication between my local smart home server to my Harmony Hub through the cloud.

    I do not want to connect my smart home system to the internet at all!

    I see the fire related to open APIs with your keyboard options software in the last days. This has NOTHING to do with Harmony hubs and their use in home automation!

    You see, this "unofficial" API is used everywhere.. so why not secure it with a simple authentication method? Even Philips managed to do this with their HUE bridges! This is not rocket science!

    Please supply us with a documented secure API providing local access, or at least be honest enough to admit that Logitech wants to collect user data, so everything has to go through Logitech's cloud servers.

    Or at least provide a stable firmware (4.15.201) which does not update and will work for the next years.

     

    Or is this your life cycle management:

    Switching off the cloud servers as happened with Harmony Link to sell a new hardware generation?

    Sorry, my English is not as good as it should be, it's not my mother language.
  • direx_1

    You cannot be serious on this. You are breaking people's workflows at home with a stup*d firmware update! You guys must be joking. Killing working and actively used local APIs under the cover of "security concerns" clearly shows that you don't understand a bit about security. I trust the cloud much less than the devices on my very own private network.

    If this really is due to security concerns (which I doubt), you'd have given people a choice whether they want to enable the local API or not. Even disabling the API by default and letting people re-enable it if required would be fine.


    But the way this thing has happened you (Logitech) clearly show how much you disrespect your customers. It's like spitting them right into the face. Don't buy from Logitech again!

  • null3711

    What a complete and utter disrespect to your customers, Logitech!

    But you probably don't need us 💩 .

    Since they are not making API access optional (to be selected by the user), I am looking for an alternative. NEVER EVER going to buy Logitech products again and sure as **** will share this with the whole community! 😡

    All Logitech christmas presents can be returned. Smart move!


    PLEASE SHARE ALTERNATIVES FOR THE LOGITECH **** BELOW!

  • peter46361

    Wow Logitech. Have I personally done something to offend you as a company?


    Bought a Squeezebox. We all know how that turned out, sits in my pile of shame with my Philips DCC Deck and Sega Saturn.


    Bought a Harmony Link. Thankfully, but not after being shamed by the tech press, you did replace it with a Hub for free.....after several mysteriously ignored requests, but I did get it eventually.

    Bought a 2nd Link with remote because, while not perfect, I did get it to work after I was able to set up Home Assistant to allow me to send commands without having to trigger an activity to turn on devices while in an activity.


    But, now...you guys shut that off. Instead of fixing this supposed security hole, you simply turn off functionality, and your answer? "You shouldn't have been using it anyways"


    No Logitech, I shouldn't have been using your products anyways.

  • pixeye

    Another way to handle this (without much time investment) would have been to make the local API disabled by default, and allow advanced users to take the insane risk of having their TV controlled by malicious people...

    Or just make it secure?

    How does your device work now, without an active internet connection?

    Is this even said on the product box?

    Giving users a choice might be the key for you to make everyone happy and "normal users" more secure?

  • jonluk

    So by far the most expensive remote control I've ever bought now does a fraction of what I bought it for. Good job I hadn't got around to buying some for the other rooms in the house.

  • Bohz

    So I think the best solution for everyone would be that you now supply your users with a documented, official (local) API.

    That would be in line with the expectation of productive products for the last couple of years...

  • itchyitchy

    This is a very bad business decision. And let’s be honest, that’s what it is. The security excuse is a cute one, but no one here is fooled. If Logitech had provided sufficient notice and been honest about their decision, I could’ve probably accepted it, but this move is truly despicable. I will never buy another Logitech product again.

  • Patrik Gfeller

    Unfortunately I have to chime in with the other posters - that firmware update basically reduced my remote control to not much more than a brick, as its main use case was in conjunction with my home automation system (openHAB).

    Well - that's going to be very bad publicity for you. As, of course, I won't recommend your products anymore and also make my opinion heard in reviews to make sure people will know how you treat your customers.

  • John9173

    +1. I have three Hubs that are now useless paperweights in my home automation setup. And it's not as if I bought these and was "pleasantly surprised" to find an undocumented API; I bought them BECAUSE the API enabled the product to do what I needed. You can argue that you're allowed to change or remove "undocumented" features at will, but I think federal regulators will take a rather dim view of that position. And please don't insult us with your "security" argument. By removing a local API that functions entirely within my firewalled network and forcing API calls to your cloud, you've made me less secure and expanded my attack surface. And for what? So you can collect data about what channels I'm watching that you can sell for marketing purposes? Sad.

  • wltng

    Please re-enable the local API, used by a lot of Home Automation products.

    The API gave the Hub added value. Now it is not much more than an IR blaster / paperweight....

  • Thierry4569

    Very disappointed by this response and lack of respect for customers. The hub was my last Logitech product. Goodbye Logitech!
