Update to accessing Harmony Hub’s local API via XMPP
Hello folks,
I am here with an update regarding Harmony XMPP access.
Back in December 2018, Harmony released a firmware update that addressed several security vulnerabilities - including disabling access to the Hub’s local API via XMPP. After hearing the frustrations from some members of our community, we paused on our firmware update while we assessed the situation. An optional firmware, version 4.15.210, was then created and uploaded onto a MyHarmony tool that allowed for manual installation. This version allowed access to XMPP only for those that wanted it and understood the potential risks of the use of the option. Ultimately we decided to continue this support and make this access available as an opt-in option for firmware versions going forward.
We’re pleased to announce that beginning with firmware version 4.15.250 and Harmony app version 5.6 for iOS and Android, the option to enable XMPP can now be found in the mobile app settings. We plan to roll out this new firmware starting this Friday, February 15, 2019.
Note: See this article on how to check which firmware version you are on - https://support.myharmony.com/how-to-update-your-firmware
By default, Harmony firmware will keep XMPP disabled. For those of you already using the special firmware version 4.15.210 with XMPP access, when your hub upgrades to 4.15.250, you can easily re-enable it by:
• Perform a sync from your LCD screen based Harmony remote, by going to Menu > Settings > Sync Remote, or
• From your Harmony app, go to: Menu > Harmony Setup > Add/Edit Devices & Activities > Remote & Hub > Enable XMPP
You will not need to use the cumbersome firmware update process as you did in December. If you experience any issues, please let us know. Going forward, future firmware updates will respect your current setting, so this should be a one-time action on your part. Should you encounter any issues, please let us know here.
DISCLAIMER:
By enabling XMPP connection you are disabling a critical security feature required to safeguard you against vulnerabilities. This connection may create an unsecured local access point vulnerable to be hacked. We recommend all users disable this connection.
By enabling the XMPP connection, you expressly assume risks and exposures to your network and all connected devices. Further, enabling this connection and/or making unauthorized modifications to Logitech software, you void all warranty and agree to hold Logitech harmless from any claim arising from your use of this product and in no event shall Logitech be liable for any direct, indirect, punitive, incidental, special or consequential damages arising out of or connected with the use or misuse of any of its products.
-
This seems a little extreme: "By enabling the XMPP connection ... enabling this connection ... you void all warranty"
I understand that you are not liable if I have an insecure network and someone hacks and bricks my hub, but surely you should still cover any hardware faults if I am not hacked? What about the remotes linked to the hubs?
-
@William Wong? @Joe Roberts? is correct. That seems like some very extreme warnings. I appreciate you guys adding XMPP back in, but it would be nice if Logitech actually embraced our community a bit more and worked with the integration developers to give everyone a secure system which allows users to integrated their hubs into their Home Automation systems
-
@Joe Roberts? @Frank Thompson? as per the Magnuson-Moss Warranty Act of 1975 manufacturers can't void a hardware warranty simply for software modifications, unless the software modification is directly the cause of hardware failure.
I surmise the copy of that disclaimer is their legal team making it completely explicit that they aren't going to provide support for this feature beyond including it.
And hey - I'm fine with that. The reality is some users don't need it, and opening it up without basic network security could be a security issue. It's a completely unsecured API, I get it. (As long as the port isn't accessible to the WAN, there's no issue unless a bad actor is already on your network.) In a perfect world they work with the HA communities to provide a secure system, but the implemented solution is a very welcome compromise.
I created the first thread on the API closure here (😇) and I've been saying from the beginning, the most straightforward thing to do to ensure security and keep power users happy is to add an option to turn on XMPP with a disclaimer, but leave disabled by default. So from my position, I'm exeedingly glad they did exactly that - and honestly went the extra mile by providing the dev firmware so that people could get up and running in the interim.
SO, my well earned thank you goes out to the Harmony team - thanks for announcing this change in advance as well, (and I hope you'll duly announce any other changes to the API before they're rolled out in the future. 😬 )
-
Just in case anyone uses the Unique ID stored on the hub like I did in my implementation. .250 changed it from a format of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (regex: [a-z=0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}) to xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (regex: [a-z]{40})
I use the Unique ID to keep track of the hubs in my application. It's not necessary, but I don't like to depend on IP or Name. So far UniqueID has been steady for me except when you factory reset the hub (which is expected). This if the first time I've noticed a change in the format and/or value from a firmware update.
-
Didn't work for me.
I had working a system when I went to bed and got up to one not working. Followed the instructions to enable XMPP. Which didn't work.
So tried a downgrade to 210 that was working and found that no longer works either.
So upgraded to 250 again, disabled XMPP then re-enabled it again and still not working.
Setup is Harmonyhub plugin in Homebridge in Docker on a Synology NAS and Apple HomePod.
-
Update
I've just been into the Home app on my iPad and found duplicate switches for all my Harmony activities but in a different room and "they work" while my original switches don't work.
So I think the next step will be delete Homebridge from Homekit to remove all switches the set it all up again.
-
I'm using the Homebridge-harmonyhub plugin
https://www.npmjs.com/package/homebridge-harmonyhub
I've removed Homebridge from my Home app. Deleted the Harmony app from my iPad
set everything up again and I'm still getting 2 switches for each activity, one that works and the other doesn't.
Homebridge is identifying my 10 activities but when I add Homebridge into Homekit it says 2 accessories giving me 20 switches.
Any suggestions gratefully received.
-
Well I've tried as much as I can.
Deleted the Harmony app from my iPad.
Deleted then recreated the Docker container for Homebridge and set up everything again.
But I'm still getting 2 switches in Homekit for each activity. One that works and one that doesn't.
Its as if the Homebridge-Harmonyhub plugin is seeing 2 instances of the Harmony hub, one that works with XMPP and one that doesn't.
I know its working but having a load non working switches is annoying so I'm being to think the harmony is not worth the effort.
Maybe dump it and get a Broadlink RM WiFi/IR/RF which has a Homebridge plugin
-
Fixed the duplicate switches problem.
When I deleted the Docker container it left behind the Homebridge folder.
Removed homebridge from the Homekit app. Stopped it deleted contents of persist and accessories folder. Restarted and added back into Homekit.
All OK now, but I could do without having to redo things whenever a firmware update is pushed out.
-
@Michael Bell? chances are your "settings" were left behind and as I mentioned above Logitech change the unique id format and length. I would guess the developer, like myself, uses the Unique ID to store settings for a given hub (as IP or name could change) You might want to let the developer of your integration plugin know to account for that. I had to do some behind the scenes in my implementation to map the old IDs to the new ones as the hubs were updated.
-
Thats all fine and dandy, BUT ...
It would be prudent, now that the XMPP API became "official" at least to the extent that if it sets the world on fire, no one can blame big "L", to at least provide a change log when you DO change something. The update has broken at least half-dozen integrations, Athom Homey (detects the hub but no devices / activities returned), Hombebridge (as per above), etc.
We do appreciate that you have listened, but it would be nice to be in the loop and not to wake up to the fact that the firmware has been updated automatically and all of the sudden stuff no longer works ...
Cheers,
TBP
-
Well got up again this morning to not working again.
In fairness nothing todo with the update. It was caused by an interruption on my WAN causing the Harmony hub to lose connection so Homebridge lost its connection to the harmony.
The obvious solution is to make the Harmony hub Homekit compatible but I'm not holding my breath on that happening.
Please sign in to leave a comment.
Comments
40 comments