Harmony remote - WebSockets vs XMPP security

I’m a bit stuck on what I should do with the following warning regarding the Logitech Harmony remote:

XMPP is not enabled, using web sockets however this might not work with future Harmony firmware updates, please enable XMPP

If I go to the Harmony app to attempt to enable it, it reports:

WARNING! By enabling XMPP connection you are disabling a critical security feature required to safeguard you against vulnerabilities. This connection may create an unsecured local access point vulnerable to be hacked. We recommend all users disable this connection.

I’m not exactly sure what potential security issue I’d be opening up, rather than leaving HA to use WebSockets for now and, if they later remove support for WebSockets, switching over then?

There was lots of discussion about the XMPP security threat and Harmony’s response a couple of years ago, but here’s an example.

Thanks for that - it would seem like Harmony aren’t going to provide any extra protections on that protocol - and as they haven’t mentioned that WebSockets are insecure then it seems like unless Logitech drop or change the protocol it’s safer to stick with that for the time being.

The strange thing is that you will get error messages from Home Assistant when you enable XMPP.

So what should we do? Enable/disable XMPP/Ignore the message?

Very strange!

There’s a GitHub issue re: the messages with XMPP enabled

I also struggle with this question. If I check the log for HA, I repeatedly get the message that XMPP is not enabled and that using web sockets could cause problems in further Harmony firmware updates.

So that raises 2 questions: is it really necessary to activate XMPP within the Harmony app, or is this just a warning meaning ‘it can be but we’re not really sure…’?

My second question, what would (did) you guys do, who had the same error? Did you activate XMPP and if so, is (are) there steps to consider or follow to ensure it isn’t a backdoor for hackers?

For the moment I will do nothing, because it isn’t clear to me that at a certain point my Harmony Hubs will no longer be accessible via HA and I only use the Harmony Integration for certain automations (for example: when the sun sets and someone is watching TV then activate the wall lights at 40% capacity etc…)

I’m in the same boat here… would love to get more guidance on this.

I don’t know for sure - I just read it as Harmony don’t have official support for the WebSockets method and only promised support of XMPP as is (with security issues), the warning I suspect is more that it can be withdrawn by Harmony at any time.

So, as there’s no mention of warnings about the security of WebSockets, I’ll stick with that and decide what to do if Harmony remove that and force XMPP, or see how the community responds and see how Harmony react to that…

Looks like 0.113.3 (https://github.com/home-assistant/core/pull/38360 or difference between 0.25 and 0.26 for aioharmony https://github.com/ehendrix23/aioharmony#release-notes) now only logs the XMPP message when you have debug on - nice to not get the warning any more