Sharing our statement here - as well as posting in other areas.
Thank you.
Harmony Hub Firmware Update Fixes Vulnerabilities
Logitech recently released a firmware update for Harmony hub-based remotes that addressed some security vulnerabilities brought to our attention by a third-party cyber security firm. Logitech takes our customers’ security seriously, and we work diligently to fix these kinds of issues as they’re discovered.
Last week we began rolling out this update. We are aware that some customers using undocumented Harmony APIs for local home control were affected as a side-effect of our closing these vulnerabilities. These private local control APIs were never supported Harmony features. While it is unfortunate that customers using these unsupported features are affected by this fix, the overall security of our products and all of our customers is our priority.
We urge customers to update to this latest firmware, version 4.15.206. Please see this article for complete directions on checking and updating your current firmware version: Update firmware
I’ve just fired off a tweet to https://twitter.com/ToddW_Logitech. He is the the Senior Manager, Product Marketing (currently Logitech Smart Home / Harmony, previously Logitech Gaming). Let him know how you feel.
FYI, I just tweeted at Todd Walker, asking if they would consider officially documenting the websocket API, and got this response:
I’ll raise this with the team, but we currently have no plans to reenable local control.
…
This makes me believe that the websocket will be shut down, locked with some sort of unobtainable key, etc. in the future and we’ll be going down this road again.
Time for some enterprising entrepreneur to get to work and make a local-focused smart remote solution!
I have a similar fear, if they are serious about security issues with local access this might be the next thing to go! And then we are in a constant battle between their devs and our devs on outsmarting each other.
Why not make a secure, local, well documented API and grab the Home Automation market?
Bingo, 100%. Get ready to have hundreds (thousands?) of users perpetually downgrading their firmware. Unfortunately, monster companies like this have little incentive to change unless they seem a dramatic impact to their revenue.
I’d still love to see what security vulnerability (which was apparently so hazardous that a closed system was vulnerable) was actually fixed by this…
December 2015 Philips Hue did a similar thing, when they locked out all other verndors of zigbee bulbs from their bridge. A couple of days and hundreds of 1-star reviews later they reverted the change.
I own three hubs and about a dozen other product from logitech and I have plenty of time over the holidays. Merry Christmas to you too Logitech
This is quite a sad day. I have two hubs, and have had several Harmony products over the years. What I currently own will be my last. I’ve already removed all references from my automations, and lucky for me there are other integrations for my AV equipment that will allow me to do the basics of what I wanted to do. I can at least detect power on/off of my vizio and sony tvs to trigger lighting scenes. Which is mostly what I was doing anyway. I’ve recommended this brand to so many people over the years, but that will stop. I know in thier mind they are just hurting a small subset, but that subset is very likely responsible for others purchasing their equipment as well. Hopefully we will be able to get updated code that wont be blocked again in the next 6 months.
Edit: If you use the emulated Hue to kick off automations is that local control?
I went back to my Amazon purchase history today and found 6 harmony products purchased over the last 7 years.
I added/revised reviews for all the products and gave them all one star. Copied and pasted the same comments for all. Basically, if you want local API access to your Harmony, you are SOL.
Customer feedback influences my purchases. I hope my reviews will poke Logitech in the eye if a couple of hundred potential customers read them.
Got to fight back anyway we can.
Wow… I sympathize for anyone who had to go through this mess, making local API inaccessible to Home Assistant and other open-source home automation projects that make use of it, including Hubitat (if they have Logitech Harmony integration in place).
I have retweeted so many of people’s complaints about not getting local API to work and I do feel everyone’s pain. I would certainly not provide DNS server IP address and default gateway to my Harmony Hub if I have one. The Harmony Hub will be in a separate subnet with no access to the Internet.
And Logitech not re-enabling local API access is nuts. Undocumented local API access has nothing whatsoever to do with security so long as these devices are in a separate isolated subnet.
i am still on 201, and blocked internet on the hub, now the problem is that the android app is not working anymore on adroid, this is confirmed by other users
so how can we now update settings for activities or buttons? so probably synching is not working anymore
i know websockets will be released soon, but any1 tried already changing buttons/activities with a blocked internet connection?
Hope they change their position on this.
