Logitech’s Christmas Story

A very seasonal story has unfolded in the home automation community, with Logitech playing the part of Scrooge…

Just before Christmas, Logitech released an update for their Harmony Hub devices that broke third-party home automation software. Specifically, the update disabled the local API that Home Assistant was using to communicate with the hub.

It soon became apparent that this was not an accident. Logitech had found a security hole in the local XMPP API in question and decided to simply disable it. Initially they took the stance that the local API was never officially supported and that the security concerns forced them to remove it.

You can argue that a vulnerability that can only be exploited if the attacker already has access to your local network isn’t critical. If your Wi-Fi is compromised, the Harmony Hub is the least of your worries, but it’s hard to blame Logitech for being cautious.

The problem was that the change broke integration with home automation systems such as Home Assistant, and there was an uproar.

Many of the complaints centred around the argument that local control is vital for home automation devices. Things go wrong with cloud services and the last thing you want is to lose control of your home devices when that happens.

Philips understand that, as this tweet demonstrates:

They get it right with their Hue products. The cloud component is a useful add-on to enable remote control of your lights, but when you’re at home the app communicates directly with the hub over your local network. You’re not reliant on a cloud service and therefore not at risk if either the service or your internet connection suffers an outage.

To be fair to Logitech, though, their hubs have a second local API that was still operational. Removing the XMPP API did not necessarily imply that all connections were going through the cloud. Logitech just chose not to document the other API or make it available to third-party developers. Work had already started on reverse engineering that API for use with Home Assistant.

For open source home automation enthusiasts, the issue went beyond local control via the official apps. Home automation is about being able to integrate multiple devices, and that requires open and documented APIs. There is also the more philosophical argument that we should have full control over the devices we have purchased, and not rely on the original vendor as a gatekeeper to control our homes.

For a while it looked like Logitech were standing firm in the face of the criticism… and then a Christmas miracle occurred…

They relented, and reinstated the original API with a promise to fix the security issues and fully support it. Records do not show whether they were visited by three ghosts. Perhaps the Ghost of Future Sales was responsible.

Either way, users were happy and Logitech could bask in the warm glow of praise for actually listening to their customers and responding positively to their concerns. In the space of around a week they went from being the villain to being one of the good guys. Tiny Tim can now control his Harmony Hub without relying on the internet and everyone is happy.

It’s a perfect story for Christmas – now we just have to watch Logitech to make sure they follow through on their promises…
