Update 6 (21 dec): Great news! Logitech has announced in a forum post that it has introduced an XMPP Beta Program that makes it possible to install a developer firmware version which reinstates the XMPP API as it was, including the security vulnerabilities. Note that installing this version voids your warranty.
Logitech is also working on a new version of the hub firmware that fixes the vulnerabilities. This is great and this restores our trust in Logitech. Thanks Logitech for turning around and working with your users.
The developer-only firmware that reinstates the local XMPP API. Voids warranty if installed.
Tenable, the cyber security firm that discovered the security vulnerabilities, has released a Research Advisory detailing the issues and the disclosure timeline.
Update 7 (21 dec): Even better news! Someone from Harmony posted in our forums and stated that they are now committed to maintaining their local XMPP API.
We will verify with Logitech if this post is official, and if so, we will revert the Home Assistant implementation back to using the XMPP API. Until then, we don’t expect the websocket API that we have been using since 0.84.3 to go away or change before we migrate back, so if your Harmony setup works today, don’t change anything. (Verified, it’s from an account connected to a logitech.com email address)
Logitech has disabled the local API of the Harmony Hub with their latest software update (v4.15.206). For privacy and speed it is important that home automation devices communicate locally, without data leaving the network. With the latest update to the Logitech Harmony Hub, this is no longer possible.
We hope that this was an oversight on their end and that it will be reverted shortly. We have reached out to Logitech for a clarification and will update this post when available. Until this is resolved, we no longer recommend buying or using Logitech products.
Update 2 (18 dec): The same employee has now created a new post on their forums (we assume for more visibility). The message is still that more details will follow soon.
Update 3 (18 dec): Twitter user @ChadBeattie has discovered that there seems to be a second undocumented local API that is being used by the Logitech Harmony iOS app. Home Assistant developer @ehendrix23 is looking into updating the PyHarmony library to use this. Join #devs_backend on our chat if you want to help with development. We can’t guarantee that it will work, but if we can get it to work, we will do a hot fix release.
Update 4 (18 dec): No word from Logitech yet on the future of the XMPP-based local API. Home Assistant developer @ehendrix23, with the help of @chadcb and other amazing people in the comments to this post, did manage to figure out how the local websocket API works for the Logitech Harmony, which is also used by the Logitech Harmony iOS app. There is now an open pull request for Home Assistant to update the Harmony integration to use it. This PR is currently being tested, and if all works well, will be released as a hot fix on the 19th.
Update 5 (19 dec): Logitech has posted an official response on their forums. They claim that they removed the local XMPP API after a report from a third-party cyber security firm. We have been unable to verify if this is true. The XMPP API has been around since at least 2013 and has been widely adopted within smart homes worldwide. In their forum post they write that they are aware it was being used, yet they did not consider giving any form of heads up, proving to be an unreliable part of our smart homes.
We have no plans to reenable access to private APIs— Todd Walker (@ToddW_Logitech) December 19, 2018
We will be releasing a hot fix today to migrate our integration to another local API that is being used by their iOS app. Expect it to suffer the same fate at a future point.
Update 6 (19 dec): Home Assistant 0.84.4 has been released with a fix. The Logitech Harmony integration works again (for now?). We switched to their local websocket API.
If you have already updated your Harmony Hub to v4.15.206, you have probably noticed that Home Assistant and other products communicating with the local API have stopped working. Don’t worry, it’s (still?) possible to downgrade to a previous version using the following steps (source: Reddit 1, Reddit 2):
- Download the MyHarmony Computer Application.
- Launch the MyHarmony app.
- Before clicking anywhere inside the window:
  - Windows users: Press Alt+F9.
  - Mac users: Press Fn+Option+F9 or Option+F9 (depending on Mac model, either one will work).
- Scroll the window to find your Harmony model.
- Select “Factory Reset” for the appropriate model. This does not do anything immediately.
- Steps 1-4 will be displayed for completing a Factory Reset. We are only doing Step 1. “Restore” here means “Rollback”.
- Connect your Harmony hub to the PC via micro-USB. Within a few minutes, it will be detected by MyHarmony and display Remote Model, Firmware Version, and Hardware revision. The Restore button will be enabled.
- Click “Restore” and wait. (Now is the first time that it actually describes that it’s a rollback!)
- When it completes, you should be on Firmware Version 4.15.193. Disconnect the hub from the PC and return it to its original location.
And the final, important step: eliminate the ability for the Harmony hub to access these domains, or the internet altogether. I used DD-WRT’s Access Restrictions feature to disable all internet access, because my specific implementation is entirely intranet-based. YMMV.
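If your router does not have an Access Restrictions feature, the same effect can be achieved with firewall rules. The script below is an added example, not part of the original post or of DD-WRT: it generates iptables rules that keep the hub reachable from Home Assistant on the LAN while logging and dropping anything it tries to send to the internet. The hub address (192.168.1.50) and LAN range (192.168.1.0/24) are placeholders for your own values, and it assumes an iptables-based router where the hub’s traffic passes through the FORWARD chain (as with DD-WRT’s firewall script).

```shell
#!/bin/sh
# Added example (not from the Home Assistant post or DD-WRT): generate iptables
# rules that confine a Harmony Hub to the LAN. Addresses given on the command
# line are placeholders; substitute your hub's IP and your LAN range.

# Print the rules for one device.
# Arguments: <hub LAN IP> <LAN CIDR>
# The rules are emitted with -I (insert at top) in reverse order, so the final
# chain reads ACCEPT (LAN), LOG (other), DROP (other) ahead of any existing
# rule that might otherwise accept the hub's outbound traffic.
hub_egress_rules() {
    hub_ip="$1"
    lan_cidr="$2"
    # 3rd in chain: drop anything the hub sends outside the LAN.
    printf 'iptables -I FORWARD -s %s ! -d %s -j DROP\n' "$hub_ip" "$lan_cidr"
    # 2nd in chain: log the attempt first, so the syslog shows which cloud
    # endpoints the hub keeps trying to reach after firmware changes.
    printf 'iptables -I FORWARD -s %s ! -d %s -j LOG --log-prefix "harmony-egress: "\n' "$hub_ip" "$lan_cidr"
    # 1st in chain: keep LAN traffic (Home Assistant <-> hub) working.
    printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$hub_ip" "$lan_cidr"
}

# Run the generated rules on the router (needs root). Review the output of
# hub_egress_rules first; this only pipes that output into a shell.
apply_hub_egress_rules() {
    hub_egress_rules "$@" | sh
}

# Usage (print only):  hub_egress_rules 192.168.1.50 192.168.1.0/24
# Usage (apply):       apply_hub_egress_rules 192.168.1.50 192.168.1.0/24
```

Because the hub can no longer reach Logitech’s servers, it will also stop receiving firmware updates, which in this situation is the point. Check the router log for lines prefixed `harmony-egress:` to confirm the block is active and to see what the hub was attempting to contact.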