Private APIs left out in the cold

Logitech disables local access on Harmony Hubs, breaks automation systems [Update]

But a few days later, Logitech returns with a fix.


Update, Dec 21, 2:47pm: In response to customers' frustration, Logitech issued another statement today with instructions on how to enable private local API controls. The company created a new XMPP beta program that will give users access to the local controls that were removed in the most recent Harmony Hub firmware update. Logitech plans to release an official firmware update with XMPP controls in January.

Original story

Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases all, of their connected IoT devices.

Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forums to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote.

Last night, Logitech responded with an official statement on its forums, saying in part that the firmware update addresses "security vulnerabilities" and that those "undocumented" APIs that some have been using for home automation were never officially supported in the first place. Here's the full statement:

Logitech recently released a firmware update for Harmony hub-based remotes that addressed some security vulnerabilities brought to our attention by a third-party cyber security firm. Logitech takes our customers’ security seriously, and we work diligently to fix these kinds of issues as they’re discovered.

Last week we began rolling out this update. We are aware that some customers using undocumented Harmony APIs for local home control were affected as a side-effect of our closing these vulnerabilities. These private local control APIs were never supported Harmony features. While it is unfortunate that customers using these unsupported features are affected by this fix, the overall security of our products and all of our customers is our priority.

We urge customers to update to this latest firmware, version 4.15.206. Please see this article for complete directions on checking and updating your current firmware version.

Unsurprisingly, this statement wasn't enough to squelch the frustrations of Harmony Hub users missing the removed feature. Those who bought the smart home hub for its local access feature have now been forced into a difficult situation: either start using a smart home system that the Harmony Hub officially supports or buy a new hub that provides local access.

This isn't the first time Logitech has essentially bricked one of its own devices. Late last year, the company announced it would "discontinue service and support" for Harmony Link devices within a few months. Link users were able to control home entertainment and sound systems using the device and its accompanying app, without paying a service or subscription fee.

At the time, Logitech offered a discount to Link customers if they upgraded to the newer Harmony Hub, but many Link users were frustrated that they were being forced to buy a new product while their current system spiraled toward end of life. After intense backlash, Logitech ended up replacing Link devices for free.

Aside from its official statement, Logitech hasn't responded further to the online outrage about the removal of local access. Those who actively use local access on their Harmony Hubs may choose to not upgrade to the latest firmware, while some have already attempted to downgrade to older firmware versions.

Ars has reached out to Logitech for more information and will update this post if a response is received.

Update, Dec 19, 2:51pm ET: A Logitech representative responded to Ars' questions and confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons.

The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to improve the Hub security. That interface was never designed to be used by third parties.

The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes.

Logitech added that it's not currently focused on expanding the number of smart home controls available for the Harmony Hub, but it will "continue to evaluate interesting opportunities." The Harmony cloud API is currently used by Amazon's Alexa, the Google Assistant, SmartThings, IFTTT, and Yonomi, to name a few. Other compatible services can be found on Logitech's website.
