
Joy to the World
Listening, reacting to your customer's concerns.
How business should be done.
Logitech has backed down from screwing over its smart home Harmony Hub loyalists after an outpouring of anger from customers. Last week, the gizmo manufacturer put out a firmware update for the hub that disabled its external software interfaces (aka its APIs) citing security concerns. But that approach had the impact of …
For example, offering free Hubs to replace their unsupported Link only after customer outrage. Then offering refunds to those who bought a discounted Hub before the free replacement offer, once again only after customer outrage.
Logitech has never published their products' APIs. Maybe this will be a step in that direction.
I thought that moving from mice with balls to those without was a good move for Logitech.
BTW Merry Christmas everyone. Let's hope the news that Donald Trump and Theresa May are hoping to elope together to some remote Pacific island is not Fake News.
While it's good that Logitech backed down, that certainly is not how business should be done, particularly given that this isn't the first time Logitech has been so heavy-handed. You can bet that something like this will happen again.
Now Harmony users have a reprieve, and maybe some of them will take the opportunity to find a different solution that doesn't leave them so vulnerable to the whims of corporate behavior.
Agreed, the message Logitech has been sending users for a long time now is "Thanks for the money, now F*ck you." Harmony hasn't been revisioned in years, still built on ancient software and doesn't support Apple HomeKit. Security has never been a focus for the company for literally years on Harmony, otherwise Homekit would have been simple to implement, so it seems like screwing over its users proved too tempting to avoid in this case.
The message this sends is that a handful of crybabies paying customers can leverage the media to influence companies that have made arbitrary product decisions which fundamentally change the function and usefulness of the hardware and software that said customers have bought and deployed.
FTFY.
In a market economy, customer influence is a feature, not a bug...
As your local council representative I must inform you that we are shutting down road access to your residence. We no longer find it financially prudent to maintain your access and besides, recent events have shown that individually operated automobiles are a security risk.
Have a nice day!
Logitech are utterly sh*t at support, they don't listen to their customers, only when the Register gets involved. Go over to the Logitech Harmony forums and see how many people have asked for full Homekit integration only to be ignored for a number of years, or fobbed off with nothing answers. They haven't cared about Harmony users for years, they do the bare minimum to keep the lights on.
Funny how that sounds like Logitech had no idea how such a thing could possibly happen. It's almost as if Logitech was begging us to believe that there was some rogue engineer that put an API in place and Logitech wasn't aware of it.
Because rogue engineers are totally a thing these days, right?
Particularly using XMPP, an open standard for communication, including IoT (the first I is pronounced "idi").
Because internal-use APIs always use public XML-based standard message protocols. Logitech made it sound like someone reverse-engineered a binary or something. Which is "for internal use" by Logitech, even though it's only accessible from the local network.
An API is created by the maker so that 3rd parties can interface with the device or software in such a way as to enable functionality that wasn't envisioned by said maker. Is it not a documented list of "If you do $This then $That happens" commands, "If you send #N volts to $This pin then $ThisAction happens in $ThisOther location", or "Use $This set of pins to enable our device to talk to yours" style bits such that the 3rd parties can make other devices/write other code specifically to interface with the maker's stuff?
If that is the case then how can they claim it was an undocumented API? If it was an API then it had to have been written by the makers of the device/software, thus known, & a selling feature rather than a bug to be taken out later with a chainsaw & extreme prejudice?
If the devices were sold with that API as a selling point then the removal of it would be bait & switch would it not?
*Shrugs in confusion*
I guess I'm just glad I'm a curmudgeonly old fart that still has to do stuff the archaic way- manually. Research something on the internet? Fire up my desktop 'cuz I ain't got no AlexaCortanaSiriSmartPhonedoohickey to do it for me. Want to make a phone call? Gotta open my flip phone & punch the physical keys 'cuz I ain't got no touchyfeely screenything. Want to go somewhere? Gotta steal a car 'cuz I ain't got no Uberlyftcar2gohailarideinstataxi crap.
*Shakes a palsied fist*
Danged whippersnappers anyer newfangled smartypants phones.
Get offn my laaaaawwwwwn!
*Cough*
I'll be going now, it's time for my happy pills... =-)p
"An API is created by the maker so that 3rd parties can interface with the device or software in such a way as to enable functionality that wasn't envisioned by said maker."
That is one use for an API. There are other uses, though -- for instance, to provide interfaces that are used by other official components in the same system. Those APIs are often made less robust or provide access to functionality that can't be guaranteed to exist in future releases. That's why they remain undocumented.
Also, "undocumented" doesn't mean that there is literally no documentation. It means that there is no official publicly released documentation.
Thank you for the clarification. For some reason I equated "documentation" as "public documentation" & that threw me. If it wasn't for public use then that makes the picture focus in my mind.
Enjoy a pint in gratitude, pass the popcorn, & let's ogle the wait staff to imagine their various API's. =-)p
I don't know the details, but I think perhaps it's that the Harmony Hub may include open source or other imported software that implements this API as well as other functions - but Logitech didn't plan to offer this API or advertise that it was there in their device - although not in its specification?
If you make an API available for external use, then you should expect it to be used. If not, then secure it appropriately to prevent its use in other manners. This is not misuse!!
Note to sales and engineering teams. If you make a technology that people find useful, don't be surprised when they use it and tell others what it can do. This will in turn lead to additional sales and good reviews.
Conversely, if you make something cool and lock it down to make it unusable, then don't be surprised if people shun your product in favour of the others that do it better and your sales pile into the ground.
Don't forget that API's are there to allow people to expand products in manners that make them better where the OEM decided it was too much trouble to make the product work properly in the first place.
The other one-line is that you get what you sow.
> If you make an API available for external use, then you should expect it to be used. If not, then secure it appropriately to prevent its use in other manners. This is not misuse!!
I mean, I agree it should have been secured, but there is a counter argument here.
If you're implementing something that relies on an API that isn't officially supported (i.e. it's not listed in the public documentation) then you should expect that at some point it *will* change or be removed without any notification to customers.
Using private or internal APIs for your own ends can lead to some fun results and interesting implementations, but by definition they are not made, designed or maintained for your consumption.
It being exposed at all was one of the bugs they fixed. Them recognising the demand and working on making it available in a more supported manner is also the correct behaviour IMO.
If I was doing that to access some external web service, etc. then, yes, I'd expect things to change without warning.
When it's a device I paid for, sitting in my house, I expect the opposite.
If the API itself was causing a security issue, then if critical, maybe they could have closed it down... However, in that case they should have groveled hugely, and said that the disabled functionality would be restored as soon as possible.
But no, they said "tough". They only backtracked because of all the fallout.
So saying "working on making it available in a more supported manner is also the correct behaviour" would be fine, if it wasn't for their initial refusal to do so.
"Hopefully Logitech's New Year resolution will be to forge a closer relationship with its passionate fans and learn that it can make a better product with their help, rather than cut them out."
An even better resolution would be to start thinking intelligently so it doesn't get into this sort of situation again. They knew what the immediate consequences would have been (stuff would stop working) but didn't think beyond those (customers whose stuff stops working are not happy customers) and further still (unhappy customers are apt to (a) sue and (b) become somebody else's customers instead).
It's 2018 and mfg are still fitting "hidden" API's to their hardware.
Either the system needs these calls to run properly (so why are they hidden?) or they don't, so why was any effort spent in writing them in the first place?
Or was it they didn't mind writing them, but they did mind doing the security testing for them (and then the re-writes if they failed)?
Possibly a late entrant for the worst named consumer product of 2018.
> Either the system needs these calls to run properly (so why are they hidden?) or they don't, so why was any effort spent in writing them in the first place?
There's a massive difference between required to run properly and must be remotely callable.
Given they were able to stop the API from being remotely callable, in its entirety, it's probably safe to assume that while the endpoints may be needed, they're only needed for the box itself to call.
An interesting thing is the mindset of the people within Logitech who made this happen and dug their heels in.
Think about it: They wanted to increase the level of "mindless uncomprehending consumerism" on the planet. Now if the decision makers are actually quite unaware of taking charge of your own life, that might explain their approach. If that is so, they should, maybe, be removed.
Maybe if the API's are that much of a concern, they could make a firmware that works for both audiences, the ones who know what they're doing, and the ones who don't. Make it a toggle in the UI, defaulted to off. Have a warning about potential security risks for enabling it, and those who still want to do it can just turn it back on again.