There's gotta be a way...the phone apps update immediately. Activities initiated from the remote have to broadcast something...just a matter of finding it.
1 Like
If this requires no authentication then I don't think they will leave it as is now that it's out there, specially if the move to block the known API was intentional... Likely will take them long as they will need to update the apps but it sucks to waste a lot of time on a solution that will probably not last... I would wait to see what is their official response before spending a lot of time on it...
Funny that they had this security hole right there and no one would have known if they had not closed the API...
There's no sign-in required on the Harmony phone app to be able to control a hub as long as you're on the same network. I can go to my stepmom's house and control her Harmony hub from my phone as long as I'm on her wifi. I'd think that as long as this is possible, local control of some sort without authentication will stay available. Unless they are planning to change this too?
Mmm, didn't realize that, if that's the case then any official answer that involves the word Security is mayor BS...
Here is what they said...posted at your link
Hi everyone,
Sharing our statement here - as well as posting in other areas.
Thank you.
Harmony Hub Firmware Update Fixes Vulnerabilities
Logitech recently released a firmware update for Harmony hub-based remotes that addressed some security vulnerabilities brought to our attention by a third-party cyber security firm. Logitech takes our customers’ security seriously, and we work diligently to fix these kinds of issues as they’re discovered.
Last week we began rolling out this update. We are aware that some customers using undocumented Harmony APIs for local home control were affected as a side-effect of our closing these vulnerabilities. These private local control APIs were never supported Harmony features. While it is unfortunate that customers using these unsupported features are affected by this fix, the overall security of our products and all of our customers is our priority.
We urge customers to update to this latest firmware, version 4.15.206. Please see this article for complete directions on checking and updating your current firmware version: https://support.myharmony.com/how-to-update-your-firmware
Only on the local lan though since we are trying to connect via the lan. But you do need to know the hub ID and the IP of the hub to execute the commands.
You would be surprised at how many of these smart home devices actually have no security for local lan control. They just leave the security up to the lan manager.
1 Like
This is not surprising, but it's disappointing that they would roll it out without any advance notice. They have to be aware that a lot of people are using this API. It may be small beans as a percentage of their entire user base, but I'd bet it's in the thousands.
But wasn't the other API they closed lan only too? How can they say that one was closed for security reasons when they have this?
I wonder if this change is in response to this finding? It sounds like it was fixed earlier this year, but maybe somehow related?
Every solution I've seen for the hub up until this point has always had cloud requirements. I wonder if the security fix was to protect their cloud information.
It seems like this local control was stumbled upon by somebody sniffing the app traffic. It opens up a whole new world of connectivity options. If they officially documented it and let us integrate it they would probably sell a lot more.
Something tells me the security mindedness came as a result of this...even though it was for different hardware.
1 Like
So looking at this further I don't think it will be easy to integrate directly.
The hub ID can be found with a simple httpPost call. That was easy. However the communication is all done through websockets which hubitat doesn't support.
I could create a node server and handle the communication that way. But too much work for something that may or may not be around long.
So just going to keep an eye on it for now and see if anything more comes up.
1 Like
There is an alternate websocket port still available - used by the Logitech apps. Home Assistant have already updated their Harmony plugin to support this in 0.84.4
Of course Logitech might close that too in an update.
As per the message above ....
Didn't the other local API that they just closed down require a separate webserver as well?
I did that...it's SUPER easy. Someone has already done all the heavy lifting too.
Works with all the Hubduino drivers. (Hubduino = ST_Anything)
1 Like
Thanks for sharing this @Ryan780...when I get some extra time on my hands, I'll probably give it a shot.
As another option there is also the project below. I haven't read through Ryan's link in detail so I can't say what's different about the 2 projects (the fact that his uses ST_Anything definitely peaks my interest). One great aspect is that the mdhiggins project can control Roku devices through the LAN as well.
I started building this into an app so I could easily build macros (works great) but found it difficult and time consuming to make user friendly. As a result it's been on the back burner for a few months now. I may have to tackle it again now that I know support for Lan control of Harmony with HE is now all but dead in the water.
1 Like
HomeAssistant has updated to the websockets solution, with the following statements:
"We will be releasing a hot fix today to migrate our integration to another local API that is being used by their iOS app. Expect it to suffer the same faith at a future point."
"Home Assistant 0.84.4 has been released with a fix. The Logitech Harmony integration works again (for now?). We switched to their local websocket API."
So...websockets works, but it sounds like HA is not confident that it won't be closed at some point as well. Bummer. What is Logitech doing? They are not accepting any more "official" integrations, and they are closing down local APIs....are they trying to get out of the home automation market? I don't get it.
FWIW, the author of KuKuHarmony says here he is going to try to adapt to the websockets API:
They are taking the same route as other vendors like Lutron where they are only doing cloud to cloud integrations and only working with "The Big Names". It will be interesting to see where this ends though....
Looks like the one you posted accepts HTTP calls, which could work. I will say the the Hubduino IR integrates pretty seamlessly with no other software or rules needed. Even maintains device state "on/off" as long as you don't use another remote to turn it on or off. I also have it set up to use two different IR bulbs for the one in my bedroom, one for the TV and one for the stereo. And if you're familiar with Hubduino it is extremely easy. The writeup on the ST forum is excellent. The software the guy posted for grabbing the IR codes from your remote actually worked better than the one on the adafruit website. The adafruit version wouldn't capture for my Onkyo receiver but his did on the first try. So, I would definitely try that part at least no matter which you go with.
I am extremely happy with mine. They have been rock solid. The only hick-ups I've experiences have been user or hub-induced (sending commands too close together because 2 rules fired, that kind of thing)
