back to article It's a Christmas miracle: Logitech backs down from Harmony home hub API armageddon

Logitech has backed down from screwing over its smart home Harmony Hub loyalists after an outpouring of anger from customers. Last week, the gizmo manufacturer put out a firmware update for the hub that disabled its external software interfaces (aka its APIs) citing security concerns. But that approach had the impact of …

  1. Jay Lenovo
    Happy

    Joy to the World

    Listening, reacting to your customer's concerns.

    How business should be done.

    1. usbac

      Re: Joy to the World

      It's too bad that Logitech only does it when forced! It should be the default, but the tech industry seems to prefer to kick their customers in the balls first.

      1. Mark 85 Silver badge

        Re: Joy to the World

        Not just tech... seems way too many companies use that same business model.

      2. elvisimprsntr

        Re: Joy to the World

        For example, offering free Hubs to replace their unsupported Link only after customer outrage. Then offering refunds to those who bought a discounted Hub before the free replacement offer, once again only after customer outrage.

        Logitech has never published their products APIs. Maybe this will be a step in that direction.

      3. Ken Moorhouse Silver badge

        Re: the tech industry seems to prefer to kick their customers in the balls first.

        I thought that moving from mice with balls to those without was a good move for Logitech.

        BTW Merry Christmas everyone. Let's hope the news that Donald Trump and Theresa May are hoping to elope together to some remote pacific island is not Fake News.

    2. JohnFen Silver badge

      Re: Joy to the World

      While it's good that Logitech backed down, that certainly is not how business should be done, particularly given that this isn't the first time Logitech has been so heavy-handed. You can bet that something like this will happen again.

      Now Harmony users have a reprieve, and maybe some of them will take the opportunity to find a different solution that doesn't leave them so vulnerable to the whims of of corporate behavior.

    3. Anonymous Coward
      Anonymous Coward

      Re: Joy to the World

      Bad news. The message this sends is that a handful of crybabies can leverage the media to influence companies.

      1. Danny 14 Silver badge

        Re: Joy to the World

        to which people should take the workaround for the time being and look for a more consumer focussed or open source alternative. This isnt the first time logitech has given customers the middle finger

        1. robin thakur 1

          Re: Joy to the World

          Agreed, the message Logitech has been sending users for a long time now is "Thanks for the money, now F*ck you." Harmony hasn't been revisioned in years, still built on ancient software and doesn't support Apple HomeKit. Security has never been a focus for the company for literally years on Harmony, otherwise Homekit would have been simple to implement, so it seems like screwing over its users proved too tempting to avoid in this case.

      2. fidodogbreath Silver badge

        Re: Joy to the World

        The message this sends is that a handful of crybabies paying customers can leverage the media to influence companies that have made arbitrary product decisions which fundamentally change the function and usefulness of the hardware and software that said customers have bought and deployed.

        FTFY.

        In a market economy, customer influence is a feature, not a bug...

      3. Anonymous Coward
        Anonymous Coward

        Re: Joy to the World

        As your local council representative I am must inform you that we are shutting down road access to your residence. We no longer find it financially prudent to maintain your access and beside recent events have show that individually operated automobiles are a security risk.

        Have a nice day!

    4. robin thakur 1

      Re: Joy to the World

      Logitech are utterly sh*t at support, they don't listen to their customers, only when the Register gets involved. Go over to the Logitech Harmony forums and see how many people have asked for full Homekit integration only to be ignored for a number of years, or fobbed off with nothing answers. They haven't cared about Harmony users for years, they do the bare minimum to keep the lights on.

  2. Pascal Monett Silver badge
    Coat

    "customers using undocumented Harmony APIs"

    Funny how that sounds like Logitech had no idea how such a thing could possibly happen. It's almost as if Logitech was begging us to believe that there was some rogue engineer that put an API in place and Logitech wasn't aware of it.

    Because rogue engineers are totally a thing these days, right ?

    1. Anonymous Coward
      Anonymous Coward

      Re: "customers using undocumented Harmony APIs"

      Particularly using xmpp, an open standard for communication, incuding IoT (the first I is pronounced "idi").

      Because internal-use APIs always use public XML-based standard message protocols. Logitech made it sound like someone reverse-engineered a binary or something. Which is "for internal use" by Logitech, even though it's only accessible from the local network.

  3. cornetman

    Firmware enhancements that specifically improve the product that users request, and it makes your customers happy.

    Who knew?

    1. Danny 14 Silver badge

      somewhat niche product that can easily be buried under a lot of negativity. this will also roll into their other products with more bad customer reviews etc. It certainly makes me think twice about logitech stuff and im not on my own.

  4. Shadow Systems Silver badge

    Please forgive my ignorance, but isn't "undocumented API" an oxymoron?

    An API is created by the maker so that 3rd parties can interface with the device or software in such a way as to enable functionality that wasn't envisioned by said maker. Is it not a documented list of "If you do $This then $That happens" commands, "If you send #N volts to $This pin then $ThisAction happens in $ThisOther location", or "Use $This set of pins to enable our device to talk to yours" style bits such that the 3rd parties can make other devices/write other code specificly to interface with the makers stuff?

    If that is the case then how can they claim it was an undocumented API? If it was an API then it had to have been written by the makers of the device/software, thus known, & a selling feature rather than a bug to be taken out later with a chainsaw & extreme prejudice?

    If the devices were sold with that API as a selling point then the removeal of it would be bait & switch would it not?

    *Shrugs in confusion*

    I guess I'm just glad I'm a curmudgeonly old fart that still has to do stuff the archaic way- manually. Research something on the internet? Fire up my desktop 'cuz I ain't got no AlexaCortanaSiriSmartPhonedoohickey to do it for me. Want to make a phone call? Gotta open my flip phone & punch the physical keys 'cuz I ain't got no touchyfeely screenything. Want to go somewhere? Gotta steal a car 'cuz I ain't got no Uberlyftcar2gohailarideinstataxi crap.

    *Shakes a palsied fist*

    Danged whippersnappers anyer newfangled smartypants phones.

    Get offn my laaaaawwwwwn!

    *Cough*

    I'll be going now, it's time for my happy pills... =-)p

    1. JohnFen Silver badge

      Re: Please forgive my ignorance, but isn't "undocumented API" an oxymoron?

      "An API is created by the maker so that 3rd parties can interface with the device or software in such a way as to enable functionality that wasn't envisioned by said maker."

      That is one use for an API. There are other uses, though -- for instance, to provide interfaces that are used by other official components in the same system. Those APIs are often made less robust or provide access to functionality that can't be guaranteed to exist in future releases. That's why they remain undocumented.

      Also, "undocumented" doesn't mean that there is literally no documentation. It means that there is no official publicly released documentation.

      1. Shadow Systems Silver badge

        At JohnFen, re: documentation.

        Thank you for the clarification. For some reason I equated "documentation" as "public documentation" & that threw me. If it wasn't for public use then that makes the picture focus in my mind.

        Enjoy a pint in gratitude, pass the popcorn, & let's ogle the wait staff to imagine their various API's. =-)p

    2. Robert Carnegie Silver badge

      Re: Please forgive my ignorance, but isn't "undocumented API" an oxymoron?

      I don't know the details, but I think perhaps it's that the Harmony Hub may include open source or other imported software that implements this API as well as other functions - but Logitech didn't plan to offer this API or advertise that it was there in their device - although not in its specification?

  5. Dwarf Silver badge

    Logically...with tech ....

    If you make an API available for external use, then you should expect it to be used. I not, then secure it appropriately to prevent its use in other manners. This is not misuse !!

    Note to sales and engineering teams. If you make a technology that people find useful, don't be surprised when they use it and tell others what it can do. This will in turn lead to additional sales and good reviews.

    Conversely, if you make something cool and lock it down to make it unusable, then don't be surprised if people shun your product in favour of the others that do it better and your sales pile into the ground.

    Don't forget that API's are there to allow people to expand products in manners that make them better where the OEM decided it was too much trouble to make the product work properly in the first place.

    The other one-line is that you get what you sow.

    1. Ben Tasker Silver badge

      Re: Logically...with tech ....

      > If you make an API available for external use, then you should expect it to be used. I not, then secure it appropriately to prevent its use in other manners. This is not misuse !!

      I mean, I agree it should have been secured, but there is a counter argument here.

      If you're implementing something that relies on an API that isn't officially supported (i.e. it's not listed in the public documentation) then you should expect that at some point it *will* change or be removed without any notification to customers.

      Using private or internal APIs for your own ends can lead to some fun results and interesting implementations, but by definition they are not made, designed or maintained for your consumption.

      It being exposed at all was one of the bugs they fixed. Them recognising the demand and working on making it available in a more supported manner is also the correct behaviour IMO.

      1. Jamie Jones Silver badge

        Re: Logically...with tech ....

        If I was doing that to access some external web service, etc. then, yes, I'd expect things to change without warning.

        When it's a device I paid for, sitting in my house, I expect the opposite.

        If the API itself was causing a security issue, then if critical, maybe they could have closed it down... However, in that case they should have groveled hugely, and said that the disabled functionality would be restored as soon as possible.

        But no, they said "tough". They only backtracked because of all the fallout.

        So saying "working on making it available in a more supported manner is also the correct behaviour" would be fine, if it wasn't for their initial refusal to do so.

  6. Doctor Syntax Silver badge

    "Hopefully Logitech's New Year resolution will be to forge a closer relationship with its passionate fans and learn that it can make a better product with their help, rather than cut them out."

    An even better resolution would be to start thinking intelligently so it doesn't get into this sort of situation again. They knew what the immediate consequences would have been (stuff would stop working) but didn't think beyond those (customers whose stuff stops working are not happy customers) and further still (unhappy customers are apt to (a) sue and (b) become somebody else's customers instead).

  7. redpawn Silver badge

    Failing Strategy

    How are they going to get their yearly upgrade sales now that there is no promise to brick old kit. Giving in even once shows weakness and users will soon expect products to function for a year and a half to two years. Sales will plummet.

    1. robin thakur 1

      Re: Failing Strategy

      Wait, Logitech update their Harmony remotes yearly now? Every 3 years and you'd be lucky, and they'll still be missing industry standard features like HomeKit.

  8. John Robson Silver badge

    How...

    Do they consider a local API harder to secure than a cloudy one?

  9. Christoph Silver badge

    They seem to now have the correct solution

    That fix is now the right way to handle it. If you find that a facility that customers find useful is a security risk, default it to disabled but allow customers to re-enable it while warning them that this might be a risk.

  10. Hstubbe

    Lesson?

    "And hopefully a lesson for Logitech". Or a lesson for those who think relying on proprietary crap to make their homes "smart" is a smart idea....

  11. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    I'd resolved never to buy another Harmony device again, despite their about face I don't trust them.

  12. John Smith 19 Gold badge
    WTF?

    "Harmony" ? Are you f**king kidding me?

    It's 2018 and mfg are still fitting "hidden" API's to their hardware.

    Either the system needs these calls to run properly (so why are they hidden?) or they don't, so why was any effort spent in writing them in the first place?

    Or was it they didn't mind writing them, but they did mind doing the security testing for them (and then the re-writes if they failed)?

    Possibly a late entrant for the worst named consumer product of 2018.

    1. Ben Tasker Silver badge

      Re: "Harmony" ? Are you f**king kidding me?

      > Either the system needs these calls to run properly (so why are they hidden?) or they don't, so why was any effort spent in writing them in the first place?

      There's a massive difference between required to run properly and must be remotely callable.

      Given they were able to stop the API from being remotely callable, in its entirety, it's probably safe to assume that while the endpoints may be needed, they're only needed for the box itself to call

  13. tin 2

    woot!

    Squeezebox resurrection next please!

    1. J. Cook Bronze badge

      Re: woot!

      That's not likely to happen, sadly.

  14. Cincinnataroo

    An interesting thing is the mindset of the people within Logitech who made this happen and dug their heels in.

    Think about it: They wanted to increase the level of "mindless uncomprehending consumerism" on the planet. Now if the decision makers are actually quite unaware of taking charge of your own life, that might explain their approach. If that is so, they should, maybe, be removed.

    1. Anonymous Coward
      Anonymous Coward

      Wtf you smoking?

  15. Anonymous Coward
    Anonymous Coward

    Maybe if the API's are that much of a concern, they could make a firmware that works for both audiences, the ones who know what they're doing, and the ones who don't. Make it a toggle in the UI, defaulted to off. Have a warning about potential security risks for enabling it, and those who still want to do it can just turn it back on again.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019