Exploring the device

The hub exposes services on three ports: XMPP, WebSocket, and a custom web API. All of them are implemented in Lua, which is discussed later on.

Nmap service scan for Logitech Harmony Hub

You can capture the hub’s firmware during a device update and open it up fairly quickly. It contains a Linux kernel and a SquashFS filesystem holding the application code. The application code is a large set of compiled Lua files that implement the hub’s services and functionality. You can decompile them with a patched version of the luadec GitHub project to produce very human-readable source code.

Harmony firmware extraction
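As an added example (not Logitech's code and not from the original post), a triage script that finds the compiled Lua chunks in the unpacked SquashFS tree by their bytecode header and feeds each one to luadec. It assumes Lua 5.1 bytecode and that luadec prints the decompiled source to stdout; the sample files it builds are constructed.

```python
"""Find precompiled Lua chunks in an unpacked Harmony squashfs tree and run luadec
on them.  Added example, not Logitech's code; assumes Lua 5.1 bytecode (luadec's target)."""
import os, subprocess, tempfile
LUA_SIGNATURE = b"\x1bLua"   # first four bytes of every luac output

def parse_luac_header(data):
    """Describe a Lua 5.1 chunk header, or return None if this is not bytecode."""
    if len(data) < 12 or data[:4] != LUA_SIGNATURE:
        return None
    ver, fmt, endian, sz_int, sz_sizet, sz_ins, sz_num, integral = data[4:12]
    if ver != 0x51:              # 5.2+ lays the header out differently
        return {"version": hex(ver), "supported": False}
    return {"version": "5.1", "supported": fmt == 0, "little_endian": endian == 1,
            "sizeof_int": sz_int, "sizeof_size_t": sz_sizet, "sizeof_instruction": sz_ins,
            "sizeof_number": sz_num, "integral_numbers": integral == 1}

def find_lua_chunks(root):
    """Walk the tree and return sorted (path, header) pairs for bytecode files."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path): continue   # skip device nodes, dead symlinks
            with open(path, "rb") as f:
                hdr = parse_luac_header(f.read(12))
            if hdr:
                found.append((path, hdr))
    return sorted(found, key=lambda t: t[0])

def decompile_all(root, out_dir, luadec="luadec"):
    """Run luadec on each 5.1 chunk, mirroring the tree as .lua sources."""
    for path, hdr in find_lua_chunks(root):
        if not hdr["supported"]: continue
        dest = os.path.join(out_dir, os.path.relpath(path, root) + ".lua")
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        res = subprocess.run([luadec, path], capture_output=True, text=True)
        with open(dest, "w") as f:   # luadec writes the source to stdout
            f.write(res.stdout)

def triage_constructed_tree():
    """Build a constructed tree (one 5.1 chunk, one 5.2 chunk, one text file) and triage it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lua"))
    samples = {"lua/auth.luac": LUA_SIGNATURE + bytes([0x51, 0, 1, 4, 4, 4, 8, 0]),
               "lua/init.luac": LUA_SIGNATURE + bytes([0x52, 0, 1, 4, 4, 4, 8, 0]),
               "config.txt": b"xmpp_port = 5222\n"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return [(os.path.relpath(p, root), h) for p, h in find_lua_chunks(root)]
```

Point `decompile_all` at the unpacked root and an empty output directory; the 5.2-style chunk is reported by the triage but skipped by the decompiler.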

The application code is implemented in hundreds of well-organized compiled Lua files. This code base implements all of the Harmony’s device logic and smart-home functionality. The device logic covers everything from authentication and user management to firmware updates and package control. The Harmony hub uses a messaging system: functionality is implemented by handlers in the application code that Logitech’s remote servers invoke when the user controls the hub from the smartphone app. These message handlers are the lifeblood of the device, since the hub turns up the thermostat at night and unlocks your door when you get home. Of course, there is a protection mechanism to ensure that only trusted servers can make requests or use the protected message handlers. The protection mechanism is flawed, however, allowing any remote attacker to bypass the security measures.