10

Today I—likely—stumbled upon a major security leak in my home automation setup.

Scenario

I installed the ha bridge GitHub project on my Raspberry Pi, mainly to see what it can do. I literally just followed the first few steps, downloading and starting the habridge. To my great surprise my Logitech Harmony Hub seems to freely share all its information with the new bridge. I have not entered any credentials whatsoever. The only thing I provided was the Harmony's IP address and a bogus device name (i.e. my hub actually has another display name for all Logitech and Alexa purposes).

[Image: SharingHarmonyHub]

Not only does the Hub share information about all configured devices, it also allows those activities to be triggered freely. I tested it; they work splendidly.

[Image: EveryonePushButtons]

I have looked in both the desktop program as well as the mobile app. Neither seems to offer any way to activate any security options.

When I look into the log of the habridge it even shows that the Harmony apparently broadcasts everything that happens. The activities that can be seen there (minus cropped ID) were triggered by the Harmony App. There's also a heartbeat that tells my habridge immediately when the Hub is offline.

[Image: HarmonyBroadcasts]

Question

Is there any way to secure that Hub besides packaging it back up and sending it back to wherever insecure devices come from?

Helmar

1 Answer

4

You could set up a local firewall, but your best bet is to put it on a separate secure WiFi network dedicated to IoT devices (if you don't trust the other devices on your network).

It's secure to the outside world; it's only insecure locally.

anonymous2
Nate D
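
The firewall and separate-network suggestion from the answer above, sketched as an nftables forwarding policy that lets only the habridge host open connections to the hub. This is an added example, not part of the original question or answer. It assumes a Linux router running nftables between the trusted LAN and the IoT network; every interface name and address in it is constructed.

```nftables
#!/usr/sbin/nft -f
# Added example: forwarding policy on a router that sits between the
# trusted LAN and a dedicated IoT network. Interface names and addresses
# are assumptions (constructed), not values from the post.

define LAN_IF = "eth1"          # trusted LAN (assumed)
define IOT_IF = "wlan1"         # dedicated IoT WiFi network (assumed)
define WAN_IF = "eth0"          # internet uplink (assumed)
define HUB    = 192.168.20.10   # Harmony Hub (constructed address)
define BRIDGE = 192.168.10.5    # Raspberry Pi running habridge (constructed address)

table inet iot_isolation {
    chain forward {
        # Default deny: anything not matched below is not forwarded.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # Only the habridge host may open connections to the hub.
        iifname $LAN_IF oifname $IOT_IF ip saddr $BRIDGE ip daddr $HUB accept

        # Log and drop every other forwarded attempt to reach the hub.
        ip daddr $HUB log prefix "hub-denied: " drop

        # Both networks may reach the internet; the IoT network gets no
        # rule that lets it initiate connections into the LAN.
        iifname $IOT_IF oifname $WAN_IF accept
        iifname $LAN_IF oifname $WAN_IF accept
    }
}
```

These rules only filter traffic that crosses the router, so any device joined to the IoT network itself can still talk to the hub directly. A phone that runs the Harmony app from the LAN would need its own accept rule next to the one for the habridge host.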