The e-magazine for KNX home & building control

Security: safeguarding your customers’ networks

Simon-BuddleBy Simon Buddle, Future Ready Homes.

I’ve been around long enough to know a time when people left their front doors unlocked during the day. People would pop in for a tea and chat, children running between houses to gather up the gang before heading off down to the river or out into the fields to try setting fire to stuff using a magnifying glass. Security, insofar as there was security, was done at a community level – if you weren’t known to people it wouldn’t be long before someone said ‘hello’ and asked what your business was in the neighbourhood.

Nowadays, locking up your house as you leave is done without thought, as part of the process of going out. It is required for the insurance policy to be valid in the event of a claim. The quality and quantity of locks on doors and windows are also prescribed by the insurers. Sadly, today, security for the home is all too important.

Nowadays, locking up your house as you leave is required for the insurance policy to be valid.
Nowadays, locking up your house as you leave is required for the insurance policy to be valid.

Constant threat of attack

If a network is connected to the outside world whether wired or wireless, it is susceptible to hacking. That is a simple fact of life in the digital age. As far back as 2014, the Shenzhen Hotel KNX installation was famously hacked, but as KNX Association reminded us in its response, whilst KNX is inherently secure, ensuring that an installation is totally robust relies on essential security measures being properly considered and implemented.

Right here, it’s important to draw a distinction. In commercial installations it’s easy to see how someone could get access to the bus in the privacy of a room with connected devices within the building. However, in the residential arena, one might have bigger problems trying to access the twisted pair bus cable directly. Nonetheless the importance of securing the system cannot be overstated today.

Staying ahead of the hackers

Any wireless, IoT, or router device is potentially under threat of attack. The KNX Association has been working hard to ensure that the protocol stays up to date and this year has seen great leaps forward. KNX Secure now offers the opportunity to provide secure IP and twisted pair communications. Quoting from the KNX website:

‘KNX Secure meets the highest encryption standards (according to ISO 18033-3, such as AES 128 CCM encryption) in order to effectively prevent attacks on the digital infrastructure of buildings and to achieve the highest level of data protection.’

This needs to be implemented by manufacturers in each device and we’re already seeing some of the bigger players introducing new products with KNX Secure added to them. So, keep an eye out for this new symbol against a product in the ETS catalogue!

Indication in ETS of a device's KNX Secure status.
Indication in ETS of a device’s KNX Secure status.


It has been commonplace for dealers to use port 3671 to access systems remotely, and as I write, there are 17,221 open, according to Any open port is a potential hole into the customer’s system and network. Test a network for open ports using

Global indication of how many times port 3671 is being found open.
Global indication of how many times port 3671 is being found open.

This leads me onto my main point; are your customers’ networks vulnerable to attack and, following on from that, is your business vulnerable should one of your customers become the victim of hacking? I’ve had two recent experiences of hackers phoning into customers’ homes and gaining access to PCs that contain sensitive information. Luckily in both cases, the clients’ banks recognised the subsequent transactions as fraudulent.

There must be two basic steps that we all take to protect our customers and our businesses:

1. Develop a network security policy and testing procedure. This should provide the framework that enables you to deploy a digital infrastructure, test it for vulnerabilities and record the results. It should ensure that firewalls are setup correctly, no devices are placed in the DMZ (Demilitarised Zone), no default passwords are left in place, etc.

2. Broaden your company’s Terms & Conditions to encompass digital security. Whilst I don’t want a customer to be hacked, I also wouldn’t want them to try and hold me responsible if they have downloaded a piece of malware from an email link they were sent.

This is yet another reason for ongoing service and maintenance contracts, helping to keep the network secure in real time by way of reporting new devices, suspicious traffic and keeping routers, wireless access points and the like up to date with the latest firmware and therefore protection.


If we accept that the digital security of our customers’ networks is our responsibility, then our challenge is to ensure we can demonstrate that we are competent to provide safe and secure digital infrastructure, with ongoing support.

This is an important issue for the whole industry, so the more manufacturers implementing KNX Secure in their devices, the easier our jobs become. After all, you wouldn’t leave your house doors open in this day and age, so don’t leave the digital doors open either.

Simon Buddle CEng MIET, is a consultant for Future Ready Homes, a specialist in BMS and ELV services system design.

Share on facebook
Share on twitter
Share on linkedin


LUXA 103 KNX presence detectors

LUXA 103 KNX presence detectors
LUXA 103 presence detectors with a round detection area for individual and open-plan offices, meeting and storage rooms, cellars ...