Security notes for LogicMachine
Please follow these points to make your installation secure and protected:
1. Do not connect LM to an external (public) IP; use it with a local IP. This way you can control from your router which ports/services are allowed to communicate with LM from outside
2. Always disable unnecessary services – FTP, Remote Diagnostics, Remote services, IP Features in System config
3. Change all passwords. This is why we created the annoying reminder about changing the password, so don't just push the OK button every time. Change all three passwords: FTP/APPs (System config -> Services -> FTP server), admin (System config -> System -> Admin access), remote services (System config -> Services -> Remote Services)
4. Change the default KNX physical address in System config -> Network -> KNX connection
5. Disable KNX/IP features (System config -> Network -> KNX connection) if:
- You have finished programming your KNX devices from ETS and the feature is no longer needed. This protects against a situation where somebody on the same LAN uses ETS to reach the KNX bus through LM, which is very easy to do while KNX/IP is enabled
- No IP filter tables are used
6. If you are not sure of your ISP or there is public access, we recommend using HTTPS access to LM instead of HTTP – https://192.168.0.10 (in this case you can block all ports except HTTPS 443 on your router). Do not be afraid if you receive a browser warning, because LM uses a self-signed certificate (we cannot use a normal certificate because it can only be issued for a domain name, not an IP address). If you are located in the local network and connecting to LM directly, you can stay on port 80/HTTP – in this way the communication will be slightly faster and there will be no browser warnings
7. For external connection to LM we do not recommend using IP port forwarding, because all the services and group addresses become available in an unsecured form. If you want to use port forwarding, do it only with the secure port 443 (HTTPS). The best solution is to use our cloud service as described here: https://openrb.com/logicmachine-cloud-solution/ (you can control only selected group addresses remotely, and data exchange between LM/cloud and cloud/client is done in a secure, encrypted way)
8. If FTP is used, use SSL/TLS. Also, change the default FTP/APPs password in System config -> Services -> FTP server
9. If communication between several LMs is required in one building:
- By default KNXnet/IP communication is not secured. If you have any doubts about the security of your LAN, enable secure communication and specify the encryption key in System config -> Network -> KNX connection. All LMs must have the same key and their system clocks must be synchronized. We recommend using a local NTP server for this
- Enable TOS (type of service) if your router supports it. This way you can enable prioritization for KNX telegrams (7 – highest priority, 0 – lowest). Other IP packets then get lower priority than KNX telegrams – KNX telegrams will always be delivered first, and all the rest afterwards
10. There are cases when somebody tries to reprogram KNX devices. We can supply KNX devices that block all peer-to-peer telegrams (which are used for device programming) while keeping group communication unchanged
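As an added example (not part of these notes or of the LogicMachine software), a small Python audit that checks from your own LAN which of the services above are reachable on a LogicMachine and maps the result to items 2, 6, 7 and 8 of the checklist. The port numbers (FTP 21, HTTP 80, HTTPS 443) are standard defaults assumed here, not values from the notes, and the device address is only the example IP from item 6.

```python
import socket
import sys

# Checklist services, keyed by the TCP port each normally listens on.
# Port numbers are assumed IANA defaults, not taken from the LogicMachine notes.
SERVICES = {21: "FTP server", 80: "HTTP web interface", 443: "HTTPS web interface"}

# What the checklist says to do when a given port is reachable.
FINDINGS = {
    21: "FTP reachable (items 2, 8): disable it unless needed; if needed, use SSL/TLS "
        "and change the FTP/APPs password",
    80: "plain HTTP reachable (items 6, 7): fine for direct LAN access only; for external "
        "access use HTTPS and block everything except 443 on the router",
}


def probe_tcp(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(open_ports):
    """Map the set of reachable TCP ports to checklist findings (no network, testable)."""
    findings = [FINDINGS[p] for p in sorted(open_ports) if p in FINDINGS]
    if 443 not in open_ports:
        findings.append("HTTPS not reachable (item 6): enable it before exposing LM beyond the LAN")
    return findings


def audit_host(host):
    """Probe the checklist ports on host and return (reachable_ports, findings)."""
    open_ports = {p for p in SERVICES if probe_tcp(host, p)}
    return open_ports, audit(open_ports)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.10"  # example IP from item 6
    ports, findings = audit_host(target)
    print(f"{target}: reachable TCP ports {sorted(ports)}")
    for f in findings:
        print(" -", f)
    if not findings:
        print(" - only HTTPS exposed, matching items 6 and 7")
```

Run it from a machine on the same LAN as the LM; an empty findings list means only HTTPS answered.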
Document release date: February 13, 2017