
Examining the Legacy BMS LonTalk Protocol

ID: 2a06d58b-fe0d-58cf-94a2-f8daefcf657f

STIX ID: report--2a06d58b-fe0d-58cf-94a2-f8daefcf657f

Feed Name: Claroty Team82

Threat Score: 60/100

Date Published: 2026-02-19

Date Updated: 2026-04-17

Author: Amir Zaltzman


Team82 reviews the legacy LonTalk protocol (CEA-709) and its IP-based extension (CEA-852), describing how the transition from dedicated Neuron chips to IP-based implementations increases the attack surface of building management systems (BMS). The report outlines protocol features (network variables, SNVTs), the availability of EnOcean/EnOcean GitHub stacks, and the security implications of vendor-specific management packets. It notes that many Internet-exposed controllers (identified via Censys) use default MD5 keys or lack protections, creating opportunities for unauthorized access and remote manipulation of HVAC, lighting, and other critical building systems.
