{"id":189131,"date":"2026-02-20T08:46:00","date_gmt":"2026-02-20T13:46:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/20\/claroty-team82-warns-of-growing-cybersecurity-risks-in-legacy-lontalk-protocols-across-bms-deployments\/"},"modified":"2026-02-20T08:55:14","modified_gmt":"2026-02-20T13:55:14","slug":"claroty-team82-warns-of-growing-cybersecurity-risks-in-legacy-lontalk-protocols-across-bms-deployments","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/20\/claroty-team82-warns-of-growing-cybersecurity-risks-in-legacy-lontalk-protocols-across-bms-deployments\/","title":{"rendered":"Claroty Team82 warns of growing cybersecurity risks in legacy LonTalk protocols across BMS deployments"},"content":{"rendered":"<p><a href=\"https:\/\/industrialcyber.co\/threat-landscape\/claroty-team82-warns-of-growing-cybersecurity-risks-in-legacy-lontalk-protocols-across-bms-deployments\/\">Claroty Team82 warns of growing cybersecurity risks in legacy LonTalk protocols across BMS deployments<\/a><\/p>\n<p><a href=\"https:\/\/industrialcyber.co\/threat-landscape\/claroty-team82-warns-of-growing-cybersecurity-risks-in-legacy-lontalk-protocols-across-bms-deployments\/\">https:\/\/industrialcyber.co\/threat-landscape\/claroty-team82-warns-of-growing-cybersecurity-risks-in-legacy-lontalk-protocols-across-bms-deployments\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-20 08:46:00<\/a><\/p>\n<p>Source Domain: <a href=\"industrialcyber.co\">industrialcyber.co<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>Claroty\u2019s threat research team, Team82, has uncovered fresh cybersecurity concerns tied to the LonTalk protocol, a foundational communication standard used deep within many building management and automation systems. Originally developed in the 1990s for isolated, serial device networks, LonTalk still exists in legacy BMS (building management systems) deployments even as modern systems migrate toward IP\u2011based architectures. As these older protocols are exposed to enterprise networks and the internet without adequate protection, they introduce a broad attack surface that malicious actors can exploit, especially given documented and undocumented security gaps and the end of dedicated silicon support for core components.\u00a0<\/p>\n<p>Team82\u2019s analysis highlights how the persistence of LonTalk in critical infrastructure such as HVAC (heating, ventilation, and air conditioning), lighting, energy controls, and other facility systems is creating real risk as digital integration accelerates, demanding renewed attention to hardening legacy protocols in operational environments.<\/p>\n<p>\u201cThe LonTalk protocol is versatile, capable of operating over multiple physical topologies using media such as twisted pair wiring, power lines, and radio frequency,\u201d Amir Zaltzman, senior vulnerability researcher at Team82, wrote in the Thursday blog post. \u201cLater implementations standardized LonTalk over IP through the CEA-852 standard. Beyond data exchange, LonTalk provides network management and diagnostic services, enabling integrators to commission devices, assign addresses, monitor node status, and clear error logs directly through the protocol.\u201c<\/p>\n<p>The LonTalk protocol, developed in the early 1990s by Echelon Corp. of Massachusetts, was widely used for device-to-device communication in building automation and management systems, but it has largely been supplanted by the more modern and secure BACnet standard. Despite this, LonTalk remains embedded in many proprietary BMS implementations, creating potential undocumented security risks, particularly as these systems are increasingly connected to IP networks and managed via the cloud. This connectivity introduces new vulnerabilities that can be exploited by hacktivists or criminal actors.\u00a0<\/p>\n<p>LonTalk continues to be relevant to BMS cybersecurity discussions, especially as sectors such as commercial real estate, retail, hospitality, and data centers rely on BMS for critical services like HVAC, lighting, energy management, and security. These systems, now integrated with other smart devices, generate analytics for efficiency, regulatory compliance, and cost reduction. Any disruption to these services due to legacy protocol vulnerabilities is unacceptable, prompting Team82 to research LonTalk\u2019s security weaknesses and its implications as it transitions from serial to IP-based connectivity.<\/p>\n<p>Many legacy LonTalk systems, including sensors and controllers, rely on dedicated integrated circuits called Neuron Chips to implement the physical, network, and application layers of the LonTalk protocol in hardware. The chip combines three local processors (applications, network management, and packet I\/O), an architecture that enables LonWorks devices to communicate, process control logic, and handle network services independently, without relying on external microcontrollers.\u00a0<\/p>\n<p>As Echelon\u2019s company lineage changed several times through acquisitions, the Neuron Chip line was officially declared end-of-life in 2025, marking the end of dedicated LonTalk silicon.\u00a0<\/p>\n<p>LonTalk functionality continues, however, through EnOcean software stacks and network interface products. Modern systems may integrate legacy LonWorks networks into contemporary IoT and edge architectures. EnOcean manages tools for Lon functionality, as well as the interface hardware connecting LonTalk devices to IoT and edge infrastructures. LonMark, meanwhile, maintains the LonTalk and LonWorks standards, including SNVT management, device certification, and interoperability guidelines.<\/p>\n<p>Zaltzman explained that LonTalk is often used to coordinate devices such as HVAC controllers, lighting dimmers, and occupancy sensors from different manufacturers on a single LonWorks network without requiring custom integration. Its widespread adoption and long lifespan make it common in existing infrastructures where full system replacement is costly, allowing it to bridge legacy installations with modern IP-based BMS solutions for smoother migration to newer standards.\u00a0<\/p>\n<p>Devices on a LonTalk network communicate through Network Variables (NVs), which represent data points like temperature, fan speed, or occupancy. NVs can be outputs (NVO) to send data or inputs (NVI) to receive data, and each uses a Standard Network Variable Type (SNVT) to ensure consistent interpretation across devices from different manufacturers.<\/p>\n<p>\u201cThe transition of the legacy LonTalk protocol to the IP layer has significant implications for its applicability. By removing the dependency on the proprietary Neuron chip,\u00a0 LonTalk can now be implemented more flexibly and deployed across a broader range of platforms,\u201d according to Zaltzman. \u201cBeyond replicating the core features of the original protocol, the IP-based standard introduces enhanced capabilities such as device registration and configuration, channel and membership management, and channel statistics monitoring.\u201d<\/p>\n<p>He added that the specification defines vendor-specific packet types that extend control and configuration beyond the baseline CEA-852 standard. \u201cThese privileged commands enable authorized users to manage gateway devices, which often support multiple protocols and whose configuration may influence the entire BMS network. The following sections provide a deeper look at CEA-852 proprietary packet types, exploring how vulnerabilities can be exploited and examining general implementation drawbacks.\u201d<\/p>\n<p>\u201cTo make LonTalk more accessible to developers, EnOcean has released an official GitHub repository containing the LonTalk protocol stack source code for both client and server implementations of the IP-852 standard (explained in detail in the Exploring the CEA-852 Standard section),\u201d Zaltzman identified. \u201cThese sources are compiled into the core libraries that manage LonTalk communication within EnOcean\u2019s i.LON and SmartServer product lines, following EnOcean\u2019s acquisition of Echelon\u2019s product line.\u201d<\/p>\n<p>When conducting a quick search for Internet-accessible LonTalk devices using the CENSYS service, we identified a significant number of exposed controllers, both EnOcean (formerly Echelon) and Loytec devices, that are directly connected to the Internet. Further analysis revealed that many of these devices expose the CEA-852 LonTalk-over-IP service on its default ports (1628 and 1629). In addition, a large portion of these controllers either rely on default MD5 keys when signature-based protection is enabled or do not implement any security mechanisms at all.<\/p>\n<p>\u201cMoving LonTalk to the IP layer with CEA-852 makes BMS networks more flexible and easier to integrate, but also opens new security risks through vendor-specific commands,\u201d Zaltzman said. \u201cIn future reports, we\u2019ll take a closer look at real-world EnOcean and Loytec gateway controllers, examining how these packets operate and uncovering potential weak spots in CEA-852 implementations within modern BMS deployments.\u201d<\/p>\n<p>\t\t\t\t\tAnna Ribeiro\t\t\t\t<\/p>\n<p>\t\t\t\t\tIndustrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.\t\t\t\t<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Claroty Team82 warns of growing cybersecurity risks in legacy LonTalk protocols across BMS deployments https:\/\/industrialcyber.co\/threat-landscape\/claroty-team82-warns-of-growing-cybersecurity-risks-in-legacy-lontalk-protocols-across-bms-deployments\/&#8230;<\/p>\n","protected":false},"author":1,"featured_media":189132,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/industrialcyber.co\/wp-content\/uploads\/2026\/02\/2026.02.20-Claroty-Team82-warns-of-growing-cybersecurity-risks-in-legacy-LonTalk-protocols-across-BMS-deployments.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-189131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/189131"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=189131"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/189131\/revisions"}],"predecessor-version":[{"id":189133,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/189131\/revisions\/189133"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/189132"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=189131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=189131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=189131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}