Port 1628: LonTalk — The Port That Talks to Buildings

Most Internet traffic flows through ports designed for computers talking to other computers. Port 1628 exists so your office thermostat can talk to your building's HVAC system over the same network.

What Runs on Port 1628

Port 1628 is registered with IANA for lontalk-norm (LonTalk normal)—the LonTalk protocol used in LonWorks building automation systems.¹ Both TCP and UDP use this port.

LonWorks is a control networking platform designed specifically for automation. It controls lighting, HVAC systems, access control, elevators, and industrial equipment in commercial buildings worldwide.²

How LonWorks Works

LonWorks was originally designed to run over specialized media—twisted pair cables, power lines, even fiber optics. Each device on a LonWorks network (a thermostat, a light controller, a valve actuator) could communicate using the LonTalk protocol without needing IP networking.²

Then buildings started standardizing on Ethernet and TCP/IP for everything.

The IP-852 standard (also known as EIA-852 and CEA-852) solved this by allowing LonWorks packets to tunnel through IP networks.³ When a LonWorks device needs to communicate over Ethernet instead of a dedicated control cable, it uses ports 1628 and 1629 to encapsulate LonTalk protocol messages inside UDP or TCP packets.⁴

This means a building can run its entire automation system over the same network infrastructure that carries email and web traffic. The HVAC controller in the basement can talk to temperature sensors on the fifth floor using the existing Ethernet backbone.

The History

Echelon Corporation was founded in February 1988 in Palo Alto, California, and released the LonWorks platform in 1990.⁵ The timing is interesting—1990 was early for networked building automation. Most buildings were still using proprietary control systems that couldn't talk to each other.

LonWorks provided a standard protocol. In 1999, the LonTalk protocol was approved as ANSI standard EIA/CEA-709.1.² It later became an international standard (ISO/IEC 14908).⁶

The technology has outlasted the company. Echelon was acquired by Adesto Technologies in 2018, which was itself acquired by Dialog Semiconductor in 2020. In 2021, Dialog became a subsidiary of Renesas Electronics.⁵ The protocol, meanwhile, continues running in buildings worldwide.

What This Port Carries

When a packet arrives at port 1628, it's likely carrying one of these messages:

• A temperature sensor reporting the current reading to an HVAC controller
• A lighting controller receiving commands from an occupancy sensor
• A building management system querying the status of hundreds of automation devices
• Configuration data being sent to a newly installed actuator or sensor

The traffic is operational—systems monitoring themselves, adjusting themselves, keeping buildings comfortable and efficient. It's not user-facing. You'll never open a browser and point it at port 1628. But if you work in a modern office building, the climate control system keeping you comfortable might be using it.

Security Considerations

LonWorks systems were designed when building automation networks were physically isolated from the Internet. IP-852 brought those systems onto IP networks, which changed the security model.

A LonWorks network exposed to the Internet without proper firewall rules allows potential access to building control systems. An attacker reaching port 1628 could potentially monitor or manipulate building automation functions.⁷

Best practices:

• Isolate building automation networks using VLANs or separate physical networks
• Never expose port 1628 directly to the Internet
• Use firewalls to restrict which devices can communicate with LonWorks controllers
• Monitor traffic on ports 1628-1629 for unexpected patterns
• Implement network access control to prevent unauthorized devices from joining the automation network

Related Ports

Port 1629 — Also used by IP-852 for LonWorks traffic. The IP-852 standard uses both 1628 and 1629 as designated IANA ports, though devices can be configured to use alternative ports if needed.⁴

The Strange Beauty of It

Port 1628 represents a collision of two different worlds. One world—the Internet—was built for information sharing between computers. The other world—building automation—was built for machines controlling physical systems.

The protocol running through this port predates widespread Internet connectivity in buildings. It was designed when "network" meant a dedicated cable running through conduit, not Ethernet everywhere. And yet it adapted. The messages that once traveled over power lines now travel over TCP/IP, using the same infrastructure that carries video calls and cloud storage.

Every time an office building automatically adjusts its temperature zone by zone, or lights dim based on occupancy sensors, there's a decent chance those control signals traveled through port 1628 at some point. The port is invisible to users but essential to the physical comfort of millions of people working in automated buildings.

How to Check Port 1628

To see if anything is listening on port 1628 on your system:

# On Linux or macOS:
sudo lsof -i :1628
# or
sudo netstat -tulpn | grep 1628

# On Windows:
netstat -ano | findstr :1628

If you find something listening on this port and you're not running building automation equipment, investigate. It shouldn't be present on typical workstations or home networks.