Port 1911: The Fox Protocol — Where Buildings Talk to the Internet

Port 1911 has no official assignment from IANA. It sits in the registered port range (1024–49151), the middle tier of the port numbering system, where applications can request a consistent home without going through the stricter process for well-known ports below 1024.

But unofficially, port 1911 has a job. And that job controls the temperature, lights, and door locks in buildings you've probably been inside.

The Fox Protocol and Tridium Niagara

The Tridium Niagara Framework is the operating system of smart buildings. Universities use it to manage campus energy. Hospitals use it to control environmental systems. Data centers use it to monitor cooling. It runs on embedded controllers called JACEs (Java Application Control Engines), which talk to a central management workbench over a proprietary protocol called Fox.

Fox's default port is 1911.¹

When a Niagara workbench connects to a JACE controller, it uses port 1911 to exchange configuration, telemetry, and control commands. The protocol was designed for trusted internal networks, where the assumption was that only authorized personnel would ever connect.

That assumption did not age well.

What the FBI Found

In 2015, the FBI issued a warning to industry: port 1911 was showing up on the public Internet, and the Fox protocol had a problem. When you connect to it, it responds with detailed information about the system, including the host's operating system and the installed version of the Niagara Framework, without first asking who you are.²

This isn't a bug. It's a feature, operating exactly as designed, on networks where it was never meant to be reachable from the outside.

A Shodan search around the time of the warning found nearly 20,000 exposed Fox endpoints in the United States alone, belonging to universities, state governments, and communications companies.³ Each one was a building's nervous system, broadcasting its configuration to anyone curious enough to ask.

Tridium has since added TLS support and moved secure connections to port 4911. But the old default persists wherever systems haven't been updated or reconfigured.

How to Check What's Using This Port

If you see port 1911 active on a system, you can check what's listening:

On Linux/macOS:

# Show the process using port 1911
sudo ss -tlnp sport = :1911

# Or with lsof
sudo lsof -i :1911

On Windows:

netstat -ano | findstr :1911

For network-wide discovery:

# Nmap has a dedicated script for the Fox protocol
nmap -p 1911 --script fox-info <target>

That last command is exactly what security researchers (and attackers) use to fingerprint exposed Niagara systems. Nmap's fox-info script will return the station name, host OS, and Niagara version if the system responds.⁴

Why Unassigned Ports Matter

IANA maintains the port registry to prevent conflicts. An assigned port means one application has formally claimed that number and published what it does. An unassigned port is open territory.

What actually runs on unassigned ports is shaped by convention, defaults set by vendors years ago, and the inertia of systems that were never updated. Port 1911 is a good example: no formal assignment, but a real and widespread use that the FBI considered significant enough to warn about.

If you're running a firewall and see port 1911 open to the Internet, you should want to know why.

Related Ports

• Port 4911 — Fox over TLS, the encrypted successor for Niagara Framework connections
• Port 3011 — Used by some older Niagara configurations for web access