Port 20005: OpenWebNet — The Home Automation Port That Became a Router Nightmare

Port 20005 lives a double life. Officially, it's registered with IANA for OpenWebNet, a home automation protocol that controls lights and heating in buildings across Europe. Unofficially, it's remembered as the port that turned millions of home routers into hackable targets.

What Runs Here

OpenWebNet is a communications protocol developed by BTicino (now part of Legrand) around 2000 for managing electrical networks and home automation systems. The protocol allows high-level interaction between remote units and the MyHome domotic (home automation) system.¹

The official IANA registration assigns port 20005 for "OpenWebNet protocol for electric network."² However, in practice, OpenWebNet implementations typically use port 20000 as the default, with 20005 serving as the registered fallback.³

How OpenWebNet Works

OpenWebNet messages are structured with variable-length fields separated by asterisks (*) and terminated with ##. This text-based protocol allows control over:

• Lighting systems
• Heating and climate control
• Electrical load management
• Access control and security
• Integration with KNX and DMX512-A systems via gateways⁴

The protocol is transport-independent—you can connect via Ethernet, RS-232 serial, or USB to a gateway that translates OpenWebNet messages into the Bus SCS commands used by the actual electrical system.⁵

The NetUSB Nightmare

Port 20005 gained notoriety for a different reason: NetUSB.

Many consumer routers from TP-Link, Netgear, D-Link, TRENDnet, and ZyXEL included a kernel module called NetUSB that allowed USB devices connected to the router to be accessed over the network. NetUSB listened on TCP port 20005 on all interfaces—both the internal LAN and the external WAN facing the Internet.⁶

In 2015, security researchers discovered a critical vulnerability: if a connecting computer sent a hostname longer than 64 characters, it triggered a stack buffer overflow in the NetUSB service. This allowed attackers to execute arbitrary code in the kernel—remotely, before authentication, from anywhere on the Internet.⁷

Millions of routers were affected. The vulnerability allowed complete device takeover: an attacker could compromise your router without knowing your password, without being on your network, just by sending malformed packets to port 20005.⁸

The Aftermath

Firmware updates were released by some vendors, particularly TP-Link. Others were slower or never patched their devices. The recommended mitigations were:

1. Update router firmware if available
2. Disable USB file sharing features
3. Add firewall rules to block port 20005 from the WAN side⁹

The NetUSB vulnerability is a reminder that every listening port is a potential attack surface. OpenWebNet itself wasn't the problem—the problem was a completely different service using the same port number with poor security practices.

Security Considerations

If you see port 20005 open on your system:

• On a BTicino/Legrand gateway: Expected behavior for OpenWebNet
• On a home router: Potentially NetUSB—check for firmware updates and consider blocking external access
• Unexpected appearance: Could indicate unauthorized services or remnants of old malware¹⁰

The port has also been associated with various trojans and malware over the years, including references to "Mosucker" and other threats, though these are less common than the NetUSB issue.¹¹

Checking What's Listening

Linux/macOS:

sudo lsof -i :20005
sudo netstat -tulpn | grep 20005

Windows:

netstat -ano | findstr :20005

If you find unexpected services on this port, investigate immediately.

The Registered Port Range

Port 20005 falls in the registered port range (1024-49151). These ports are registered with IANA for specific services, but the registration isn't enforced. Anyone can run any service on these ports—IANA registration is more like a phonebook entry than a security control.

This is why the same port number can serve OpenWebNet home automation in one context and become a router vulnerability vector in another. The number itself has no inherent meaning. It's just a door. What matters is what's behind it.

Why This Port Matters

Port 20005 tells two stories about the Internet:

First story: A European home automation company registers a port number for their protocol in the early 2000s. The protocol works. It controls lights and heating in homes and buildings. It does its job quietly.

Second story: Years later, router manufacturers implement a USB sharing feature that happens to use the same port number. They make a security mistake—listening on all interfaces, poor input validation. That mistake turns millions of devices into targets.

Same port. Different services. Different outcomes.

The Internet is built on ports like this. Most of the time, nothing dramatic happens. Sometimes, a buffer overflow in a kernel module turns a five-digit number into a crisis.

Related Ports

• Port 20000 — Default port for OpenWebNet implementations
• Port 80 — HTTP, often used for router web interfaces
• Port 443 — HTTPS, secure router management
• Port 23 — Telnet, another common router vulnerability vector