EnOcean Secure uses a rolling code (an incremental counter) together with a CMAC (Cipher-based MAC built on AES-128) to authenticate every telegram and block replay attacks, which is critical for security-grade applications such as alarms and wireless locks.
True
EnOcean Secure layers cryptographic protection on top of the standard telegram. A 24 or 32-bit rolling counter is incremented on every transmission, and a CMAC over (data plus counter) is appended using a shared AES-128 key. The receiver only accepts a telegram whose counter is greater than or equal to the next expected value, blocking captured-and-replayed frames. The 16-byte key is exchanged once during the Secure Teach-In. Without Secure mode, the classic EnOcean format is vulnerable to replay attacks, although the 32-bit Device ID still makes random spoofing impractical.
For door locks and alarm sensors, always enable Secure mode end-to-end; mixing one Secure sensor with a non-Secure gateway gives you no protection at all and is the single most common audit failure.
EnOcean bank in preparation
The full EnOcean bank isn't available yet. Drop your email to get notified at launch and grab an early-bird discount.
Join the waitlist →See the 9 other EnOcean practice questions
Related questions
- Which EnOcean radio frequencies are used in Europe, North America and Japan respectively?1. Architecture · Frequenzen
- The most common EnOcean RORG values are RPS (F6, Repeated Switch Telegram, push-buttons), 1BS (D5, 1-Byte Sensor, magnetic contacts), 4BS (A5, 4-Byte Sensor, temperature / CO2 / lux sensors) and VLD (D2, Variable Length Data, modern multi-function devices).2. EEP · Häufige RORG
- A Level 1 EnOcean repeater retransmits every received telegram (extending the range), while a Level 2 repeater also retransmits telegrams already forwarded by other repeaters (allowing wider cascading at the cost of higher loop risk).4. Repeater · Repeater Level 1
- Smart Acknowledge (Smart Ack) is the EnOcean protocol for bidirectional communication with battery-less devices: the sensor registers with a Postmaster (a relay) that buffers commands destined for the sensor and delivers them during the brief listening window that follows each of the sensor's own transmissions.5. Smart Ack · Bidirektionale Kommunikation
- EnOcean is particularly well suited to the retrofit of existing buildings: sensors and buttons can be added without pulling cable or fitting batteries, with a 20+ year service life, making it ideal for heritage buildings or sites that are difficult to rewire.7. KNX integration · Retrofit-Anwendung