Control4 Security Certificate Update
May 22, 2018

On May 22, 2018—coinciding with the release of Control4 OS 2.10.2—all past versions of Composer Pro must be manually updated with new security certificates.

Control4 secures remote access to homes using the same technology as online payments, banking and other secure online services: SSL encryption based on a trusted certificate authority. We have moved a new certificate authority provider, requiring new security certificates in our products and tools.

Key facts:

• Customers—Control4 system owners must use the updated Control4 mobile app, already available in the iOS and Android app stores as versions iOS: 2.10.3.9 and Android: 2.10.2.43. (Control4 has notified customers by email of the need to update starting on May 17 with this message.)
• Installed Controllers—Control4 has already updated security certificates on primary controllers that were connected to our cloud infrastructure and “checking in” since May 9, 2018. These new certificates become active starting on Tuesday, May 22.
• Controllers Shipped From Control4
  • All EA-series controllers shipped from Control4 after May 20 already have Control4 OS 2.10.2 (or later) runtime and factory restore image preloaded, including this security certificate update. These controllers bear a sticker indicating OS 2.10.2 is installed.
  • All HC-series controller models ship with a Control4 OS 2.9.1 runtime image that has been updated with the new security certificates. Important: the factory restore image is OS 2.9.1 without the patch applied.
• Customer who use Composer HE—Customers who use Composer HE must update the security certificate on any computers on which they use Composer HE. (Control4 has notified customers by email about how to do this.)

What You Need to Do:

Use this checklist to manage the security certificate update for your organization. Check each box only after you have confirmed the statement is true.

• All Composer Pro users at your business have applied the Composer Pro patch to all of their computers by running ComposerPatch2.exe from the ComposerPatch2.zip downloadable file.
• All Composer Pro users at your business have downloaded the controller security patch software to their computer for use on primary controllers that were not connected to the Internet and “checking in” with Control4 during the period from May 9 - 22, 2018.
• All offline controllers in your inventory (in warehouse, on trucks, or in-transit from Control4 with ship dates prior to May 21) have been updated using the Device Image Updater (further described in the next section).
• All members of your technical team have been trained on when to use the controller update patch (further described in the next section).
• You have identified any customers whose system potentially requires a manual update to the new security certificate during the next site visit.

Train Your Technical Staff for the Following:

• You do not need to update systems to OS 2.10.2 to get the new security certificates. The controller patch software provided will update the security certificate on any primary controller with a runtime image of an earlier version than OS 2.10.2.
• Kb article 2385 shows each of the key symptoms that indicate when Composer or a primary controller does not have the updated security certificate.
• You must re-apply the Composer security patch whenever you install or re-install any version of Composer Pro or Composer HE prior to version 2.10.2.
• You must re-apply the controller security patch software after performing a factory restore on a controller that you plan to use as a primary controller (running Director for a project).
• You do not need to update secondary controllers with the controller security patch software.
• Kb article 2151 explains how to use Device Image Updater v2 to update the runtime OS and factory restore image to OS 2.10.2, which already includes the new security certificate. (Prior versions of Control4 OS do not include the new security certificates, so restoring any version other than OS 2.10.2 would require running the controller patch software for that controller.)
• If a customer’s mobile app stops connecting to their Control4 system, verify that they are using the latest version of the Control4 mobile app.