Security of the SimplySnap system begins with physical security. The SimplySnap site controller provides a recovery mechanism for resetting the default password and factory defaulting the entire system, so physical access to these buttons should be limited to authorized personnel only.
New features and security enhancements are provided in SimplySnap software updates multiple times a year. Synapse recommends upgrading your system regularly to maintain a secure device.
SimplySnap uses commercial-grade, industry-standard encryption for all of its network communication. Specific details are provided in the table below.
802.11 b/g/n Wi-Fi Access Point, 2.4 GHz
UI (over Wi-Fi or LAN)
802.15.4 Mesh, 2.4 GHz
SimplySnap offers several local connections to deliver its lighting control services:
- The SimplySnap UI is delivered via a web interface. The UI is always available over the Wi-Fi interface, and can also be available from the LAN over the Ethernet interface (when connected). To provide the UI, the system must be able to receive inbound connections on TCP port 443 (HTTPS). SimplySnap also accepts connections on TCP port 80 (HTTP), but will then automatically redirect to port 443.
- The SimplySnap system will respond to ICMP echo (ping) requests.
- The SimplySnap system will accept inbound SSH connections on TCP port 22. This connection is for Synapse internal use only and is not available for use by SimplySnap customers.
- The SimplySnap system will respond to DHCP requests on the Wi-Fi interface using UDP port 67.
- The SimplySnap system is listening on TCP port 9999 but will only accept inbound connections from the SSRA server.
SimplySnap offers several services for internet-enabled installations:
- SimplySnap Remote Access (SSRA) - SSRA is an optional service which allows a system administrator to access the UI of the SimplySnap system via the internet. The SimplySnap system must be able to establish outbound connections to vpn.simplysnap.snaplighting.com on UDP port 1196 to connect to the remote access server.
- Email Notifications - SimplySnap can send notifications (also known as alarms or alerts) via email. The SimplySnap system must be able to establish outbound connections to lighting-email.snapcloud.net on TCP port 443 to connect to the email server.
- Remote Troubleshooting and Upgrades - Customer Support may occasionally need to perform remote troubleshooting or remote upgrades of the SimplySnap system. The SimplySnap system must be able to establish outbound connections to tunnel.snap-lighting.com on TCP port 22 for Customer Support to contact the system. In SimplySnap 4.0 and later, this remote connection is enabled by default but can be disabled by the system administrator.
- NTP - The SimplySnap system will attempt to sync its local clock to a Network Time Protocol (NTP) server by connecting to UDP port 123 on either ntp.ubuntu.com or time.nist.gov.
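The two lists above, expressed as an allowlist and applied to flow records. This is an added example, not Synapse code: the controller address, the SSRA source address and the record layout (including the `iface` and `dst_name` fields) are constructed assumptions, while the ports and hostnames are the ones listed above.

```python
# Added example (not Synapse code). Controller/SSRA addresses and the flow-record
# layout are constructed assumptions; ports and hostnames come from the lists above.
CONTROLLER = "192.0.2.10"        # assumed controller address
SSRA_SOURCES = {"198.51.100.7"}  # placeholder: the guide gives no SSRA server address
INBOUND = {("tcp", 443), ("tcp", 80), ("tcp", 22), ("tcp", 9999), ("udp", 67)}
OUTBOUND = {  # hostname -> (proto, port) the controller is documented to contact
    "vpn.simplysnap.snaplighting.com": ("udp", 1196),
    "lighting-email.snapcloud.net": ("tcp", 443),
    "tunnel.snap-lighting.com": ("tcp", 22),
    "ntp.ubuntu.com": ("udp", 123),
    "time.nist.gov": ("udp", 123),
}

def classify(flow):
    """Return 'documented' or the reason a flow falls outside the guide's port list."""
    proto, port = flow["proto"], flow.get("port")
    if flow["dst"] == CONTROLLER:  # inbound to the controller
        if proto == "icmp":
            return "documented"  # the controller answers ping
        if (proto, port) not in INBOUND:
            return f"undocumented inbound {proto}/{port}"
        if port == 9999 and flow["src"] not in SSRA_SOURCES:
            return "tcp/9999 from a non-SSRA source"
        if port == 67 and flow.get("iface") != "wifi":
            return "DHCP service is documented on the Wi-Fi interface only"
        if port == 22:
            return "review: inbound SSH is for Synapse internal use only"
        return "documented"
    if flow["src"] == CONTROLLER:  # outbound from the controller
        name = flow.get("dst_name") or flow["dst"]
        if name not in OUTBOUND:
            return f"undocumented outbound destination {name}"
        if OUTBOUND[name] != (proto, port):
            return f"unexpected {proto}/{port} to {name}"
        return "documented"
    return "not controller traffic"

def audit(flows):  # (flow, verdict) for every flow that is not plainly documented
    return [(f, v) for f in flows if (v := classify(f)) != "documented"]

SAMPLE_FLOWS = [  # constructed records, e.g. firewall logs joined with DNS answers
    {"src": "192.0.2.50", "dst": CONTROLLER, "proto": "tcp", "port": 443},
    {"src": "192.0.2.50", "dst": CONTROLLER, "proto": "tcp", "port": 9999},
    {"src": CONTROLLER, "dst": "203.0.113.5", "dst_name": "time.nist.gov", "proto": "udp", "port": 123},
    {"src": CONTROLLER, "dst": "203.0.113.9", "dst_name": "lighting-email.snapcloud.net", "proto": "tcp", "port": 25},
    {"src": CONTROLLER, "dst": "203.0.113.77", "proto": "tcp", "port": 443},
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

DNS lookups and the DHCP client exchange on the Ethernet side do not appear in the port lists above, so this check reports them until site-specific entries are added.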
A "secure password" is long (at least 12 characters) and not easily guessed. (For example, don't use information like your name or birthday or anniversary.) A combination of letters, numbers, and symbols is recommended.
SimplySnap versions prior to 3.3 have a single username and password. Synapse recommends changing these values from the defaults to more secure values at the time of commissioning.
In SimplySnap 3.3 and later, the system supports multiple users, each with their own password. Synapse recommends changing the administrator password from the default to a more secure value at the time of commissioning. Synapse also recommends creating secure passwords when each new user is created. SimplySnap 3.3 and later will enforce password complexity requirements.
A button on the side of the unit resets the administrator password, so physical security of the site controller is paramount. For more details on this operation, please consult the User Guide available at help.synapse-wireless.com/Lighting/.
For site controllers manufactured with SimplySnap 4.0 and later, the default administrator password is printed on a label on the side of the unit. For site controllers manufactured prior to SimplySnap 4.0, the default administrator password is given in the User Guide.
In SimplySnap 3.3 and later, the Wi-Fi SSID and password are configurable. Synapse recommends changing the Wi-Fi password from the default to a new, secure value at the time of commissioning.
For SSRA, Synapse recommends changing the Wi-Fi password from the default to a new, secure value when you log in the first time.
A button on the side of the unit factory defaults the entire system, including the Wi-Fi password, so physical security of the site controller is paramount. For more details on this operation, please consult the User Guide.
For site controllers manufactured with SimplySnap 4.0 and later, the default Wi-Fi password is printed on a label on the side of the unit. For site controllers manufactured prior to SimplySnap 4.0, the default Wi-Fi password is given in the User Guide.
If the SimplySnap system is connected to an active Ethernet network, by default the system will attempt to retrieve an IPv4 address assignment using DHCP. You can determine which IP address is assigned via DHCP to the device by connecting to the Wi-Fi interface and viewing the Config page(s).
The recommended method for assigning an unchanging IP address to the system is to configure the DHCP server to always serve the same IP address to the system (for example, by using a DHCP host pool or address reservation in your router). For more information, please consult the documentation for your router or DHCP server.
In SimplySnap 4.0 and later, the Ethernet interface can also be configured with a static IP address, netmask, default gateway, and DNS server(s). A button on the side of the unit factory defaults the entire system, including the Ethernet settings, so physical security of the site controller is paramount. For more details on this operation, please consult the User Guide.
When the SimplySnap system is connected to a LAN, the user interface should be accessible to all devices on that LAN segment. The LAN can also be configured to isolate the SimplySnap system on a separate LAN segment (typically referred to as a VLAN) that allows internet connectivity but limits access to/from other LAN segments. For information about how to configure the LAN in this manner, please consult your switch or router documentation. When the LAN is configured in this way, SSRA may be required to allow access to the UI of the system from devices on other segments of the LAN. The SimplySnap system cannot accept tagged VLAN traffic and must receive traffic without 802.1Q tags.
The Ethernet interface of the SimplySnap system cannot be disabled. If a LAN connection is not desired, Synapse recommends not connecting an Ethernet cable to the system.
The 802.11 b/g/n 2.4 GHz Wi-Fi access point built into the SimplySnap site controller provides a mechanism for delivering the UI without requiring wired Ethernet. If Ethernet is also connected, the SimplySnap system will not allow traffic to be bridged in either direction between the Wi-Fi interface and the Ethernet interface.
The access point uses WPA2-PSK authentication. In SimplySnap 3.3 and later, the Wi-Fi SSID and password are configurable. However, the SimplySnap system does not support disabling SSID broadcast while leaving the Wi-Fi access point interface enabled. In SimplySnap 3.3 and later, this Wi-Fi access point can be disabled. Synapse recommends disabling the Wi-Fi interface if Wi-Fi access is not required. However, disabling the Wi-Fi interface may make troubleshooting (i.e., LAN connectivity) more difficult.
The SimplySnap system does not support using Wi-Fi in client mode to connect to an existing WLAN.
The SimplySnap system is available with an optional integrated Verizon cellular modem. This cell modem can provide the system an internet connection for situations where a LAN connection is not available or not desired. Although you can connect the system to a LAN via the Ethernet port, the system will not use the LAN unless a cellular connection cannot be established. If the LAN is also connected, the SimplySnap system will not allow traffic to be bridged in either direction between the cellular interface and the LAN interface; in addition, the system will prefer routing IP traffic to the cell network over the LAN network. If present, the cellular connection cannot be disabled on the SimplySnap system; however, the cellular interface will not be functional unless the device is activated on a Verizon data plan.
The SimplySnap site controller uses an 802.15.4 mesh network operating at 2.4 GHz to interact with the wireless lighting controllers in the system. The mesh network interface is required for proper lighting control system operation and cannot be disabled. For more details on selecting the proper mesh radio channel, please consult the User Guide. The mesh network is capable of using AES-128 encryption. By default, encryption is disabled on the mesh network to facilitate initial commissioning. Synapse strongly recommends enabling encryption on the mesh network once commissioning is complete.