The IoT industry likes to repeat its mistakes. This week we published a presentation on Slideshare that — despite its wordier-than-normal layout — highlights some fundamental missteps being made in an emerging area of the IoT called LPWAN, which stands for Low Power Wide Area Network. We focus on one technology in particular, LoRa, an excellent radio product built by a $2B silicon company called Semtech. The Semtech folks are smart and make great radios and we like LoRa.

Some of the details about the technology are in the deck — LoRa is basically a new kind of LPWAN radio that uses some not-so-new techniques in some novel ways to achieve multi-kilometer range and a multi-year battery life story. And it sells for under $5, putting it in the wheelhouse of many IoT developers who demand very low cost endpoints. It’s probably the most exciting thing happening in the low power IoT right now, if you can filter out the noise from the cellular industry, which is prematurely hyping their own LoRa competitor(s).

Since LoRa is just a radio, it needs a networking stack in order to run applications. And this is where the IoT déjà vu comes in: Semtech seems to be throwing its weight behind some LoRa freeware contributed by IBM Research called LoRaWAN. It’s a cheap, simple networking stack and probably fine for doing a concept test or for a hobbyist’s experiments. But amazingly — for all the reasons we outline in this presentation including security — some developers and even some cellular carriers are throwing caution to the wind and using LoRaWAN in commercial rollouts.

We identify ten problems in all, but one massive flaw, which no doubt stems from a lack of prioritization of security during the design process, is the lack of over-the-air firmware updates. Running LoRaWAN over LoRa, OTA firmware updates are not an option. Somehow developers — and this is ’90s-era IoT — are expected to “manually” update firmware.
So if your battery-powered temperature-tracking endpoint just happens to have a USB connector (rare) and you don’t mind paying a tech to walk over to it (expensive) and “hook in” for the firmware update (not scalable), as a LoRaWAN customer you have nothing to worry about. But your endpoints need a security patch? Good luck!

If you think, as we do, that lack of OTA firmware updates is just wireless malpractice, then LoRaWAN is a great example of the IoT industry repeating a security “worst practice” a la ZigBee and others.

We created this presentation to alert developers to the perils of LoRaWAN and to alert them to alternatives including our stuff. But the secondary (or primary depending on your POV) point about stewardship of the IoT can’t be overstated. Debacles like the Philips Hue lightbulb fiasco or the Dyn/Mirai botnet attack give everyday consumer and business users a feeling of IoT security dread. And regulators are getting interested in “helping” out, too.

Hopefully, LoRa doesn’t become another IoT security cautionary tale — it’s young enough to be able to make some mid-course corrections. LoRa is a fine technology at heart; it’s just making — via LoRaWAN — some fixable adolescent goofs.

— Pat Burns