Stopping An IoT Debacle Before It Happens
The IoT industry likes to repeat its mistakes.
This week we published a presentation on Slideshare that — despite its wordier-than-normal layout— highlights some fundamental missteps being made in an emerging area of the IoT called LPWAN, which stands for Low Power Wide Area Network. We focus on one technology in particular, LoRa, an excellent radio product built by a $2B silicon company called Semtech. The Semtech folks are smart and make great radios and we like LoRa.
Some of the details about the technology are in the deck — LoRa is basically a new kind of LPWAN radio that uses some not-so-new techniques in some novel ways to achieve multi-kilometer range and a multi-year battery life story. And it sells for under $5, putting it in the wheelhouse of many IoT developers who demand very low cost endpoints. It’s probably the most exciting thing happening in the low power IoT right now, if you can filter out the noise from the cellular industry, which is prematurely hyping their own LoRa competitor(s).
Since LoRa is just a radio, it needs a networking stack in order to run applications. And this is where the IoT deja vue comes in: Semtech seems to be throwing its weight behind some LoRa freeware contributed by IBM Research called LoRaWAN. It’s a cheap, simple networking stack and probably fine for doing a concept test or for a hobbyist’s experiments. But amazingly — for all the reasons we outline in this presentation including security — some developers and even some cellular carriers are throwing caution to the wind and using LoRaWAN in commercial rollouts.
We identify ten problems in all, but in one massive flaw that no doubt stems from a lack of prioritization of security during the design process is over-the-air firmware updates. Running LoRaWAN over LoRa, OTA firmware updates are not an option. Somehow developers — and this is 90’s era IoT — are expected to “manually” update firmware. So if your battery powered temperature tracking endpoint just happens to have a USB connector (rare) and you don’t mind paying a tech to walk over to it (expensive) and “hook in” for the firmware update (not scalable), as a LoRaWAN customer you have nothing to worry about. But your endpoints need a security patch? Good luck! If you think, as we do, that lack of OTA firmware updates is just wireless malpractice, then LoRaWAN is a great example of the IoT industry repeating a security “worst practice” a la ZigBee and others.
We created this presentation to alert developers to the perils of LoRaWAN and to alert them to alternatives including our stuff. But the secondary (or primary depending on your POV) point about stewardship of the IoT can’t be overstated. Debacles like the Philips Hue lightbulb fiasco or the Dyn/Mirai botnet attack give everyday consumer and business users a feeling of IoT security dread. And regulators are getting interested in “helping” out, too.
Hopefully, LoRa doesn’t become another IoT security cautionary tale — it’s young enough to be able to make some mid-course corrections. LoRa is a fine technology at heart, it’s just making — via LoRaWAN — some fixable adolescent goofs.
Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising &sponsorship opportunities.
To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.
If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!
