Data security

Is my data secure with the Semtech packet forwarder?
I think it is, as LoRaWAN has built-in encryption. Can somebody please let me know.

What advantages do I have if we use MQTT?

Hi @abhishek2101, a question like “is my data secure…” can only be properly asked and answered after a risk assessment that defines the necessary controls. I suggest that you examine standards such as the ISO/IEC 27000 series. The following link gives a useful introduction https://en.wikipedia.org/wiki/ISO/IEC_27000-series

My opinion is that for R&D and Proof-of-Concept systems with no material risk the Semtech legacy UDP forwarder security is adequate. If a risk assessment shows that there are significant risks then I would not use the Semtech legacy UDP forwarder.

Data is encrypted on the node and decrypted in the back-end. The gateway does not have decryption keys. So the security level of your data is the same for both the Semtech legacy protocol and the TTN-gateway-connector protocol (MQTT).

The advantage of the ttn-gateway-connector protocol is that it requires the gateway to ‘log in’ before the back-end accepts data. This means that when your application receives data, that data is guaranteed to have been forwarded by that gateway, not by a rogue gateway that has hijacked the supposedly unique EUI of a regular gateway. I’ll leave it to the reader to determine if that is a big advantage for their use case…
(For a gateway owner the secure protocol has the advantage that no one is able to spoof the gateway, for instance by sending false location information, which results in ttnmapper hiding all previously collected data. So for gateway owners I would recommend the more secure protocol.)

Hi Tim,

Can you explain why using another packet forwarder on the gateway would make the data more/less secure, taking into account that LoRaWAN is a radio-based protocol where anyone can receive the same data a ‘secure’ gateway receives?

Best regards,

Jac

Hi Jac, as per your post, the Semtech legacy UDP forwarder does not have strong authentication. Some packet forwarder products and systems use digital certificates to authenticate the gateways and to enable encryption of the backhaul across the public Internet to prevent sniffing, masquerading, replay, etc.

The risk assessments that I am familiar with from industrial control systems would not support the use of IoT transported over the Semtech legacy UDP/IP forwarder but would support the use of IoT over authenticated and encrypted TCP/IP forwarders.

I have recently been through a LoRaWAN security analysis with a large insurance company and this was an issue in the analysis.

I have a private TTN v3 instance and a few gateways registered. How can any gateway other than the registered ones send data to my instance?

If your instance has a public IP and no firewall, anyone knowing the IP and port can send data. The Semtech legacy protocol does not have any authentication.
Registration of EUI-based packet forwarders is just so you can claim the gateway for the console and see stats and packets. Even if you do not register it, you can still have it send data to the network (private or community).
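To make the two points above concrete (the EUI in the Semtech legacy UDP protocol is an unauthenticated claim, and the gateway forwards a frame whose application payload it cannot read), here is an added Python example. It is not code from this thread, from Semtech or from TTN; it follows the PUSH_DATA layout in Semtech's PROTOCOL.TXT (version 2) and the LoRaWAN 1.0.x uplink frame layout. The gateway EUI, tokens, radio metadata and the frame bytes are constructed sample values, not captured traffic, and the function names are this example's own.

```python
"""Added example, not code from the thread or from Semtech: shows what a
Semtech legacy UDP PUSH_DATA datagram carries and why the gateway EUI in it
is an unauthenticated claim. Layout per Semtech's PROTOCOL.TXT (v2). All
EUIs, tokens, radio metadata and the LoRaWAN frame are constructed sample
values, and the function names are this example's own."""
import base64
import json
import os
import struct

PROTOCOL_VERSION = 2
PUSH_DATA = 0x00   # gateway -> server, carries the rxpk JSON
PUSH_ACK = 0x01    # server -> gateway, echoes the token


def build_push_data(gateway_eui: bytes, rxpk: dict, token: bytes = None) -> bytes:
    """version(1) | random token(2) | 0x00 | gateway EUI(8) | JSON object.
    Nothing here is keyed: any UDP sender can put any EUI in bytes 4..11."""
    if len(gateway_eui) != 8:
        raise ValueError("gateway EUI must be 8 bytes")
    token = os.urandom(2) if token is None else token
    body = json.dumps({"rxpk": [rxpk]}, separators=(",", ":")).encode()
    return bytes([PROTOCOL_VERSION]) + token + bytes([PUSH_DATA]) + gateway_eui + body


def parse_push_data(datagram: bytes) -> dict:
    """What a network server sees. There is no signature, MAC or credential
    to check, so the parsed EUI is taken on trust."""
    if len(datagram) < 12 or datagram[0] != PROTOCOL_VERSION or datagram[3] != PUSH_DATA:
        raise ValueError("not a v2 PUSH_DATA datagram")
    return {
        "token": datagram[1:3],
        "eui": datagram[4:12].hex().upper(),
        "rxpk": json.loads(datagram[12:])["rxpk"],
    }


def push_ack(datagram: bytes) -> bytes:
    """Server reply: version | same token | 0x01, sent to whoever sent PUSH_DATA."""
    return bytes([PROTOCOL_VERSION]) + datagram[1:3] + bytes([PUSH_ACK])


def split_phy_payload(phy: bytes) -> dict:
    """Split a LoRaWAN 1.0.x uplink data frame into the fields anyone on the
    air or the backhaul can read (DevAddr, FCnt, FPort) and the parts only the
    back-end can use (FRMPayload encrypted under AppSKey, MIC keyed by NwkSKey):
    MHDR(1) | DevAddr(4 LE) | FCtrl(1) | FCnt(2 LE) | FOpts(0..15) | [FPort | FRMPayload] | MIC(4)."""
    mtype = phy[0] >> 5               # 2 = unconfirmed data up, 4 = confirmed data up
    if mtype not in (2, 4):
        raise ValueError("not an uplink data frame")
    devaddr = struct.unpack("<I", phy[1:5])[0]
    fctrl = phy[5]
    fcnt = struct.unpack("<H", phy[6:8])[0]
    body = phy[8 + (fctrl & 0x0F):-4]  # FPort + FRMPayload, may be empty
    return {
        "devaddr": f"{devaddr:08X}",
        "fcnt": fcnt,
        "fport": body[0] if body else None,
        "frm_payload_cipher": body[1:].hex(),  # still ciphertext at the gateway
        "mic": phy[-4:].hex(),
    }


def rogue_is_indistinguishable(eui: bytes, rxpk: dict) -> bool:
    """A real gateway and a rogue host both build PUSH_DATA with the same EUI;
    only the sender-chosen token differs, so the server cannot tell them apart."""
    real = parse_push_data(build_push_data(eui, rxpk, token=b"\x00\x01"))
    rogue = parse_push_data(build_push_data(eui, rxpk, token=b"\x00\x02"))
    return real["eui"] == rogue["eui"] and real["rxpk"] == rogue["rxpk"]


# Constructed sample values (not captured traffic).
SAMPLE_EUI = bytes.fromhex("AA555A0000000001")
# 0x40 unconfirmed up | DevAddr 26011F2A (LE) | FCtrl 00 | FCnt 5 | FPort 1 | 4 cipher bytes | MIC
SAMPLE_PHY = bytes.fromhex("40 2A1F0126 00 0500 01 A1B2C3D4 11223344")
SAMPLE_RXPK = {
    "tmst": 1234567, "chan": 0, "rfch": 0, "freq": 868.1, "stat": 1,
    "modu": "LORA", "datr": "SF7BW125", "codr": "4/5", "rssi": -35, "lsnr": 5.1,
    "size": len(SAMPLE_PHY), "data": base64.b64encode(SAMPLE_PHY).decode(),
}

if __name__ == "__main__":
    datagram = build_push_data(SAMPLE_EUI, SAMPLE_RXPK, token=b"\x12\x34")
    seen = parse_push_data(datagram)
    print("server accepts EUI", seen["eui"], "and replies", push_ack(datagram).hex())
    frame = base64.b64decode(seen["rxpk"][0]["data"])
    print("visible metadata:", split_phy_payload(frame))
    print("rogue sender indistinguishable:", rogue_is_indistinguishable(SAMPLE_EUI, SAMPLE_RXPK))
```

Two things to take from running it: the server-side parser has no field it could verify, so a firewall or an authenticated transport (the gateway-connector login, or TLS with certificates as mentioned above) is the only thing standing between a public UDP port and an EUI spoof; and the only part of the LoRaWAN frame that an attacker on the backhaul gains by sniffing is metadata (DevAddr, frame counter, port), because the FRMPayload is already ciphertext when it leaves the node.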