? Answers about the security of the LoRa Alliance LoRaWAN protocol
Not long ago, Semtech released a relevant security advisory notice and protocol stack, which maintains an open source LoRaWAN® protocol stack called LoRaMAC-Node for developers to use the LoRaWAN protocol to build devices. It is not the only LoRaWAN protocol stack on the market, other open source or commercial implementations use different code bases. The LoRa protocol stack adopts the authorization method of the MAC-Node protocol stack open source license, so thousands of developers have read the code, raised questions and provided suggestions for improvement. At the same time, Semtech encourages people in the industry to report to Semtech any errors in the code we provide under open source licenses, whether they are security-related or not.Low-power wireless communication In a recent specific instance, the Tencent team found a loophole in the LoRa protocol stack, followed industry consensus guidelines, and quickly fed back the problem to the Semtech team. They alerted us directly, rather than through the public forums, allowing us to quickly develop a fix within two days and release an updated version of the LoRaMAC-Node stack containing the fix after full verification. The vulnerability discovered by the Tencent team is in the LoRaMAC-Node protocol stack, not in the LoRaWAN protocol specification. The LoRaWAN specification is written and maintained by a team of experts from the LoRa Alliance® Technical Committee, putting security and privacy at the heart of the LoRaWAN protocol design from the very beginning. The LoRaWAN specification has also undergone a large number of security reviews, including both the review of the technical committee and the review of several industry-recognized information security companies. The findings of these audits are either considered code improvements bluetooth Module where available, or best practice recommendations. The recently discovered security flaw falls into the category of "denial of service," meaning an attacker could have interfered with a device's connection to the network. However, at no point will the user's data be exposed by this bug (so no privacy breach occurs). Also, the attack cannot be used to take control of the device, inject code into it, or extract secure information from the device. Seamtech has applied for a Common Vulnerabilities List (CVE) entry for this security vulnerability. This is a centralized repository where the largest and most used open source projects on the Internet disclose discovered vulnerabilities, so that users can check for vulnerabilities that may affect the code they are using in one place.