This blog provides details about the security advisory notice regarding versions lower than 4.4.4 of the LoRaMAC-Node™ stack. The associated security advisory notice and stack published by Semtech can be found on Semtech’s GitHub repository.
Semtech maintains an open source LoRaWAN® stack, called LoRaMAC-Node, as a tool for developers building devices using the LoRaWAN protocol. This is not the only LoRaWAN stack on the market, and other open source or commercial implementations exist using entirely different code bases.
The LoRaMAC-Node stack is licensed under an open source license and, as a result, benefits from the thousands of developers who have read the code, asked questions and proposed improvements. Semtech is a firm believer in the advantages of open source code: the large base of contributors and reviewers who use the tool to accelerate solution development also constructively identifies areas for improvement, which we may then implement, publish and share with the developer community. Semtech encourages responsible disclosure of any bug (security related or not) in the code we provide under an open source license.
In this specific instance, the Tencent Blade team identified a vulnerability within the LoRaMAC-Node stack and – following accepted best practice – quickly brought this to the attention of the Semtech team. Alerting us directly, rather than via a public forum, enabled us to move rapidly to develop a fix within two days and, after full validation, release LoRaMAC-Node stack version 4.4.4 incorporating the fix.
The vulnerability identified by the Tencent team was within the LoRaMAC-Node stack, not within the LoRaWAN specification itself. The LoRaWAN specification is written and maintained by a group of industry experts who serve on the technical committee of the LoRa Alliance® and has, from its inception, placed security and privacy at the heart of the design of the LoRaWAN protocol. The LoRaWAN specification has also undergone extensive security reviews: by the technical committee, by security experts employed by recognized cybersecurity firms, and in external audits. The results of those audits are taken into account either as specification improvements where applicable, or as best practice recommendations. For additional details, I encourage you to download and read the latest LoRa Alliance white paper on security.
The specific security gap identified fell into the “Denial of Service” category, which means an attacker could potentially have interfered with the device-to-network connection process. At no time, however, was the user’s data exposed by the bug (and consequently no privacy breach occurred). Furthermore, there was no way to leverage the bug to take control of the device, to inject code into the device or to extract security material from the device.
As a matter of ordinary course, we have requested a Common Vulnerabilities and Exposures (CVE) entry for the bug. CVE is a centralized registry where the Internet’s biggest and most widely used open source projects disclose discovered vulnerabilities, so that users can review, in a single place, the ones that may affect the code they are using, as was possibly the case here. Learn more about CVE and responsible disclosure of bugs.
I would like to take this opportunity to thank the Tencent Blade team again for moving so quickly to alert us to this issue and for their contribution to improving the tools available to developers to rapidly develop compelling Internet of Things solutions based on the low power, long range and locationing enabled by LoRaWAN.
Semtech, the Semtech logo and LoRa® are registered trademarks or service marks, of Semtech Corporation or its affiliates.