The Things Industries Aims to Simplify LoRaWAN Security with a Global Join Server

The Things Industries, the business side of community-driven LoRaWAN connectivity effort The Things Network, has announced the launch of a global LoRaWAN Join Server it hopes will improve the currently parlous state of security in LoRaWAN implementations.

Earlier this year security specialist IOActive released a white paper and associated toolkit detailing a range of failings in the security of LoRaWAN networks in the wild — all, it appeared, a result of poor implementation procedures and a misguided belief that LoRaWAN's built-in encryption and authentication makes it "secure by default."

"Every technology is just a tool that can be used in good ways and in bad ways. LoRaWAN is nothing different," explains The Things Industries co-founded and chief executive Wienke Giezeman. "When looking at IoT security it is sometimes easy to take short cuts, some of these short cuts are: Re-use of keys; Easy to guess keys; Keys exposed in mail, print or a sticker on the sensor; Not storing the keys on the device properly; In secure hand-over when the devices are passed along the different actors in the value chain. From device maker to distributors to systems integrator to end customer.

"We have created a service that allows you to implement security practices in a scalable and cost effective way to avoid these security mistakes by using our global LoRaWAN Join Server."

The Things Industries' Join Server is an implementation of the LoRa Alliance's Join Server system, which stores root keys and generates session keys for secure transmission separate from the Network Server and Application Server roles. While it's possible to set up your own Join Server, The Things Industries' is hoping that by offering a global server more developers will be encouraged to take advantage of the additional security it offers without needing to be concerned about the configuration and maintenance required to set up their own.

"The Things Industries offers to device makers, module makers and distributors, access to a network agnostic Join Server. This allows for secure end-devices provisioning without network lock-in and knowing beforehand which network the end-user will select," Giezeman elaborates. "No need for keeping several SKUs any longer. Manufacturers only need to provide the keys to the end-device in one safe place. After selling the device, the buyer uses a one-click device claiming procedure to transfer ownership in the Join Server. Subsequently the owner can configure the device to any LoRaWAN compliant network."

The company has confirmed a range of partners on the effort, which is live now for The Things Industries and The Things Network users alongside customers of IoT specialist Senet. The service also supports Microchip's ATECC608A security chip, using the secure element to store pre-provisioned authentication keys for The Things Enterprise Stack.

More information, along with an email address to apply to join the Global Join Server ecosystem, can be found on Giezeman's LinkedIn post.