Hi, I’m a beginner with LoRa, just playing around with my own gateway setup.
OTAA seems like it’s obviously the slickest way to go; however, I’m not sure I completely understand whether it’s secure.
AFAICT, there can’t be any shared secret between the LoRa node and server ahead of time, and keys are generated by exchanging the AppKey, AppEUI, DevEUI and nonces generated by the node and server “over the air”. I haven’t seen anything to say that these data are in any way encrypted in transit.
Therefore, if a device performs an Over the Air join, and an eavesdropper is monitoring that channel, is it possible for that eavesdropper to learn the device secrets and/or NwkSKey and AppSKey?
If so, this seems like a potential security concern for new devices joining the network or if devices can be forced to re-join (or re-join periodically based on implementation).