I’m considering rolling out gateways to cover major New Zealand cities and using the public TTN network so as to share coverage for anyone to use.
I’d like to make it real simple for people to be able to add devices/sensors using a phone to scan a QR code or something to add it to their account and monitor smoke alarms, contact sensors, PIR sensors and temperature etc. An easy way for people to set “Away” and “Home” in an alarm-style setting.
I’m wondering about creating an app EUI and then preloading all the sensors into the app so they are registered (then, for users to link to that from a third-party system I will create, they scan the QR of the EUI to retrieve data from the sensors). Is there any security risk from multiple people being in the same app EUI?
Is anyone possibly aware of a system already like this out there to make my life easier?
The plan here is for a not for profit solution.
Hi @icepicknz, I use a number of commercial LoRaWAN sensors in agricultural work. Several of the sensor vendors also have their own analytics platforms. The vendors register all their devices onto their application in the LoRaWAN network. When you buy a sensor you open an account on their analytics platform and install their app on your mobile phone and scan the QR codes on the sensors to claim the sensor. Usually the mobile phone app also uses GPS to locate the sensor.
This works very well and, per your question, I believe the LoRaWAN part is fully secure.
If the QR code holds an EUI, then I assume that’s the DevEUI, not the (possibly shared) AppEUI. But even then: hardware-assigned EUIs are not random, so you’ll surely need some additional security to ensure people can only register and see their own device(s), and not guess the DevEUI of other devices.
For example, use random non-hardware EUIs, or add some signature to the DevEUI in the QR code, or create random non-EUI QR codes and link those to the devices you know. You could even put all OTAA details (DevEUI, AppEUI and AppKey) into the QR code, but then make sure not to put the QR code on the device itself as people tend to leave that in place, exposing the secrets.
While using a single AppEUI indeed works, I feel it would be really nice to allow buyers to use the device without your platform. For that, I’d say that each device needs its own AppEUI. You can add as many AppEUIs to an application as you like. (At least: I don’t think there’s a limit.)
Of course, if a user tells you they want to use the device themselves, then you’d need to remove the AppEUI and the device from the TTN application of your service, and provide them with the DevEUI, AppEUI and AppKey. You could also not pre-register the devices at all, but only register one as soon as they scan the QR code and indicate they want to use your services. (Assuming they did not register the device themselves already.) That would even allow them to register DIY devices, if you’d allow that.
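As an added illustration of the signed-DevEUI suggestion above (example code written for this thread, not from the original posts, from TTN, or from any vendor platform): the server keeps a signing key only it holds, puts the DevEUI plus its HMAC tag in the QR code, and refuses a claim whose tag does not verify or whose device is already owned. The key, the claim-code format and the in-memory registry are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side signing key (an assumption; nothing in the thread names one).
CLAIM_SECRET = secrets.token_bytes(32)

def _tag(dev_eui: str, secret: bytes) -> bytes:
    # 128-bit truncated HMAC-SHA256 over the DevEUI; only the server holds the key.
    return hmac.new(secret, dev_eui.encode(), hashlib.sha256).digest()[:16]

def make_claim_code(dev_eui: str, secret: bytes = CLAIM_SECRET) -> str:
    """Build the QR payload '<DevEUI>.<tag>' at labelling time.
    A neighbouring hardware-assigned EUI will not carry a valid tag."""
    eui = dev_eui.upper()
    tag = base64.urlsafe_b64encode(_tag(eui, secret)).decode().rstrip("=")
    return f"{eui}.{tag}"

def verify_claim_code(code: str, secret: bytes = CLAIM_SECRET) -> Optional[str]:
    """Return the DevEUI if the tag verifies, otherwise None."""
    eui, sep, tag_b64 = code.partition(".")
    eui = eui.upper()
    if not sep or len(eui) != 16 or any(c not in "0123456789ABCDEF" for c in eui):
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except ValueError:
        return None
    # Constant-time comparison so timing does not leak how many bytes matched.
    return eui if hmac.compare_digest(tag, _tag(eui, secret)) else None

def claim_device(code: str, user_id: str, registry: Dict[str, str],
                 secret: bytes = CLAIM_SECRET) -> bool:
    """Bind a device to the first user presenting a valid code; later claims fail.
    `registry` maps DevEUI -> owning user and stands in for the platform's database."""
    eui = verify_claim_code(code, secret)
    if eui is None or eui in registry:
        return False
    registry[eui] = user_id
    return True

if __name__ == "__main__":
    # Constructed sample DevEUI, not a real device.
    code = make_claim_code("AABBCCDD00000001")
    owners: Dict[str, str] = {}
    print(code, claim_device(code, "alice", owners), claim_device(code, "bob", owners))
```

Printing the QR code on the device itself still exposes the code to anyone handling the hardware, so it belongs on a separate card in the box, as the reply above suggests.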