Warning, long message
As (part) author of a packet forwarder I know a thing or two about the software on the average gateway. Most gateways (not the TTN one) are Linux-based and from a network point of view have all the security issues associated with a Linux system. Some have a secured Linux implementation, some haven’t (home-built ones based on a Raspberry Pi that are not resin.io-based might not be secure, as none of the popular setup guides mention securing the gateway).
The TTN gateway uses a dedicated software build that only runs a packet forwarder, NTP, DHCP client and wireless access point (no operating system). The wireless access point runs when the gateway is not connected to a WLAN, which is the case when the gateway is using wired LAN (and in case of software issues). When the access point is running, anyone within range can connect to it and attempt to hack the gateway.
The gateway also automatically downloads and installs software from TTN when available, another possible attack vector. (Build a malicious image, reroute DNS, and 24 hours later a gateway is compromised.)
When it comes to the packet forwarder being hackable through LoRaWAN, that is very unlikely. The payload data received by the Semtech chipset and some metadata are combined in an IP packet and forwarded to the back-end. The payload data is not processed by the packet forwarder in any way (it can’t process the payload because the encryption keys for the payload are unknown at gateway level). For the reverse path, an IP packet is unwrapped and the data is transmitted at the time and frequency specified in the metadata of that packet (the data is encrypted as well, so the gateway can’t modify/process it).
I’m using a perimeter firewall for my office network with a few systems in a DMZ (mail and web servers); my LoRaWAN gateways (yes, multiple) are connected to the internal network. No one will be able to access them from the outside, as the firewall will stop that traffic. The risk is someone running software within the network, for instance a malicious website you open on your desktop/laptop that scans the network and compromises any device it is able to, possibly including the gateway. I accept that risk at the moment. To mitigate the risk you can connect the gateway (and any other IoT device) to a separate segment, not the DMZ segment, as in most cases that will have some system accepting traffic from the open internet (like a mail server or, in a domestic environment, a game server), which is by definition vulnerable.
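The uplink and downlink wrapping described in the post, as an added example: this is not code from the post's author or from any packet forwarder project. It assumes the Semtech UDP packet-forwarder protocol (version 2: a small binary header followed by JSON with base64-encoded frames) and uses a constructed gateway EUI and constructed LoRaWAN-shaped frames; nothing here is captured from a real device. The point it demonstrates is that the forwarder only adds and reads radio metadata and hands the frame bytes through untouched in both directions.

```python
import base64
import json
import os
import struct
from typing import Optional

# Datagram identifiers of the Semtech UDP packet-forwarder protocol (assumed here;
# the post does not name the protocol it describes).
PROTOCOL_VERSION = 2
PUSH_DATA = 0x00   # gateway -> server: received frames plus rx metadata
PUSH_ACK = 0x01    # server -> gateway: acknowledges a PUSH_DATA
PULL_DATA = 0x02   # gateway -> server: keep-alive that opens the downlink path
PULL_RESP = 0x03   # server -> gateway: one frame to transmit plus tx metadata
TX_ACK = 0x05      # gateway -> server: result of a PULL_RESP
WITH_EUI = {PUSH_DATA, PULL_DATA, TX_ACK}  # headers that carry the 8-byte gateway EUI

# Constructed sample data (not from a real gateway or network).
GATEWAY_EUI = bytes.fromhex("B827EBFFFE0A1B2C")
# LoRaWAN-shaped frames: MHDR, DevAddr, FCtrl, FCnt, FPort, FRMPayload, MIC. The forwarder
# never interprets these fields; they only make the round trip realistic.
UPLINK_FRAME = bytes.fromhex("4044332211800100" "01DEADBEEFCAFE" "01020304")   # 19 bytes
DOWNLINK_FRAME = bytes.fromhex("6044332211800200" "010BADF00D" "05060708")     # 17 bytes


def rxpk_for_frame(raw_frame: bytes, tmst: int, freq_mhz: float, datr: str,
                   rssi: int, lsnr: float) -> dict:
    """Gateway side: radio metadata for one received frame plus the frame as base64."""
    return {
        "tmst": tmst, "chan": 0, "rfch": 0, "freq": freq_mhz, "stat": 1,
        "modu": "LORA", "datr": datr, "codr": "4/5", "rssi": rssi, "lsnr": lsnr,
        "size": len(raw_frame),
        "data": base64.b64encode(raw_frame).decode("ascii"),  # opaque: no keys at the gateway
    }


def txpk_for_frame(raw_frame: bytes, tmst: int, freq_mhz: float, datr: str, powe: int) -> dict:
    """Server side: tx metadata for one downlink frame plus the frame as base64."""
    return {
        "imme": False, "tmst": tmst, "freq": freq_mhz, "rfch": 0, "powe": powe,
        "modu": "LORA", "datr": datr, "codr": "4/5", "ipol": True,
        "size": len(raw_frame), "data": base64.b64encode(raw_frame).decode("ascii"),
    }


def build_push_data(gateway_eui: bytes, rxpks: list, token: Optional[bytes] = None) -> bytes:
    """Gateway side: wrap rxpk entries in a PUSH_DATA datagram for the back-end."""
    if len(gateway_eui) != 8:
        raise ValueError("gateway EUI must be 8 bytes")
    token = os.urandom(2) if token is None else token
    header = struct.pack("!B2sB8s", PROTOCOL_VERSION, token, PUSH_DATA, gateway_eui)
    return header + json.dumps({"rxpk": rxpks}, separators=(",", ":")).encode("utf-8")


def build_pull_resp(token: bytes, txpk: dict) -> bytes:
    """Server side: wrap one txpk in a PULL_RESP datagram (this header carries no EUI)."""
    header = struct.pack("!B2sB", PROTOCOL_VERSION, token, PULL_RESP)
    return header + json.dumps({"txpk": txpk}, separators=(",", ":")).encode("utf-8")


def parse_datagram(datagram: bytes):
    """Split a datagram into (identifier, token, gateway EUI or None, decoded JSON or None)."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte protocol header")
    version, token, ident = datagram[0], datagram[1:3], datagram[3]
    if version != PROTOCOL_VERSION:
        raise ValueError(f"unsupported protocol version {version}")
    if ident in WITH_EUI:
        if len(datagram) < 12:
            raise ValueError("datagram lacks the gateway EUI")
        eui, body = datagram[4:12], datagram[12:]
    else:
        eui, body = None, datagram[4:]
    return ident, token, eui, (json.loads(body.decode("utf-8")) if body else None)


def frames_from_push_data(datagram: bytes) -> list:
    """Back-end side: recover the raw frames a gateway forwarded (the server holds the keys)."""
    ident, _token, _eui, payload = parse_datagram(datagram)
    if ident != PUSH_DATA:
        raise ValueError("not a PUSH_DATA datagram")
    frames = []
    for rxpk in (payload or {}).get("rxpk", []):
        frame = base64.b64decode(rxpk["data"], validate=True)
        if len(frame) != rxpk["size"]:
            raise ValueError("rxpk size does not match decoded data")
        frames.append(frame)
    return frames


def tx_job_from_pull_resp(datagram: bytes) -> dict:
    """Gateway side: unwrap a PULL_RESP into what the radio needs; the frame is passed through."""
    ident, _token, _eui, payload = parse_datagram(datagram)
    if ident != PULL_RESP:
        raise ValueError("not a PULL_RESP datagram")
    txpk = payload["txpk"]
    frame = base64.b64decode(txpk["data"], validate=True)
    if "size" in txpk and txpk["size"] != len(frame):
        raise ValueError("txpk size does not match decoded data")
    return {"frame": frame, "tmst": txpk["tmst"], "freq": txpk["freq"],
            "datr": txpk["datr"], "codr": txpk.get("codr", "4/5"), "powe": txpk.get("powe")}
```

Two practical consequences follow from this shape. First, everything the gateway touches is either a fixed binary header or JSON metadata, so the parsing surface exposed to a LoRaWAN sender is the frame length and nothing else; the frame bytes themselves are base64-copied. Second, the forwarder only ever needs outbound UDP to the back-end (the conventional default port is 1700) plus NTP and DHCP, which is exactly the allow-list to configure on the separate IoT segment the post recommends: no inbound connections and no access to the internal LAN. The protocol itself carries no authentication beyond the gateway EUI in the header, which is one more reason to keep that segment isolated.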