LoRaWAN networks are spreading but security researchers say beware

IOActive security researchers say LoRaWAN networks are vulnerable to cyber-attacks despite boastful claims about the protocol's security features.

LoRaWAN

Security experts have published a report today warning that the new and fast-rising LoRaWAN technology is vulnerable to cyberattacks and misconfigurations, despite claims of improved security rooted in the protocol's use of two layers of encryption.

LoRaWAN stands for "Long Range Wide Area Network." It is a radio-based technology that works on top of the proprietary LoRa protocol. The LoRa protocol was developed to allow companies to connect battery-powered or other low-powered devices to the internet via a wireless connection. LoRaWAN takes the LoRa protocol and allows devices spread across a large geographical area to wirelessly connect to the internet via radio waves.

LoRaWAN is particularly popular with developers of Internet of Things devices. Previously, to connect an IoT or other smart device to the internet, companies had to connect the IoT device to their private internet Wi-Fi network or devices had to ship with a SIM card, allowing the device to use a cellular network to report back to a command server.

LoRaWAN is an alternative to these setups. An IoT device with a LoRaWAN client will broadcast data via radio waves to a nearby LoRaWAN gateway (in most cases, an antenna). The Gateway takes this data and forwards it to an internet server, which then relays the data to an application backend or dashboard.

This type of LoRaWAN setup is often used in the real world. For example, smart parking, smart lighting, traffic management, or weather monitoring devices across a "smart city" use LoRaWAN to report to a central data collection station. Since the protocol works via radio waves instead of relying on Wi-Fi networks or SIM cards, this makes complex IoT setups easier to deploy, as it's easier to install a few radio antennas (gateways) across a small geographical area compared to tens of Wi-Fi routers or thousands of SIM cards.

Due to this low cost approach, LoRaWAN networks are also often used across industrial installations (to report readings from different sensors or SCADA equipment), smart homes (to report alarms, gunshot detections, or home automation tasks across neighborhoods or cities), smart hospitals, smart crop fields, and so on.

But broadcasting data from devices via radio waves is not a secure approach. However, the protocol's creators anticipated this issue. Since its first version, LoRaWAN has used two layers of 128-bit encryption to secure the data being broadcast from devices -- with one encryption key being used to authenticate the device against the network server and the other against a company's backend application.

LoRaWAN scheme

Image: IOActive

In a 27-page report published today, security researchers from IOActive say the protocol is prone to misconfigurations and design choices that make it susceptible to hacking and cyber-attacks.

The company lists several scenarios it found plausible during its analysis of this fast-rising protocol:

  • Encryption keys can be extracted from devices by reverse engineering the firmware of devices that ship with a LoRaWAN module.
  • Many devices come with a tag displaying a QR code and/or text with the device's identifier, security keys, or more.
  • Researchers say the tag is intended to be used in the commissioning process and removed afterward.
  • Some devices may come with hard-coded encryption keys that ship with various open-source LoRaWAN libraries (meant to
    be replaced before deploying the device).
  • Some devices may use easy to guess encryption keys, such as devices, such as AppKey = device identifier + app identifier, or AppKey = app identifier + device identifier.
  • LoRaWAN network servers may be insecure configured or vulnerable to other non-LoRaWAN vulnerabilities, allowing hackers to take over these systems.
  • Vulnerabilities in the protocol design allow for denial of service attack.
  • ... and others

"Organisations are blindly trusting LoRaWAN because it's encrypted, but that encryption can be easily bypassed if hackers can get their hands on the keys - which our research shows they can do in several ways, with relative ease," said Cesar Cerrudo, CTO at IOActive.

"Once hackers have access, there are many things they could potentially do - they could prevent utilities firms from taking smart meter readings, stop logistics companies from tracking vehicles, or prohibit hospitals from receiving readings from smart equipment. In extreme cases, a compromised network could be fed false device readings to cover up physical attacks against infrastructure, like a gas pipeline. Or to prompt industrial equipment containing volatile substances to overcorrect; causing it to break, combust or even explode."

To prevent insecure deployments of LoRaWAN networks, IOActive researchers recommend auditing LoRaWAN devices and networks, but also deploying additional security measures such as monitoring LoRaWAN traffic -- similarly to how companies would treat normal HTTP/HTTPS web traffic.

To aid with the auditing part, the company has released on GitHub an open source LoRaWAN auditing framework named LAF.