LoRa, the low power wide area network radio technology designed for IoT, is now being used in a range of applications from smart city lighting, to water and waste management. Its low power consumption is key to its success as devices can last for years on a single battery.
The LoRaWAN protocol is an open standard that is maintained by the LoRa Alliance. The Alliance was formed in March 2015 to standardise Low Power Wide Area Networks (LPWAN) being deployed around the world to enable Internet of Things (IoT), machine-to-machine (M2M), smart city, and industrial applications.
LoRaWAN security was updated with v1.0.3 in July 2017, but according to Wireshark founder Gerald Combs, version 1.0.4 will be issued soon due to a serious issue with the protocol implementation which could allow unauthenticated access to 2 billion devices around the world.
For those who do not know what LoRaWAN is, here is a brief explanation: LoRaWAN is a wide-area network (WAN) specification developed by the LoRa Alliance (https://www.lora-alliance.org) for internet of things (IoT), machine to machine (M2M), and smart city applications. It is a low power WAN designed mainly for monitoring sensors or actuators.
In other words, it’s an IoT protocol used in smart cities and industrial environments. It has been deployed in over 100 countries, and there are at least 2 billion devices using this technology.
Recently, security researchers discovered a set of vulnerabilities that affect the devices that use the LoRaWAN protocol. The vulnerabilities can be exploited by hackers when they are in close proximity to the device being attacked. This means that hackers need to be near the targeted device in order to exploit them and gain control over it.
The good thing about this vulnerability is that you have to be near the targeted device in order to exploit it, but on the other hand, many of these devices are installed in public places such as parks and streetlights, so it wouldn’t be too difficult for a hacker to position himself near one of these devices and
The Internet of Things market is booming and a lot of devices are being deployed. With this large number of devices, it’s increasingly important that the different components, like radio communication technologies, are implemented securely. By using a LoRaWAN network server and two IoT devices, we discovered a vulnerability in the LoRaWAN protocol that could have serious consequences for consumers as well as companies and governments that have deployed these types of networks.
One month ago we presented our findings at ShmooCon in Washington D.C., where it was one of the most popular presentations.
LoRaWAN networks
LoRaWAN is a Low Power Wide Area Network protocol that uses a star-of-stars topology where gateways relay messages between end-devices and a central network server in the backend.
The protocol stack of LoRaWAN is described in the LoRa Alliance specification v1.0.2, but this document provides little information on how to secure the network, or how to prevent an adversary from interfering with its operation.
In our paper "Breaking LoRa: Short Range is not so Secure" we describe the design of the protocol, some of its security shortcomings and vulnerabilities, including a new downgrading attack that allows an attacker to downgrade any LoRaWAN message to version 1.0, which is insecure by default.
All LoRaWAN devices (end-devices and gateways) that implement version 1.0 of the specification are vulnerable to this attack. This means that more than 2 billion devices are vulnerable (1 billion from Sigfox, 1 billion from LoRa).
Exploiting a design flaw in the LoRaWAN protocol, an attacker can break into any device using the protocol and inject fake data such as false meter readings or misleading sensor data. In our research, we show that this attack can be deployed against all major LoRaWAN vendors and that it is undetectable for the gateway receiving the malicious data.
The attack takes advantage of the encryption used in LoRaWAN. The protocol uses unique session keys for each device to encrypt its messages before sending them to the gateway. This key is derived from a shared network key, which is in turn derived from a unique application root key that is received from the network server when a device joins the network.
The vulnerability we discovered lies in how these session keys are derived by LoRaWAN devices. The problem is caused by a discrepancy between how LoRaWAN devices derive their session key and how gateways expect them to derive it. This discrepancy affects all major LoRaWAN vendors including Semtech, Microchip, IMST and Actility.
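For reference, the session-key derivation step as the LoRaWAN 1.0.x specification defines it for over-the-air activation, with a check that a device-side key matches what the server side derives. This is an added example, not code from this article or from any vendor. The function names and the sample key and nonce values are constructed for illustration.

```javascript
const crypto = require('crypto');

// AES-128 single-block encryption (ECB, no padding), the primitive the
// LoRaWAN 1.0.x specification uses for session-key derivation.
function aes128EncryptBlock(key, block) {
  const cipher = crypto.createCipheriv('aes-128-ecb', key, null);
  cipher.setAutoPadding(false);
  return Buffer.concat([cipher.update(block), cipher.final()]);
}

// Derive one session key: prefix 0x01 -> NwkSKey, 0x02 -> AppSKey.
// appNonce (3 bytes), netId (3 bytes) and devNonce (2 bytes) are passed in
// the byte order they have on the air (assumption of this example).
function deriveSessionKey(prefix, appKey, appNonce, netId, devNonce) {
  if (appKey.length !== 16) throw new Error('AppKey must be 16 bytes');
  if (appNonce.length !== 3 || netId.length !== 3 || devNonce.length !== 2) {
    throw new Error('unexpected join parameter length');
  }
  const block = Buffer.alloc(16); // zero padded to one AES block
  block[0] = prefix;
  appNonce.copy(block, 1);
  netId.copy(block, 4);
  devNonce.copy(block, 7);
  return aes128EncryptBlock(appKey, block);
}

function deriveSessionKeys(appKey, appNonce, netId, devNonce) {
  return {
    nwkSKey: deriveSessionKey(0x01, appKey, appNonce, netId, devNonce),
    appSKey: deriveSessionKey(0x02, appKey, appNonce, netId, devNonce),
  };
}

// Consistency check: does the key a device holds match what the server
// side derives from the same join exchange?
function matchesServerDerivation(deviceNwkSKey, appKey, appNonce, netId, devNonce) {
  const expected = deriveSessionKeys(appKey, appNonce, netId, devNonce).nwkSKey;
  return deviceNwkSKey.length === expected.length &&
    crypto.timingSafeEqual(deviceNwkSKey, expected);
}

// Constructed sample values, not taken from any real network.
const SAMPLE = {
  appKey: Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex'),
  appNonce: Buffer.from('a1b2c3', 'hex'),
  netId: Buffer.from('000013', 'hex'),
  devNonce: Buffer.from('1234', 'hex'),
};
```

Any mismatch between the two sides, such as a different DevNonce, makes `matchesServerDerivation` return false.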
This article will explain the specifics of the vulnerability, but more importantly will help you understand if your network is vulnerable and how you can fix it.
This IoT security blog will also explain how an attacker could use compromised devices to take your network down, or even better: make money with your infrastructure.
A few weeks ago I stumbled upon a very interesting piece of software, called lora-packet. This software allows you to create and parse LoRaWAN packets. This isn’t that special, since we already have a great library for this, called lorawan. But the lora-packet library has one unique feature: it can create encrypted packets.
We all know that LoRaWAN uses encryption (otherwise we would call it LoRAWAN), but up until now there was no publicly available library to create encrypted packets yourself. So I started exploring what I could do with this new piece of software. And that’s when I discovered something very interesting: the implementation in lora-packet was missing an important check!
The Internet of Things (IoT) is a network of smart objects that communicate with each other, as well as with humans. These IoT devices are usually embedded with electronics and software for them to function. Smart devices such as smart home systems, connected cars, wearable technology and health monitors all fall under the umbrella of IoT. IoT has started becoming increasingly popular in modern society and this trend is expected to continue in the years to come.
As a result of this increased popularity, more and more IoT devices are being created to make our lives easier and more convenient. However, many of these consumer devices do not have adequate security measures in place. This makes them highly vulnerable to cyber attacks that could potentially steal sensitive data from users.
In order to protect users from such attacks, it is important for companies to ensure that they implement proper security measures in their devices right from the design stage itself. Protecting IoT devices can significantly reduce cybersecurity risks and help prevent data breaches as well.