Security firm IOActive has published a white paper claiming that LoRaWAN low-power long-range wireless networks are at risk of attack thanks to sadly common implementation mistakes, and puts forward a selection of open source utilities for finding security flaws.
LoRaWAN networks are growing in popularity and can now be found operating in almost every country in the world, largely thanks to the standard's low power demands and long-range capabilities, proven by a recent world-record transmission distance competition, which make it ideal for running distributed sensor networks and other Internet of Things (IoT) workloads.
"The LoRaWAN protocol is advertised as having 'built-in encryption' making it 'secure by default,'" IOActive's white paper, released just ahead of the LoRaWAN-specific The Things Conference in Amsterdam later this week, explains. "As a result, users are blindly trusting LoRaWAN networks and not paying attention to cyber security; however, implementation issues and weaknesses can make these networks easy to hack. Currently, cyber security vulnerabilities in LoRaWAN networks are not well known, and there are no existing tools for testing LoRaWAN networks or for detecting cyber attacks, which makes LoRaWAN deployments an easy target for attackers."
IOActive's paper details the security features in the LoRaWAN protocol, including improvements introduced in version 1.1, before highlighting potential risks and threats. These range from reverse engineering of captured devices through to offline cracking of LoRaWAN cryptographic keys, allowing for anything from denial of service (DoS) attacks to the transmission of fake data. The paper then walks through attack scenarios in LoRaWAN deployments spanning smart meters, industrial IoT, smart cities, and smart homes.
In mitigation, the company offers an open source package for security auditing and testing of LoRaWAN networks: the LoRaWAN Auditing Framework (LAF). Tools included in the framework can send or fuzz uplink packets, proxy TCP and UDP traffic, brute-force AppKeys, craft custom packets, parse received packets, and generate session keys; the framework also includes data collectors and processors for auditing purposes.