The joining procedure creates mutual authentication between an end-device and the LoRaWAN network to which it is linked. Two joining procedures are used to connect the end-devices to the servers. There are Activation By Personalization (ABP) and Over-The-Air Activation (OTAA). Among them, OTAA procedure is the more secure. It provides a more flexible and secure way to establish session keys with the network servers. In OTAA, authentication is required for devices using two diferent keys for each device that are generated each time the device joins the network: Network session Key (NwkSKey) and the Application session Key (AppSKey). Using two diferent keys makes it is more dificult to tamper with or read application data, even if one of the keys has been compromised. These keys are generated during the two root keys (NwkKey and AppKey) design. The ABP procedure is not so secure as the end-devices are directly connected to the network without join request and join-accept procedures [ 1 ]. Indeed, instead of key generation during each section, the Network section Key and the App section Key are directly defined and stored in the device. This ABP method presents vulnerabilities. By modifying these keys, communications between the device, the gateway and the network server can be seen or intercepted by anyone if the device is connected to the gateway and Network Server. Let us note that the Network section Key and the Application section Key are generated using the same root Key in LoRaWAN v1.0 whereas in LoRaWAN v1.1 the application root key is diferent from the Network root key. The AppKey and NwkKey are generated using the AES-128-bit encryption method. These keys are specific to each end-device and embedded into the end-device during its fabrication. A Message Integrity Code (MIC) is computed once the encryption is done and is calculated over all the Message Authentication Code (MAC). It ensures the integrity of the message. MAC is used to check the messages and the authentication, ensuring that the integrity of the data has not been altered during transmission. The integrity is protected hop-by-hop. LoRaWAN exploits various methods for generating the MIC depending on the direction of the message, uplink, or downlink [ 4 ]. The MIC check is performed on the data to avoid data tampering without the Network section key (NwkSKey). Table 1 presents the comparison of OTAA and ABP procedures. Three kinds of operation for devices are defined in LoRaWAN: class A, class B, and class C. All end-devices must support class A operation. class A device can not receive signal from the gateway if an uplink transmission has not been yet transmitted. It represents the device class in which the end-device spends more time in sleep mode. Only two receive windows are scheduled for down-link messages reception. Class B device can be regularly joined without a previous uplink transmission. It ofers regularly-scheduled, ifxed-time opportunities for an end-device to receive downlink messages from the gateways, allowing class B enddevices convenient for sensors and actuators monitoring. Class C device can always be joined. It is always listening for downlink messages, unless they are transmitting uplink messages. Like class A device, class C device implements the same two receive windows, but it does not close the second reception window until it sends the next transmission back to the network server. The class C device is a power consuming device compared to the class B device which in turn consumes more energy than the class A device [ 1 ] (cf Fig. 2).

Network security vulnerabilities are weaknesses within the system’s software, hardware, or organizational processes. Their can be either non-physical or physical. The main vulnerabilities of LoRaWAN are: the long times communication induced by Long Range transmission, the coexistence problem of LoRa, and backward compatibility challenges. • Long times communication induced by Long Range transmission Spreading Factor (SF) is a parameter used in spread spectrum modulation techniques like Long Range (LoRa) modulation, to control the spreading of a signal over a wider bandwidth. The larger SF is, the longer the distance the device can receive or transmit. Eight Spreading Factor (SF5, SF6, SF7, SF8, SF9, SF10, SF11 and SF12) are used in LoRa transmissions whereas in LoRaWAN six SF are used (SF7 to SF12). The elapsed time on air of a LoRaWAN messages increases with the Spreading Factor (SF) and then the transmission distance. Indeed, the time on air increases with the symbol transmission time ( ) (1). The symbol transmission time is defined by the formula (2). For a fixed bandwidth, the symbol transmission time increases with the spreading factor value (cf Fig. 3). In particular, symbol duration increases by a factor of 2 from one SF to the next. As shown on this figure, the start frequency (low frequency) is the channel frequency (center frequency) minus the channel bandwidth divided by two. The ifnal frequency (high frequency) is the channel frequency plus the channel bandwidth divided by two. − − = = ℎ 2 × (1) (2) As high SF (up to SF12) is required for the network edge end-devices to communicate with the gateway, a mock device can intercept messages or falsify packets intended for the gateway. Furthermore, there is no time-related information in LoRaWAN packet. As LoRaWAN packet structure does not include any time-based signature or data to validate the time of

the message, this vulnerability is used to employ a wormhole attack. • Coexistence problem of LoRa

LoRa transmission is sensible to interference issues such as interference from Cellular Networks (Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), and Long Term Evolution (LTE)) (which can make less sensitive LoRa receivers, making it hard to receive weak signals) and In-Band and Out-of-Band interference [ 5 ]. In-band interference occurs when other devices operate on the same or adjacent channels, while out-of-band interference comes from strong signals outside the useful band. When LoRa transmissions are performed at the same frequency using the same spreading factor in the same area (In-Band interference), they can interfere with each other. This LoRa physical Layer vulnerability can be exploited for jamming attack as this transmission is performed using unlicensed spectrum. • Backward compatibility challenges

Backward compatibility problems occur when a newer version of a software or hardware system is not able to work with the data or functionality of an older version. In LoRaWAN security case, LoRaWAN v1.1 aims to improve security, but it may be dificult to ensure backward compatibility with devices using earlier versions (v1.0). In fact, the Network Server is responsible for deciding which protocol version to exploit and chooses the highest common version between itself and the End-Device (ED). As LoRaWAN v1.0 presents more security weaknesses than LoRaWAN v1.1, the backward compatibility ofered by the evolved version could constitute a vulnerability. • Jamming attack

Radio Jamming attack consists in disrupting the LoRa radio transmission by transmitting a powerful radio signal in the proximity of application devices. It is possible to jam LoRa messages using well timed malicious transmissions. This attack is usually performed using a dedicated hardware (ie Commercialof-the-shelf (COTS)) to jam LoRa devices. There are no real countermeasures to prevent this attack. But network administrators can easily detect jamming when devices transmitting into the network start to disappear. They may then decide to switch to another frequency in the band to avoid the impact of jamming. • Selective jamming attack

Selective jamming constitutes the most sophisticated and eficient jamming technique which could be effective using a COTS hardware by extending the jammer with additional software to target a specific device address [ 2 ]. Selective jamming only jams selected devices or messages. As other devices or messages on the network are not jammed, it can be much more dificult for the network operator or administrator to decide whether an ED is being jammed, or whether some other technical problem has occurred. Then, the countermeasures available for the classical jamming attack are not possible in the case of selective jamming attack. • Replay attack

Replay attack is performed on security protocol by repeating the available data transmitted by malicious entity Fig. 4). Replay attack is an attack on the security protocol that consists in resending captured messages from the end-devices. Its objective is in the Denial of Service of an end-device This attack is possible using the communication frequencies and channels to snif data from transmission between devices (end-devices and Gateways). Predator may intercept and replay legitimate messages, compromising the network’s security. The use of frame counters process helps LoRaWAN network to know if the message is sent by the gateway instead of a malicious device. Indeed, once the end-device is activated, both frame counters (from the end-device and the gateway) are set to 0, and each message coming from the gateway, or the device increments the counters. By this way, if a message is received with a lower frame counter than the last message, it is ignored. But this process could be exploited by attackers to produce a Denial of Service. • Wormhole attacks

A wormhole attack is an attack which can be performed against a LoRaWAN network. This attack consists in packet snifing and replaying them. One malicious device captures the packets from one device and transmits them to another distant located device to replay the captured packet. The two devices which participate to this attack are the snifer and the jammer. The snifer captures packets and, transmits signal to the jammer informing that it apprehended the packet [ 2 ]. By this way, the packet does not reach the gateway and is still active for validation. This packet could be forwarded to the gateway at any time as there is no time related information in LoRaWAN messages. • Eavesdropping

As already presented, LoRaWAN implements channel confidentiality through AES in counter mode, where the block counter value is exploited as an input. During a counter reset, the key will remain in place, meaning that the block cipher will reconstitute the same key material. An attacker can exploit this comportment to decrypt messages. • Bit-Flipping Attack (Man-in-the-Middle, MitM) LoRaWAN messages are encrypted and carry a MIC. But the encryption and the integrity check are managed at diferent locations inside a message frame. The payload encryption is handled by the Application Server, while the MIC is checked and terminated by the infrastructure provider (Network Server (NS)) [ 6 ]. Then, between the infrastructure provider’s network server and the IoT solution provider’s Application Server (AS), the content can not be checked for integrity and authenticity. An attacker can attempt to intercept anywhere between the NS and the AS. This attack can be achieved through a variety of approaches, ranging from routing-based approach, such as Border Gateway Protocol (BGP) Route hijacking or IP source routing, to physical and link layer-based ones, such as a compromised device on the path [ 7 ]. This attack consists in the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using BGP protocol. • Rogue gateway attack

LoRaWAN gateways are obeying relays and then constitute the weakest link of the network. Any kind of security problem on this node would interrupt communication between the end-devices and the servers. One of the attacks faced by LoRaWAN gateways is the use of a rogue gateway that acts like as a legitimate gateway. One can distinguish two kind of attacks: LoRa class B attack (beacon synchronization Denial of Service (DoS) attack) and Impersonation attack.

– Beacon synchronization DoS attack

This attack is a typical malicious gateway attack that use class B device vulnerability. In LoRaWAN, class B beacons received in downlink transmission are not secured by any methods, indicating that an attacker can deploy a malicious gateway to send counterfeit beacons. The result is that class B enddevices will receive messages in windows outof-sync with the malicious gateway. By sending out beacons randomly a malicious gateway could desynchronize an end device from receiving windows of another gateway. This could cause a denial of service, as the legitimate gateway sends messages when the end device is not receiving. To deal with this attack, a key should be exploited by gateways to authenticate beacons communications. – Impersonation attack

Gateways can also be impersonated to create attacks against end-devices. End-devices can be listened to and their network address can be determined. Furthermore, a triangulation method (minimum 3 gateways are required in this case to perform the intended capturing attack the end-device).

Besides the attacks previously presented, there are also network spoofing attack, selective forwarding attack, sinkhole or blackhole attack ... In the following section, a short literature review of papers about LoRaWAN security is presented.