=Paper=
{{Paper
|id=Vol-3789/Paper1
|storemode=property
|title=IoT using LoRaWAN: a Security Analysis
|pdfUrl=https://ceur-ws.org/Vol-3789/Paper1.pdf
|volume=Vol-3789
|authors=Anne-Carole Honfoga,Michel Dossou,Véronique Moeyaert
|dblpUrl=https://dblp.org/rec/conf/cita2/HonfogaDM24
}}
==IoT using LoRaWAN: a Security Analysis==
'''IoT using LoRaWAN: a security analysis'''

Anne-Carole Honfoga<sup>1,2,∗,†</sup>, Michel Dossou<sup>2,†</sup> and Véronique Moeyaert<sup>1,†</sup>

<sup>1</sup> Electromagnetism and Telecommunications Department, Faculty of Engineering (FPMs), University of Mons, Mons, Belgium

<sup>2</sup> Research unit in photonics and wireless communications, LETIA/EPAC, University of Abomey-Calavi, Abomey-Calavi, Benin

Cotonou'24: Conférence Internationale des Technologies de l'Information et de la Communication de l'ANSALB, June 27–28, 2024, Cotonou, BENIN. ∗ Corresponding author. † These authors contributed equally. anne-carole.honfoga@umons.ac.be (A. Honfoga); ORCID 0000-0002-0550-2611 (A. Honfoga). © 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073.

'''Abstract'''

Internet of Things (IoT) refers to the process of connecting cyber-physical objects to the Internet, enabling the exchange of data over wireless communication networks with limited human intervention. These communication networks use licensed spectrum or unlicensed spectrum. Instead of the licensed spectrum used by Narrowband Internet of Things (NB-IoT) and Long-Term Evolution for Machines (LTE-M), SigFox, MIoTy and Long Range Wireless Area Network (LoRaWAN) employ unlicensed spectrum for communication between the network entities. Among wireless networks using unlicensed spectrum, LoRaWAN is the most used network in many applications (smart farming, smart building, smart metering), but it presents several vulnerabilities. This paper studies LoRaWAN threats, malicious attacks and the mitigations against those attacks.

'''Keywords:''' IoT, LoRa, LoRaWAN, Network Security, Vulnerability, Attack

===1. Introduction===

Internet of Things (IoT) is an essential element that has revolutionized the Information and Communication Technology (ICT) sector. Over the past decade, it has been the focus of much academic and industrial interest, with the purpose of making buildings, cities, agriculture and the environment smart. This technology refers to the process of connecting cyber-physical objects (machines) to the Internet, enabling the exchange (sending and receiving) of data over wireless communication networks with limited human intervention. These machines are embedded devices with characteristics such as low energy consumption, low computing power, small size, low price and the capacity to communicate within a wireless network. There are many wireless communication networks, classified in terms of energy consumption and communication range. In terms of energy consumption, they can be divided into low-power communication technologies (NFC – Near Field Communication, RFID – Radio Frequency Identifier, Z-Wave, Zigbee, BLE – Bluetooth Low Energy, LTE-M – Long Term Evolution-Machine, NB-IoT – Narrowband IoT, SigFox and LoRaWAN) and high-power communication technologies (Bluetooth, Wi-Fi – Wireless Fidelity, 3G, 4G and 5G). Regarding communication coverage, there are short-range communication networks (< 1 km) (e.g. NFC, RFID, Wi-Fi, Bluetooth, BLE, Z-Wave and Zigbee) and long-range communication networks (1–15 km) (3G, 4G, 5G, LTE-M, NB-IoT, Sigfox and LoRaWAN) [1].

LoRaWAN is a low-cost, low-power and long-range communication network developed to fill a gap in IoT communications. Using this technology, which belongs to the Low Power Wide Area Networks (LPWAN), sensors or actuators can send signals over 5 km in urban areas and up to 15 km in suburban areas. Instead of the licensed spectrum used by LoRaWAN's main competitors (a.k.a. other LPWANs) such as NB-IoT and LTE-M, LoRaWAN employs unlicensed spectrum for communication between the network entities [1]. These advantages allow LoRaWAN to be considered as the technology that is improving the operations of many industrial sectors (e.g. agriculture, environment), as large-scale remote monitoring then becomes possible. However, like any computer network, and particularly any wireless network, this technology suffers from many security problems, which can be defined following the three security criteria: availability, integrity and confidentiality. Many specifications of LoRaWAN have been published since its development by Semtech Corporation [2]. The security of the technology has been improved with each specification version; indeed, the first version presents more vulnerabilities than the latest version, 1.1.

This paper reviews LoRaWAN attacks, vulnerabilities and security measures. It provides a short review and an analysis of LoRaWAN robustness and gives perspectives on improving that robustness. The outline of the paper is as follows: the theoretical background is described (§II), the literature review is presented (§III), and the paper is closed by the conclusion (§IV).

===2. Theoretical background===

====2.1. Introduction to LoRaWAN====

Before explaining the behaviour of the LoRaWAN protocol, let us compare LoRaWAN to the LoRa (Long Range) modulation. LoRa is the modulation type used between two LoRa devices or between a LoRa device and a gateway (cf. Fig. 1). The term LoRaWAN is employed when end-devices can communicate with the LoRaWAN servers. LoRaWAN is the extended version of the LoRa technology which connects end-devices to the network server. It includes the LoRa modulation, which operates at the physical layer of the network. Fig. 1 shows the LoRaWAN topology.

A LoRaWAN network includes three sub-networks: the LoRa radio-frequency network, which presents a star topology; the backhaul network connecting gateways and Network Servers using a mesh or partial-mesh topology; and the backhaul network connecting Network Servers with Join and Application Servers. Beside the two servers (Network Server and Application Server) used in LoRaWAN v1.0, a new server called the Join Server is added in LoRaWAN v1.1 to manage the OTAA (Over-The-Air Activation) procedure more securely. The Join Server has been added to the network to orchestrate in a more secure way the joining procedure used by end-devices (LoRa devices) to join the network. LoRaWAN v1.1 also integrates roaming and mobility techniques for the end-devices by employing extra servers called Join Server (JS), forwarding Network Server (fNS) and serving Network Server (sNS).
Table 1: Comparison of end-device activation procedures
{| class="wikitable"
! OTAA !! ABP
|-
| End-device companies generate the fundamental provisioning parameters. || The commissioning process is simplified and therefore less secure.
|-
| Secure keys can be refreshed regularly, so high-level, tamper-proof security options are accessible. || End-devices and keys are customized during manufacturing.
|-
| End-devices can store various "identities" to change network and operator dynamically and securely over their lifetime. || End-devices become directly operational upon powering up.
|}

Figure 1: Network architecture of LoRaWAN v1.1 [3]

=====2.1.1. End-device joining procedures=====

The joining procedure creates mutual authentication between an end-device and the LoRaWAN network to which it is linked. Two joining procedures are used to connect the end-devices to the servers: Activation By Personalization (ABP) and Over-The-Air Activation (OTAA). Among them, the OTAA procedure is the more secure. It provides a more flexible and secure way to establish session keys with the network servers. In OTAA, authentication is required for devices using two different keys per device, generated each time the device joins the network: the Network Session Key (NwkSKey) and the Application Session Key (AppSKey). Using two different keys makes it more difficult to tamper with or read application data, even if one of the keys has been compromised. These session keys are derived from the two root keys (NwkKey and AppKey). The ABP procedure is less secure, as the end-devices are directly connected to the network without join-request and join-accept procedures [1]. Indeed, instead of generating keys during each session, the Network Session Key and the Application Session Key are directly defined and stored in the device. This ABP method presents vulnerabilities: by modifying these keys, communications between the device, the gateway and the network server can be seen or intercepted by anyone if the device is connected to the gateway and Network Server.

=====2.1.2. Device classes: A, B and C=====

Three kinds of operation are defined for devices in LoRaWAN: class A, class B and class C. All end-devices must support class A operation. A class A device cannot receive a signal from the gateway if an uplink transmission has not yet been sent. It represents the device class in which the end-device spends the most time in sleep mode; only two receive windows are scheduled for downlink message reception. A class B device can be reached regularly without a previous uplink transmission. It offers regularly-scheduled, fixed-time opportunities for an end-device to receive downlink messages from the gateways, which makes class B end-devices convenient for sensor and actuator monitoring. A class C device can always be reached: it is always listening for downlink messages, unless it is transmitting uplink messages. Like a class A device, a class C device implements the same two receive windows, but it does not close the second reception window until it sends the next transmission back to the network server. The class C device is power-consuming compared to the class B device, which in turn consumes more energy than the class A device [1] (cf. Fig. 2).
Note that the Network Session Key and the Application Session Key are generated using the same root key in LoRaWAN v1.0, whereas in LoRaWAN v1.1 the application root key is different from the network root key. The AppKey and NwkKey are generated using the AES-128-bit encryption method. These keys are specific to each end-device and are embedded into the end-device during its fabrication. A Message Integrity Code (MIC) is computed once the encryption is done and is calculated over the whole Message Authentication Code (MAC). It ensures the integrity of the message. The MAC is used to check the messages and the authentication, ensuring that the integrity of the data has not been altered during transmission. Integrity is protected hop-by-hop. LoRaWAN uses different methods for generating the MIC depending on the direction of the message, uplink or downlink [4]. The MIC check is performed on the data to prevent data tampering without the Network Session Key (NwkSKey). Table 1 presents the comparison of the OTAA and ABP procedures.

Figure 2: Power consumption and downlink capabilities [1]

====2.2. Security Analysis====

LoRaWAN security challenges relate to different parts of the network. The main parts are the network entities (gateways, servers and end-devices), the key distribution methods, the network implementation, the roaming techniques integrated in LoRaWAN v1.1, and the backward compatibility challenges. In this section, LoRaWAN vulnerabilities and attacks are presented.

=====2.2.1. LoRaWAN vulnerabilities=====

Network security vulnerabilities are weaknesses within the system's software, hardware or organizational processes. They can be either non-physical or physical. The main vulnerabilities of LoRaWAN are: the long communication times induced by long-range transmission, the coexistence problem of LoRa, and backward compatibility challenges.

'''Long communication times induced by long-range transmission.''' The Spreading Factor (SF) is a parameter used in spread-spectrum modulation techniques such as Long Range (LoRa) modulation to control the spreading of a signal over a wider bandwidth. The larger the SF, the longer the distance over which the device can receive or transmit. Eight spreading factors (SF5, SF6, SF7, SF8, SF9, SF10, SF11 and SF12) are used in LoRa transmissions, whereas in LoRaWAN six are used (SF7 to SF12). The time on air of a LoRaWAN message increases with the spreading factor and hence with the transmission distance. Indeed, the time on air increases with the symbol transmission time (<math>T_{\text{symbol}}</math>) (1), and the symbol transmission time is defined by formula (2). For a fixed bandwidth, the symbol transmission time increases with the spreading factor value (cf. Fig. 3); in particular, the symbol duration doubles from one SF to the next. As shown in this figure, the start frequency (low frequency) is the channel frequency (centre frequency) minus half the channel bandwidth, and the final frequency (high frequency) is the channel frequency plus half the channel bandwidth.

<math>\text{Time-on-Air} = n_{\text{symbol}} \times T_{\text{symbol}}</math> (1)

<math>T_{\text{symbol}} = \frac{2^{SF}}{\text{Bandwidth}}</math> (2)

Figure 3: Symbol transmission time [1]

As a high SF (up to SF12) is required for the end-devices at the network edge to communicate with the gateway, a mock device can intercept messages or falsify packets intended for the gateway. Furthermore, there is no time-related information in a LoRaWAN packet. As the LoRaWAN packet structure does not include any time-based signature or data to validate the time of the message, this vulnerability is used to mount a wormhole attack.

'''Coexistence problem of LoRa.''' LoRa transmission is sensitive to interference issues such as interference from cellular networks (Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS) and Long Term Evolution (LTE)), which can desensitize LoRa receivers and make it hard to receive weak signals, and in-band and out-of-band interference [5]. In-band interference occurs when other devices operate on the same or adjacent channels, while out-of-band interference comes from strong signals outside the useful band. When LoRa transmissions are performed at the same frequency using the same spreading factor in the same area (in-band interference), they can interfere with each other. This LoRa physical-layer vulnerability can be exploited for a jamming attack, as the transmission is performed using unlicensed spectrum.

'''Backward compatibility challenges.''' Backward compatibility problems occur when a newer version of a software or hardware system is not able to work with the data or functionality of an older version. In the LoRaWAN security case, LoRaWAN v1.1 aims to improve security, but it may be difficult to ensure backward compatibility with devices using earlier versions (v1.0). In fact, the Network Server is responsible for deciding which protocol version to use and chooses the highest common version between itself and the End-Device (ED). As LoRaWAN v1.0 presents more security weaknesses than LoRaWAN v1.1, the backward compatibility offered by the evolved version could constitute a vulnerability.
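Equations (1) and (2) worked through in code, as an added example that is not code from the paper. It implements only the two formulas and the channel-edge rule stated above, takes the number of symbols in a frame as a given input (the paper gives no formula for it), and uses 125 kHz and a centre frequency of 868.1 MHz as sample values chosen for the illustration.

```python
"""Symbol time and time-on-air from equations (1) and (2) of the paper.

Added example, not code from the paper. n_symbol is an input here; the
paper only states that Time-on-Air = n_symbol * T_symbol.
"""

LORAWAN_SFS = range(7, 13)  # SF7..SF12, the six spreading factors used by LoRaWAN


def symbol_time(sf: int, bandwidth_hz: float) -> float:
    """Equation (2): symbol duration in seconds, T_symbol = 2^SF / Bandwidth."""
    if not 5 <= sf <= 12:
        raise ValueError("LoRa spreading factors range from SF5 to SF12")
    if bandwidth_hz <= 0:
        raise ValueError("bandwidth must be positive")
    return (2 ** sf) / bandwidth_hz


def time_on_air(n_symbol: int, sf: int, bandwidth_hz: float) -> float:
    """Equation (1): air time in seconds of a frame made of n_symbol symbols."""
    if n_symbol < 0:
        raise ValueError("n_symbol must be non-negative")
    return n_symbol * symbol_time(sf, bandwidth_hz)


def channel_edges(center_hz: float, bandwidth_hz: float) -> tuple[float, float]:
    """Low and high frequency of a channel: centre minus / plus half the bandwidth."""
    half = bandwidth_hz / 2
    return center_hz - half, center_hz + half


def symbol_time_table(bandwidth_hz: float = 125_000.0) -> dict[int, float]:
    """Symbol time in milliseconds for each LoRaWAN SF at the given bandwidth."""
    return {sf: symbol_time(sf, bandwidth_hz) * 1e3 for sf in LORAWAN_SFS}


def doubling_ratios(bandwidth_hz: float = 125_000.0) -> list[float]:
    """Ratio T_symbol(SF+1) / T_symbol(SF); the text says it is 2 at every step."""
    table = symbol_time_table(bandwidth_hz)
    return [table[sf + 1] / table[sf] for sf in LORAWAN_SFS if sf + 1 in table]


if __name__ == "__main__":
    for sf, ms in symbol_time_table().items():
        print(f"SF{sf}: T_symbol = {ms:.3f} ms at 125 kHz")
    lo, hi = channel_edges(868_100_000, 125_000)  # sample centre frequency
    print(f"channel edges: {lo / 1e6:.4f} MHz .. {hi / 1e6:.4f} MHz")
    print(f"100-symbol frame at SF12: {time_on_air(100, 12, 125_000):.3f} s")
```

Running the table makes the security point concrete: at 125 kHz a symbol lasts about 1 ms at SF7 but about 33 ms at SF12, so a frame from a far-edge device stays on air tens of times longer and is correspondingly easier to observe or disturb.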
=====2.2.2. LoRaWAN attacks=====

'''Jamming attack.''' A radio jamming attack consists in disrupting the LoRa radio transmission by transmitting a powerful radio signal in the proximity of the application devices. It is possible to jam LoRa messages using well-timed malicious transmissions. This attack is usually performed using dedicated hardware (i.e. Commercial-off-the-shelf (COTS) hardware) to jam LoRa devices. There are no real countermeasures to prevent this attack, but network administrators can easily detect jamming when devices transmitting into the network start to disappear. They may then decide to switch to another frequency in the band to avoid the impact of the jamming.

'''Selective jamming attack.''' Selective jamming constitutes the most sophisticated and efficient jamming technique; it can be effective using COTS hardware by extending the jammer with additional software to target a specific device address [2]. Selective jamming only jams selected devices or messages. As other devices or messages on the network are not jammed, it can be much more difficult for the network operator or administrator to decide whether an ED is being jammed or whether some other technical problem has occurred. The countermeasures available for the classical jamming attack are therefore not applicable to the selective jamming attack.
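The detection symptom given for both jamming variants, devices that used to report regularly disappearing from the network, as an added example that is not code from the paper. It assumes a Network Server uplink log with one line per received frame in the form "<epoch seconds> <DevAddr> <frequency MHz>"; that log format, the DevAddr values, the sample lines and the thresholds (three missed reporting periods, half of the fleet) are all constructed for this example and would be tuned in a real deployment.

```python
"""Flag devices that fall silent and tell fleet-wide silence from isolated silence.

Added example, not code from the paper. Log format, device addresses and
thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed device addresses used in the sample logs.
DEVICES = ("26011BDA", "26011BDB", "26011BDC")


def constructed_log(survivors, cutoff=300, end=600, period=60):
    """Build sample log lines: every device reports each `period` seconds up to
    `cutoff`; after that only the `survivors` keep reporting until `end`."""
    lines = []
    for t in range(0, end, period):
        for addr in DEVICES:
            if t <= cutoff or addr in survivors:
                lines.append(f"{t} {addr} 868.1")
    return "\n".join(lines)


def parse_log(text):
    """Group uplink timestamps per DevAddr; malformed lines are skipped."""
    uplinks = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        uplinks[parts[1]].append(ts)
    return dict(uplinks)


def assess(uplinks, now, period_s, missed=3, fleet_fraction=0.5):
    """Devices silent for more than `missed` reporting periods are flagged.

    Broad silence matches the text's 'devices start to disappear' and points
    to jamming of the channel; isolated silence needs per-device investigation,
    because selective jamming and a plain device fault look the same here."""
    silent = sorted(addr for addr, ts in uplinks.items()
                    if now - max(ts) > missed * period_s)
    active = sorted(set(uplinks) - set(silent))
    if not uplinks:
        verdict = "no data"
    elif not silent:
        verdict = "no loss"
    elif len(silent) / len(uplinks) >= fleet_fraction:
        verdict = ("broad silence: jamming of the channel suspected, "
                   "consider moving to another frequency")
    else:
        verdict = ("isolated silence: selective jamming or device fault, "
                   "investigate per device")
    return {"silent": silent, "active": active, "verdict": verdict}


if __name__ == "__main__":
    scenarios = (("broad", {"26011BDA"}), ("selective", {"26011BDA", "26011BDB"}))
    for label, survivors in scenarios:
        report = assess(parse_log(constructed_log(survivors)), now=600, period_s=60)
        print(label, report)
```

The two constructed scenarios show the asymmetry the text describes: when two of three devices vanish at once the verdict is channel-wide and the operator's frequency change is the natural response, but when a single device vanishes while its neighbours keep reporting, the log alone cannot separate selective jamming from a dead battery, which is exactly why the classical countermeasure does not carry over.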
'''Replay attack.''' A replay attack is performed on a security protocol by repeating previously transmitted data captured by a malicious entity (Fig. 4). It consists in resending captured messages from the end-devices; its objective is the denial of service of an end-device. This attack is possible by using the communication frequencies and channels to sniff data from transmissions between devices (end-devices and gateways). A predator may intercept and replay legitimate messages, compromising the network's security. The frame-counter mechanism helps the LoRaWAN network to know whether a message was sent by the gateway rather than by a malicious device. Indeed, once the end-device is activated, both frame counters (at the end-device and at the gateway) are set to 0, and each message coming from the gateway or from the device increments the counters. In this way, if a message is received with a lower frame counter than the last message, it is ignored. But this process could itself be exploited by attackers to produce a denial of service.

Figure 4: Replay attack

'''Wormhole attack.''' A wormhole attack is an attack which can be performed against a LoRaWAN network. It consists in sniffing packets and replaying them. One malicious device captures the packets from one device and transmits them to another, distant, device to replay the captured packet. The two devices which participate in this attack are the sniffer and the jammer. The sniffer captures packets and transmits a signal to the jammer informing it that it has captured the packet [2]. In this way, the packet does not reach the gateway and is still valid for validation. This packet could be forwarded to the gateway at any time, as there is no time-related information in LoRaWAN messages.

'''Eavesdropping.''' As already presented, LoRaWAN implements channel confidentiality through AES in counter mode, where the block counter value is used as an input. During a counter reset, the key remains in place, meaning that the block cipher will reproduce the same key material. An attacker can exploit this behaviour to decrypt messages.
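The Network Server side of the frame-counter rule from the replay-attack paragraph, together with the counter-reset condition from the eavesdropping paragraph, as an added example that is not code from the paper. It models only what the text states: a frame whose counter is not above the last accepted one is ignored, and a counter that restarts at 0 while the session keys are unchanged is the condition under which AES counter mode would reproduce the same key material, so such a frame is dropped and reported separately. Device addresses and the frame sequence are constructed; MIC verification, which real frames also require, is out of scope here.

```python
"""Per-device uplink frame-counter guard (replay and counter-reset detection).

Added example, not code from the paper. Addresses and sequences are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ACCEPT = "accept"
REJECT_UNKNOWN = "reject-unknown-device"
REJECT_REPLAY = "reject-replay"
REJECT_RESET = "reject-counter-reset"


@dataclass
class SessionState:
    session: int              # incremented at every activation (fresh session keys assumed)
    last_fcnt: Optional[int]  # highest counter accepted in this session; None = none yet


class FrameCounterGuard:
    """Tracks the uplink frame counter of each device for its current session."""

    def __init__(self):
        self._devices: dict[str, SessionState] = {}

    def activate(self, dev_addr: str) -> int:
        """Join / activation: counters restart at 0 on both sides, as the text
        states, and a new session number is recorded."""
        prev = self._devices.get(dev_addr)
        session = prev.session + 1 if prev else 1
        self._devices[dev_addr] = SessionState(session=session, last_fcnt=None)
        return session

    def check_uplink(self, dev_addr: str, fcnt: int) -> str:
        """Apply the counter rule to one received frame and return a verdict."""
        if fcnt < 0:
            raise ValueError("frame counter cannot be negative")
        state = self._devices.get(dev_addr)
        if state is None:
            return REJECT_UNKNOWN
        if state.last_fcnt is None or fcnt > state.last_fcnt:
            state.last_fcnt = fcnt   # strictly increasing: accept and remember
            return ACCEPT
        if fcnt == 0:
            # Counter back at its start value without a new activation: the
            # keystream-reuse condition from the eavesdropping paragraph.
            return REJECT_RESET
        return REJECT_REPLAY         # equal or lower counter: a resent frame


def replay_scenario() -> list:
    """Constructed sequence: frame before activation, legitimate frames, a
    resent captured frame, an old out-of-order frame, a counter restart, rejoin."""
    guard = FrameCounterGuard()
    verdicts = [guard.check_uplink("26011BDA", 0)]    # not activated yet
    guard.activate("26011BDA")
    for fcnt in (0, 1, 2, 2, 7, 3, 0):
        verdicts.append(guard.check_uplink("26011BDA", fcnt))
    guard.activate("26011BDA")                         # fresh session keys
    verdicts.append(guard.check_uplink("26011BDA", 0))
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(replay_scenario()):
        print(step, verdict)
```

Both rejection labels drop the frame; the difference is what the operator does next. A replay verdict needs no action beyond logging, while a reset verdict means that, if the device genuinely restarted its counter, its frames should not be accepted again until it re-activates and obtains new session keys. The guard never triggers a re-activation itself on the strength of an unauthenticated frame, since that would hand an attacker the denial-of-service lever the text warns about.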
'''Bit-flipping attack (Man-in-the-Middle, MitM).''' LoRaWAN messages are encrypted and carry a MIC, but the encryption and the integrity check are managed at different locations inside a message frame. The payload encryption is handled by the Application Server, while the MIC is checked and terminated by the infrastructure provider (Network Server (NS)) [6]. Hence, between the infrastructure provider's Network Server and the IoT solution provider's Application Server (AS), the content cannot be checked for integrity and authenticity. An attacker can attempt to intercept anywhere between the NS and the AS. This can be achieved through a variety of approaches, ranging from routing-based ones, such as Border Gateway Protocol (BGP) route hijacking or IP source routing, to physical- and link-layer-based ones, such as a compromised device on the path [7]. BGP route hijacking consists in the illegitimate takeover of groups of IP addresses by corrupting the Internet routing tables maintained using the BGP protocol.

'''Rogue gateway attack.''' LoRaWAN gateways are obedient relays and thus constitute the weakest link of the network. Any kind of security problem on this node would interrupt communication between the end-devices and the servers. One of the attacks faced by LoRaWAN gateways is the use of a rogue gateway that acts like a legitimate gateway. Two kinds of attack can be distinguished: the LoRa class B attack (beacon synchronization Denial of Service (DoS) attack) and the impersonation attack.

– ''Beacon synchronization DoS attack.'' This attack is a typical malicious-gateway attack that uses a class B device vulnerability. In LoRaWAN, the class B beacons received in downlink transmission are not secured by any method, which means that an attacker can deploy a malicious gateway to send counterfeit beacons. The result is that class B end-devices will receive messages in windows that are out of sync with the malicious gateway. By sending out beacons randomly, a malicious gateway could desynchronize an end-device from the receive windows of another gateway. This could cause a denial of service, as the legitimate gateway sends messages when the end-device is not receiving. To deal with this attack, a key should be used by gateways to authenticate beacon communications.

– ''Impersonation attack.'' Gateways can also be impersonated to create attacks against end-devices. End-devices can be listened to and their network address can be determined. Furthermore, a triangulation method (a minimum of 3 gateways is required in this case) can be used to perform the intended capturing attack on the end-device.

Besides the attacks presented above, there are also the network spoofing attack, the selective forwarding attack, and the sinkhole or blackhole attack. In the following section, a short literature review of papers about LoRaWAN security is presented.
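The countermeasure the beacon-synchronization paragraph calls for, a key used by gateways to authenticate beacons, as an added example that is not code from the paper and not part of the LoRaWAN specification (real class B beacons carry no such tag). The tag is an HMAC-SHA256 over the gateway identifier and the beacon time, truncated to 8 bytes; the 128 s beacon period, the gateway identifiers, the key and the beacon sequence are constructed values for this example.

```python
"""Keyed beacon authentication on the class B device side.

Added example, not code from the paper; a hypothetical mechanism showing how
an unkeyed gateway's counterfeit or replayed beacons would be discarded.
"""
import hashlib
import hmac
import struct

BEACON_PERIOD_S = 128   # assumed beacon period for this example
TAG_LEN = 8             # truncated tag length in bytes


def beacon_tag(key: bytes, gateway_id: bytes, beacon_time: int) -> bytes:
    """Tag = HMAC-SHA256(key, gateway_id || beacon_time) truncated to TAG_LEN."""
    msg = gateway_id + struct.pack(">I", beacon_time)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class ClassBDevice:
    """Only a beacon with a valid tag whose time moves forward by whole beacon
    periods may (re)align the device's receive-window schedule."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_beacon_time = None   # time of the last accepted beacon
        self.rejected = 0

    def accept_beacon(self, gateway_id: bytes, beacon_time: int, tag: bytes) -> bool:
        expected = beacon_tag(self._key, gateway_id, beacon_time)
        if not hmac.compare_digest(expected, tag):
            self.rejected += 1          # counterfeit beacon: tag does not verify
            return False
        if self.last_beacon_time is not None:
            delta = beacon_time - self.last_beacon_time
            if delta <= 0 or delta % BEACON_PERIOD_S != 0:
                self.rejected += 1      # replayed old beacon or off-schedule time
                return False
        self.last_beacon_time = beacon_time
        return True

    def next_beacon_time(self):
        if self.last_beacon_time is None:
            return None
        return self.last_beacon_time + BEACON_PERIOD_S


def beacon_scenario() -> dict:
    """Constructed sequence: two genuine beacons, a counterfeit beacon with an
    arbitrary time from an unkeyed gateway, a replayed genuine beacon, and a
    genuine beacon after one missed period."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    legit, rogue = b"gw-legit", b"gw-rogue"                    # constructed ids
    rogue_key = bytes(16)                                      # rogue lacks the key
    dev = ClassBDevice(key)
    results = [
        dev.accept_beacon(legit, 1000, beacon_tag(key, legit, 1000)),
        dev.accept_beacon(legit, 1128, beacon_tag(key, legit, 1128)),
        dev.accept_beacon(rogue, 1337, beacon_tag(rogue_key, rogue, 1337)),
        dev.accept_beacon(legit, 1000, beacon_tag(key, legit, 1000)),
        dev.accept_beacon(legit, 1384, beacon_tag(key, legit, 1384)),
    ]
    return {"accepted": results, "synced_to": dev.last_beacon_time,
            "next": dev.next_beacon_time(), "rejected": dev.rejected}


if __name__ == "__main__":
    print(beacon_scenario())
```

The schedule check matters as much as the tag: a rogue gateway that records a genuine, correctly tagged beacon and re-broadcasts it later cannot forge the tag, but it could still drag the device's schedule backwards unless beacons are required to advance time by whole periods.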
===3. Literature review===

Table 2 presents a literature review of papers related to LoRaWAN security.

Table 2: Paper summary
{| class="wikitable"
! Ref (Year) !! Objectives !! Summary of concept !! Results
|-
| [2] (2017) || Analysis of potential security weaknesses in LoRa. The network stack is analysed and ED vulnerabilities are presented. || LoRa transmissions are prone to jamming and selective jamming (with commercial off-the-shelf hardware) attacks, replay attack and wormhole attack. || A COTS device is used for the jamming test.
|-
| [3] (2019) || Analysis of the security risk of LoRaWAN v1.1 by presenting the main security improvements compared to LoRaWAN v1.0. || Presents related work on the security risk of LoRaWAN v1.0. It also highlights security vulnerabilities of LoRaWAN v1.1, possible attacks and defense mechanisms against these attacks. || These problems affect the network availability, the data integrity and confidentiality, and mechanisms are proposed.
|-
| [7] (2019) || Analysis of the practical capacity of LoRaWAN and its security challenges. || Description of LoRaWAN v1.1 from the joining procedure handling to the key management, attacks and network capacity. || Main attacks: class B synchronization attack (beacon transmission by attackers) and jamming.
|-
| [8] (2020) || Analysis of LoRaWAN v1.1 security by comparing its vulnerabilities to those of LoRaWAN v1.0. || Description of LoRaWAN data and control packet types, identifiers and key management (1.0 vs 1.1, joining procedure), and PHY attacks (continuous, selective or triggered jamming). || Main attacks: confidentiality (session key reuse), integrity (bit flipping and ACK spoofing), availability (class B desynchronization), authentication (MitM).
|-
| [4] (2020) || Comprehensive analysis of LoRaWAN versions (1.0.1, 1.0.2, 1.1, 1.0.3) regarding ED, LoRaWAN layers, hardware and operating systems. || Classification of LoRaWAN threats regarding security criteria such as availability, authentication, integrity and confidentiality, and analysis of their risk degree. || Matching of threats to each attack and mitigation measures; LoRaWAN v1.1 security comparison to 1.0.2 and vulnerabilities.
|-
| [9] (2021) || Implementation of three forms of reactive jamming attack and countermeasures for attack mitigation. || Reactive jamming using the Channel Activity Detection (CAD) mechanism for detection, using a combination of channel hopping and transmission, and using CAD detection, channel hopping and transmission. || Low-cost commodity hardware based on the Arduino platform can be used by attackers to completely interrupt the network.
|}

===4. Conclusion===

This paper presents a security analysis of LoRaWAN v1.1. The main vulnerabilities and attacks are summarized, and a review of papers that address the security of this network is given. It is shown that the main physical-layer security attacks are jamming and replay, while other attacks can affect the network availability, integrity and confidentiality.

===5. Acknowledgments===

This work has been carried out under support from ARES within the frame of a post-doctoral mobility grant in the Electromagnetism and Telecommunications Service (UMONS/FPMs/Belgium).

===References===

[1] S. Montagny, LoRa-LoRaWAN and internet of things for beginners, Available: www.univ-smb.fr/lorawan (2021).

[2] E. Aras, G. S. Ramachandran, P. Lawrence, D. Hughes, Exploring the security vulnerabilities of LoRa, in: 2017 3rd IEEE International Conference on Cybernetics (CYBCONF), IEEE, 2017, pp. 1–6.

[3] I. Butun, N. Pereira, M. Gidlund, Security risk analysis of LoRaWAN and future directions, Future Internet 11 (2018) 3.

[4] H. Noura, T. Hatoum, O. Salman, J.-P. Yaacoub, A. Chehab, LoRaWAN security survey: Issues, threats and possible mitigation techniques, Internet of Things 12 (2020) 100303.

[5] K. Michel Gilbert, LoRaWAN gateways: Radio coexistence issues and solutions, LoRa Alliance (2021).

[6] F. Kuntke, V. Romanenko, S. Linsner, E. Steinbrink, C. Reuter, LoRaWAN security issues and mitigation options by the example of agricultural IoT scenarios, Transactions on Emerging Telecommunications Technologies 33 (2022) e4452.

[7] M. Santamaria, A. Marchiori, Demystifying LoRaWAN security and capacity, in: 2019 29th International Telecommunication Networks and Applications Conference (ITNAC), IEEE, 2019, pp. 1–7.

[8] S. J. Philip, J. M. McQuillan, O. Adegbite, LoRaWAN v1.1 security: Are we in the clear yet?, in: 2020 IEEE 6th International Conference on Dependability in Sensor, Cloud and Big Data Systems and Application (DependSys), IEEE, 2020, pp. 112–118.

[9] T. Perković, H. Rudeš, S. Damjanović, A. Nakić, Low-cost implementation of reactive jammer on LoRaWAN network, Electronics 10 (2021) 864.