LoRaWAN, a long-range wireless communications technology for low-powered devices that is widely used worldwide in smart city, industrial internet of things (IIoT) and smart home projects, is vulnerable to cyberattacks because of implementation errors commonly made by device manufacturers and network operators when building and deploying LoRaWAN devices, a recent report from security consultancy IOActive warns.
LoRaWAN (Long Range Wide Area Network) is a MAC-layer protocol built on top of the LoRa physical layer, designed to let low-powered devices communicate with Internet-connected applications over long-range wireless links. Although the protocol is advertised as having “built-in encryption” and therefore being “secure by default”, common implementation mistakes and the “blind trust” of users who pay little attention to cyber security can leave LoRaWAN networks open to attack, the researchers said.
A LoRaWAN architecture consists of four key elements: end devices, gateways, a network server and an application server. End devices communicate with applications via gateways and the network server. Devices exchange messages directly with gateways over LoRa and LoRaWAN, and the gateways communicate with the network server over TCP/IP or UDP/IP, depending on the implementation.
LoRaWAN defines two layers of security: one at the network level and another at the application level. The network-layer security authenticates the node (device) to the network and provides message integrity between the device and the network server. The application-layer security provides confidentiality through end-to-end encryption between the device and the application server, preventing third parties from reading the application data in transit. Each layer uses its own 128-bit secret key: the Network Session Key (NwkSKey) and the Application Session Key (AppSKey). These keys are “the source of the network’s only security mechanism, encryption,” so an attacker who obtains them could gain access to the devices and networks they protect.
The researchers analyzed the most widely used versions of the protocol (1.0.2 and 1.0.3) and found that an attacker can obtain keys in several ways. For example, keys can be extracted from devices through reverse engineering. Many devices also ship with tags carrying information such as the AppKey. These tags are intended for use during commissioning, but if they are not removed before the device is placed in its final location, an attacker with physical access to the device can use the information on the tag to generate valid session keys.
IOActive also found source code containing AppKeys and AppSKeys/NwkSKeys that were meant to be removed before a device is deployed. That does not always happen, and devices are shipped with hardcoded keys. Other issues the researchers uncovered include internet-exposed network servers using default or weak credentials, and network servers running vulnerable software that lets attackers reach the LoRaWAN network management functions by exploiting those software flaws. Keys could also be obtained by breaching device manufacturers’ networks or by compromising the equipment technicians use to configure the LoRaWAN network.
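To make concrete why a tag or source file holding the AppKey is as sensitive as the session keys themselves, the following Go program (an added example, not code from the IOActive report or from any LoRaWAN stack) performs the LoRaWAN 1.0.x over-the-air activation key derivation that a network or join server carries out, and adds a check for the kind of default root key an audit should reject. The AppNonce, NetID and DevNonce all travel in the clear during the join exchange, so the AppKey is the only secret input to both session keys; all key and nonce values below are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// LoRaWAN 1.0.x over-the-air activation derives both session keys from the
// AppKey and three values that are sent in the clear during the join exchange:
//   NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
//   AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
func DeriveSessionKeys(appKey [16]byte, appNonce, netID [3]byte, devNonce [2]byte) (nwkSKey, appSKey [16]byte, err error) {
	block, err := aes.NewCipher(appKey[:])
	if err != nil {
		return nwkSKey, appSKey, err
	}
	// Fields keep their on-air (little-endian) byte order; the remaining 7 bytes are zero padding.
	in := make([]byte, 16)
	copy(in[1:4], appNonce[:])
	copy(in[4:7], netID[:])
	copy(in[7:9], devNonce[:])
	in[0] = 0x01
	block.Encrypt(nwkSKey[:], in) // one raw AES-128 block; no mode of operation is involved
	in[0] = 0x02
	block.Encrypt(appSKey[:], in)
	return nwkSKey, appSKey, nil
}

// IsWeakAppKey flags root keys that audits commonly find left in place: all-zero
// or single-repeated-byte keys and the 00 01 ... 0F counter pattern from vendor examples.
func IsWeakAppKey(key [16]byte) bool {
	if bytes.Count(key[:], []byte{key[0]}) == len(key) {
		return true
	}
	for i, b := range key {
		if b != byte(i) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample inputs, not values from any real device or network.
	appKey := [16]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}
	nwk, app, _ := DeriveSessionKeys(appKey, [3]byte{0x11, 0x22, 0x33}, [3]byte{0x13, 0x00, 0x00}, [2]byte{0xcd, 0xab})
	fmt.Printf("weak AppKey: %v\nNwkSKey: %x\nAppSKey: %x\n", IsWeakAppKey(appKey), nwk, app)
}
```

Because every input other than the AppKey is public, rotating the DevNonce on each join only gives fresh session keys while the AppKey itself stays secret; once the root key is exposed, every past and future session derived from it is exposed too.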
Once in possession of the keys, attackers can carry out denial-of-service (DoS) attacks against devices and the network server, or inject fake data into the LoRaWAN network, affecting the applications that consume it.
“Imagine a LoRaWAN device measuring the pressure of a critical gas pipeline, which needs to be under constant monitoring. An attacker with valid session keys could craft and send LoRaWAN messages with normal behaviour data for the pipeline pressure, masking any anomaly and hiding a physical attack against this pipeline. If not caught in time, such an attack could lead to an environmental, economic, or, in a worst-case scenario, lethal disaster,” the researchers noted.
“The best approach to preventing attacks is holistic, where the complete LoRaWAN ecosystem is secured. This can only be achieved if all of the technology that is part of the ecosystem (devices, gateways, network servers, join servers, application servers, and applications) is properly security audited. This way, possible security problems are identified and fixed. This should be done at least twice a year, as the ecosystem is not static. LoRaWAN networks are very dynamic with new components being added regularly,” the security firm advised.