Date: 2020-01-28

Security experts today published a report warning that the new and fast-rising LoRaWAN technology is vulnerable to cyber attacks and incorrect configurations, despite claims that security is rooted in the use of two encryption layers in the protocol.

LoRaWAN stands for “Long Range Wide Area Network”. It is a radio-based technology that works on top of the proprietary LoRa protocol.

The LoRa protocol was developed to enable companies to connect battery-powered or other low-power devices to the internet via a wireless connection.

LoRaWAN uses the LoRa protocol and enables devices in a large geographical area to connect wirelessly to the internet via radio waves.

LoRaWAN is especially popular with developers of Internet of Things devices. Previously, to connect an IoT or other smart device to the Internet, companies had to connect the IoT device to their private Wi-Fi network, or devices had to be supplied with a SIM card, allowing the device to use a mobile network to report back to a server.

LoRaWAN is an alternative to these setups. An IoT device with a LoRaWAN client transmits data via radio waves to a nearby LoRaWAN gateway (in most cases, an antenna). The gateway records this data and forwards it to an internet server, which then forwards it to an application backend or dashboard.

This type of LoRaWAN set-up is often used in the real world. For example, smart parking, smart lighting, traffic management or weather monitoring equipment in a “smart city” uses LoRaWAN to report to a central data collection station. Because the protocol works over radio waves instead of relying on WiFi networks or SIM cards, complex IoT set-ups become easier to implement: it is easier to install a few radio antennas (gateways) in a small geographical area than dozens of WiFi routers or thousands of SIM cards.

Because of this inexpensive approach, LoRaWAN networks are also often used in industrial installations (to report measurements from different sensors or SCADA devices), smart homes (to report alarms, bulkhead detection or home automation tasks in neighborhoods or cities), smart hospitals, smart crop fields, and so on.

But the transmission of data from devices via radio waves is not a safe approach. The makers of the protocol, however, anticipated this problem. Since the first version, LoRaWAN has used two layers of 128-bit encryption to protect the data transmitted from devices – one encryption key being used to authenticate the device against a company’s network server and the other against a company’s back-end application.

In a 27-page report published today, IOActive security researchers say the protocol is prone to incorrect configurations and has design choices that make it susceptible to hacking and cyber attacks.

The company lists several scenarios that they found plausible during their analysis of this fast-rising protocol:

Encryption keys can be extracted from devices by reverse engineering the firmware of devices supplied with a LoRaWAN module.

Many devices come with a tag displaying a QR code and/or text with the device's ID, security keys, or more.

Researchers say the tag is intended to be used in the commissioning process and then removed.

Some devices may ship with the encryption keys that come bundled with various open-source LoRaWAN libraries (intended to be replaced before the device is used).

Some devices can use easy-to-guess encryption keys, such as AppKey = device ID + app ID or AppKey = app ID + device ID.

LoRaWAN network servers may be insecurely configured or vulnerable to other non-LoRaWAN vulnerabilities, allowing hackers to take over these systems.

Vulnerabilities in the protocol design allow denial-of-service attacks.

… and others

“Organizations blindly trust LoRaWAN because it is encrypted, but that encryption can easily be circumvented if hackers can get hold of the keys – which our research shows they can do in different ways and with relative ease,” says Cesar Cerrudo, CTO at IOActive.

“Once hackers have access, there are many things they can do – they can prevent utilities from doing smart meter readings, prevent logistics companies from tracking vehicles, or prohibit hospitals from receiving measurements from smart devices. In extreme cases, a compromised network can be fed with false device values to disguise physical attacks on infrastructure, such as a gas pipeline. Or to make industrial equipment that contains volatile substances over-correct, causing it to break, burn or even explode.”

To prevent unsafe implementations of LoRaWAN networks, IOActive researchers recommend auditing LoRaWAN devices and networks, as well as implementing additional security measures, such as monitoring LoRaWAN traffic, just as companies would treat normal HTTP/HTTPS web traffic.

To help with the auditing part, the company has released an open-source LoRaWAN auditing framework called LAF on GitHub.
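The weak-key scenarios listed in the report lend themselves to a simple inventory check. The following is an added example, not code from IOActive or from LAF: it audits a device inventory for AppKeys built from the device and app IDs, keys on a default-key list, low-entropy keys, and keys shared across devices. It assumes "device ID" and "app ID" mean the 8-byte LoRaWAN DevEUI and AppEUI; the function names, the default-key list and every sample value are constructed for illustration.

```python
from collections import Counter

# Assumption: placeholder defaults; fill with the keys bundled in the SDKs you deploy.
KNOWN_DEFAULT_KEYS = {bytes(16), bytes(range(1, 17))}  # constructed values

def weak_key_reasons(dev_eui, app_eui, app_key, reuse):
    """Return why a 16-byte AppKey is weak (empty list means no finding)."""
    if len(dev_eui) != 8 or len(app_eui) != 8 or len(app_key) != 16:
        raise ValueError("expected 8-byte DevEUI/AppEUI and 16-byte AppKey")
    reasons = []
    if app_key == dev_eui + app_eui:
        reasons.append("AppKey = DevEUI + AppEUI")
    if app_key == app_eui + dev_eui:
        reasons.append("AppKey = AppEUI + DevEUI")
    if app_key in KNOWN_DEFAULT_KEYS:
        reasons.append("known default key")
    if len(set(app_key)) <= 2:  # e.g. all zeros or one repeated byte
        reasons.append("low-entropy key")
    if reuse[app_key] > 1:  # one extracted key would expose every device sharing it
        reasons.append("key shared by %d devices" % reuse[app_key])
    return reasons

def audit(inventory):
    """inventory: (dev_eui_hex, app_eui_hex, app_key_hex) rows -> {dev_eui_hex: reasons}."""
    rows = [(d, bytes.fromhex(d), bytes.fromhex(a), bytes.fromhex(k))
            for d, a, k in inventory]
    reuse = Counter(key for _, _, _, key in rows)
    findings = {}
    for name, dev, app, key in rows:
        reasons = weak_key_reasons(dev, app, key, reuse)
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample inventory (not real device data).
APP = "1122334455667788"
SAMPLE = [
    ("aabbccdd00000001", APP, "aabbccdd00000001" + APP),
    ("aabbccdd00000002", APP, APP + "aabbccdd00000002"),
    ("aabbccdd00000003", APP, "00" * 16),
    ("aabbccdd00000004", APP, "9f1c7ab2e45d03886bc1f07a2d5e9341"),
    ("aabbccdd00000005", APP, "5ad2c9e7143b80f6a97e21c4d03b6f58"),
    ("aabbccdd00000006", APP, "5ad2c9e7143b80f6a97e21c4d03b6f58"),
]

if __name__ == "__main__":
    for dev, reasons in audit(SAMPLE).items():
        print(dev, "->", "; ".join(reasons))
```

Run it against an export of the provisioning database rather than against keys copied into ad hoc files, so the audit itself does not create another place where AppKeys are stored.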