IOActive researchers found that the LoRaWAN protocol – which is used across the globe to transmit data to and from IoT devices in smart cities, Industrial IoT, smart homes, smart utilities, vehicle tracking and healthcare – has a host of cyber security issues that could put network users at risk of attack. Such attacks could cause widespread disruption or in extreme cases even put lives at risk.
Session Keys and Functions in LoRaWAN v1.0.3
Vulnerable LoRaWAN networks
The researchers found the root keys used for encrypting communications between smart devices, gateways and network servers are often poorly protected and easily obtainable through several methods.
This could leave the network vulnerable to attackers who could be able to compromise the confidentiality and integrity of the data flowing to and from connected devices, in order to:
- Conduct Denial of Service attacks: Once hackers have the encryption keys, they can gain access to the network and cause DoS attacks, disrupting communications between connected devices and the network server, so companies can’t receive any data.
- Send false data: Alternatively, attackers could intercept communications and replace these with false data, such as fake sensor and meter readings. This could create several issues by allowing hackers to hide malicious activity or cause industrial equipment to damage itself, potentially halting operations and putting company infrastructure at risk.
“Organizations are blindly trusting LoRaWAN because it’s encrypted, but that encryption can be easily bypassed if hackers can get their hands on the keys – which our research shows they can do in several ways, with relative ease, ” explains Cesar Cerrudo, CTO at IOActive. “Once hackers have access, there are many things they could potentially do – they could prevent utilities firms from taking smart meter readings, stop logistics companies from tracking vehicles, or prohibit hospitals from receiving readings from smart equipment. In extreme cases, a compromised network could be fed false device readings to cover up physical attacks against infrastructure, like a gas pipeline. Or to prompt industrial equipment containing volatile substances to overcorrect; causing it to break, combust or even explode.”
Worryingly, IOActive researchers found that there is currently no way for an organization to know if a LoRaWAN network is being or has been attacked, or if an encryption key has been compromised. In response, IOActive has released a LoRaWAN Auditing Framework, which will allow users to audit and pentest the security of their infrastructure and reduce the impact of an attack and ensure that potentially vulnerable LoRaWAN networks are deployed securely.
LoRaWAN PHYPayload Structure
“In any LoRaWAN network, root keys should be properly protected and vendor default keys should be replaced with random and different keys for each device. If possible, Secure Element and Hardware Security Module should be used so keys are never exposed. It’s also important to constantly monitor LoRaWAN networks for detecting and preventing attacks. Finally, all LoRaWAN infrastructure needs to have security audited two or three times a year in order to identify and fix security problems,” Cesar Cerrudo, CTO at IOActive, told Help Net Security.