Abstract
LoRaWAN is a worldwide deployed IoT security protocol. We provide an extensive analysis of the version 1.0, which is the currently deployed version, and we show that it suffers from several weaknesses. We introduce several attacks, including practical ones, that breach the network availability, data integrity, and data confidentiality, and target either an end-device or the backend system.
Based on the inner weaknesses of the protocol, these attacks do not lean on potential implementation or hardware bugs. Likewise they do not entail a physical access to the targeted equipment and are independent from the means used to physically protect secret parameters.
Finally we propose practical recommendations aiming at thwarting the attacks, while at the same time being compliant with the specification, and keeping the interoperability between patched and unmodified equipment.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
As acknowledged by the specification ([26], Sect. 6.1.4).
- 2.
More precisely the \(\mathsf {AES}\) decryption function is used to protect the Join Accept message, because the end-device implements the encryption function only.
- 3.
The session key \(K = \mathtt{AppSKey}\) is used when application messages are exchanged between the end-device and the AS, and \(K = \mathtt{NwkSKey}\) is used when command-only messages are exchanged between the end-device and the NS.
- 4.
Note that since the end-device ends up reusing previous session keys (which are no longer shared with the NS), this attack is also a kind of “desynchronization” attack. However, contrary to the desynchronization attacks described in Sect. 3.2, this “replay or decrypt” attack has more devastating consequences (and a higher complexity) than “only” desynchronizing the end-device and the NS.
- 5.
See Appendix A.
- 6.
Being able to influence on the power supply does not necessarily mean to physically intrude on the end-device. The attacker could turn off or interrupt a remote electric generator the end-device is connected to, or the link between the generator and the end-device (if the end-device is powered by an external source), or use other means (e.g., electromagnetic impulse targeting the end-device and leading to a power outage).
- 7.
We use the term “session” for the sake of simplicity, but it does not depict precisely what are the actual exchanges since the end-device, at this point, has no “partner”: neither the NS nor the AS is able to communicate with the end-device, and the attacker is unable to forge new valid frames.
- 8.
Thus some NS implementation derives the \(\mathtt{DevAddr}\) parameter from the unique end-device’s identifier \(\mathtt{DevEUI}\). Also the \(\mathtt{DevAddr}\) value may be chosen once and for all at the time of the end-device provisioning.
- 9.
The messages may come from different end-devices, hence, may have to be sent to one or several NS servers.
- 10.
For instance turning the \(\mathtt{DevNonce}\) parameter into a counter is not a suitable solution (see Appendix B).
- 11.
This would also make easier an attack aiming at exhausting the \(\mathtt{AppNonce}\) counter (see Appendix B).
References
BiztechAfrica: FastNet announces Africa’s first dedicated M2M network and IoT developer academy, October 2015. http://www.biztechafrica.com/article/fastnet-announces-africas-first-dedicated-m2m-netw/10718/
Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970). http://doi.acm.org/10.1145/362686.362692
Blutetooth SIG: Bluetooth specification. https://www.bluetooth.com/specifications/adopted-specifications
Briodagh, K.: Japan Opens New LoRaWAN Network for IoT Testing, July 2016. http://www.iotevolutionworld.com/iot/articles/423324-japan-opens-new-lorawan-network-iot-testing.htm
Diffie, W., Hellman, M.E.: Privacy and authentication: an introduction to cryptography. Proc. IEEE 67(3), 397–427 (1979)
Dillinger, P.C., Manolios, P.: Bloom filters in probabilistic verification. In: Hu, A.J., Martin, A.K. (eds.) FMCAD 2004. LNCS, vol. 3312, pp. 367–381. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30494-4_26
Fearn, N.: Orange deploys LoRa network in thousands of French towns, September 2016. https://internetofbusiness.com/orange-lora-network-france/
Hunt, D., Jouko, N., Ridder, M.: LoRa Alliance - End Device Certification Requirements for EU 868MHz ISM Band Devices, v1.2 (2016)
Kim, G.: Tata to deploy LoRa network for IoT, June 2016. http://spectrumfutures.org/tata-to-deploy-lora-network-for-iot/
Kinney, S.: 100 US cities covered by Senet LoRa network for IoT, June 2016. http://www.rcrwireless.com/20160615/internet-of-things/100-u-s-cities-covered-senet-lora-network-iot-tag17
L’Héréec, F., Joulain, N.: Sécurité LoRaWAN. In: Computer & Electronics Security Applications Rendez-vous - C&ESAR (2016)
Lifchitz, R.: Security review of LoRaWAN networks. In: Hardwear.io (2016)
LoRa Alliance: LoRaWAN Certified Products. https://www.lora-alliance.org/certified-products. Accessed 8 Dec 2017
LoRa Alliance Technical committee: LoRaWAN Regional Parameters, LoRa Alliance, version 1.0, July 2016
LORIOT.io: https://www.loriot.io
Marek, S.: SK Telecom & KPN Deploy Nationwide LoRa IoT Networks, July 2016. https://www.sdxcentral.com/articles/news/sk-telecom-kpn-deploy-nationwide-lorawan-iot-networks/2016/07/
Mason, J., Watkins, K., Eisner, J., Stubblefield, A.: A natural language approach to automated cryptanalysis of two-time pads. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 235–244. ACM (2006). http://doi.acm.org/10.1145/1180405.1180435
Miller, R.: LoRa the explorer - attacking and defending LoRa systems. In: Information Security Conference - SyScan360 (2016)
National Institute Of Standards and Technology: NIST FIPS 197 Specification for the Advanced Encryption Standard (AES), November 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
National Institute Of Standards and Technology: NIST Special Publication 800–38A Recommendation for Block Cipher Modes of Operation - Methods and Techniques, December 2001. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf
National Institute Of Standards and Technology: NIST Special Publication 800–38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005. http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
SmartCitiesWorld: IoT connectivity for 100 million homes in China, November 2016. https://smartcitiesworld.net/news/news/iot-connectivity-for-100-million-homes-in-china-1139
SmartCitiesWorld: LoRaWAN IoT network deployed in Japan, September 2016. https://smartcitiesworld.net/connectivity/connectivity/lorawan-iot-network-deployed-in-japan
SmartCitiesWorld: Semtech LoRa chosen for new IoT network in New Zealand, September 2016. https://smartcitiesworld.net/news/news/semtech-lora-chosen-for-new-iot-network-in-new-zealand-949
Song, J.H., Poovendran, R., Lee, J., Iwata, T.: The AES-CMAC Algorithm. RFC 4493, June 2006
Sornin, N., Luis, M., Eirich, T., Kramp, T., Hersent, O.: LoRaWAN Specification, LoRa Alliance, version 1.0.2, July 2016
The Things Network. https://www.thethingsnetwork.org
Yang, X.: LoRaWAN: Vulnerability Analysis and Practical Exploitation (2017). https://repository.tudelft.nl/islandora/object/uuid:87730790–6166-4424-9d82-8fe815733f1e/datastream/OBJ/download
Z-Wave Alliance: Z-Wave specification. http://z-wave.sigmadesigns.com/design-z-wave/z-wave-public-specification/
ZigBee Alliance: ZigBee specification. http://www.zigbee.org/download/standards-zigbee-specification/
Zulian, S.: Security threat analysis and countermeasures for LoRaWAN join procedure (2016). http://tesi.cab.unipd.it/53210/
Acknowledgment
The authors thank Sébastien Canard for valuable comments and suggestions, and the anonymous reviewers for helpful comments. This article is based upon work from COST Action IC1403 CRYPTACUS, supported by COST (European Cooperation in Science and Technology).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Duty Cycle
The ducty cyle is a mechanism used to regulate the occupation rate of the radio channel by the end-device. Enforcing the duty cycle implies that an end-device cannot repeatedly send a lot of messages. Hence one could claim that the duration of the attack is greater than the figure we provide. However, the duty cycle is a regulation mechanism, not a security one (even if it could cleverly be used as such). And not all countries compel to use such a mechanism. Also, an end-device may well be certified (by the LoRa Alliance [13]) and yet not apply the duty cycle. Indeed a LoRa Alliance certification document explicitly states that “the LoRa Certification testing will not do any duty cycle testing” [8].
B Exhaustion Attack
Generating a parameter (\(\mathtt{DevNonce}\), \(\mathtt{AppNonce}\)) with no repetition, and detecting replays are some countermeasures one may think of. Yet, in LoRaWAN, size does matter. Applying one of these methods while keeping at the same time the original parameter size (for compliance reasons) may lead to an attack aiming at exhausting all possible \(\mathtt{DevNonce}\) or \(\mathtt{AppNonce}\) values, hence forbidding the NS or the end-device to start a new activation. Therefore this exhaustion attack, targeting the end-device or the NS it connects to, may lead to an irrevocable disconnection of the end-device.
1.1 B.1 Against the \(\mathtt{DevNonce}\) Parameter
Core. If the end-device generates \(\mathtt{DevNonce}\) values with no repetition or if the NS keeps track of all \(\mathtt{DevNonce}\) values it receives, it is possible to disconnect the end-device once and for all.
Attack. Every time the end-device sends a Join Request message, the attacker replies with a “false” Join Accept message. Hence the end-device generates a new message once again. If unique \(\mathtt{DevNonce}\) values are generated, all values will be eventually used. If the NS keeps track of all \(\mathtt{DevNonce}\) values, the NS will refuse further Join Request messages once all possible \(\mathtt{DevNonce}\) values have been received, be these values pseudo-random or not.
Numerical Example. Let us assume that a key exchange is done in 5 s. If the \(\mathtt{DevNonce}\) values never repeat, the attack targeting the end-device is achieved in \(2^{16} \times 5\,\text {s} = 91\) h.
Let us consider the case when the NS keeps track of all \(\mathtt{DevNonce}\) values. If the values are pseudo-random, the proportion effectively generated by the end-device, hence received by the NS after \(\ell \) key exchanges, is \(p = 1 - \exp (-\frac{\ell }{2^{16}})\). In order this proportion to be \(p = 99\%\), the number of key exchanges must be at least \(\ell = -2^{16}\times \ln (1-p)\). This corresponds to \(\ell \simeq 301{,}804\) activations and more than 17 days to exhaust almost all \(\mathtt{DevNonce}\) values. Remind that such an end-device is supposed to have an autonomous lifespan of up to ten years.
1.2 B.2 Against the \(\mathtt{AppNonce}\) Parameter
Core. If the NS generates the \(\mathtt{AppNonce}\) parameter so that it never repeats, or if the end-device keeps track of all \(\mathtt{AppNonce}\) values it receives, then it is possible to disconnect the end-device once and for all.
Attack. Let us consider the first case. The purpose is to compel the NS to use all possible \(\mathtt{AppNonce}\) values. The NS generates a Join Accept message (hence a new \(\mathtt{AppNonce}\) value) only if it receives a valid Join Request message. Therefore the NS must accept as many Join Request messages as possible \(\mathtt{AppNonce}\) values. Since \(|\mathtt{DevNonce}| < |\mathtt{AppNonce}|\), this is possible only if the NS does not keep track of all \(\mathtt{DevNonce}\) values it receives (which is likely its behaviour). Then the attacker can use a circular list of Join Request messages. Such messages can be collected using the technique described in Sect. 3.1, and then used in a similar way as the one described in Sect. 3.1.
Note that if the NS uses the same pool of \(\mathtt{AppNonce}\) values for all the end-devices, this leads to the definitive disconnection of all these end-devices. In such a case the attack may be distributed among several “false” end-devices (controlled by the attacker; no duty cycle enforced).
Let us consider the second case. The purpose of this attack is to make the end-device keep track, hence receive, all possible \(\mathtt{AppNonce}\) values. This means that the NS has to accept as many Join Request messages as possible \(\mathtt{AppNonce}\) values. Therefore the NS must not keep track of all the \(\mathtt{DevNonce}\) values it receives (since \(|\mathtt{DevNonce}| < |\mathtt{AppNonce}|\)). Yet this is not sufficient. Indeed the end-device accepts as many Join Accept messages (hence \(\mathtt{AppNonce}\) values) as Join Request messages it sends. Therefore if the end-device generates \(\mathtt{DevNonce}\) values with no repetition, it limits the number of received \(\mathtt{AppNonce}\) values. Therefore this attack is possible if the NS does not keep track of all \(\mathtt{DevNonce}\) values, and if the end-device does not generate unique \(\mathtt{DevNonce}\) values (which is likely their basic behaviour).
Moreover the implementation of this second case implies to be able to compel the end-device to send multiples Join Request messages while receiving the corresponding Join Accept responses. We have not identified such means but to be able to influence on the end-device power supply. Yet, if the end-device is switched off, it may lose memory of the stored \(\mathtt{AppNonce}\) values, which is orthogonal to the goal of this attack.
Numerical Example. If the \(\mathtt{AppNonce}\) values do not repeat, they are all produced after \(2^{24}\times 5\,\text {s} = 2.66\) years (using one end-device).
If the same pool of \(\mathtt{AppNonce}\) values is used by the NS for all end-devices, the attack may be distributed among several end-devices controlled by the attacker. If 300 such end-devices are used in parallel, the attack is achieved in 3 days approximately.
If the end-device keeps track of all \(\mathtt{AppNonce}\) values, and if the values are pseudo-random, \(p = 99\%\) values are received by the end-device after \(\ell = -2^{24}\times \ln (1-p) \simeq 77.26 \times 10^6\) activations. This means more than 12 years to exhaust almost all \(\mathtt{AppNonce}\) values.
Rights and permissions
Copyright information
© 2018 International Financial Cryptography Association
About this paper
Cite this paper
Avoine, G., Ferreira, L. (2018). Rescuing LoRaWAN 1.0. In: Meiklejohn, S., Sako, K. (eds) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science(), vol 10957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58387-6_14
Download citation
DOI: https://doi.org/10.1007/978-3-662-58387-6_14
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-58386-9
Online ISBN: 978-3-662-58387-6
eBook Packages: Computer ScienceComputer Science (R0)