ALPS blog

Original article by Sébastien Dudek, Threat Researcher

Enterprises and smart cities have readily adopted LoRaWAN technology because of its versatility and affordability. However, as with most widely-used devices and software, there are concerns about how malicious actors can compromise or abuse this technology. There are general concerns about security, as well as vulnerabilities in the area of communications, and finally, there are still dangerous hardware attacks that could affect companies that use this technology. These attacks are of particular concern because many LoRaWAN devices are deployed in the wild, such as sensors installed in large agricultural fields or entire cities. This means that it is entirely possible for malicious actors to attack unprotected LoRaWAN devices in the wild.

Data scraping LoRa transceivers

The LoRa transceiver communicates with the microcontroller through an SPI hardware interface. The microcontroller uses this SPI access for varied purposes, including getting uplink packets or send downlink packets to the gateway. Read more in the original article.

The transceiver does not handle sensitive information, but it has some registries that allow it to configure and work with different modes. Some user data can be taken from these registries.

Abusing exposed interfaces on the microcontroller

All the keys and calculations that will encrypt and send packets or decrypt received packets from the transceiver are performed on the microcontroller. Unfortunately, some interfaces of these microcontrollers can be exposed, as seen with the UART interface in Figure 2. We can directly interact with it and dump secrets if the interface has no authentication mechanisms applied to the access portal:

Figure 2. Interfacing with the UART of a magnetic door LoRaWAN sensor
Figure 2. Interfacing with the UART of a magnetic door LoRaWAN sensor

An attacker could also use other vectors or access methods to gather data. For example, if JTAG or ICSP interfaces are enabled, it is possible to launch attacks even through certain security features. If memory protections are used, glitching attacks can be engaged to get partial or full access to the sensitive data inside the internal flash memory.

Accessing the external flash memory

If the microcontroller uses an external flash, it is possible for an attacker to interface with this memory through the exposed access ports, depending on the device’s Surface-Mount Technology (SMT) package. In certain cases, the attacker can actually chip-off or remove the flash memory from the printed circuit board (PCB) and dump the firmware (dumping is the process of copying or extracting the firmware image).

Attacks against Secure Elements

There are many different types of attacks that can be launched against microcontrollers, but the use of Secure Elements (SE) can derail attack attempts to some degree. In the case of LoRaWAN, the SE can safely store the master keys derived to encrypt communication and protect message’s integrity. Read more in the original article.

There are very few documented instances of Secure Elements being used in products. Unfortunately, this means that it is not easy for a developer to be aware of all the beneficial security features of these SEs.

Security Recommendations for LoRaWAN

To help users of this technology, we have compiled a broad list of best practices for defending devices against malicious actors. These suggestions encompass the attacks discussed in the first two parts of the series as well.

LoRaWAN is a growing and evolving technology that helps create affordable and convenient internet-of-things solutions for smart cities and critical industries. Devices are already being used to track delivery fleets, water levels in dams, secure assets, and even monitor building safety. It is essential to make cybersecurity a higher priority to protect these enterprises, employees, and critical operations.

To learn more about the security issues mentioned above, download our technical brief.