Researchers Find Some LoRaWAN Networks Vulnerable to Cyber-Attacks

Slashdot reader JustAnotherOldGuy quotes ZDNet: Security experts have published a report Tuesday warning that the new and fast-rising LoRaWAN technology is vulnerable to cyberattacks and misconfigurations, despite claims of improved security rooted in the protocol's use of two layers of encryption.

LoRaWAN stands for "Long Range Wide Area Network." It is a radio-based technology that works on top of the proprietary LoRa protocol. LoRaWAN takes the LoRa protocol and allows devices spread across a large geographical area to wirelessly connect to the internet via radio waves...

But broadcasting data from devices via radio waves is not a secure approach. However, the protocol's creators anticipated this issue. Since its first version, LoRaWAN has used two layers of 128-bit encryption to secure the data being broadcast from devices — with one encryption key being used to authenticate the device against the network server and the other against a company's backend application. In a 27-page report published Tuesday, security researchers from IOActive say the protocol is prone to misconfigurations and design choices that make it susceptible to hacking and cyber-attacks. The company lists several scenarios it found plausible during its analysis of this fast-rising protocol.
Some examples:

• "Encryption keys can be extracted from devices by reverse engineering the firmware of devices that ship with a LoRaWAN module."
• "Many devices come with a tag displaying a QR code and/or text with the device's identifier, security keys, or more."

Physical Access to Device

[CyberMatt]

You should assume the network is vulnerable if there is physical access to the equipment!

Re:

[chill]

Yeah, but putting a sticker on it with the embedded key is taking that a bit far. That sort of defeats any tamper-resistance built into the hardware.

Hardcoded keys

[sinij]

"Encryption keys can be extracted from devices by reverse engineering the firmware of devices

Why in 2020 there are still devices that ship with hard-coded keys?

endpoint encryption ?

[cats-paw]

I haven't figured out why they keep trying to put encryption in the hardware, where it's much more difficult to update, even with flash in the unit.

the encryption needs to be in software on the endpoints and just let the radio waves transmit pure data, agnostically.

Look at all the holes that were found in early Wifi versions of encryption. Is it even secure at this point in time ?

Is there some scenario where you _must_ have the encryption done in hardware ?

Even "weak" devices like tablets shouldn't have mu

Re:endpoint encryption ?

[OpinOnion]

This is supposed to be a transparent network layer that acts as a gateway for IoT devices to talk to your lan and wan and send alerts and rely metrics of use or trigger some automation system), the endpoints don't even know it's there, like a WiFi adapter in a box that has an Ethernet port and you plug it up to your old Xbox or Smart TV with no built in wifi or outdated/broken wifi but working ethernet. In theory you just plug it in and it works and the device things it's on ethernet. It's also supposed to be as low power as possible. Plus if endpoints need software then you have to make software for EVERY kind of endpoint and that's a nightmare. They could use a more robust embedded OS that gets security updates, like their own custom Linux kernel, but then the power demand will go up and some of these devices could be remote sensor running on batteries and solar. Kind is like if your weather station came with a little box that plugged into your router and connected to a service backend or your own server for a web interface. The weather stations use a special low power system that goes an impressive distance and uses low power. If they had to run an ARM chip on double A batteries, they wouldn't last worth shit. So you need a way to send via this simple and super low power method using something as lower powered as your weather station monitor and 2 AA batteries turn into a LAN/WAN compatible signal AND not have the sensor data be public information. It's not as easy as it sounds and certainly you can't use software based endpoints or complex operating systems. What you need is a standardized super low powered OS on a chip I suppose, but can anything like that run on something like 2 AA batteries like my weather station sensor can for like 2 years and rely a reasonable fast stream of information. That's the kind of programmers you usually can't find enough of. ;) I'm glad all these embedded systems are making programmers think again.

RF networks

[radiocan]

I see these announcements of network vulnerabilities very often. People forget that the easiest and quickest form of an attack is actually an attack on the network's physical (PHY) layer with the help of a radio jammer that's available for a few bucks from aliexpress or ebay.