Security Issues of Low Power Wide Area Networks in the Context of Lora Networks
Total Page:16
File Type:pdf, Size:1020Kb
Security Issues of Low Power Wide Area Networks in the Context of LoRa Networks Debraj Basu, Tianbo Gu and Prasant Mohapatra Department of Computer Science, University of California, Davis, CA, USA Email: fdbasu, tbgu, [email protected], Abstract—Low Power Wide Area Networks (LPWAN) have and availability (CIA) in the information security paradigm been used to support low cost and mobile bi-directional com- [9], [10]. munications for the Internet of Things (IoT), smart city and a wide range of industrial applications. A primary security A. IoT networks and security concern of LPWAN technology is the attacks that block legitimate communication between nodes resulting in scenarios like loss of The majority of IoT enabled technologies are directed packets, delayed packet arrival, and skewed packet reaching the towards building smart infrastructure projects [11]. The Array reporting gateway. LoRa (Long Range) is a promising wireless of Things (AoT) [12] is an urban sensing network of pro- radio access technology that supports long-range communication grammable, modular nodes that are deployed around cities to at low data rates and low power consumption. LoRa is considered as one of the ideal candidates for building LPWANs. We use LoRa collect real-time data on the city’s environment, infrastructure, as a reference technology to review the IoT security threats on and activity for research and public use. The Chicago Park Dis- the air and the applicability of different countermeasures that trict maintains sensors in the water at beaches along Chicago’s have been adopted so far. LoRa extends the transmission range Lake Michigan lakefront [13]. These sensors capture the by controlling the spreading factor (SF) and in turn, the data- measurements at a periodic rate along the lakefront. Pervasive rate. LoRa nodes that are close to the gateway use a small SF than the nodes which are far away. But it also implies long in- Nation is Ireland’s Internet of Things testbed operated by the-air transmission time, which makes the transmitted packets CONNECT, headquartered at Trinity College Dublin, the Uni- vulnerable to different kinds of malicious attacks, especially in the versity of Dublin. This testbed is built on LPWAN technology physical and the link layer. Therefore, it is not possible to enforce enabled by LoRa [14]. There are other railroads and port in- a fixed set of rules for all LoRa nodes since they have different frastructure projects that are leveraged by IoT where hundreds levels of vulnerabilities. Our survey reveals that there is an urgent need for secure and uninterrupted communication between an of sensors are deployed [11]. The IoT network communication end-device and the gateway, especially when the threat models are channel is predominate wireless; thus, the on-air legitimate unknown in advance. We explore the traditional countermeasures control and data messages can be overheard and modified by and find that most of them are ineffective now, such as frequency an attacker. Moreover, an attacker with malicious intent may hopping and spread spectrum methods. In order to adapt to inject illegitimate messages into the network. In [15], authors new threats, the emerging countermeasures using game-theoretic approaches and reinforcement machine learning methods can have identified security, privacy, and trust as the significant effectively identify threats and dynamically choose the corre- challenges to build smart city projects. It has been pointed out sponding actions to resist threats, thereby making secured and in the white-papers by WIND RIVERS [16] that IoT security reliable communications. is more challenging than cybersecurity because of the large Index Terms—LoRa, LPWAN, Security and privacy, Internet attack surface presented by the millions of IoT devices. Most of Things, Cyber attacks, Game theory, Reinforcement learning of these devices are resource-constrained and therefore, limited by computing power for encryption capabilities. They are also I. INTRODUCTION arXiv:2006.16554v1 [cs.CR] 30 Jun 2020 expected to operate for years without being replaced, hence According to the estimation of Boston Consulting prolonging their exposure to attack from newer attack vectors. Group [1], $267 Billion will be spent on Internet of things Recently, Low-Power Wide Area Networks (LPWANs) (IoT) technologies, products, and services by 2020. For ex- have emerged as an attractive communication technology for ample, the IoT market size of smart cities is predicted to IoT [17]. They can support large-scale coverage with long grow to $147.51 Billion by 2020 [2], since IoT can solve communication distance at low cost and long network lifetime. many critical issues currently faced by urban cites, like high In an LPWAN network, all sensor devices directly transmit energy consumption [3], [4], environment pollution [5], [6] data to an LPWAN gateway and can work for years with and transportation congestion [7], [8]. An efficient networking low energy consumption. An LPWAN gateway covers a large system is essential to achieve real-time monitoring and intelli- area of many miles and thousands of sensor devices. The gent control of physical objects for IoT applications. Security collected data is transmitted and stored in a network server and privacy of the data that are exchanged between the to be processed by different applications. network entities are an integral part of an efficient networking At present, four LPWAN technologies are mainly available, system and are usually defined by confidentiality, integrity, i.e., LoRa [18], SigFox [19], Narrowband Internet of Things (NB-IoT) [20] and Long Term Evolution for Machine type It selectively jam packets by reading the physical header and communication (LTE-M) [21]. NB-IoT has been developed go to sleep or in listening mode after jamming the packet [27]. and standardized by 3GPP. NB-IoT is designed to support very This attack mode is hard to detect and deter. In LoRa, since the low power consumption and low-cost devices in extreme cov- on-air time of packets is high, the reaction time of the selective erage conditions [22]. NB-IoT and LTE-M work on licensed jamming attacker to jam the packet after the header is read is cellular frequency bands, which are implemented on existing also high. Therefore, this kind of attack is a significant threat cellular infrastructures by mobile operators. LoRa and SigFox to the security of the LoRa network. On the top, LoRa end- work on the unlicensed 900 MHz band but adopt different devices use random time slots to transmit packets. Therefore business models. LoRa network cannot distinguish between packet losses due to regular congestion and a jamming attack. B. LoRaWAN and unique security threats In replay attacks, a valid transmission is repeated by the LoRaWAN is the standard for wireless communication pro- malicious attacker, generating false messages to the gateway tocols that allows IoT devices to communicate over large dis- and denying legitimate messages to reach the network server tances with minimal battery usage. LoRaWAN supports single- or rejects a valid network-join request [28]. To maintain the hop network topology with the end devices connected to the integrity of valid network join requests, LoRa uses random network servers via intermediate gateways. The communica- numbers (DevNonce) that are derived from the physical layer tion between the LoRa enabled sensor nodes, and the gateways signal strength values. However, an attacker can destroy the go over the wireless channel utilizing the LoRa physical layer, randomness by injecting high power packets in the network. while the connection between the gateways and the central Such an attack has been a critical security issue for nodes server are handled over a backbone Internet Protocol(IP)-based using LoRaWAN v.1.0. Some existing works in [29]–[32] have network [23]. The data rate of LoRa networks is determined analyzed the replay attack scenarios in the context of the LoRa by the spreading factor (SF). Higher SF corresponds to lower network when a node attempts to join the network. data rates and in turn, long-range communication. A very When the network server receives a join request message, low data rate (0.3-50 kbps depending on the frequency band) it checks if the DevNonce is used from the pool of last enables LoRa to cover long-range communication (1-2 miles). DevNonce (ND) not used. If the number matches, the join However, it also increases the on-air transmission time in request is rejected. For a given number of join requests per the order of 3 seconds (depending on the payload). This is day per device, a higher value of ND means that an attacker a unique feature of LoRa network when the security risks has to wait for a longer time to use a DevNonce. In paper [33] of the nodes in the network are not the same even when the authors have experimentally shown using LoRa hardware these nodes use single-hop for communication. Therefore, it SX1272 [34] that random number generator (RGB) can be makes LoRa network susceptible to different kinds of Denial comprised in the presence of a jammer which can make the of Service (DoS) attacks, including jamming, replay attacks, LoRa end-device to repeat DevNonce. In the SX1272 Radio and eavesdropping and in different variability depending on Frequency chip, the N-bit random number is obtained from the distance of the LoRa nodes from the gateway. the LSB (least significant bit) of the register RegRssiWideband DoS attacks are launched to destroy the availability of one (address 0x2c). It is assumed that the LSB continually changes or multiple nodes. For example, an adversary may physically due to noise and radio channel behavior and therefore used a tamper an end device to disable its duty or make it transmit source of random number generator. A high power jammer interference signals, or it can sniff the packets in wireless chan- can make the register value constant, and the DevNonce value nels and selectively jam a particular portion of end devices.