LoRaWAN security vulnerabilities exposed
October 18, 2016
Certain documents from the LoRa Consortium show that LoRaWAN uses the AES 128 algorithm to encrypt messages. However, according to French IT security specialist Renaud Lifchitz, in reality the AES 128 algorithm is only used to generate a stream of keys, a so-called “keystream”, that is simply XOR-ed with the data. The result is non-optimal encryption that can be deciphered by a sufficiently determined attacker.
XOR-ing data and keys creates encrypted messages with the same length as the key, a useful hint for hackers. Furthermore, the keystream is reinitialised at session start and may be identical to a previously used keystream, which in that case allows old messages to be resent. XOR-ing two messages that were encrypted with the same keystream partly decodes both messages. Finally, when the contents of a message are known, it is possible to recover the keystream, which allows future messages to be deciphered.
Another weakness lies in the identification and connection process. Every gateway periodically sends its ID to the server. If the ID is known, information which apparently is not too difficult to obtain, the gateway can be “overruled” by a malicious gateway that simply sends this ID at a higher rate than the real one.
The main weakness, however, remains the hardware that communicates over LoRa. Often these are simple systems with unprotected memory, debug ports and naïve AES implementations that can easily be compromised. As always, a system is only as strong as its weakest link.
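The keystream-reuse properties described above, as an added illustration (not code from the original article or from the LoRaWAN specification). It assumes a SHA-256 stand-in for the AES-derived keystream; the key, counters and sensor messages are constructed samples, and `reused_counters` is a hypothetical audit helper.

```python
import hashlib

def keystream(key: bytes, counter: int, length: int) -> bytes:
    # Stand-in generator (SHA-256 over key|counter|block), NOT LoRaWAN's AES-based one.
    out = b""
    block = 0
    while len(out) < length:
        data = key + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(data).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, counter: int, plaintext: bytes) -> bytes:
    # Stream encryption: ciphertext = plaintext XOR keystream (decryption is identical).
    return xor(plaintext, keystream(key, counter, len(plaintext)))

def reused_counters(counters):
    # Hypothetical audit helper: counters seen more than once under one key.
    seen, repeated = set(), []
    for c in counters:
        if c in seen and c not in repeated:
            repeated.append(c)
        seen.add(c)
    return repeated

# Constructed sample data: one key, two sessions that both start counting at 1.
KEY = bytes(range(16))
P1 = b"temp=21.5C door=closed"
P2 = b"temp=19.0C door=open".ljust(len(P1))
C1 = encrypt(KEY, 1, P1)   # first session, counter 1
C2 = encrypt(KEY, 1, P2)   # after re-initialisation, counter 1 again
C3 = encrypt(KEY, 2, P2)   # fresh counter, fresh keystream

def demo() -> dict:
    return {
        "same_length": len(C1) == len(P1),
        "xor_cancels_keystream": xor(C1, C2) == xor(P1, P2),
        "known_plaintext_recovers": xor(xor(C1, P1), C2),
        "fresh_counter_differs": xor(xor(C1, P1), C3) != P2,
        "repeated": reused_counters([1, 2, 3, 1]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last two results show the mitigation: a counter that never repeats under one key yields an unrelated keystream, and a repeated counter is something a server can flag.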
BTW, LoRa’s competitor Sigfox isn’t much more secure.