Professional Documents
Culture Documents
Security Analysis of Lorawan Join Procedure For Internet of Things Networks
Security Analysis of Lorawan Join Procedure For Internet of Things Networks
Security Analysis of Lorawan Join Procedure For Internet of Things Networks
Abstract—Currently one of the most established protocols typically once per day to confirm the presence of nodes in
for machine to machine (M2M) communications is LoRaWAN, the network. In order to participate in a LoRaWAN network,
designed to provide low power wide area network with fea- each end device has to be personalized and activated. The
tures specifically needed to support low-cost, mobile, secure bi-
directional communication for the Internet of Things (IoT). In activation can be achieved in two ways, either via Over-The-
this context security is of pivotal importance, as IoT constitutes Air-Activation (OTAA) when an end device is deployed or
a pervasive network of devices highly integrated with our reset, or via Activation By Personalization (ABP) in which
daily life. In this paper we examine key security issues of the two steps of personalization and activation are done as
the procedure used in LoRaWAN to allow an end device to one step [3, Ch.6]. Here we focus on the OTAA procedure.
establish a connection with the network server. We have identified
vulnerabilities in this protocol, in particular with reference to the The procedure provides an exchange of two messages between
use of a random number in the join procedure packet, meant the end device and the network server (join request and join
to prevent replay attacks. We first discuss the options that a accept messages). In order to avoid replay attacks of the join
network server has when detecting a replay attack and then we request, a random number (denoted DevNonce) is included in
examine a) the possibility that a legitimate receiver is considered the transmitted packet, and the network server controls if the
an attacker because of the random number generation issues
and b) the possibility for an attacker to exploit this protocol to DevNonce has been already used by the same device.
generate a denial of service (DoS). A wide set of experiments has
been conducted using a widely used LoRaWAN chip showing the
vulnerabilities of the protocol. Various security problems are related to this procedure and
Index Terms—LoRa; LoRaWAN; Internet of things (IoT); are addressed in this paper. First, it is possible that the random
Authentication; Random Number Generator; Security. generator of the device generates the same DevNonce: we
assess the probability of this event and the possible actions that
I. I NTRODUCTION can be taken by the network server. Second, it is not trivial to
have a truly random generator for DevNonce, especially for
Internet of Things (IoT) is going to take a major place
low-cost devices. In the SX1272 transceiver [6] the random
in the telecommunications market as announced in technical
bit sequence is obtained collecting the least significant bit of
and public medias [1]. The paradigm of IoT relies on the
the received signal strength indicator (RSSI). We analyze key
deployment of billions of objects having the capability of
parameters to establish the quality of this random number
transmitting information about their context and environment
generator, indicating specific attacks that can be performed
and to create a real-time, secured and efficient interaction
to reduce the randomness of the obtained number, down to
between the real and the virtual worlds. IoT has been identified
the generation of a constant number. The success of this
as a target for the future 5G communication system, while
attack would lead to a denial of service (DoS) since one or
several proposals already exist to adapt the 4G technologies
more nodes would not be able to access the network. A wide
to IoT. Nevertheless the IoT paradigm may present some
set of experiments has been conducted using the WiMOD
very specific features that require new network deployments,
SK-iM880A [18] device, showing the vulnerabilities of the
such as low power wide area networks (LPWAN). Among
protocol.
the various LPWAN technologies we focus in this paper on
LoRaWAN.
Since LoRaWAN is a recent protocol, many aspects are not The rest of the paper is organized as follows. We first
so clearly or well defined. Moreover some features seem to be analyze the join procedure and suggest two polices of the
critical from a security perspective [5]. It should be possible network server in case of a replay attack in Section II. Section
to use LoRa solutions securely to protect against man in the III analyzes the security issues of the random generator,
middle attacks affecting the confidentiality and integrity of which is used for the generation of the DevNonce and outline
data. LoRa also provides ways for developers to securely add possible attacks by a node intending to generate a DoS. A wide
new nodes to the network. set of experimental results with the SX1272 transceiver are
In this paper we focus on the procedure protocol by which then presented and discussed in Section IV, before conclusions
a node join a LoRa network. The join protocol is also run are outlined in Section V.
𝑁 𝑚𝑎𝑥 7300
ℙ[𝑑𝐾 ∈ 𝑆] = 𝐷16 = ≃ 0.11. (7) 0.7
2 65536 0.6
So it is relatively probable to generate an already stored used
P off
0.5
DevNonce in the last days of life of an end device. However,
the device can send a join request until a valid DevNonce is 0.4
𝑚𝑎𝑥
created. So the choice of using 𝑁𝐷 ≥ 𝑁𝐷 should be the 0.3 ND = 10
this case we must be sure that both the network server and The pseudo-random generator described above provides
the end device know the last used DevNonce value, which is 𝐻min (𝑋) = 1 bit, which corresponds to the possibility of
obtaining the all-zero secret key with probability of one half. In case a) the RegRssiWideband register will store the
The National Institute of Standards and Technology (NIST) maximum value (all ones in binary format) since the receiver
in [15] specifies the design principle and requirements for power is higher than maximum value and remains constant in
the entropy sources used by random bit generators (RBGs), time. Indeed, if the saturation value is significantly exceeded,
and the tests for the validation of entropy sources. In [15] an the probability that noise brings the power below saturation is
entropy source model is described, including a noise source, very low. In order to saturate the receiver we must transmit
an optional conditioning component and a health testing a high power signal. However, it is not easy to constantly
component. saturate the receiver due to the presence of the automatic gain
Noise source: The noise source is the root for the control (AGC) in the end device, which attenuates the received
entropy source. This component contains a non-deterministic, signal even for high power values (obtained by placing two
entropy-providing activity that is ultimately responsible for the LoRa devices very close to each other). However we have
uncertainty associated with the bit strings. also to consider the response time of the AGC: if a device
Conditioning component: The optional conditioning alternatively transmits with high and low power, the saturation
component is a deterministic function responsible for reducing of the RSSI value is possible for few instants. We will discuss
bias and/or increasing the entropy rate of the resulting output this option in more details in the next Section.
bits. In case b), since the RegRssiWideband value is quantized,
Health tests: Health tests are intended to ensure that it is possible that with a high and constant received power,
the noise source and the entire entropy source continues to the value written in the register changes negligibly, becoming
operate as expected. The end goal is to obtain assurance that de facto constant in time (if the received power is constant).
failures of the entropy source are caught quickly and with a Note that we do not need very high power in this case, as it
high probability. Another aspect of health testing strategy is was the saturation attack.
determining likely failure modes for the entropy source and,
IV. E XPERIMENTAL R ESULTS
in particular, for the noise source.
We have performed a set of experiments with the WiMOD
A. RBG of SX1272 SK-iM880A device, investigating the performance of the De-
We focus in this paper on the procedure used in the SX1272 vNonce generator a) without attacks, and b) in the presence
modem by Semtech. In this chip [6, Ch.4] an 𝑁 -bits random of a jammer.
number is obtained by performing 𝑁 read operation of the
A. Performance Without A Jammer
least significant bit (LSB) of the register RegRssiWideband
(address 0x2c). The value from RegRssiWideband is derived We first have assessed the performance in the absence of
from a wideband (4 MHz) signal strength at the receiver attacks. We are interested in random bit generator and in
input every 1 ms. It is assumed that the LSB constantly and the accuracy of the DevNonce random generator. For the
randomly changes due to the noise and radio channel behavior random bit generator we have computed from experiments the
(reflections, fading, shadowing, interference). sampling probabilities of generating zeros and ones, denoted
With respect to the NIST model, the RSSI is the noise 𝑃 [0] and 𝑃 [1] respectively, and the probability to generate
source. The output of the digitization process corresponds sequences of bits. In order to assess the performance of the
to the value written in the RegRssiWideband register that DevNonce random generator we estimate its entropy and min-
goes from 𝑠 to 𝑠 + 127 dBm, where 𝑠 is the sensitivity entropy, defined in (9) and (10).
level, and with step of 0.5 dB. Finally the selection of the For the random bit generator, Table I shows the sampling
LSB in the register corresponds to the post-processing or to probabilities obtained by experiments, where we focused on
the conditional component, aiming at reducing biases of the sequences of one or two bits. We observe that the probabilities
entropy sources. of generating a 1’s and 0’s are slightly unbalanced, and we
We note that in this procedure no health test is provided, have observed that the displacement is due to the receiver
thus making the system more vulnerable to attacks. saturation. On the other hand generated bits are independent,
at least as long as we observe two consecutive bit generations
B. Attacks on RBG since
We now consider two attacks to reduce the randomness of 𝑃 [00] = 𝑃 [0]2 = 0.4682 = 0.219
the random bit generator: 𝑃 [01] = 𝑃 [0] ⋅ 𝑃 [1] = 0.468 ⋅ 0.532 = 0.249
a) We induce saturation of the receiver by high power (11)
𝑃 [10] = 𝑃 [1] ⋅ 𝑃 [0] = 0.532 ⋅ 0.468 = 0.249
jamming;
b) We jam the receiver with a fixed power (not inducing 𝑃 [11] = 𝑃 [1]2 = 0.5322 = 0.283
saturation) in order to force a given RSSI value. are approximately equal to the sampling probabilities.
In these two cases the LoRa end device is susceptible to a For the DevNonce generation performance, we have ob-
DoS attack. Indeed, the value of DevNonce will be the same tained 𝐻(𝑥) = 15.90 and 𝐻min (𝑋) = 14.20. Note that for
whenever a new join procedure is triggered by the end device an ideal random bit generator (with equal probabilities for the
and the network server will discard the join-request message. two values) we should have 𝐻(𝑥) = 𝐻min = 16. With the
Table I Table III
R ANDOM B IT G ENERATOR W ITHOUT JAMMER . D EV N ONCE G ENERATOR W ITH JAMMER AT 1 M .
Table II Table IV
R ANDOM B IT G ENERATOR WITH JAMMER AT 1 M . R ANDOM B IT G ENERATOR WITH JAMMER AT 0.35 M .
Parameter 1st exp 2nd exp Parameter 1st exp. 2nd exp.
Message random ones Modulation LoRa LoRa
P[0] 0.554 0.446 Message random ones
P[1] 0.446 0.554 P[0] 0.494 0.569
P[00] 0.309 0.203 P[1] 0.506 0.431
P[01] 0.245 0.243
P[10] 0.245 0.243
P[11] 0.201 0.311 range of the analog to digital converter (ADC). However, there
is a delay in the adaptation, so when the jammer starts its
transmission the AGC increases the attenuation but the first
practical random generator of the WiMOD SK-iM880A device RSSI measurements still show saturations. The same occurs at
on average, every number is repeated every 215.9 ≃ 61147 the end of a jammer transmission, where the sudden drop of
times. From the min-entropy we obtain that the most probable received power is not immediately compensated by the AGC,
value appears on average every 214.2 ≃ 18820 generations therefore we still have some saturation. Since saturations are
instead of 216 = 65536. Using the results of the previous associated to fixed least significant bits, by alternating on and
section, on average the most probable value is regenerated off phases of the jammer we can induce saturations at the
after 18820
7300 = 2.6 lives. legitimate receiver, therefore determining the DevNonce.
Lastly, we have estimated the value of 𝜌, whose theoretical We now examine the generation of DevNonce, whose
value when using an ideal random bit generator has been performance is reported in Table III. We observe that entropy
derived in (8). From the experiments we obtained 𝜌 = 320.6 and min-entropy are similar to those obtained without jammer.
which is very close to the value provided by (8), thus proving In particular the best values are achieved when a string of
the appropriateness of the random generator in the absence of ones is transmitted. Concerning the last parameter in Tab. III,
an attacker. instead, we can observe that the slightly increment of the non-
uniformity on the bit generation probability brings a slightly
B. Performance With a Jammer decrease on the value of the first regeneration, with respect
We now analyze the performance when a jammer is ac- of that evaluated theoretically, even if the reduction is not so
tive, where the jammer is another WiMOD SK-iM880A, relevant (around 5%).
transmitting in LoRa mode with power of 14 dBm. Due to However, at a distance of 1 m, other phenomena such as
the jammer transmissions, we expect for example that the channel fluctuations that are different from thermal noise seem
legitimate receive saturates more often, thus increasing the to be still relevant. For this reason we set the jammer closer
unbalance between 𝑃 [0] and 𝑃 [1]. to the receiver, in order to decrease the contribution of this
We first position the jammer at a distance of 1 m from the phenomena. We now position the jammer at a distance of
legitimate receiver. Two experiments have been conducted: in 𝜆 ≃ 0.35 m. Also in this case two experiments have been
the first a random message is transmitted by the jammer, in conducted: in the first experiment we transmitted a random
the second a string of ones is transmitted by the jammer (thus message; in the second we transmitted a message containing
yielding a constant power). Table II shows the probabilities of a string of ones.
bit generation. Also in this case, two consecutive generations With reference to Table IV, we observe more different
of a bit seem to be independent. However, with a jammer, the results for the two experiments. For example in the first case
displacement between 𝑃 [0] and 𝑃 [1] is incremented. we obtain a quite uniform probability to generate a 0 or a 1
As anticipated in Section III.B we have observed is that, bit, due probably to the variance of the message that actually
at the beginning and at the end of a jammer transmission appears as random noise at the receiver.
saturation of the legitimate receiver occurs. This is due to the Furthermore, as seen in previous sections, since the variance
AGC of the receiver that attempts to adjust the attenuation of the message is higher, the AGC works with lower efficiency
of the received signal in order to exploit at best the dynamic and we obtain a relatively high value of RSSI. Moreover if the
variance of the message is small the most probable value of DoS attacks. Further investigations are needed to assess other
RSSI is quite similar to that obtained at a distance of 1 m attacks such as the alternation of on and off phases of the
in the same setting. This confirms the hypothesis that AGC attackers to yield saturation of the legitimate receiver, thus
attempts to set the receiver in the same condition (of variance yielding to a fixed DevNonce number.
and mean), independently on the received power; however if
ACKNOWLEDGMENTS
the variance of message is relevant the AGC cannot properly
follow the input dynamics. We would like to thank Ivano Calabrese from Patavina
In the second experiment, instead, we obtain an unbalanced Techologies for his support.
probability of generation of bits similar to the case of jammer R EFERENCES
at 1 m.
[1] C. Goursaud, J.M. Gorce, Dedicated networks for IoT : PHY / MAC
state of the art and challenges, EAI endorsed transactions on Internet
Table V of Things, 2015.
D EV N ONCE G ENERATOR W ITH JAMMER AT 0.35 M . [2] http://www.semtech.com/wireless-rf/lora/LoRa-FAQs.pdf
TM
[3] N. Sornin, M. Luis, T. Eirich, T. Kramp, O. Hersent, LoRaWAN
Parameter 1st exp. 2nd exp. Specification, January 2015.[Online]. Available: https://www.lora-
alliance.org/portals/0/specs/LoRaWAN%20Specification%201R0.pdf
Message random ones [4] http://www.radio-electronics.com/info/wireless/lora/lorawan-network-
𝐻(𝑋) 15.94 15.84 7 architecture.php
[5] R. Miller, LoRa Security - Building a Secure
𝐻min (𝑋) 14.10 12.66 LoRa Solution, MWR Labs. [Online]. Available:
𝜌 293.8 271.1 https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-LoRa-security-
guide-1.2-2016-03-22.pdf
[6] Semtech, Recommended SX1272 Settings for EU868 LoRaWAN
We now analyze the performance of the DevNonce genera- Network Operation, January 2015.[Online]. Available:
http://www.semtech.com/images/datasheet/an1200.23.pdf
tor, reported in Table V. In the first experiment, with a random [7] https://github.com/Lora-net/LoRaMac-node/tree/master/src
message transmitted by the jammer, the results are similar to [8] https://www.libelium.com/contact/#buy
those with jammer at 1 m and without jammer. In the second [9] Libelium, Waspmote Datasheet.[Online]. Available:
http://www.libelium.com/downloads/documentation/waspmote_datasheet.pdf
experiment, instead, the most relevant value is the min-entropy, [10] Semtech, SX1272/73 Datasheet.[Online]. Available:
that is lower than in the other cases. A min-entropy of 12.66 http://www.semtech.com/images/datasheet/sx1272.pdf
means that the most probable value is generated, on average, [11] S.Antipolis, P. Girard, Low Power Wide Area Net-
works security,December 2015.[Online]. Available:
every 6451.6 procedures. https://docbox.etsi.org/Workshop/2015/201512_M2MWORKSHOP/
Finally, with a jammer at distance 𝜆, the reduction of S04_WirelessTechnoforIoTandSecurityChallenges/GEMALTO_GIRARD.pdf
the first regeneration value is more relevant in the first and [12] http://www.link-labs.com/when-should-the-lorawan-specification-be-
used/
second experiment. The decrease is up to 18% in the second [13] http://www.link-labs.com/lora-for-control-lighting-locks-and-demand-
experiment (that has the lowest min-entropy). response/
[14] Joseph J. Carr, The technician’s radio receiver handbook, Newnes, 2001.
V. C ONCLUSIONS [15] E. Barker, J. Kelsey, Recommendation for the Entropy Sources
Used for Random Bit Generation, NIST DRAFT Special
In this paper we have examined the security of the join Publication 800-90B, Second Draft, January 2016. [Online].
procedure of the LoRa protocol. We have highlighted various Available: http://csrc.nist.gov/publications/drafts/800-90/sp800-
issues, in particular we have examined the probability of a 90b_second_draft.pdf
[16] D. Eastlake, J. Schiller, S. Crocker, Randomness Requirements for Secu-
DoS even without the presence of an attacker, due to the re- rity, June 2005. [Online ]. Available: https://tools.ietf.org/html/rfc4086
generation of an already used DevNonce by the end device. [17] Wikipedia, Random Number generation. [Online]. Available:
We have considered the options available at the network node https://en.wikipedia.org/wiki/Random_number_generation
[18] http://www.wireless-solutions.de/products/starterkits/sk-im880a.html
in case a replay attack is detected and their consequences. [19] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh,
We then examined the random number generator used in the M. Levenson, M. Vangel, D. Banks, A. Heckert, J. Dray, S.
SX1272 modem and we have proposed attack strategies by Vo, A Statistical Test Suite for Random and Pseudorandom
Number Generators for Cryptographic Applications, NIST DRAFT
a malicious device aiming at generating DoS. Experimental Special Publication 800-22 Revision 1a, 2010. [Online]. Available:
results show the inaccuracies of the current implementation of http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
the random number generator and potential vulnerabilities to 22r1a.pdf