Speaking at The Symposium on Security for Asia Network (SyScan) in Singapore, Rob Miller, senior security consultant at MWR InfoSecurity, has detailed how to build LoRa systems that are provably secure against cyber-attack.
Despite LoRa being relatively new standard, its low-power, long-range credentials make it a candidate for a number of cutting edge-applications, meaning adoption is now accelerating at a significant pace. With industries now trying to take advantage of this emerging protocol, MWR noticed a lack of practical LoRa security guidance available and sought to close the gap.
Explaining the use case for LoRa, Miller said, “Long range radio protocols, like GSM and WiFI, draw a lot of power making them unsuitable for smaller or remote devices, while In contrast low power solutions, like ZigBee or BTLE, are limited in range to tens of meters.
So, there is a need for a long range solution that only sends occasional, small amounts of data that could run off a battery for years. LoRa, and its primary protocol LoRaWAN, addresses this gap in the market. It is intended for systems that require the ability to send and receive low amounts of data over a wide range without high power costs.”
In conducting the research, Miller noted that while several effective security features are designed into LoRa, companies should not consider the protocol secure out of the box. “Simply stating that a technology ‘uses AES-128 encryption’ does not mean that solutions using this technology are therefore secure.
It should be clear to all developers of LoRa solutions that using LoRa does not guarantee security. Instead they should build LoRa solutions with the potential attacks in mind.
“Given that LoRa will form part of a complex IT solution means that security vulnerabilities are a likely occurrence during development. Similarly given that LoRa solutions are being used in systems ranging in use from home security through to monitoring and controller infrastructure, attacks and development of exploits against these systems are also likely,” he added.
Miller concluded that, “Secure systems can be developed by understanding LoRa’s security features, as long as developers accept that they are not a silver bullet for security. A secure solution can be developed by considering cyber-security at every stage. Knowing the different ways that a LPWAN solution can be attacked allows a system to be developed built to defend, detect and respond to cyber-attacks.”
An MWR Labs whitepaper with guidance on securing this protocol is available here: https://labs.mwrinfosecurity.com/publications/lo/
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow
