Long Range Wide Area Network (LoRaWAN) devices have been hacking targets for quite some time. We dive into attacks that malicious actors can use against vulnerable LoRaWAN devices, and review the state of LoRaWAN security. This is the first in a three-part series.
What is the difference between LoRa and LoraWAN?
LoRa and LoRaWAN are the two hottest wireless communication technologies in IoT, and it is hard for many people who are new to IoT to distinguish the difference between LoRa and LoraWAN.
First, let’s know about the difference between LoRa and LoraWAN technologies.
What is a Lora gateway and what does it do?
LoRa gateways use different frequency extension factors and different frequency extension factors, and can therefore theoretically demodulate multiple frequency extension factors in the same channel. Gateways and web servers are connected via standard IP, and endpoints communicate with one or more gateways via a single hop.
This is presentation by Keysight technologies on 5G NR Dynamic Spectrum Sharing. Very well articulated presentation as always by Keysight. Details on the 3GPP support for NR DSS implementation in LTE bands in Rel 15 and Rel 16.
This document introduces Sigtran, a protocol suite defined by the IETF to transport signaling data like SS7 over IP networks. It describes the key components of Sigtran, including SCTP as the new transport protocol and various User Adaptation layers that allow SS7 and ISDN protocols to run over SCTP and IP. SCTP was created to address limitations of TCP for carrying time-sensitive signaling data and includes features like multi-streaming and structured message transport that make it more suitable than TCP for this purpose. The document outlines the full Sigtran protocol stack and how it maps existing signaling protocols to the new transport layers.
The document describes IEEE 802.16j multi-hop relay networks. It outlines the benefits of using relay stations such as coverage extension and throughput enhancement. It discusses key concepts like relay links and access links. The document also provides details on relay station network entry procedures including scanning, synchronization, ranging, registration. It explains relay frame structure and functional blocks. Finally, it summarizes procedures like neighbor measurement reporting, access station selection, and operation parameter configuration.
Sigtran and SS7 over IP technologies allow the transport of SS7 signaling over an IP network. Sigtran defines protocols like SCTP and M3UA that encapsulate SS7 and ensure reliable delivery over IP. A phased deployment strategy migrates SS7 links onto IP in stages to test performance before full conversion. Testing focuses on priority, failure handling, latency, and interoperability to ensure equivalent functionality over IP.
Cisco discovery drs ent module 6 - v.4 in english.igede tirtanata
The document contains multiple choice questions about OSPF routing. It tests knowledge of OSPF concepts like DR/BDR election, network types, route calculation, and configuration. The questions cover topics such as OSPF network statements, adjacency formation between routers, and using OSPF in different network types.
The document provides an agenda and overview of Ulticom's Signalware SIGTRAN software as it relates to Vodafone Italy's NP project. It discusses SIGTRAN and its components SCTP and M3UA, and how Signalware implements these protocols. It describes Signalware's architecture, and how M3UA is used between the application server and signaling gateway. It also covers installation, configuration, operation and monitoring of Signalware M3UA.
What is the difference between LoRa and LoraWAN?
LoRa and LoRaWAN are the two hottest wireless communication technologies in IoT, and it is hard for many people who are new to IoT to distinguish the difference between LoRa and LoraWAN.
First, let’s know about the difference between LoRa and LoraWAN technologies.
What is a Lora gateway and what does it do?
LoRa gateways use different frequency extension factors and different frequency extension factors, and can therefore theoretically demodulate multiple frequency extension factors in the same channel. Gateways and web servers are connected via standard IP, and endpoints communicate with one or more gateways via a single hop.
This is presentation by Keysight technologies on 5G NR Dynamic Spectrum Sharing. Very well articulated presentation as always by Keysight. Details on the 3GPP support for NR DSS implementation in LTE bands in Rel 15 and Rel 16.
This document introduces Sigtran, a protocol suite defined by the IETF to transport signaling data like SS7 over IP networks. It describes the key components of Sigtran, including SCTP as the new transport protocol and various User Adaptation layers that allow SS7 and ISDN protocols to run over SCTP and IP. SCTP was created to address limitations of TCP for carrying time-sensitive signaling data and includes features like multi-streaming and structured message transport that make it more suitable than TCP for this purpose. The document outlines the full Sigtran protocol stack and how it maps existing signaling protocols to the new transport layers.
The document describes IEEE 802.16j multi-hop relay networks. It outlines the benefits of using relay stations such as coverage extension and throughput enhancement. It discusses key concepts like relay links and access links. The document also provides details on relay station network entry procedures including scanning, synchronization, ranging, registration. It explains relay frame structure and functional blocks. Finally, it summarizes procedures like neighbor measurement reporting, access station selection, and operation parameter configuration.
Sigtran and SS7 over IP technologies allow the transport of SS7 signaling over an IP network. Sigtran defines protocols like SCTP and M3UA that encapsulate SS7 and ensure reliable delivery over IP. A phased deployment strategy migrates SS7 links onto IP in stages to test performance before full conversion. Testing focuses on priority, failure handling, latency, and interoperability to ensure equivalent functionality over IP.
Cisco discovery drs ent module 6 - v.4 in english.igede tirtanata
The document contains multiple choice questions about OSPF routing. It tests knowledge of OSPF concepts like DR/BDR election, network types, route calculation, and configuration. The questions cover topics such as OSPF network statements, adjacency formation between routers, and using OSPF in different network types.
The document provides an agenda and overview of Ulticom's Signalware SIGTRAN software as it relates to Vodafone Italy's NP project. It discusses SIGTRAN and its components SCTP and M3UA, and how Signalware implements these protocols. It describes Signalware's architecture, and how M3UA is used between the application server and signaling gateway. It also covers installation, configuration, operation and monitoring of Signalware M3UA.
SS7 and SIGTRAN technologies continue to be important for connecting new and existing networks due to their proven reliability and ability to support legacy infrastructure. They enable critical applications like value-added services, IP Multimedia Subsystem (IMS) adoption, and the rollout of 4G/LTE networks. Vendors offer integrated hardware modules and software solutions using SS7 and SIGTRAN to help telecom providers accelerate development and reduce costs.
M3UA is a protocol that allows legacy SS7 networks to be integrated with IP networks. It provides a way to transport SS7 signaling protocols like ISUP, SCCP, and TUP over IP using SCTP. M3UA is commonly deployed as an application server process that acts as a gateway, allowing SS7 networks to interface with IP-based networks. This allows telephony services to take advantage of IP networks while maintaining reliability. M3UA can be configured in a point-to-point or gateway setup.
OSPF- Open Shortest path first, had conveyed the details of OSPF routing explaination which comes under Dynamic routing protocols and also configured OSPF Multi-area with the help of CISCO Packet tracer. The persons who were Pursuing CCNA will gain more exposure on overviewing this.
RRC protocols in LTE help manage radio resources and signaling between the UE and network. Key aspects include:
1. RRC defines two UE states - RRC_CONNECTED for active data transfer and RRC_IDLE for idle/paging.
2. Signaling Radio Bearers (SRBs) carry RRC and NAS messages using different logical channels.
3. System information is broadcast on common channels, informing UEs of network configurations and neighbor cells.
4. Handover between cells is supported through the X2 interface for intra-LTE handovers and inter-RAT handovers to other technologies like UMTS or GSM.
SS7 is a signaling system originally designed for telephone call setup and management between telephone exchanges and customer equipment. It has been developed to transport data and video traffic as well. SS7 uses out-of-band signaling where signaling information is carried on a separate channel from user data. The SS7 protocol stack includes layers like MTP1-3 for transport and routing, SCCP for additional routing functions, and TCAP to support special services through transactions between switches. A basic SS7 network consists of SSP, STP, SCP connected by signaling links to route messages for services like 800 calls.
The document provides an overview of the IEEE 802.11 MAC protocol through a presentation. It discusses topics such as IEEE 802.11 layers, channels, infrastructure networks, ad hoc networks, joining a network, synchronization, communication approaches, MAC functionality including PCF and DCF, encryption, fragmentation, management functions, and MAC frame formats. The presentation was given on May 9th, 2001 by Mahdi Ahmed Jama to provide an introduction to the IEEE 802.11a MAC protocol.
Here are the answers to the review questions from the document:
1. List at least three significant events in the evolution of CDMA networks:
- 1948 John Pierce describes CDMA Multiplexing
- 1956 "Antimultipath" RAKE receiver patented
- 1970s CDMA used in several military communication and navigation systems
2. List the four main network subsystems of UMTS Release 99:
- UTRAN
- CN
- NMS
- Service Platform
3. Name the four basic air interface access technologies:
- TDMA
- FDMA
- CDMA
- OFDMA
This document provides an overview of the network architecture and signalling protocols in UMTS networks. It describes the main network elements of UTRAN, UE and CN. It explains the interfaces between these elements and the protocols used for communication, including RRC for UE-RNC signalling, RANAP for RNC-CN signalling, and NAS protocols for non-access signalling between UE and CN. It also summarizes the protocol stacks used over the Iu interfaces between RNC and CN for circuit-switched and packet-switched domains.
This document discusses key aspects of GSM networks including:
- The network architecture consisting of mobile stations, base transceiver stations, base station controllers, mobile switching centers, home location registers, and other entities.
- The functional layers of GSM including the application, service carrier, connection management, mobility management, and radio resource layers.
- The air interface using TDMA/FDMA, channel structures, and physical and logical channel types.
- Factors that influence system capacity such as Erlang measurement of traffic intensity and grade of service.
- Network planning considerations for omni-directional and directional cell modes.
The document provides an overview of LTE (Long Term Evolution) Release 8. It discusses key requirements for LTE such as supporting high data rates, low latency, and an all-IP network. It describes the network architecture including components like eNodeB, MME, S-GW, and P-GW. It also covers functionality of these components and the protocol stack consisting of PDCP, RLC, MAC, and RRC layers. Mobility management, QoS, and comparisons to other technologies like HSPA+ and WiMAX are also summarized.
WCDMA uses spread spectrum technology to allow multiple users to access the same frequency band simultaneously. It spreads user data over a wide bandwidth through multiplication with unique spreading codes. At the receiver, the desired user's signal is recovered through correlation with the same spreading code. WCDMA employs RAKE receivers to combine signals from different propagation paths using maximal ratio combining for improved reception. Power control is used to manage interference between users communicating over the same frequency channel.
This document provides summaries of key concepts in GSM RF including:
1) GSM PLMN services including bearer, tele, and supplementary services.
2) GSM 900 and DCS 1800 uplink and downlink frequency ranges.
3) Ciphering and authentication processes to encode transmissions and verify identities.
4) Equalization, interleaving, and other techniques used to extract signals and spread data across timeframes.
HIPERLAN is a European standard for wireless local area networks (WLANs) developed by ETSI to provide high performance networking comparable to wired Ethernet networks. HIPERLAN 1 operates in the 5GHz band and uses a frequency hopping spread spectrum technique along with advanced MAC and PHY layer protocols to provide data rates up to 23Mbps and support both asynchronous and isochronous traffic. HIPERLAN 2 is under development and aims to be compatible with asynchronous transfer mode networking to provide quality of service guarantees over wireless links.
The document provides an overview of LTE technology including:
- LTE is becoming the de facto standard for 4G mobile networks due to its high data rates and ability to work with existing network infrastructure.
- Key LTE technologies allow for flexible use of spectrum and high throughput including OFDMA, MIMO, and adaptive modulation.
- LTE network components include the UE, eNB, MME, S-GW, and P-GW which work together to route data and control connectivity.
- Frame structures in LTE divide transmissions into 10ms frames for efficient scheduling of resources.
The document provides a basic introduction to SS7 (Signaling System 7) including:
1. SS7 defines the elements and procedures for user identification, routing calls, billing, and managing calls on a global scale.
2. SS7 uses out-of-band signaling over high-speed dedicated data links and employs protocols like ISUP and TCAP to set up and tear down calls between network elements.
3. Key SS7 network elements include SSPs, STPs, and SCPs which work together to determine routing and provide supplementary services for calls.
The document discusses the Bluetooth protocol. It provides details on Bluetooth properties like short-range wireless communication in the 2.4GHz band using frequency hopping. It describes Bluetooth profiles, usage cases, architecture including layers like L2CAP and protocols like LMP. Pairing, networks, testing qualifications are also summarized.
Low-power wide area networking technology offers long-range communication, enabling new types of IoT services. LoRaWAN is one of the most adopted solutions, providing ubiquitous connectivity for outdoor applications. However, its capabilities and limitations are not well understood. The authors provide an impartial overview of LoRaWAN's limitations to avoid unrealistic expectations, discussing use cases where it works and does not work, and listing open research questions.
Effects of Shadowing on LoRa LPWAN Radio Links IJECEIAES
LoRaWAN is a long-range, low-power, wireless telecommunications method; expected to play a big role for the Internet of Things. End appliances use LoRaWAN through a single wireless hop to communicate with gateways linked to the Internet that function as transparent bridges relaying messages amongst these end-devices and a central network server. This technology youtes a combination of extended range, low power utilization and protected data communication and is gaining significant traction in IoT networks being deployed by wireless network operators. However, no comprehensive evaluation of the technology exists in the open literature. The main intention of this paper is to investigate the effects of shadowing on LoRaWAN links and analyze the performance in terms of packet loss ratio for different physical layer settings. Results indicate large differences in performance when shadowing is taken into consideration upsetting the expected performance tremendously.
What are the Benefits of LoRaWAN Technology?
Today, we talk about the seven benefits of LoRaWAN technology application.
In December 2021, LoRaWAN officially became the ITU International Standard for Low Power Wide Area Networks and has been endorsed by the International Telecommunication Union (ITU).
LoRaWAN is developed as an open standard and has been widely recognized by the low power wide area network community. The rapid adoption of this standard for global IoT low-power wide-area networks is a testament to its universality.
LoRaWAN is now a very popular LPWA communication standard that uses unlicensed radio spectrum in the ISM (Industrial, Scientific, Medical) band at frequencies ranging from approximately 433 MHz to 868 MHz, 915 MHz (standards vary around the world).
In the IoT connectivity environment, in addition to smart home networking and office space scenarios, many IoT devices will be connected and communicated in remote environments where the new environment will be inaccessible and require power connections due to M2M transmission coverage limitations.
Check out slides presented by Mo Haghighi, Research Scientist at Intel Labs Europe, which explore how to solve urban challenges at the Olympic Park. These slides were presented at Digital Catapult's LPWAN London meetup.
SS7 and SIGTRAN technologies continue to be important for connecting new and existing networks due to their proven reliability and ability to support legacy infrastructure. They enable critical applications like value-added services, IP Multimedia Subsystem (IMS) adoption, and the rollout of 4G/LTE networks. Vendors offer integrated hardware modules and software solutions using SS7 and SIGTRAN to help telecom providers accelerate development and reduce costs.
M3UA is a protocol that allows legacy SS7 networks to be integrated with IP networks. It provides a way to transport SS7 signaling protocols like ISUP, SCCP, and TUP over IP using SCTP. M3UA is commonly deployed as an application server process that acts as a gateway, allowing SS7 networks to interface with IP-based networks. This allows telephony services to take advantage of IP networks while maintaining reliability. M3UA can be configured in a point-to-point or gateway setup.
OSPF- Open Shortest path first, had conveyed the details of OSPF routing explaination which comes under Dynamic routing protocols and also configured OSPF Multi-area with the help of CISCO Packet tracer. The persons who were Pursuing CCNA will gain more exposure on overviewing this.
RRC protocols in LTE help manage radio resources and signaling between the UE and network. Key aspects include:
1. RRC defines two UE states - RRC_CONNECTED for active data transfer and RRC_IDLE for idle/paging.
2. Signaling Radio Bearers (SRBs) carry RRC and NAS messages using different logical channels.
3. System information is broadcast on common channels, informing UEs of network configurations and neighbor cells.
4. Handover between cells is supported through the X2 interface for intra-LTE handovers and inter-RAT handovers to other technologies like UMTS or GSM.
SS7 is a signaling system originally designed for telephone call setup and management between telephone exchanges and customer equipment. It has been developed to transport data and video traffic as well. SS7 uses out-of-band signaling where signaling information is carried on a separate channel from user data. The SS7 protocol stack includes layers like MTP1-3 for transport and routing, SCCP for additional routing functions, and TCAP to support special services through transactions between switches. A basic SS7 network consists of SSP, STP, SCP connected by signaling links to route messages for services like 800 calls.
The document provides an overview of the IEEE 802.11 MAC protocol through a presentation. It discusses topics such as IEEE 802.11 layers, channels, infrastructure networks, ad hoc networks, joining a network, synchronization, communication approaches, MAC functionality including PCF and DCF, encryption, fragmentation, management functions, and MAC frame formats. The presentation was given on May 9th, 2001 by Mahdi Ahmed Jama to provide an introduction to the IEEE 802.11a MAC protocol.
Here are the answers to the review questions from the document:
1. List at least three significant events in the evolution of CDMA networks:
- 1948 John Pierce describes CDMA Multiplexing
- 1956 "Antimultipath" RAKE receiver patented
- 1970s CDMA used in several military communication and navigation systems
2. List the four main network subsystems of UMTS Release 99:
- UTRAN
- CN
- NMS
- Service Platform
3. Name the four basic air interface access technologies:
- TDMA
- FDMA
- CDMA
- OFDMA
This document provides an overview of the network architecture and signalling protocols in UMTS networks. It describes the main network elements of UTRAN, UE and CN. It explains the interfaces between these elements and the protocols used for communication, including RRC for UE-RNC signalling, RANAP for RNC-CN signalling, and NAS protocols for non-access signalling between UE and CN. It also summarizes the protocol stacks used over the Iu interfaces between RNC and CN for circuit-switched and packet-switched domains.
This document discusses key aspects of GSM networks including:
- The network architecture consisting of mobile stations, base transceiver stations, base station controllers, mobile switching centers, home location registers, and other entities.
- The functional layers of GSM including the application, service carrier, connection management, mobility management, and radio resource layers.
- The air interface using TDMA/FDMA, channel structures, and physical and logical channel types.
- Factors that influence system capacity such as Erlang measurement of traffic intensity and grade of service.
- Network planning considerations for omni-directional and directional cell modes.
The document provides an overview of LTE (Long Term Evolution) Release 8. It discusses key requirements for LTE such as supporting high data rates, low latency, and an all-IP network. It describes the network architecture including components like eNodeB, MME, S-GW, and P-GW. It also covers functionality of these components and the protocol stack consisting of PDCP, RLC, MAC, and RRC layers. Mobility management, QoS, and comparisons to other technologies like HSPA+ and WiMAX are also summarized.
WCDMA uses spread spectrum technology to allow multiple users to access the same frequency band simultaneously. It spreads user data over a wide bandwidth through multiplication with unique spreading codes. At the receiver, the desired user's signal is recovered through correlation with the same spreading code. WCDMA employs RAKE receivers to combine signals from different propagation paths using maximal ratio combining for improved reception. Power control is used to manage interference between users communicating over the same frequency channel.
This document provides summaries of key concepts in GSM RF including:
1) GSM PLMN services including bearer, tele, and supplementary services.
2) GSM 900 and DCS 1800 uplink and downlink frequency ranges.
3) Ciphering and authentication processes to encode transmissions and verify identities.
4) Equalization, interleaving, and other techniques used to extract signals and spread data across timeframes.
HIPERLAN is a European standard for wireless local area networks (WLANs) developed by ETSI to provide high performance networking comparable to wired Ethernet networks. HIPERLAN 1 operates in the 5GHz band and uses a frequency hopping spread spectrum technique along with advanced MAC and PHY layer protocols to provide data rates up to 23Mbps and support both asynchronous and isochronous traffic. HIPERLAN 2 is under development and aims to be compatible with asynchronous transfer mode networking to provide quality of service guarantees over wireless links.
The document provides an overview of LTE technology including:
- LTE is becoming the de facto standard for 4G mobile networks due to its high data rates and ability to work with existing network infrastructure.
- Key LTE technologies allow for flexible use of spectrum and high throughput including OFDMA, MIMO, and adaptive modulation.
- LTE network components include the UE, eNB, MME, S-GW, and P-GW which work together to route data and control connectivity.
- Frame structures in LTE divide transmissions into 10ms frames for efficient scheduling of resources.
The document provides a basic introduction to SS7 (Signaling System 7) including:
1. SS7 defines the elements and procedures for user identification, routing calls, billing, and managing calls on a global scale.
2. SS7 uses out-of-band signaling over high-speed dedicated data links and employs protocols like ISUP and TCAP to set up and tear down calls between network elements.
3. Key SS7 network elements include SSPs, STPs, and SCPs which work together to determine routing and provide supplementary services for calls.
The document discusses the Bluetooth protocol. It provides details on Bluetooth properties like short-range wireless communication in the 2.4GHz band using frequency hopping. It describes Bluetooth profiles, usage cases, architecture including layers like L2CAP and protocols like LMP. Pairing, networks, testing qualifications are also summarized.
Low-power wide area networking technology offers long-range communication, enabling new types of IoT services. LoRaWAN is one of the most adopted solutions, providing ubiquitous connectivity for outdoor applications. However, its capabilities and limitations are not well understood. The authors provide an impartial overview of LoRaWAN's limitations to avoid unrealistic expectations, discussing use cases where it works and does not work, and listing open research questions.
Effects of Shadowing on LoRa LPWAN Radio Links IJECEIAES
LoRaWAN is a long-range, low-power, wireless telecommunications method; expected to play a big role for the Internet of Things. End appliances use LoRaWAN through a single wireless hop to communicate with gateways linked to the Internet that function as transparent bridges relaying messages amongst these end-devices and a central network server. This technology youtes a combination of extended range, low power utilization and protected data communication and is gaining significant traction in IoT networks being deployed by wireless network operators. However, no comprehensive evaluation of the technology exists in the open literature. The main intention of this paper is to investigate the effects of shadowing on LoRaWAN links and analyze the performance in terms of packet loss ratio for different physical layer settings. Results indicate large differences in performance when shadowing is taken into consideration upsetting the expected performance tremendously.
What are the Benefits of LoRaWAN Technology?
Today, we talk about the seven benefits of LoRaWAN technology application.
In December 2021, LoRaWAN officially became the ITU International Standard for Low Power Wide Area Networks and has been endorsed by the International Telecommunication Union (ITU).
LoRaWAN is developed as an open standard and has been widely recognized by the low power wide area network community. The rapid adoption of this standard for global IoT low-power wide-area networks is a testament to its universality.
LoRaWAN is now a very popular LPWA communication standard that uses unlicensed radio spectrum in the ISM (Industrial, Scientific, Medical) band at frequencies ranging from approximately 433 MHz to 868 MHz, 915 MHz (standards vary around the world).
In the IoT connectivity environment, in addition to smart home networking and office space scenarios, many IoT devices will be connected and communicated in remote environments where the new environment will be inaccessible and require power connections due to M2M transmission coverage limitations.
Check out slides presented by Mo Haghighi, Research Scientist at Intel Labs Europe, which explore how to solve urban challenges at the Olympic Park. These slides were presented at Digital Catapult's LPWAN London meetup.
This document provides a technical overview of LoRa and LoRaWAN. It defines LoRa as the physical layer modulation that enables long-range communication, while LoRaWAN is the communication protocol and network architecture. Key aspects of LoRaWAN covered include the star network topology, support for multiple device classes to optimize battery life and latency, adaptive data rates for high network capacity, and security features. Regional variations of the LoRaWAN specification are described for Europe and North America. Comparisons are made between LoRaWAN and other LPWAN technologies, highlighting LoRaWAN's advantages in areas like battery life, coverage, cost, and ability to support a variety of IoT applications.
IRJET- Viability of Smart City Applications with Lora WANIRJET Journal
This document discusses the viability of using LoRa WAN for smart city applications. It summarizes the LoRa WAN technology, including its long range capabilities and low power consumption. It then describes two case studies of using LoRa WAN for air quality and congestion monitoring in London. The results show that LoRa WAN is a feasible low power solution for these types of smart city applications. Battery lifetimes of several years can be achieved, meeting requirements for monitoring networks. Therefore, LoRa WAN shows potential as an effective technology for implementing IoT in smart cities.
Systematic literature survey: applications of LoRa communicationIJECEIAES
LoRa is a communication scheme that is part of the low power wide area network (LPWAN) technology using ISM bands. It has seen extensive documentation and use in research and industry due to its long coverage ranges of up-to 20 km or more with less than 14 dB transmit power. Moreover, some applications report theoretical battery lives of up to 10 years for field deployed modules utilising the scheme in wireless sensor network (WSN) applications. Additionally, the scheme is very resilient to losses from noise, as well as bursts of interference through its forward error correction (FEC) scheme . Our objective is to systematically review the empirical evidence of the use-cases of LoRa in rural landscapes, metrics and the relevant validation schemes. In addition, the research is evaluated based on (i) mathematical function of the scheme (bandwidth use, spreading factor, symbol rate, chip rate and nominal bit rate) (ii) usecases (iii) test-beds, metrics of evaluation and (iv) validation methods. A systematic literature review of published refereed primary studies on LoRa applications was conducted using articles from 2010-2019. We identified 21 relevant primary studies. These reported a range of different assessments of LoRa with 10 out of 21 reporting on novel use cases. The authors conclude that more work is needed in terms of field testing, as no articles could be found on performance/deployment in Botswana or South Africa despite the existence of LoRa networks in both countries. Thus researchers in the region can research propagation models performance, the energy efficiency of the scheme and MAC layer as well as the channel access challenges for the region.
Factors affecting lte throughput and calculation methodologyAbhijeet Kumar
This document discusses LTE throughput calculation and application in wireless rollout projects. It provides a history of LTE development and commercialization. It then explains factors that impact LTE throughput calculations including frequency bandwidth, resource blocks, modulation schemes, coding rates, UE categories, and MIMO capabilities. The document demonstrates calculations for theoretical peak throughput in different scenarios and factors that should be considered in LTE network planning and deployment projects.
1) LoRa is a long-range wireless communication protocol, also known as Low Power Wide Area Network (LP-WAN), that enables a large number of IoT devices to connect to the internet over long ranges of several kilometers with low power consumption.
2) A key aspect of LoRaWAN is that a single gateway can communicate with thousands of end devices located within a few kilometers. LoRa achieves long ranges by trading off bandwidth, with a maximum data rate of 27 kbps.
3) The LoRa architecture consists of end devices, gateways, a network server, and application server. Gateways receive packets from many end devices and forward them to the network server via 4G or
LoRa is a wireless communication technology that uses chirp spread spectrum (CSS) modulation to enable long-range and low-power data transmission between devices over several kilometers outdoors or hundreds of meters indoors. It operates in unlicensed radio frequency bands and supports applications requiring long-range communication like smart cities, industrial automation, and environmental monitoring. LoRaWAN is an open standard built on top of LoRa for secure bi-directional communication in low-power wide-area networks (LPWANs) that is widely adopted in the Internet of Things (IoT) industry.
LoRa and LoRaWAN are wireless technologies that enable low-power long-range communication for IoT devices. LoRa is a physical layer modulation technique that allows long-range transmissions, while LoRaWAN is the media access control protocol that defines how devices connect to each other and ensures secure, reliable communication. Together, LoRa and LoRaWAN allow thousands of sensors and devices to connect over distances of several kilometers with battery lives lasting several years. LoRaWAN has benefits like low power consumption, wide area networks, security, and open standards that make it well-suited for many IoT applications.
LoRaWAN network operates using unlicensed sub-gigahertz spectrum
One of the key considerations when planning a dedicated wireless network may be the use of licensed or unlicensed channels. While some of the new LTE NB-IoT products can operate on unlicensed bands, most cellular devices operate on licensed spectrum.
WiFi and Bluetooth use unlicensed spectrum in the 2.4 GHz and 5 GHz bands. Despite this, those frequencies are still so crowded that they pose serious reliability problems and the range of gateways is limited to a few meters.
LoRaWAN networks use unlicensed sub-gigahertz radio bands, such as 169 MHz, 433 MHz, 868 MHz (Europe), and 915 MHz (North America). The lower frequency bands allow data rates from 0.3 kbps to 50 kbps.
How to choose the most suitable LoRa devices Lora product becomes the top-level design of the Internet of Things(IoT).
What are the Lora devices?
LoRa devices and the LoRaWAN protocol used for smart cities, smart homes and buildings, smart agriculture, smart metering, smart supply chain, and logistics, and more.
LoRa has become a rising star in Internet of Things communication technology due to its "long-range and low power consumption" advantages.
LoRaWAN has obvious advantages: high capacity, globally unified standard, free frequency band with Lora 433MHz, Lora 868MHz, Lora 915MHz, low cost, flexibility. Like WiFi, it has become a major choice for the "Private Internet of Things". (NB-IoT such as GPRS is public Networking program). Many domestic companies and universities are now at the climax of building his LoRa Internet of Things.
Comparative study of various voip applications in 802.11 a wireless network s...ijmnct
Today, Voice over Wireless Local Area Network (VOWLAN) is the most accepted Internet application.
There are a large number of literatures regarding the performance of various WLAN networks. Most of
them focus on simulations and modeling, but there are also some experiments with real networks. This
paper explains the comparison of performance of two different VOIP (Voice over Internet Protocol)
applications over the same IEEE 802.11a wireless network. Radio link standard 802.11a have maximum
transmission rate of 54Mbps. First protocol is session initiation protocol (SIP) and second is H.323
protocol. First one has an agent called SIP proxy. Second have a gateway reflects the characteristics of a
Switched Circuit Network (SCN). With this comparison we have required to obtain a better understanding
of wireless network suitability for voice communication in IP network.
6LoWPAN is a networking standard that allows IPv6 packets to be transmitted efficiently over low-power wireless networks like IEEE 802.15.4. It defines an adaptation layer that compresses IPv6 and UDP headers to address challenges of limited bandwidth and device resources. 6LoWPAN networks connect to the internet using edge routers and support applications through protocols like CoAP that are optimized for low-power devices.
Delivered a talk to discuss developer-perspective technical introduction, stories around LoRa/LoRaWAN, also the state in Indonesia.
Use this deck for a sharing session with Maker4Nation community, back then on Oct 3, 2018 in Jakarta.
This article comprehensively explains low-power wide area network (LPWAN) technology for IoT.
IoT communication technologies are divided into two categories: short-range wireless LAN and low-power wireless WAN (LPWAN), Bluetooth, Wi-Fi, ZigBee, etc. are belong to short-range wireless LAN.
LPWAN is mainly used in long-range, low-bandwidth, low-power, and many connection needs of IoT application scenarios, the hottest LoRa in the market in recent years is the most representative technology in LPWAN. LoRa is the most representative technology in LPWAN.
Non-cellular low-power IoT technology solves the problem of large-scale and wide-coverage network connectivity for IoT applications, which makes up for the shortage of traditional cellular technology and promotes the application of IoT and large-scale deployment. Low-power wide-area networks will carry the burden of communication network economies of scale in the future IoT era.
This document summarizes a study that designed and evaluated a LoRa wireless mesh network system for monitoring sensors over a large area. 19 LoRa mesh networking devices were deployed across an 800m x 600m university campus and collected data at 1-minute intervals. The LoRa mesh network achieved an average 88.49% packet delivery ratio, higher than the 58.7% achieved by a standard LoRa star network topology under the same conditions. This study presents the first detailed evaluation of a LoRa mesh networking system and demonstrates that it can increase packet delivery ratios without needing additional LoRa gateways.
LoRa integrates LR-FHSS functionality to support satellite communications with dense deployments.
It is estimated that terrestrial network connectivity covers only about 10% of the global surface area, and there are still many places in the world without carrier network signal coverage or the ability to set up base stations.
With the advantage of long-range, LoRa has been attracting attention in the field of satellite communication since its inception, and there are already relevant satellite communication applications on the ground both at home and abroad.
Previously, LoRa Alliance announced that the LoRaWAN protocol supports LR-FHSS (Long Range - Frequency Hopping Spread Spectrum) function.
Similar to The current state of LoRaWAN security (20)
This document discusses a framework for fuzzing the GSM protocol stack. It begins with an abstract and introduction describing the challenges of fuzzing GSM due to its complexity. It then provides background on GSM basics including the network architecture, protocol layers, and message formats. The document focuses on describing the prerequisites and architecture developed for automated GSM fuzzing, including generating test cases, monitoring mobile phone states, and managing the fuzzing process.
Modmobmap is a tool for mapping 2G, 3G, and 4G mobile networks using various tricks and interfaces. It uses ServiceMode on Android phones to obtain cell information and the Dirty Fuzzy Registration technique to enumerate cells by changing network registration. The tool combines these methods and Software-Defined Radio to cheaply scan networks. A demonstration with a Galaxy S5 phone shows it works by accessing the phone's diagnostic interface and capturing data in GSMTAP format.
This document summarizes a presentation on attacking HomePlugAV powerline communication devices. It provides background on PLC technology, describing how PLCs transmit data over electrical wiring and discussing previous research. It then outlines several attacks against PLC networks, including eavesdropping on unencrypted communication between a computer and PLC, spoofing devices to intercept network information requests, and manipulating configuration files to backdoor devices.
1. The document describes a framework called MobiDeke that was created to fuzz the GSM protocol stack over-the-air by generating and mutating malformed GSM messages and monitoring the target's behavior for crashes or errors.
2. MobiDeke addresses limitations with existing fuzzing methods by automating the generation, mutation, transmission and monitoring processes.
3. The key components of MobiDeke are modules for generating and mutating GSM messages, transmitting payloads over-the-air via a software-defined radio, and monitoring the target phone and base station for crashes or abnormal behavior.
An expert presented techniques for hacking intercom systems. The presentation covered:
1) Conducting red team physical intrusion tests which sometimes require bypassing intercom systems.
2) Different types of intercom systems and how numeric intercoms use mobile networks like GSM.
3) Potential attack vectors like impersonating resident phone numbers by intercepting calls to the intercom using a fake mobile tower.
The presenter discusses attacking Internet of Things devices like intercom systems. They demonstrate intercepting communications from an intercom by setting up a rogue mobile network with software-defined radio equipment. The goal is to impersonate authorized users and send commands to open doors or access sensitive information. Potential attacks discussed include eavesdropping on calls, spoofing phone numbers registered with the intercom, and modifying settings via SMS messages.
This document summarizes a paper on practical attacks against HomePlugAV powerline communication devices. It begins by providing background on powerline communication technology and discussing the HomePlugAV specification. It then describes analyzing HomePlugAV networks using various tools to understand the protocols and encryption. The document outlines several practical attacks demonstrated, including intercepting network keys, bruteforcing passwords, and gaining remote memory access on devices once on the network. It concludes by discussing future work areas like firmware analysis and authentication message fuzzing.
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
Presentation made at SecurityPWNing 2018 explaining how to intrude a company using radio attacks and real cases scenarios we encountered during our tests.
Article on V2G Hacking - V2G Injector: Whispering to cars and charging statio...📡 Sebastien Dudek
The document discusses a tool called V2G Injector that was developed to interface with, analyze, and inject traffic into Vehicle-to-Grid (V2G) systems. V2G systems allow electric vehicles to store and return energy to the electric grid through bidirectional charging stations. The tool exploits vulnerabilities in the HomePlug GreenPHY standard used for powerline communication between electric vehicles and charging stations.
SSTIC 2019 - V2G injector: Whispering to cars and charging units through the ...📡 Sebastien Dudek
A presentation discusses vehicle-to-grid (V2G) communication and security. It summarizes the development of a tool called the "V2G Injector" that can monitor and inject crafted packets into V2G networks communicating over power lines. The tool decodes V2G data formats and circumvents security in the HomePlug Green PHY standard to extract network keys from charging stations. The tool allows an attacker to intercept and manipulate V2G communications between electric vehicles and charging stations.
This document discusses attacks on digital house intercom systems that use mobile networks like GSM, 3G, and 4G to communicate. It begins by providing background on digital intercom systems and how they work. It then reviews the state of research on attacking GSM networks. The document goes on to describe experiments the author conducted to passively monitor and actively attack a digital intercom system in a lab environment. Attacks demonstrated include leaking phone numbers, opening doors, and "backdooring" the system. The document concludes that digital intercom systems could be vulnerable due to their use of mobile networks with known security weaknesses.
This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
Modmobmap is a tool that maps mobile cells in real-time by capturing cell information from exposed diagnostic interfaces or the Android RIL. It aims to provide more precise cell tower data than existing recording solutions. The presentation discusses using cheap software-defined radios, custom SIM cards, Faraday cages, and downgrade attacks to attract mobile devices and intercept their communications for testing purposes. It also covers automating cell changes using AT commands to simulate a mobile station camping between cells.
Modmobtools provides tools for monitoring and jamming 2G, 3G, and 4G cellular networks. The tools include Modmobmap for scanning cellular towers and cells, and Modmobjam for targeted jamming of specific frequencies used by cellular networks. The presentation discusses using older Nokia phones or exposed diagnostic interfaces on Android phones to monitor cells, and leveraging software-defined radios to precisely jam only targeted frequency channels.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
2. Internet of things (IoT) devices have been adopted across many areas and use cases, from the production
lines of manufacturing industries to the operation of smart cities. IoT is expected to have an even more
significant impact on daily life in the near future; however, barriers such as increased power consumption
prevent many organizations from adopting the technology. A subset of IoT technologies that use Low Power
Wide Area Network (LPWAN)1 was created to resolve the problem of power consumption. Among these
LPWAN technologies, we can find cellular IoT systems known as Narrow-Band IoT (NB-IoT), SigFox, and
LoRa.
The LoRa (long-range) protocol helps companies connect low-powered IoT devices to the internet using a
wireless connection. Long Range Wide Area Network (LoRaWAN) is a radio-based technology that works
in conjunction with LoRa. Since they are affordable and convenient to use, many industries have adopted
LoRaWAN technology. Specifically, they have been used in soil management, animal monitoring, weather
monitoring, water meter reading, environment sensors for dams, asset tracking and fleet management,
failure prediction for buildings, and more. These technologies have been introduced as an alternative to
short-range systems such as Bluetooth, ZigBee, and Z-Wave. However, questions must be raised when
adopting these technologies in sensitive environments: are they secure, and do they present a risk to
organizations using them?
This article will discuss LoRa modulation technology and the LoRaWAN protocol by first summarizing
previous security research material on the topic. The succeeding sections will cover more solutions and
introduce our tools that add to past research. We also provide insight into overcoming the limitations in
defining attacks against these technologies and propose solutions that can reinforce LoRaWAN devices
against radio and hardware attacks.
Introduction
LoRa PHY is the physical layer commonly used by the LoRa Wide Area Network (LoRaWAN) Medium
Access Control (MAC) stack, as shown in the OSI network model:
3. Figure 1. The LoRaWAN (MAC) protocol stack is implemented on top of LoRa modulation (PHY).2
There are three dominant LPWAn technologies: LoRaWAN, NB-IoT, and Sifox. Compared to NB-IoT,
LoRaWAN is perfect for single-building applications as it can be set up and managed without any telecom
operator dependence on a gateway. It also has a longer battery life but a lower data rate and more
latency than NB-IoT. LoRaWAN has also started to be more widely deployed in Europe compared to
Sigfox, although Sigfox’s radio module costs less.
We also noticed other differences between the three technologies:
4. Table 1. A Comparison of the different Low-Power Wide Area Network (LPWAN) technologies (fixed version from
National Center for Biotechnology Information3
)
Both SigFox and LoRa use ISM bands4 (i.e., 868 MHz in Europe, 915 MHz in North America, and 433 MHz
in Asia). Like SigFox, LoRa also transmits signals using a proprietary spread spectrum technique
modulation scheme4 based on Chirp Spread Spectrum modulation (CSS) to encode information. This
modulation technique was created by Semtech, which provided specifications on its website.5 Invented
initially for radar applications in the 1940s and then used by military and secure communications
applications, CSS was adopted by the IEEE for long-range and mobility for the Low-Rate Wireless Personal
Area Networks (LR-WPANs) standard, 802.15.4.
LoRa end-devices can also use different modulations as supported by the SX12xx series (like the SX1261):
FSK (Frequency-Shift Keying)
GFSK (Gaussian Frequency-Shift Keying)
MSK (Minimum-Shift Keying)
GMSK (Gaussian Minimum Shift Keying)
LoRa
It should also be noted that LoRa modulation is used over Frequency Shift Keying (FSK) to send data over
long distances because of the LoRa Spread Spectrum’s high sensitivity. FSK provides a higher data rate.
5. Figure 2. Two SX1276 transceivers used in a Dragino Gateway
LoRa Modulation
Symbols are transmitted around a sin wave around a defined carrier frequency, noted as carrier frequency
(fc), with a linear frequency that varies over time:
Figure 3. Linear frequency-modulated up-CHIRP6
This sin wave is called a CHIRP (Compressed High-Intensity Radar Pulse). A chirp is a signal that varies
in frequency and can increase or decrease across the whole bandwidth. The following example shows an
up-chirp containing a message, m(t), with eight symbols encoded in 8 bits using a speed of 1 KBaud:
6. Figure 4. Byte associated to chirp symbols
In the case of down-chirps, the signal frequency decreases over time.
The CSS technique presents many advantages:
Transmitting signal across vast distances
Immunity to multipath and fading
Resistance to doppler shift (moving devices, high clock tolerance)
Good sensitivity
Simple to implement
Low power and adapted for low data rates
Two parameters define the data bit rate:
Bandwidth
Spreading factor
The following expression defines the modulation bit rate Rb as:
(where SF = spreading factor (7...12); BW = modulation bandwidth)
LoRa CSS modulation uses three bandwidths, using the 125 kHz bandwidth the most:
125 kHz
250 kHz
500 kHz
LoRa uses six different spreading factors, from SF7 to SF12, as shown in the following graphic:
7. Figure 5. Comparison of LoRa Spreading Factors: SF7 to SF127
This gives us an idea of the different configurations we can find in the EU868, EU433, CN780, and AS923
bands. The data rates8 are as follows:
Data Rate Configuration Bits/s Max Payload
DR0 SF12/125kHz 250 59
DR1 SF11/125kHz 440 59
DR2 SF10/125kHz 980 59
DR3 SF9/125kHz 1,760 123
DR4 SF8/125kHz 3,125 230
DR5 SF7/125kHz 5,470 230
DR6 SF7/250kHz 11,000 230
DR7 FSK: 50kpbs 50,000 230
Table 2. Data rates associated to Spreading Factor and bandwidth configuration
This allows us to conclude that a higher spreading factor equates to a higher over-the-air time, which means
the information will take longer to send. On the other hand, a lower spreading factor equates to a higher
data rate, which means the information will be sent quicker.
The LoRa physical layer includes eight up-chirps for preamble symbols (in red), two down-chirps
synchronization message symbols (in green), a physical payload (in pink), plus an optional CRC depending
on message direction:
8. Figure 6. LoRa modulated up-link frame
The demodulation process of a LoRa modulated message can be done by multiplying the received signal
su(t) with a computed inverse chirp as ref(t), such as the signal s(t) before symbol extraction is s(t) =
su(t)*ref(t), in order to isolate significant components and obtain the symbols to extract after:
Figure 7. Decode LoRa modulated symbols9
To extract these symbols, the recovered s(t) needs are passed to a fast Fourier transform (FFT) analysis
process after being filtered. Symbols can then be extracted properly, as seen in the following flowgraph:
9. Figure 8. Decoded LoRa modulated IQ symbols10
The following diagram details a complete IQCSS transceiver:
Figure 9. LoRa PHY transceiver block diagram11
To send and receive LoRa-modulated signals, Semtech provides cheap transceivers that can be used for
uplink and downlink messages and are generally used by endpoint-devices as gateways.
But a few software-defined radio implementations, especially two GNU Radio modules, were also released
to work on LoRa:
gr-lora from rpp0 from Pieter Robyns, Eduard Marin, William Thenaers, and Clayton Smith
gr-lora from Matt Knight of Bastille Threat Research Team
10. Before releasing the gr-lora module, Matt Knight made a very instructive presentation on LoRa PHY at the
33rd Chaos Communication Congress (33c3),14 which should be viewed by anyone interested in LoRa PHY
implementation. However, this implementation hasn’t been updated in three years and needs to be
readapted to the current version of GNU Radio. The next part of this blog series will discuss the use of the
actively updated gr-lora module from the rpp0 repository, which we can also directly use to decode uplink
and downlink messages.
IoT devices can use LoRa PHY to transport messages, but since they do not provide native security
mechanisms, developers need to implement their own security to protect messages from interception,
injection, replay attacks, and other malicious activity.
Another layer on top of LoRA PHY, called LoRaWAN, has been created to simplify communications and
address these security problems.
LoRaWAN
LoRaWAN is the cloud-based MAC layer protocol. This layer is used to communicate between LPWAN
gateways. The following diagram shows the classic architecture of a LoRaWAN network:
Figure 10. LoRaWAN architecture12
We reproduced a real-world environment with two development LoRaWAN kits, a LoRaWAN GPS tracking
badge, and a LoRaWAN door sensor connected to a Dragino LG308 Gateway. In the following picture, we
can observe the environment connected to one of The Things Network’s servers:
11. Figure 11. LoRaWAN real-world testbed with LoRaWAN sensors and a gateway
12. From LoRaWAN 1.1, a separate Join server can also be used to store and generate root keys as well as
send them to the application server and the network server.
LoRaWAN is not mandatory when using a LoRa device. It is also possible to use raw MAC communication
to directly send commands and messages, like in P2P (Peer-to-Peer), for example. But in that situation,
100% of the security depends on the user, as the raw MAC communication does not provide any encryption
and integrity the same way LoRaWAN does.
Regional parameters of LoRaWAN can be found in documentation from the Lora Alliance.13
Different server solutions are available to connect gateways:
The Things Network14
Tencent cloud
Custom/private solutions
Network server solution for IoT devices using LoRaWAN and with security in mind, like LORIOT15
Different classes exist for LoRaWAN communications:
1. Class A: The uplink transmission of each end-device is followed by two short downlink receive
windows.
2. Class B: End-devices of Class B allow for more receive slots — the end-device opens its
receiving window at the scheduled time, and it receives a time-synchronized beacon from the
gateway.
3. Class C: The window for receiving is always open; however, this results in increased battery
consumption.
Figure 12. The LoRaWAN stack
Two different versions of LoRaWAN are currently in use: LoRaWan 1.1, and LoRAWAN v1.0.3, which can
be found in many cheap devices sold in the market (such as Dragino gateways), including end-devices and
shields. Solutions based on Mbed OS version 5.8 (the operating system that runs the LoRaWAN stack on
most embedded devices) and more expensive solutions support LoRaWAN version 1.1 and provide even
more security features for version 1.0.3.
13. We will review the security impact and different modes of operation in the following sections.
LoRaWAN Security
There are two different modes that define/compute keys for MAC frame payload encryption:
OTAA
ABP
Regardless of the mode used with LoRaWAN communication, messages are protected by two session keys,
AppSKey and NwSKey, which are used to encrypt messages in Counter with CBC-MAC (CCM) mode, a
variation of Counter (CTR) mode16:
Figure 13. Use of CTR mode encryption within LoRaWAN
CTR mode is used to encrypt the payload using AppSKey and authenticates the message with a Cipher-
based Message Authentication Code (CMAC) based on the NwkSkey.
In the different sections, we will review these different modes to understand their impact on security.
OTAA mode: Over-The-Air Activation
If the end-device supports the Join function and can store dynamically generated keys, a join procedure
can be performed to compute keys for encrypting and protecting packet integrity.
The process for computing new keys:
1. The end-device sends a Join Request
2. The network will generate keys
3. If the device can Join the network, a Join Accept message is sent by the network encrypted with
AppKey, providing an App Nonce
4. With the given parameters sent via the Join Accept message, the end-device can compute the
new encryption and integrity keys
14. Figure 14. LoRaWAN 1.0 Join procedure in OTAA
Some differences exist between 1.0 and 1.1 in terms of security.
LoRaWAN 1.0
As described in LoRaWAN 1.0.3 specifications,17 the Join Request is sent in clear-text to the
gateway with the following parameters:
DevEUI: unique end-device identifier in IEEE EUI64 address space
AppEUI: the application identifier in IEEE EUI64 address space
A random DevNonce of 2 bytes
From the specifications, DevNonce values are tracked to avoid replay attacks.
The message integrity code (MIC) for this message, which also enables the network to check if the
AppKey is correct, is computed as follows:
cmac = aes128_cmac(AppKey, MHDR | AppEUI | DevEUI | DevNonce)
MIC = cmac[0..3]
If the device is allowed to join the network and the MIC is correct, the network sends an
encrypted Join Accept message with the following fields:
AppNonce in LoRaWAN 1.0: random value (3 bytes)
15. NetID, called Home_NetID in 1.1: network ID (3 bytes)
DevAddr: Device ID (3 bytes)
DL Settings: downlink parameters
RxDelay: delay between TX and RX (1 byte)
CFList: optional list of channel frequencies (16 bytes)
The Join-accept payload is encrypted as follows:
aes128_decrypt(AppKey, AppNonce | NetID | DevAddr | DLSettings | RxDelay | CFList | MIC)
The sessions keys are computed in the network and end-device sides as follows:
NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
All the communications will then be encrypted using AppSKey, and the integrity protected with
NwkSKey.
Nevertheless, only one AppKey key is used to compute the MIC as well as AppSKey and
NwkSKey, which leaves a bigger opening for an attacker to crack either the MIC of the Join
procedure’s message or the Join-accept message to retrieve this key. Retrieving the key could
allow an attacker to eavesdrop on the messages between an end-device and a gateway.
LoRaWAN 1.1
The 1.1 version introduces more key diversification to make key-cracking attacks more complex
on LoRaWAN. Everything is documented in the LoRaWAN 1.1 specifications.18
In this version, LoRaWAN defines two root keys, NwkKey and AppKey, that are AES-128 keys
specific to the end-device and assigned during the fabrication.
For the Join-request message, values transmitted by the end-device are generally the same, but
they are renamed:
According to the specifications, DevNonce is a counter that starts at zero when the device is initially
powered up and is incrementally increased by one with each Join-request. This DevNonce value
will never be reused for a given JoinEUI value, but since some end-devices cannot store this
counter in non-volatile memory, they may discard the Join-request of the device to the server. In
that case, the JoinEU (AppEUI renamed in v1.1) must reset as well.
16. To protect the message's integrity, the MIC is computed using a dedicated NwkKey:
cmac = aes128_cmac(NwkKey, MHDR | JoinEUI | DevEUI | DevNonce)MIC = cmac[0..3]
If the device is allowed to join the network, a Join-accept message is sent to the device with the
following encrypted parameters:
JoinNonce in LoRaWAN 1.0: random value (3 bytes)
NetID, called Home_NetID in 1.1: network ID (3 bytes)
DevAddr: Device ID (3 bytes)
And this Join-Accept message is encrypted as follows using the NwkKey:
aes128_decrypt(NwkKey, JoinNonce | NetID | DevAddr | DLSettings | RxDelay | CFList | MIC)
DL Settings: downlink parameters
RxDelay: delay between TX and RX (1 byte)
CFList: optional list of channel frequencies (16 bytes)
The key used to encrypt the Join-Accept message depends on the Join or ReJoin Request
message that triggers it.
The Join-Accept message is encrypted as follows:
aes128_decrypt(NwkKey or JSEncKey, JoinNonce | NetID | DevAddr | DLSettings | RxDelay |
CFList | MIC)
Like in the 1.0 version, an exception exists by using the NwkKey only instead of the AppKey to
encrypt this message. Indeed, in the downlink configuration field DLsettings, 7-bit subfields are
indicated if the Network Server implements the LoRaWAN 1.0 (unset) or 1.1 (set) protocol.
Referring to the specifications, when this OptNeg bit is set:
The protocol version is further (1.1 or later) negotiated between the end-device and the
Network Server through the RekeyInd/RekeyConf MAC command exchange
The device derives FNwkSIntKey & SNwkSIntKey & NwkSEncKey from the NwkKey
The device derives AppSKey from the AppKey
17. The session keys are derived with the NwkKey as follows:
FNwkSIntKey = aes128_encrypt(NwkKey, 0x01 | JoinNonce | JoinEUI | DevNonce | pad16 )
SNwkSIntKey = aes128_encrypt(NwkKey, 0x03 | JoinNonce | JoinEUI | DevNonce | pad16)
NwkSEncKey = aes128_encrypt(NwkKey, 0x04 | JoinNonce | JoinEUI | DevNonce | pad16)
FNwkSIntKey = aes128_encrypt(NwkKey, 0x01 | JoinNonce | JoinEUI | DevNonce | pad16 )
SNwkSIntKey = aes128_encrypt(NwkKey, 0x03 | JoinNonce | JoinEUI | DevNonce | pad16)
And the AppSKey with the AppKey:
AppSKey = aes128_encrypt(AppKey, 0x02 | JoinNonce | JoinEUI | DevNonce | pad16)
The MIC is computed as follows:
cmac = aes128_cmac(JSIntKey,JoinReqType | JoinEUI | DevNonce | MHDR | JoinNonce | NetID
| DevAddr | DLSettings | RxDelay | CFList )
MIC = cmac[0..3]
Note that JSIntKey is used to get MIC Rejoin-Request type 1 messages and Join-Accept
answers:
JSIntKey = aes128_encrypt(NwkKey, 0x06 | DevEUI | pad16)
But when this OptNeg bit is not set:
The device reverts to LoRaWAN1.0, no options can be negotiated
The device does not send the RekeyInd command
The device derives FNwkSIntKey & AppSKey from the NwkKey
The device sets SNwkSIntKey & NwkSEncKey equal to FNwkSIntKey
AppSKey and Session keys are then computed as follows with NwkKey:
AppSKey = aes128_encrypt(NwkKey, 0x02 | JoinNonce | NetID | DevNonce | pad16)
FNwkSIntKey = aes128_encrypt(NwkKey, 0x01 | JoinNonce | NetID | DevNonce | pad16)
SNwkSIntKey = NwkSEncKey = FNwkSIntKey.
And the MIC is computed as follows:
cmac = aes128_cmac(NwkKey, MHDR | JoinNonce | NetID | DevAddr | DLSettings | RxDelay |
CFList )
MIC = cmac[0..3]
18. ABP: Activation by Personalization
The ABP method is simpler than OTAA as there is no Join Procedure. Nevertheless, it has downsides in
terms of security, as session keys are hardcoded on versions 1.0 and 1.1.
Indeed, session keys stay the same until the user manually changes them or when a firmware
update/upgrade is applied. Because of this, ABP is more vulnerable to a cryptanalysis attack compared to
OTAA.
MAC Frame Payload Encryption (FRMPayload)
With given session keys, we can protect MAC frame payloads on Data Up and Down messages.
LoRaWAN 1.0
First, the key "K" is chosen depending on the FPort of the data message:
For the encryption, the message is split into a sequence of blocks: "Ai" for i = 1..k with k
=ceil(len(pld) / 16) (with pld = FRMPayload).
Note that the Direction (Dir) is defined by "1" for a downlink and "0" for an uplink.
So, the block Ai is encrypted as follows:
Si = aes128_encrypt(K, Ai) for i = 1..k
S = S1 | S2 | .. | Sk
Encryption and decryption of the blocks are then performed as follows:
(pld | pad16) xor S
The MIC is computed as follows:
19. msg = MHDR | FHDR | FPort | FRMPayload
cmac = aes128_cmac(NwkSKey, B0 | msg)
MIC = cmac[0..3]
Where B0 is defined with the following parameters:
LoRaWAN 1.1
The key “K” used depends on the FPort as for LoraWAN 1.0 version:
For each data message, the algorithm defines a sequence of Blocks Ai for i = 1..k with k
=ceil(len(pld) / 16):
Blocks are computed and encrypted/decrypted the same way as for LoRaWAN 1.0:
Si = aes128_encrypt(K, Ai) for i = 1..k
S = S1 | S2 | .. | Sk
Encrypted/decrypt = (pld | pad16) xor S
For computing the MIC, there are differences between Uplink frames and Downlink Frame.
Downlink Frames
For Downlink frames, the MIC is computed with the SNwkSIntKey as follows:
cmac = aes128_cmac(SNwkSIntKey, B0 | msg)
MIC = cmac[0..3]
And the B0 blocks is defined differently by introducing a ConfFCnt field:
20. In all cases, this ConfFCnt = 0x0000, but if the device is connected to a LoRaWAN 1.1 network
and the ACK bit of DL is set (acknowledging an uplink "confirmed" frame), then the ConfFCnt is a
frame counter with a value of "confirmed" uplink modulo 2^16.
Uplink frames
If the device is connected to a LoRaWAN 1.0 Network Server, the MIC uses B0 block defined as
follows:
And so the MIC is computed as follows:
cmacF = aes128_cmac(FNwkSIntKey, B0 | msg)
MIC = cmacF[0..3]
If the device is connected to a 1.1 Network Server, the MIC then uses B0, but also a B1 block
defined as follows:
And the MIC is computed as follows:
cmacS = aes128_cmac(SNwkSIntKey, B1 | msg)
MIC = cmacS[0..1] | cmacF[0..1]
Attacks against LoRaWAN
Most of the attacks documented below have been performed on LoRaWAN class A devices. However, a
class B attack is also possible; these are usually done to drain the end-device’s battery.
DoS in ABP mode
21. Given that the counter in FRMPayload is only 16 bits long In LoRa 1.0, a denial-of-service (DoS) attack is
actually possible. Xueying Yang, Evgenios Karampatzakis, Christian Doerr, and Fernando Kuiper (a team
of security researchers based in the Netherlands)19 demonstrated this. They posited that a malicious actor
could replay a captured packet, wait until the counter overflows, and replay this packet to realize a DoS
attack:
Figure 15. An example of a replay attack for ABP20
Session keys stay the same until manually changed or with a firmware update/upgrade. Because of this,
ABP could be more vulnerable to a cryptanalysis attack than OTAA.
Eavesdropping
In their paper,21 Xueying Yang, Evgenios Karampatzakis, Christian Doerr, and Fernando Kuiper also
highlighted that the key could be retrieved if the counter is reset, as it is not used securely in LoRaWAN
1.0. Indeed, when the counter is reset, the keystream will be reused and could allow an eavesdropping
attack. Another factor that leaves it vulnerable is the use of CTR to encrypt information.
The same researchers also highlighted a bit-flipping issue in v1.0 that is backward compatible with v1.1.
22. Bit-Flipping
Regardless of the version, the integrity of LoRaWAN messages is protected thanks to the MIC and
encryption. Nevertheless, the messages decrypted by the network server and sent to the application are
no longer protected:
Figure 16. The setup of a bit-flipping attack
To protect messages from the network server to the application server, it would require designing the
network to use an SSL tunnel, preferably with a client SSL certificate in order to protect the
communication or by using another MIC field inside the MAC Layer Payload computed by the AppSKey.
Ack Spoofing
An acknowledgment mechanism was introduced in LoRaWAN to maximize battery life by reducing the time
the radio needs to be powered up. But as highlighted by Xueying Yang, Evgenios Karampatzakis, Christian
Doerr, and Fernando Kuiper once again in their paper,22 the ACK message does not state which message
it is confirming.
23. Figure 17. ACK messages may be repurposed to acknowledge frames other than the ones the application provider
originally received
To illustrate this issue, researchers proposed to selectively jam the downlink when an end-device sends a
confirmed message to the gateway that will confirm the reception. The confirmation message will never get
to the end-device, and the confirmed message will be retransmitted seven times. Then, the message will
be considered lost or refused, and the status “mac_err” will be raised.
But during the jamming session, the attacker can capture the downlink message for the confirmation and
can play the confirmation for the first message when the end-device sends a second confirmation message.
LoRa Class B Attacks
Most setups use the class A mode, which specifies that downlink traffic must/can follow an uplink one.
Class B tends to reduce the amount of spent energy by telling end-devices to wake up periodically to wait
for any incoming messages during a receiving window. The durations of the receiving windows are specified
by beacon broadcast messages that are comprised of a PHY layer header followed by a beacon payload:
Table 3. Beacon frame content for the EU 863- 870MHz ISM band23, 24
24. An attacker can easily compute the different publicly known fields with malicious parameters25 to:
Find the location of a LoRa gateway thanks to a GwSpecific field with an InfoDesc subfield
containing GPS coordinates
Drain the battery by sending crafted beacons framed with an extreme wakeup time value
According to their paper26 (as well as another LoRaWAN security evaluation paper by Frank Hessel, Lars
Almon, Flor Álvarez27) and LoRaWAN v1.1 specifications,28 the integrity of beacon frames is still an issue.
It would be better to use a MIC instead of a CRC to check the time’s field integrity.
Root Key Management
On top of all the security mechanisms we previously discussed is the management of keys. Indeed, the
backend is exposed to the internet, which leaves it open to attacks (LFI, SQL injection, deserialization
vulnerability, etc.). A malicious actor would be able to get the secret key, read the data, craft downlink
packets, and more. All risks related to key management procedures are enumerated in a complete paper
by F-Secure Labs (ex-MWR Labs).
Here are some security points to check in a LoRaWAN setup:
Use randomly generated keys
Avoid the exposition of key management servers and services (exposed key management
service accessible on the internet)
Preferably use HSM (Hardware Security Module) to keep the keys
Preferably use OTAA mode and LoRa version 1.1.
Further Reading
An interesting paper on the MobiSPC 201829 highlights security improvements brought by LoRaWAN v1.1.
To understand the differences between LoRaWAN v1.0 and v1.1, we also suggest watching Renaud
Lifchitz’s presentation at The Things Conference 2019.30 During the presentation, Renaud stated that there
will be some vulnerabilities present even if replay attacks are used to transmit an earlier captured packet;
he also outlined how LoRaWAN v1.1 has better authentication, confidentiality, and integrity. Indeed,
message padding enforcement is not present to prevent default ECB mode encryption risks such as
information leaks of the plaintext (length, prefixes, common substrings, etc.). Moreover, backend networks
do not have a defined secure standard to protect messages between the network server and other servers
because it is sent in plaintext in UDP by default, rather than using MQTT within a TLS session.
25. The State of Security
When looking at LoRaWAN, we can see that very few security tools exist for the technologies released
starting this year. Some researchers from IO Activ released a framework called LAF31 (LoRaWAN Auditing
Framework). They also provided a tool that can parse, send, craft, analyze, audit a setup, and crack some
LoRaWAN packets using weak/default keys. In their paper, the researchers presented LoRaWAN 1.0.3
attacks mainly using their tool.
Nevertheless, this framework still has some limitations we can try to overcome:
It only works with a Gateway
It can only listen to uplink packets
It can only listen to eight out of 64 channels
Generation and fuzzing depends on LoRaWAN (Go) using an inflexible format such as JSON
Over the same period, another type of tool called “LoRa Craft”32 was released to intercept packets using
Software Defined-Radio and craft packets using dedicated LoRaWAN v1.0 and v1.1 Scapy layers
developed for this tool. But this tool is mainly a do-it-yourself (DIY) tool and needs much more assistance
than those already released, like the crypto-helpers for Join-Accept payloads and MIC to help crack weak
keys.
Later in May, another framework called ChirpOTLE33 was released by the SEEMOO Lab. This
demonstrated two attacks affecting the availability of LoRaWAN networks, like time drifting in LoRa class
B and a novel ADR spoofing attack to manipulate frame metadata. But still, the researchers’ setup was
limited since they only chose a few default channels to demonstrate their attack on each node.
Conclusion: Let’s Go Further!
In this first technical brief, we introduced LoRa and LoRaWAN technologies as well as security
improvements from version 1.0 to 1.1. We also outlined research and practical tools to help against
attacks on LoRaWAN networks and noted the limitations encountered by security researchers.
LoRaWAN devices may be low-powered, but they are used in critical areas and should be secured as
comprehensively as possible. For example, in 2016, a large-scale LoRaWAN network was deployed in
Taiwan,34 and cities in the country have adopted many LoRaWAN devices over the years. They are used
to monitor water levels in rivers, dam management, waste disposal, and more. Attacks against sensors
used in smart cities could potentially affect the safety of a sizeable population. In terms of the private
sector, organizations could also be fed falsified information on monitoring devices, which could impact
their bottom line. These are only some of the issues that need to be resolved.
The next part of the series will explain how we managed to overcome security research limitations by
going in another direction. We look into the use of Software-Defined Radio (SDR) and optimization when
attacking both uplink and downlink on multiple channels, as well as multiple spreading factors using a
very cheap SDR device. We will also introduce tools that would help analyze LoRa PHY as well as
LoRaWAN radio communications. As discussed earlier, the final part of the series will be on hardware
attacks and security mechanisms concerning LoRa end-devices.
26. References
1
TechTarget. (n.d.). IoT Agenda. “LPWAN (low-power wide area network).” Accessed on Jan. 11, 2020 at
https://internetofthingsagenda.techtarget.com/definition/LPWAN-low-power-wide-area-network.
2
Dong-Hoon Kim,Eun-Kyu Lee, and Jibum Kim. (March 30, 2019). MDPI. “Experiencing LoRa Network Establishment on a Smart
Energy Campus Testbed”. Accessed on Jan. 11, 2020 at https://www.mdpi.com/2071-1050/11/7/1917.
3
Philip J. Basford et al. (Jan. 20, 2020). The National Center for Biotechnology Information. “LoRaWAN for Smart City IoT
Deployments: A Long-Term Evaluation.” Accessed on Jan. 11, 2020 at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7038353/.
4
Peter McNeil. (March 22, 2018). Pasternack. “What are the ISM Bands, and What Are They Used For?” Accessed on Jan. 11,
2020 at https://blog.pasternack.com/uncategorized/what-are-the-ism-bands-and-what-are-they-used-for/.
5
Semtech. (May 2, 2015). Semtech. “AN1200.22 LoRa™ Modulation Basics.” Accessed on Jan. 11, 2020 at
http://wiki.lahoud.fr/lib/exe/fetch.php?media=an1200.22.pdf.
6
IoTOne. (n.d.). IoTOne. “Chirp Spread Spectrum.” Accessed on Jan. 11, 2020 at https://www.iotone.com/term/chirp-spread-
spectrum/t110.
7
Sakshama Ghoslya. (n.d.). Sghoslya. “LoRa: Symbol Generation.” Accessed on Jan. 11, 2020 at https://www.sghoslya.com/p/lora-
is-chirp-spread-spectrum.html.
8
The Things Network. (n.d.). The Things Network. “Modulation and Data Rate.” Accessed on Jan. 11, 2020 at
https://www.thethingsnetwork.org/docs/lorawan/modulation-data-rate.html.
9
Thomas Telkamp. (Nov. 10, 2016). The Things Network. “LoRa Crash Course.” Accessed on Jan. 11, 2020 at
https://www.youtube.com/watch?v=T3dGLqZrjIQ.
10
Thomas Telkamp. (Nov. 10, 2016). The Things Network. “LoRa Crash Course.” Accessed on Jan. 11, 2020 at
https://www.youtube.com/watch?v=T3dGLqZrjIQ.
11
Ivo Bizon Franco de Almeida et al. (Sept. 22, 2020). Arvix. “In-phase and Quadrature Chirp Spread Spectrum for IoT
Communications In-phase and Quadrature Chirp Spread Spectrum for IoT Communications.” Accessed on Jan. 11, 2020 at
https://arxiv.org/pdf/2009.10421.pdf.
12
The Things Network. (n.d.). The Things NetworkI. “LoRaWAN Architecture.” Accessed on Jan. 11, 2020 at
https://www.thethingsnetwork.org/docs/lorawan/architecture.html.
13
LoRa Alliance. (Feb. 20, 2020). LoRa Alliance. “RP002-1.0.1 LoRaWAN® Regional 40 Parameters.” Accessed on Jan. 11, 2020
at https://lora-alliance.org/sites/default/files/2020-06/rp_2-1.0.1.pdf.
14
The Things Network. (n.d.). The Things Network. “The Things Network.” Accessed on Jan. 11, 2020 at
https://www.thethingsnetwork.org/.
15
Loriot. (n.d.). Loriot. “Loriot.” Accessed on Jan. 11, 2020 at https://www.loriot.io/.
16
Matt Knight. (Dec. 29, 2016). RC3 33c3. “Decoding the LoRa PHY.” Accessed on Jan. 11, 2020 at
https://www.youtube.com/watch?v=NoquBA7IMNc.
17
LoRa Alliance. (2018). LoRa Alliance. “LoRaWAN 1.0.3 Specification.” Accessed on Jan. 11, 2020 at https://lora-
alliance.org/sites/default/files/2018-07/lorawan1.0.3.pdf.
18
LoRa Alliance. (Oct. 11, 2017). LoRa Alliance. “LoRaWAN™ 1.1 Specification.” Accessed on Jan. 11, 2020 at
https://lora-alliance.org/sites/default/files/2018-04/lorawantm_specification_-v1.1.pdf.
27. 19
Xueying Yang et al. (April 17, 2020). IEEE Xplore. “Security Vulnerabilities in LoRaWAN.” Accessed on Jan. 11, 2020 at
https://ieeexplore.ieee.org/document/8366983/footnotes#footnotes.
20
Xueying Yang et al. (April 17, 2020). IEEE Xplore. “Security Vulnerabilities in LoRaWAN.” Accessed on Jan. 11, 2020 at
https://ieeexplore.ieee.org/document/8366983/footnotes#footnotes.
21
Xueying Yang et al. (April 17, 2020). IEEE Xplore. “Security Vulnerabilities in LoRaWAN.” Accessed on Jan. 11, 2020 at
https://ieeexplore.ieee.org/document/8366983/footnotes#footnotes.
22
Xueying Yang et al. (April 17, 2020). IEEE Xplore. “Security Vulnerabilities in LoRaWAN.” Accessed on Jan. 11, 2020 at
https://ieeexplore.ieee.org/document/8366983/footnotes#footnotes.
23
LoRa Alliance. (2018). LoRa Alliance. “LoRaWAN 1.0.3 Specification.” Accessed on Jan. 11, 2020 at https://lora-
alliance.org/sites/default/files/2018-07/lorawan1.0.3.pdf.
24
LoRa Alliance. (2018). LoRa Alliance. “LoRaWAN 1.1 Specification.” Accessed on Jan. 11, 2020 at https://lora-
alliance.org/sites/default/files/2018-04/lorawantm_specification_-v1.1.pdf.
25
Xueying Yang et al. (April 17, 2020). IEEE Xplore. “Security Vulnerabilities in LoRaWAN.” Accessed on Jan. 11, 2020 at
https://ieeexplore.ieee.org/document/8366983/footnotes#footnotes.
26
Xueying Yang et al. (April 17, 2020). IEEE Xplore. “Security Vulnerabilities in LoRaWAN.” Accessed on Jan. 11, 2020 at
https://ieeexplore.ieee.org/document/8366983/footnotes#footnotes.
27
Frank Hessel, Lars Almon, and Flor Álvarez. (May 23, 2020). Arvix. “ChirpOTLE: A Framework for Practical LoRaWAN Security
Evaluation.” Accessed on Jan. 11, 2020 at https://arxiv.org/pdf/2005.11555.pdf.
28
LoRa Alliance. (2018). LoRa Alliance. “LoRaWAN 1.1 Specification.” Accessed on Jan. 11, 2020 at https://lora-
alliance.org/sites/default/files/2018-04/lorawantm_specification_-v1.1.pdf.
29
Tahsin C.M. Dönmez and Ethiopia Nigussie. (Jan. 2018). ScienceDirect. “Security of LoRaWAN v1.1 in Backward Compatibility
Scenarios.” Accessed on Jan. 11, 2020 at https://www.sciencedirect.com/science/article/pii/S1877050918311062.
30
Renaud Lifchitz. (Feb. 11, 2019). The Things Network. “From LoRaWAN 1.0 to 1.1: Security Enhancements.” Accessed on Jan.
11, 2020 at https://www.youtube.com/watch?v=FsO5zxYHfKw.
31
Cesar Cerrudo, Esteban Martinez Fayo, and Matias Sequeira. (Jan. 2020). IO Active. “LoRaWAN Networks Susceptible to
Hacking: Common Cyber Security Problems, How to Detect and Prevent Them.” Accessed on Jan. 11, 2020 at https://act-
on.ioactive.com/acton/attachment/34793/f-87b45f5f-f181-44fc-82a8-8e53c501dc4e/1/-/-/-/-
/LoRaWAN%20Networks%20Susceptible%20to%20Hacking.pdf.
32
Cesar Cerrudo, Esteban Martinez Fayo, and Matias Sequeira. (Jan. 2020). IO Active. “LoRaWAN Networks Susceptible to
Hacking: Common Cyber Security Problems, How to Detect and Prevent Them.” Accessed on Jan. 11, 2020 at https://act-
on.ioactive.com/acton/attachment/34793/f-87b45f5f-f181-44fc-82a8-8e53c501dc4e/1/-/-/-/-
/LoRaWAN%20Networks%20Susceptible%20to%20Hacking.pdf.
33
Frank Hessel, Lars Almon, and Flor Álvarez. (May 23, 2020). Arvix. “ChirpOTLE: A Framework for Practical LoRaWAN Security
Evaluation.” Accessed on Jan. 11, 2020 at https://arxiv.org/pdf/2005.11555.pdf.
34
Semtech. (Aug. 16, 2016). Semtech. “Semtech LoRa® RF Technology Adopted by Asia Pacific Telecom for Rollout of
Commercial Low Power Wide Area Internet of Things Network in Taiwan.” Accessed on Jan. 15, 2020 at
https://www.semtech.com/company/press/semtech-lora-rf-technology-adopted-by-asia-pacific-telecom-for-rollout-of-commercial-low-
power-wide-area-internet-of-things-network-in-taiwan.
28. TREND MICROTM
RESEARCH
Trend Micro, a global leader in cybersecurity, helps to make the world safe for exchanging digital information.
Trend Micro Research is powered by experts who are passionate about discovering new threats, sharing key insights, and
supporting efforts to stop cybercriminals. Our global team helps identify millions of threats daily, leads the industry in
vulnerability disclosures, and publishes innovative research on new threats techniques. We continually work to anticipate new
threats and deliver thought-provoking research.
www.trendmicro.com