The long-term disruption of IoT LoRaWAN industrial networks



An introduction to LoRaWAN technology

LoRaWAN is a wireless technology that falls under the category of Low Power Wide Area Network (LPWAN). It is an open standard promoted by the LoRa Alliance, especially for industrial IoT deployments. The technology is used in devices that benefit from wireless communication and require long-distance communication and low power consumption.

This includes devices such as a smart water meter that reports the amount of water consumed to the utility company, eliminating the need for an inspector to visit the residence every few months. Another use could be the transmission of data from a gas pipeline that spans long distances over a variety of terrains that might not have the appropriate infrastructure. In such a scenario, the cost of wireless communication technology would be a fraction of that required to interconnect all equipment, e.g. weather data. While this flexibility comes at the cost of the available data rates, it remains an attractive solution for applications where a small amount of data is exactly what is needed.

While technology like this is adopted across industries, we need to consider its possible impact on our lives. LoRa sensors (where LoRa is the modulation technology used in LoRaWAN), like many other wireless technologies, are susceptible to interference attacks that can make the LoRa signal unavailable to the recipient.

The interesting part is that such an attack would not be practical, not only because of the modulation countermeasures (such as frequency hopping) but also because of the long distances over which these sensors can be placed. While the LoRa signal jamming experiments were being conducted, we were more interested in exploring how such an attack can actually be deployed in the real world. We focused on understanding the requirements of such an operation and studying what an Advanced Persistent Threat (APT) would do in such a scenario.

To understand these limitations, we studied signal interruption first from a fixed-frequency point of view and then from a frequency-hopping point of view. Frequency hopping is the tactic used to protect the signal from interference by slightly changing the transmit frequency according to a pseudo-random sequence known only to the legitimate transmitter and receiver.

We first considered the jammer. We wanted to implement something selective, which would jam only during the transmission time. This made sense for several reasons. First, radio jammers are disruptive in an uncontrollable way. This is a problem because it rules out specialized targeting: we could disrupt our own infrastructure or an unintended target. In addition, they are easily detectable.

To achieve this, we considered two approaches. The first was to time the transmission of the LoRa packets. This approach could be considered because LoRa sensors send only a few packets per day, usually within a predefined time range. The second approach was to launch our attack when the sensor starts transmitting. The goal here was to send the jamming signal as the transmission from the sensor starts, to disrupt its payload. We decided to use the second approach because it has an advantage over the frequency hopping approach.

The problem we had with the second technique was that we had to be close enough to the sensor to effectively jam the signal. There are several methods that can be used to locate a device from a radio signal. Any wave that propagates in a medium has a specific direction as it moves away from its source. By using an antenna array, you can derive the location of the source of this signal. This is exactly what sonar does in submarines. Such an approach would require proper synchronization of devices to calculate signal time difference of arrival (TDoA) and direction. Another attribute of a wave is its power. Under certain conditions, you can estimate the distance to the sensor by measuring the strength or weakness of the signal. The second approach is less precise but it is also less expensive to implement because you only need a single gateway without any synchronization requirement.
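To illustrate why RSSI-based ranging is the less precise option, the following added example (not code or a formula from the original article) assumes the standard log-distance path-loss model, RSSI = a - 10·n·log10(d). The calibration points and the 6 dB shadowing figure are constructed values chosen for illustration.

```python
import math

# Constructed calibration data: (distance in metres, mean RSSI in dBm).
# Illustrative values only, not measurements from the article.
CALIBRATION = [(10, -66.5), (50, -86.0), (100, -93.5), (500, -113.0), (1000, -121.5)]


def fit_path_loss(samples):
    """Least-squares fit of RSSI = a - 10*n*log10(d).

    Returns (a, n): a is the RSSI at 1 m, n is the path-loss exponent.
    """
    xs = [math.log10(d) for d, _ in samples]
    ys = [rssi for _, rssi in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return my - slope * mx, -slope / 10.0


def estimate_distance(rssi, a, n):
    """Invert the model: distance in metres for a given RSSI in dBm."""
    return 10 ** ((a - rssi) / (10 * n))


def distance_interval(rssi, a, n, sigma_db):
    """Distances consistent with a reading of rssi +/- sigma_db.

    sigma_db models shadowing/fading; a stronger signal maps to a
    shorter distance, so the lower bound uses rssi + sigma_db.
    """
    return (estimate_distance(rssi + sigma_db, a, n),
            estimate_distance(rssi - sigma_db, a, n))


if __name__ == "__main__":
    a, n = fit_path_loss(CALIBRATION)
    reading = -100.0   # constructed single RSSI reading, dBm
    sigma = 6.0        # assumed shadowing standard deviation, dB
    low, high = distance_interval(reading, a, n, sigma)
    print(f"fitted a={a:.1f} dBm at 1 m, n={n:.2f}")
    print(f"point estimate: {estimate_distance(reading, a, n):.0f} m")
    print(f"with +/-{sigma:.0f} dB: {low:.0f} m to {high:.0f} m")
```

A few dB of fading changes the estimated distance by a large factor, which is why a single-receiver RSSI estimate gives only a coarse range rather than a position.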

Determining the attack scenario

For our experiment, we decided to implement:

  • A localization strategy based on the strength of the LoRa signal
  • A jamming attack that activates when the sensor sends data

For the localization we used the value of the received signal strength indicator (RSSI), which is a measure of the strength of the LoRa signal. The relation between RSSI and distance in LoRa can be given by the following formula:


