A protocol little known by executives outside of the networking world may put the future safety of enterprise IoT at extreme risk if organizations don't take action to secure their connections. New research out last week found that the way that many large organizations are using the Long Range Wide Area Networking (LoRaWAN) protocol is making them susceptible to hacking that could cause civic disruption and even put people at risk.
There's a lot of innovation riding on the future of LoRaWAN. The protocol is interwoven in the backbone of communication for 100 million different IoT devices used in smart cities, industrial IoT applications, smart utilities, smart vehicles, and healthcare applications. Enterprises have begun leveraging LoRaWAN in large volumes because of the protocol's unique capabilities in facilitating communication between low-powered devices and Internet-connected applications over long-range connections.
They're also drawn to what's been marketed as the innate security of the protocol's encrypted communication.
However, in a recent study of LoRaWAN and its implementations, researchers with consulting firm IOActive have shown that the IoT ecosystem isn't doing a good enough job protecting the keys at the heart of LoRaWAN's ecosystem. And that's putting the security of all the infrastructure connected through the protocol in jeopardy.
“Organizations are blindly trusting LoRaWAN because it’s encrypted, but that encryption can be easily bypassed if hackers can get their hands on the keys – which our research shows they can do in several ways, with relative ease,” says Cesar Cerrudo, CTO at IOActive and one of the authors of the report.
The report explained that once the keys are compromised "the whole network becomes vulnerable, because the keys are the source of the network's only security mechanism."
The top 10 most common methods they identified as being an easy path to LoRaWAN encryption keys included:
- Reverse engineering devices to extract keys from them
- Examining tags that may not have been removed from a device and that carry printed information about generating valid session keys
- Scraping hardcoded keys from open source repositories or vendor websites
- Guessing the logic used to generate keys due to easy-to-guess key values
- Searching for Internet-facing servers using default credentials
- Exploiting servers with vulnerabilities
- Compromising the device manufacturers for devices using LoRaWAN
- Hacking endpoints used by device or infrastructure deployment technicians
- File disclosures from device manufacturers that store keys in files and share them with clients through email, flash storage, and other insecure means
- Breaching a service provider that offers LoRaWAN infrastructure to steal keys from insecure backups or databases
The implications for enterprises if their LoRaWAN networks were to be breached due to poor key protection are serious, the researchers explained.
“Once hackers have access, there are many things they could potentially do – they could prevent utilities firms from taking smart meter readings, stop logistics companies from tracking vehicles, or prohibit hospitals from receiving readings from smart equipment,” says Cerrudo. “In extreme cases, a compromised network could be fed false device readings to cover up physical attacks against infrastructure, like a gas pipeline. Or to prompt industrial equipment containing volatile substances to overcorrect, causing it to break, combust or even explode.”
The most troubling thing is that there's currently no way to monitor if a LoRaWAN network has been or is undergoing an attack, or if an encryption key for the protocol has been compromised, he explains.
“Most enterprises are used to having multiple tools monitoring every inch of their IT infrastructure – but LoRaWAN is a real blind spot,” he says. “Organizations need to make life more difficult for an attacker by making sure their keys are as secure as possible, by checking all devices’ encrypted keys are unique and putting measures in place to identify any suspicious activity.”
To help enterprises take the first step in untangling the weaknesses in LoRaWAN, IOActive recently started an open source project called the LoRaWAN Auditing Framework, a set of penetration testing tools to "craft, parse, send, analyze, and crack a set of LoRaWAN packets" so that security teams can start testing the security of their LoRaWAN infrastructure.
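The uniqueness check Cerrudo recommends, combined with a screen for the easy-to-guess key values listed above, can be run against an organization's own device inventory. The sketch below is an added example, not code from IOActive's report or the LoRaWAN Auditing Framework; the inventory layout, the sample values and the heuristics are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory: (DevEUI, AppEUI, AppKey) as hex strings.
INVENTORY = [
    ("70b3d57ed0000001", "70b3d57ef0000001", "8f3a1c5e9b2d47a6c0e1f2a3b4c5d6e7"),
    ("70b3d57ed0000002", "70b3d57ef0000001", "00000000000000000000000000000000"),
    ("70b3d57ed0000003", "70b3d57ef0000001", "70b3d57ed000000370b3d57ef0000001"),
    ("70b3d57ed0000004", "70b3d57ef0000001", "5d1e6f7a8b9c0d1e2f3a4b5c6d7e8f90"),
    ("70b3d57ed0000005", "70b3d57ef0000001", "5d1e6f7a8b9c0d1e2f3a4b5c6d7e8f90"),
    ("70b3d57ed0000006", "70b3d57ef0000001", "0102030405060708090a0b0c0d0e0f10"),
]

def key_findings(dev_eui, app_eui, app_key):
    """Return weakness labels for one device's 128-bit AppKey."""
    try:
        key = bytes.fromhex(app_key)
        ids = [bytes.fromhex(dev_eui), bytes.fromhex(app_eui)]
    except ValueError:
        return ["malformed"]
    if len(key) != 16:
        return ["malformed"]
    findings = []
    # A key built from one or two byte values (all zeros, 0xAA55...) is guessable.
    if len(set(key)) <= 2:
        findings.append("low-variety")
    # A constant non-zero step between bytes means a counting pattern (01 02 03 ...).
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    if len(steps) == 1 and 0 not in steps:
        findings.append("sequential")
    # Identifiers are printed on labels and sent in the clear, so a key that
    # embeds one (in either byte order) can be reconstructed from public data.
    if any(i in key or i[::-1] in key for i in ids):
        findings.append("contains-identifier")
    return findings

def audit(inventory):
    """Map DevEUI -> findings, adding 'duplicate' for keys shared across devices."""
    by_key = defaultdict(list)
    for dev_eui, _, app_key in inventory:
        by_key[app_key.lower()].append(dev_eui)
    report = {}
    for dev_eui, app_eui, app_key in inventory:
        findings = key_findings(dev_eui, app_eui, app_key)
        if len(by_key[app_key.lower()]) > 1:
            findings.append("duplicate")
        if findings:
            report[dev_eui] = findings
    return report

if __name__ == "__main__":
    for dev, findings in audit(INVENTORY).items():
        print(dev, ", ".join(findings))
```

A clean result only means none of these particular patterns were found; it says nothing about how the keys were generated or stored.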