The Long-range Disruption of Industrial IoT LoRaWAN Networks
Introduction to LoRaWAN technology
LoRaWAN is a wireless technology that falls into the category of low-power wide area networks (LPWAN). LoRaWAN is an open standard promoted by LoRa Alliance, especially for the implementation of industrial IoT. The use of technology includes devices that benefit from wireless communication and have requirements for long-distance communication and low power consumption.
This includes devices such as a smart water meter that will report the value of the utility’s water consumption, eliminating the need for an inspector to visit the residence every few months. Another use may be the transmission of data from a gas pipeline that extends over long distances through various terrains that may not have adequate infrastructure. In such a scenario, the cost of wireless communication technology would be a fraction of what is needed to interconnect all equipment, say meteorological data. Although this flexibility is related to the cost of available data rates, it is still an attractive solution for applications where a small amount of data is exactly what is needed.
Although technology like this is being adopted in various industries, we need to consider its possible impact on our lives. LoRa sensors (where LoRa is the modulation technology used in LoRaWAN), like many other wireless technologies, are susceptible to interference attacks that can make the LoRa signal inaccessible to the receiver.
Interestingly, such an attack would not be pragmatic, not only because of the modulation countermeasures (such as frequency hopping), but also because of the long distances at which these sensors can be placed. While experiments on LoRa signal attenuation were conducted, we were more interested in exploring how you could actually deploy such an attack in the real world. We focused on understanding the requirements of such an operation and exploring what an advanced persistent threat (APT) would do in such a scenario.
To understand these limitations, we examined signal interruption first in terms of a fixed frequency and then in terms of frequency hopping. The second term refers to the tactics used to protect the signal from interference by slightly changing the transmission frequency with a pseudo-random sequence known only to the legitimate transmitter and receiver.
We looked at the interference first. We wanted to apply something selective to try to block the attack during the broadcast. This made sense from several points of view. First, the silencers are uncontrollably disturbing. This is a problem because we can’t do specialized targeting. We may disrupt our own infrastructure or involuntary purpose. In addition, they are easy to detect.
To achieve this, we considered two approaches. The first was to determine the transmission time of LoRa packets. This approach can be considered, as LoRa sensors send several countable packets per day, usually in a predetermined time range. The second approach was to launch our attack when the sensor began transmitting. The purpose here was to send the attenuation signal as soon as the transmission started from the sensors to disrupt its payload. We decided to use the second approach, as it has an advantage over the frequency hopping approach.
The problem we had with the second technique was that we had to be close enough to the sensor to effectively block the signal. There are several methods that can be used to locate a device from a radio signal. Each wave that propagates in a medium has a specific direction as it moves away from its source. Using an array of antennas, you can retrieve the location of the source of this signal. This is exactly what sonar in submarines does. Such an approach will require appropriate synchronization of the devices to calculate the difference in arrival time (TDoA) of the signal and the direction. Another attribute of the wave is its strength. Under certain conditions, you can estimate the distance to the sensor by measuring how strong or weak the signal is. The second approach is less accurate, but is also cheaper to implement because you only need one gateway without any synchronization requirements.
Defining the attack scenario
For our experiment we decided to apply:
- Localization strategy based on LoRa signal strength
- A jamming attack that is activated when the sensor sends data
For localization we used the value of the signal strength indicator (RSSI). This is a measurement of the LoRa signal strength. The relationship of RSSI and the distance in LoRa can be given by the following formula: