A Security-Conscious Primer on LoRa and LoRaWAN Technologies

DOI:

https://doi.org/10.34190/eccws.24.1.3575

Keywords:

IoT, LPWAN, LoRa, LoRaWAN, Security

Abstract

At its core, the Internet of Things (IoT) paradigm encompasses a wealth of devices, mainly sensors, actuators and systems that can connect and exchange data through any means of communication, as long as they’re individually addressable and are a part of a network. There is a wide array of possible network types, among which Low-Power Short-Range Networks (LPSRNs) and Low-Power Wide-Area Networks (LPWANs) offer a great deal of potential to support energy-efficient communications with low maintenance. LoRa (an abbreviation of “Long Range”), one of the most popular technologies for implementing LPWANs, is a radio-based technique derived from Chirp Spread Spectrum (CSS) technology (where “Chirp” stands for Compressed High Intensity Radar Pulse). However, when used as a standalone technology, it exposes exchanged data, as LoRa devices simply transmit packets publicly without any built-in security. The LoRaWAN (LoRa Wide Area Network) framework addresses these shortcomings by providing a software layer on top of LoRa, supporting device addressing, management and message acknowledgement, while also providing a security framework with network and application encryption layers based on the AES-128 algorithm. LoRaWAN security mechanisms provide authentication and integrity protection of transmitted packets to the LoRaWAN Network Server (LNS), to ensure end-to-end encryption at the application layer. Due to its widespread application in IoT scenarios such as smart cities, smart transportation and environmental monitoring, the security of the LoRaWAN framework is fundamental to ensure the security and safety of critical metering and telemetry infrastructures.
In this paper we provide a primer on LoRa and LoRaWAN technologies and address the security and management-related aspects of this framework, also presenting a threat model for LoRaWAN networks based on the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) methodology, providing a convenient starting point for risk assessment and preventive/mitigation action planning.

Author Biographies

Tomás Simões, University of Coimbra, CISUC, DEI, Portugal

Tomás Simões is currently pursuing his BSc in Informatics Engineering at the University of Coimbra (UC), Portugal, and is also a junior researcher at the Networking, Communications and Security research group. His interests range from LoRaWAN cybersecurity, with a particular focus on standardisation and cyber-physical infrastructure aspects, to Low Earth Orbit satellite communications, and he is involved in the local team working on the SATERA (SESAR3 JU GA 101164313) project.

Tiago Cruz, University of Coimbra, CISUC, DEI, Portugal

Tiago Cruz is an Associate Professor with Habilitation with the Department of Informatics Engineering of the University of Coimbra. His research interests cover areas such as management systems for communications infrastructures and services, critical infrastructure security, broadband access network device and service management, Internet of Things, software defined networking, and network function virtualization.

Bruno Sousa, University of Coimbra, CISUC, DEI, Portugal

Bruno Sousa has been an Auxiliary Professor in the Department of Informatics Engineering of the University of Coimbra, Portugal, since December 2018, where he obtained a PhD in Informatics Engineering on the subject of Multihoming for IP-based networks in December 2014. He is a senior researcher in the Centre for Informatics and Systems of UC (CISUC), where he began his activities in 2006. He is the author of several book chapters and several publications in journals and international conferences. He has participated in the TPC of several conferences. He has participated in several European and national research projects, such as IST FP6 Integrated Projects, EuQoS and WEIRD, ICT FP7, MobiTRust, SALUS, Mobile Cloud Networking, LiveCity and FI-WARE, and H2020 EMPATIA. His research interests include resilience mechanisms in networks and applications/services, and intrusion detection and prevention in 5G networks and for the Internet of Things (IoT).

Paulo Simões, University of Coimbra, CISUC, DEI, Portugal

Paulo Simões is an Associate Professor with the University of Coimbra. He has over 180 journal and conference publications in his research areas. He is regularly involved in several European- and industry-funded research projects, with both technical and management activities. His research interests include security, network management, and critical infrastructure protection.

Published

2025-06-25