Press Release

MWR Issues Advice to Build a Secure LoRa Solution

Speaking at SyScan360 in Singapore, Rob Miller – senior security consultant at MWR today detailed how to build LoRa systems that are provably secure against cyber-attack.

Despite LoRa being a being relatively new standard, it’s low-power, long-range credentials make it a perfect candidate for a number of cutting edge-applications, meaning adoption is now accelerating at a significant pace. With industries now scrambling to take advantage of this emerging protocol, MWR noticed a lack of practical LoRa security guidance available and sought to close the gap with a new whitepaper.

Explaining the use case for LoRa, Miller said “Long range radio protocols, like GSM and WiFI, draw a lot of power making them unsuitable for smaller or remote devices, while In contrast low power solutions, like ZigBee or BTLE, are limited in range to tens of meters. So, there is a need for a long range solution that only sends occasional, small amounts of data that could run off a battery for years. LoRa, and its primary protocol LoRaWAN, addresses this gap in the market. It is intended for systems that require the ability to send and receive low amounts of data over a wide range without high power costs. “

In conducting the research, Miller noted that whilst several effective security features are designed into LoRa, companies should not consider the protocol secure out of the box - “Simply stating that a technology "uses AES-128 encryption" does not mean that solutions using this technology are therefore secure. It should be clear to all developers of LoRa solutions that using LoRa does not guarantee security. Instead they should build LoRa solutions with the potential attacks in mind.

“Given that LoRa will form part of a complex IT solution means that security vulnerabilities are a likely occurrence during development. Similarly given that LoRa solutions are being used in systems ranging in use from home security through to monitoring and controller infrastructure, attacks and development of exploits against these systems are also likely.

Miller concludes in the whitepaper that “Secure systems can be developed by understanding LoRa’s security features, as long as developers accept that they are not a silver bullet for security. A secure solution can be developed by considering cyber-security at every stage. Knowing the different ways that a LPWAN solution can be attacked allows a system to be developed built to defend, detect and respond to cyber-attacks.”

The MWR Labs whitepaper with guidance on securing this protocol is available here.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.