Press Release

MWR Issues Advice to Build a Secure LoRa Solution

News

Speaking at SyScan360 in Singapore, Rob Miller – senior security consultant at MWR today detailed how to build LoRa systems that are provably secure against cyber-attack.

Despite LoRa being a being relatively new standard, it’s low-power, long-range credentials make it a perfect candidate for a number of cutting edge-applications, meaning adoption is now accelerating at a significant pace. With industries now scrambling to take advantage of this emerging protocol, MWR noticed a lack of practical LoRa security guidance available and sought to close the gap with a new whitepaper.

Explaining the use case for LoRa, Miller said “Long range radio protocols, like GSM and WiFI, draw a lot of power making them unsuitable for smaller or remote devices, while In contrast low power solutions, like ZigBee or BTLE, are limited in range to tens of meters. So, there is a need for a long range solution that only sends occasional, small amounts of data that could run off a battery for years. LoRa, and its primary protocol LoRaWAN, addresses this gap in the market. It is intended for systems that require the ability to send and receive low amounts of data over a wide range without high power costs. “

In conducting the research, Miller noted that whilst several effective security features are designed into LoRa, companies should not consider the protocol secure out of the box - “Simply stating that a technology "uses AES-128 encryption" does not mean that solutions using this technology are therefore secure. It should be clear to all developers of LoRa solutions that using LoRa does not guarantee security. Instead they should build LoRa solutions with the potential attacks in mind.

“Given that LoRa will form part of a complex IT solution means that security vulnerabilities are a likely occurrence during development. Similarly given that LoRa solutions are being used in systems ranging in use from home security through to monitoring and controller infrastructure, attacks and development of exploits against these systems are also likely.

Miller concludes in the whitepaper that “Secure systems can be developed by understanding LoRa’s security features, as long as developers accept that they are not a silver bullet for security. A secure solution can be developed by considering cyber-security at every stage. Knowing the different ways that a LPWAN solution can be attacked allows a system to be developed built to defend, detect and respond to cyber-attacks.”

The MWR Labs whitepaper with guidance on securing this protocol is available here.

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.