LoRa - The securable Long Range Low Powered Wide Area Network technology

How can we build LoRa systems that are provably secure against cyber-attack? In March MWR will be releasing guidance to help

We already have GSM, Bluetooth, Bluetooth Low Energy (BTLE), 6LowPAN, WiFi and Zigbee. So why introduce yet more wireless technology into this flooded market? There's actually a gap, and it's one that is under some fierce competition to fill. 

If we want range, then there are already long range radio protocols, but these draw a lot of power so are not suitable for smaller, remote devices. We also have low power solutions like ZigBee or BTLE, but these are limited in range to tens of meters. Many markets now require a long range solution that only sends occasional, small amounts of data and could run off a battery for years.

LoRa and its primary protocol LoRaWAN, are capable of filling this gap in the wireless communications market. Transmitting over many kilometres (depending on environment) and powered by a battery that can last for years. With such promises, several sectors are now picking up this technology to take advantage of these features.

Smart cities are one such  field. The goal of a smart city is to use metrics taken from across the city to reduce waste and increase efficiency. The city of Santander is a test bed for a range of smart city technology. One such example is that it measures current levels in dumpsters to decide which need to be collected and produce the most efficient routes to take for the day. It seems minor, but through dozens of such schemes the city claims to have reduced energy usage by as much as 25%.

Security in such scenarios can seem a little silly. Why do we care if someone can read how much trash is in a dumpster?

Obviously we don't. But we do care about the systems gathering this information, and we certainly care when these same protocols start being used for more important tasks, such as controlling level crossings, or sending signals from burglar alarms. There is a risk with any technology or protocol of scope creep. Where at the beginning we did not care about security due to the context, because of its success and relative maturity it creeps in to new sectors without review.

LoRaWAN has been designed with several very effective security features, but simply stating that a technology "uses AES-128 encryption" does not mean that solutions using this technology are therefore secure. So how can we build systems that are provably secure against cyber-attack?

To address this, MWR will be releasing guidance on LoRa, which will be published during Syscan 360 in Singapore.

The presentation at Syscan360 will cover off the following questions:

  1. How does LoRaWAN security actually work?
  2. How can we design systems that use LoRa safely?
  3. How can we test a LoRa solution to show that it is secure or insecure?
  4. How can we produce proof of concept attacks against these solutions to help demonstrate the need for change?



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.