Conference: Mediterranean Communication and Computer Networking Conference

Disconnection Attacks Against LoRaWAN 1.0.X ABP Devices




Previous research has already documented vulnerabilities in LoRaWAN 1.0.x, in the form of replay attacks that may cause disconnection. Partly to address these concerns, modern network servers implement careful techniques for handling sequence numbers (frame counters) in the presence of unexpected or out-of-sequence messages. In this paper we show that, despite such patches, the problem of disconnection attacks is still wide open. We document a number of new replay-type attacks that target ABP (Activation By Personalization) devices, namely devices deployed with a hard-coded set of session keys. These attacks may cause a range of disconnection situations, including extremely long-term ones, the worst case being on the order of 2^32 message transmissions (hundreds or thousands of years at ordinary IoT rates). We demonstrate the feasibility of the proposed attacks by analyzing their impact on three different LoRaWAN network server implementations (two well-known open-source network servers and a proprietary network server co-developed by us), and by demonstrating their practicality on two of those network servers (ours and ChirpStack). Finally, we discuss trade-offs and mitigation actions, though we remark that these attacks appear intrinsic to the LoRaWAN 1.0.x specification and can ultimately be fixed only by migrating to LoRaWAN 1.1.


