Please use this identifier to cite or link to this item: http://hdl.handle.net/10397/93979
DC Field | Value | Language
dc.contributor | Department of Computing | -
dc.creator | Hou, Ningning | -
dc.identifier.uri | https://theses.lib.polyu.edu.hk/handle/200/11792 | -
dc.language.iso | English | -
dc.title | Security threats and countermeasures of LoRa physical layer | -
dc.type | Thesis | -
dcterms.abstract | LoRa is a popular Low Power Wide Area Networking (LPWAN) technology that is expected to boost the next generation IoT for its capability to provide long-range ubiquitous connectivity for everyday objects with an AA battery. Despite the popularity, there exists a growing concern about the security of LoRa communication. Current LoRaWAN systems are susceptible to security attacks due to the inherent features of LoRa communication. Specifically, LoRa operates at unlicensed frequency bands under public standards, which makes it vulnerable to active attack and information leakage. Besides, LoRa packets have a long transmission window compared with traditional wireless technologies (i.e., Wi-Fi, Bluetooth), which leaves sufficient time for attackers to launch attacks. Meanwhile, the large scale of LoRa deployment with low-cost and low-power devices makes it an ideal target for large-scale cyber attacks. | -
dcterms.abstract | In this thesis, we investigate security threats and countermeasures of LoRa physical layer. Specifically, we explore the possible security attack at both the transmitter side (covert channel) and receiver side (jamming attack) and propose corresponding countermeasures against such attacks. | -
dcterms.abstract | The first work describes our design and implementation of a covert channel over LoRa physical layer (PHY). LoRa adopts a unique modulation scheme (chirp spread spectrum (CSS)) to enable long-range communication at low-power consumption. CSS uses the initial frequencies of LoRa chirps to differentiate LoRa symbols, while simply ignoring other RF parameters (e.g., amplitude and phase). Our study reveals that the LoRa physical layer leaves sufficient room to build a covert channel by embedding covert information with a modulation scheme orthogonal to CSS. To demonstrate the feasibility of building a covert channel, we implement CloakLoRa. CloakLoRa embeds covert information into a regular LoRa packet by modulating the amplitudes of LoRa chirps while keeping the frequency intact. Since amplitude modulation is orthogonal to CSS, a regular LoRa node receives the LoRa packet as if no secret information is embedded into the packet. Such an embedding method is transparent to all security mechanisms at upper layers in current LoRaWAN. As such, an attacker can create an amplitude-modulated covert channel over LoRa without being detected by current LoRaWAN security mechanism. We build the covert channel using a COTS LoRa node (Tx) and a low-cost receive-only software-defined radio (Rx). Comprehensive evaluations show that CloakLoRa can send covert information over 250 m. | -
dcterms.abstract | The second work investigates jamming of LoRa PHY and corresponding countermeasure. LoRaWAN forms a one-hop star topology where LoRa nodes send data via one-hop up-link transmission to a LoRa gateway. If the LoRa gateway can be jammed by attackers, the LoRa gateway may not be able to receive any data from any nodes in the network. Our empirical study shows that although LoRa physical layer (PHY) is robust and resilient by design, it is still vulnerable to synchronized jamming chirps. Potential protection solutions (e.g., collision recovery, parallel decoding) may fail to extract LoRa packets if an attacker transmits synchronized jamming chirps at high power. To protect the LoRa PHY from such attacks, we propose a new protection method that can separate LoRa chirps from jamming chirps by leveraging their difference in the received signal strength in power domain. We note that the new protection solution is orthogonal to existing solutions which leverage the chirp misalignment in time domain or the frequency disparity in frequency domain. Besides, we discuss new types of attacking methods (e.g., consecutive SFDs) and analyze their impacts on LoRa packet reception. We conduct experiments with COTS LoRa nodes and software-defined radios with varied experiment settings such as different spreading factors, bandwidths, and code rates. The results show that synchronized jamming chirps at high power can jam all previous solutions, while our protection solution can effectively protect LoRa gateways from the jamming attacks. | -
dcterms.accessRights | open access | -
dcterms.educationLevel | Ph.D. | -
dcterms.extent | xx, 121 pages : color illustrations | -
dcterms.issued | 2021 | -
dcterms.LCSH | Wide area networks (Computer networks) -- Security measures | -
dcterms.LCSH | Computer networks -- Security measures | -
dcterms.LCSH | Hong Kong Polytechnic University -- Dissertations | -
Appears in Collections: Thesis
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.