Low-Power Wide Area Network

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Introduction

Low-Power Wide Area Network (LPWAN) is a group of wireless, low-power, wide-area network technologies designed for long-range communications at a low bit rate. They can reach more than six miles and their batteries can last up to 20 years.

Long Range (LoRa) is currently the most deployed LPWAN physical layer and its open MAC-layer specification is LoRaWAN.


LPWAN, LoRa, and LoRaWAN

  • LoRa – Chirp Spread Spectrum (CSS) physical layer developed by Semtech (proprietary but documented).
  • LoRaWAN – Open MAC/Network layer maintained by the LoRa-Alliance. Versions 1.0.x and 1.1 are common in the field.
  • Typical architecture: end-device → gateway (packet-forwarder) → network-server → application-server.

The security model relies on two AES-128 root keys (AppKey/NwkKey) that derive the session keys during the join procedure (OTAA) or are hard-coded on the device (ABP). If either root key leaks, an attacker gains full read/write capability over the corresponding traffic.


Attack surface summary

| Layer | Weakness | Practical impact |
|---|---|---|
| PHY | Reactive / selective jamming | 100 % packet loss demonstrated with a single SDR and <1 W output |
| MAC | Join-Accept & data-frame replay (nonce reuse, ABP counter rollover) | Device spoofing, message injection, DoS |
| Network-Server | Insecure packet-forwarder, weak MQTT/UDP filters, outdated gateway firmware | RCE on gateways → pivot into OT/IT network |
| Application | Hard-coded or predictable AppKeys | Brute-force/decrypt traffic, impersonate sensors |

Recent vulnerabilities (2023-2025)

  • CVE-2024-29862 – ChirpStack gateway-bridge & mqtt-forwarder accepted TCP packets that bypassed stateful firewall rules on Kerlink gateways, allowing remote management interface exposure. Fixed in 4.0.11 / 4.2.1 respectively.
  • Dragino LG01/LG308 series – Multiple 2022-2024 CVEs (e.g. 2022-45227 directory traversal, 2022-45228 CSRF) still observed unpatched in 2025; they enable unauthenticated firmware dump or config overwrite on thousands of public gateways.
  • Semtech packet-forwarder UDP overflow (unreleased advisory, patched 2023-10): a crafted uplink larger than 255 B triggered a stack smash -> RCE on SX130x reference gateways (found by Black Hat EU 2023 “LoRa Exploitation Reloaded”).

Practical attack techniques

1. Sniff & Decrypt traffic

```bash
# Capture all channels around 868.3 MHz with an SDR (USRP B205)
python3 lorattack/sniffer.py \
    --freq 868.3e6 --bw 125e3 --rate 1e6 --sf 7 --session smartcity

# Bruteforce AppKey from captured OTAA join-request/accept pairs
python3 lorapwn/bruteforce_join.py --pcap smartcity.pcap --wordlist top1m.txt
```

2. OTAA join-replay (DevNonce reuse)

  1. Capture a legitimate JoinRequest.
  2. Immediately retransmit it (or increment RSSI) before the original device transmits again.
  3. The network-server allocates a new DevAddr & session keys while the target device continues with the old session β†’ attacker owns vacant session and can inject forged uplinks.

3. Adaptive Data-Rate (ADR) downgrading

Force SF12/125 kHz to increase airtime β†’ exhaust duty-cycle of gateway (denial-of-service) while keeping battery impact low on attacker (just send network-level MAC commands).

4. Reactive jamming

A HackRF One running a GNU Radio flowgraph triggers a wide-band chirp whenever a preamble is detected, blocking all spreading factors with ≤ 200 mW TX; full outage was measured at 2 km range.


Offensive tooling (2025)

| Tool | Purpose | Notes |
|---|---|---|
| LoRaWAN Auditing Framework (LAF) | Craft/parse/attack LoRaWAN frames, DB-backed analyzers, brute-forcer | Docker image, supports Semtech UDP input |
| LoRaPWN | Trend Micro Python utility to brute OTAA, generate downlinks, decrypt payloads | Demo released 2023, SDR-agnostic |
| LoRAttack | Multi-channel sniffer + replay with USRP; exports PCAP/LoRaTap | Good Wireshark integration |
| gr-lora / gr-lorawan | GNU Radio OOT blocks for baseband TX/RX | Foundation for custom attacks |

Defensive recommendations (pentester checklist)

  1. Prefer OTAA devices with truly random DevNonce; monitor duplicates.
  2. Enforce LoRaWAN 1.1: 32-bit frame counters, distinct FNwkSIntKey / SNwkSIntKey.
  3. Store frame-counter in non-volatile memory (ABP) or migrate to OTAA.
  4. Deploy secure-element (ATECC608A/SX1262-TRX-SE) to protect root keys against firmware extraction.
  5. Disable remote UDP packet-forwarder ports (1700/1701) or restrict with WireGuard/VPN.
  6. Keep gateways updated; Kerlink/Dragino provide 2024-patched images.
  7. Implement traffic anomaly detection (e.g., LAF analyzer) – flag counter resets, duplicate joins, sudden ADR changes.
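The following is an added example, not HackTricks' code and not part of LAF or any network server: a small Python detector of the kind items 1, 3 and 7 of the checklist ask for, run over a constructed uplink log. It flags the three signals the page singles out: a DevNonce reused by the same DevEUI (join replay or a non-random nonce), a 16-bit frame counter that goes backwards or repeats (ABP reset, replay), and a sudden ADR data-rate jump. The counter check reconciles the 16-bit on-air FCnt with a 32-bit server-side counter the way a LoRaWAN 1.0.x network server does, tolerating a genuine 65535 -> 0 rollover but rejecting jumps larger than MAX_FCNT_GAP (16384 in the 1.0.x specification). The record layout, the sample log and the DR-jump threshold are assumptions of this example, not the export format of any real tool.

```python
"""Added example (not HackTricks' code): LoRaWAN uplink anomaly detector.

Detects duplicate DevNonce per DevEUI, frame-counter resets/replays per DevAddr
and abrupt ADR data-rate changes over an in-memory, constructed frame log.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FCNT_GAP = 16384  # LoRaWAN 1.0.x: largest tolerated jump of the 16-bit on-air FCnt


@dataclass
class Frame:
    ts: float                       # seconds since capture start
    kind: str                       # "join" (JoinRequest) or "data" (uplink)
    dev_eui: str = ""               # present on join requests
    dev_nonce: Optional[int] = None
    dev_addr: str = ""              # present on data uplinks
    fcnt: Optional[int] = None      # 16-bit FCnt as transmitted (LoRaWAN 1.0.x)
    dr: Optional[int] = None        # data-rate index; EU868: DR0 = SF12/125 kHz ... DR5 = SF7/125 kHz


def check_fcnt(prev32: Optional[int], fcnt16: int) -> Tuple[Optional[int], Optional[str]]:
    """Reconcile a 16-bit on-air FCnt with the 32-bit counter the server tracks.

    Returns (new_fcnt32, alert); alert is None when the frame is in order.
    On a rejected frame the stored 32-bit counter is left unchanged.
    """
    if prev32 is None:
        return fcnt16, None                      # first frame seen for this DevAddr
    gap = (fcnt16 - (prev32 & 0xFFFF)) & 0xFFFF  # modular distance, handles 65535 -> 0 rollover
    if gap == 0:
        return prev32, "duplicate FCnt: replayed uplink?"
    if gap > MAX_FCNT_GAP:
        return prev32, (f"FCnt went backwards ({prev32 & 0xFFFF} -> {fcnt16}): "
                        "counter reset (ABP without NVM) or replay")
    return prev32 + gap, None


def analyze(frames: List[Frame], dr_jump: int = 3) -> List[Tuple[float, str, str]]:
    """Walk the frame log in time order and return (ts, device, message) alerts."""
    seen_nonces = {}   # DevEUI  -> set of DevNonce values already used
    fcnt32 = {}        # DevAddr -> 32-bit uplink counter reconstructed by the server
    last_dr = {}       # DevAddr -> data rate of the previous uplink
    alerts = []
    for f in frames:
        if f.kind == "join":
            used = seen_nonces.setdefault(f.dev_eui, set())
            if f.dev_nonce in used:
                alerts.append((f.ts, f.dev_eui,
                               f"duplicate DevNonce 0x{f.dev_nonce:04X}: join replay or non-random nonce"))
            used.add(f.dev_nonce)
        elif f.kind == "data":
            new32, alert = check_fcnt(fcnt32.get(f.dev_addr), f.fcnt)
            fcnt32[f.dev_addr] = new32
            if alert:
                alerts.append((f.ts, f.dev_addr, alert))
            prev_dr = last_dr.get(f.dev_addr)
            if prev_dr is not None and abs(f.dr - prev_dr) >= dr_jump:
                alerts.append((f.ts, f.dev_addr,
                               f"ADR jump DR{prev_dr} -> DR{f.dr}: possible ADR downgrade"))
            last_dr[f.dev_addr] = f.dr
    return alerts


# Constructed sample log (hypothetical DevEUI/DevAddr values, not real devices).
SAMPLE_LOG = [
    Frame(ts=0,  kind="join", dev_eui="70B3D57ED0000001", dev_nonce=0x1A2B),
    Frame(ts=10, kind="data", dev_addr="26011B01", fcnt=1, dr=5),
    Frame(ts=20, kind="data", dev_addr="26011B01", fcnt=2, dr=5),
    Frame(ts=25, kind="join", dev_eui="70B3D57ED0000001", dev_nonce=0x1A2B),  # same DevNonce again
    Frame(ts=30, kind="data", dev_addr="26011B01", fcnt=1, dr=5),            # counter went backwards
    Frame(ts=40, kind="data", dev_addr="26011B01", fcnt=3, dr=0),            # SF7 -> SF12 in one step
    Frame(ts=50, kind="data", dev_addr="26011B01", fcnt=4, dr=0),            # steady state, no alert
]

if __name__ == "__main__":
    for ts, dev, msg in analyze(SAMPLE_LOG):
        print(f"t={ts:>4} {dev}: {msg}")
```

Running the block on the sample log yields three alerts: the reused DevNonce at t=25, the backwards counter at t=30 and the DR5 -> DR0 jump at t=40; the legitimate rollover case is covered by check_fcnt treating a 65535 -> 0 step as a gap of 1. In a deployment the frames would come from the network server's uplink stream rather than a hard-coded list, and the DevNonce set per DevEUI should persist across restarts, otherwise a replayed JoinRequest after a restart would pass unnoticed.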
