- By Renee Bassett
- IIoT Insight
A potential network vulnerability has emerged: Attackers can target Industrial Internet of Things (IIoT) networks by using drones to bypass physical barriers. These drones can be equipped with signal jamming technology to automatically locate and disrupt part of the industrial communication infrastructure.
Nozomi Networks Labs investigated the likelihood of attacks against the low-power radio frequency WAN (LoRaWAN) technology used in IIoT networks. The company’s research focused on the viability of discovering the transmission frequency of the IIoT network and jamming the signal to disrupt network communication. The results revealed potential attack vectors that industrial security professionals should consider as technology matures.
LoRaWAN wireless technology is based on low-power, wide-area networks (LPWAN). LoRaWAN is an open standard promoted by the LoRa Alliance, mostly for IIoT deployments. It is used in devices that benefit from wireless communication and require long range and low power consumption, such as intelligent utility meters.
A downside to LoRaWAN is that LoRa sensors are susceptible to interference attacks that can make the LoRa signal unavailable to the recipient. Such an attack would not be practical because of the long-distance applications in which these sensors can be placed, and because of countermeasures in the modulation (such as frequency hopping). But Nozomi wanted to test whether signals could be made unavailable.
Jamming the signal
LoRa sensors send only a few packets per day, usually in a predefined time range, which allows an attack to be timed to the LoRa packets. Another approach is to initiate the attack when the sensor starts transmitting, so that the jamming signal is sent the moment the transmission starts and disrupts the payload. Nozomi Networks Labs used the second approach because it has an advantage over frequency hopping. However, the jammer must be close enough to the sensor to jam the signal.
Locating a device from a radio signal can be easily done. Any wave that propagates in a medium has a specific direction as it distances itself from its source. By using an array of antennas, one can derive the source location of a signal. Such an approach would need the proper synchronization of devices to calculate the time difference of arrival of the signal and the direction. Another attribute of a wave is its power. Under certain conditions, one can estimate the distance to the sensor by measuring how strong or weak the signal is.
Making the attack real
For the jammer, Nozomi used a software-defined radio (SDR) module. These devices are programmable signal processing devices that allow modulation and demodulation of a signal. To identify and jam the LoRaWAN signal, Nozomi used a localization strategy based on the strength of the LoRa signal, and a jamming attack that activates when the sensor sends data. For the localization, Nozomi used the received signal strength indicator (RSSI) value.
The jammer attack consists of two phases:
- Detection of the LoRa signal. Nozomi used a series of band-pass filters to check the available channels in the LoRa range. This allowed monitoring of multiple channels to capture any possible packet transmission.
- Jamming the LoRa signal. This involves sending a burst of energy to the frequency to be jammed. This results in the destruction of the LoRa signal. The legitimate gateway is forced to drop the packet, and valuable information is lost.
Results of the tests
Packets were either dropped or the cyclic redundancy check (CRC) of the packet was invalid. This meant part of the packet was received by the gateway, but it was malformed, so the gateway could not validate it and was forced to drop it.
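A gateway-side check for the two symptoms described above, as an added example that is not from the article or Nozomi's research: it flags time windows dominated by CRC failures and per-device gaps in the LoRaWAN uplink frame counter (FCnt). The log format, thresholds and device addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample gateway receive log (not from the article):
# (unix_time, dev_addr, fcnt, crc_ok). Frames that fail the CRC carry no
# trustworthy address or counter, so those fields are None.
SAMPLE_LOG = [
    (1000, "26011A01", 10, True),
    (1600, "26011A02", 55, True),
    (4600, "26011A01", 11, True),
    (8200, None, None, False),
    (8210, None, None, False),
    (11800, None, None, False),
    (15400, "26011A01", 15, True),
    (15900, "26011A02", 56, True),
]

def detect_uplink_loss(log, window_s=3600, crc_fail_ratio=0.5, max_fcnt_gap=2):
    """Return (crc_alert_windows, fcnt_gap_alerts) for a gateway log.

    Thresholds are illustrative assumptions; tune them per deployment.
    """
    # 1) Per time window, share of received frames that failed the CRC.
    windows = defaultdict(lambda: [0, 0])  # window start -> [bad, total]
    for ts, _dev, _fcnt, crc_ok in log:
        start = ts - ts % window_s
        windows[start][1] += 1
        if not crc_ok:
            windows[start][0] += 1
    crc_alerts = sorted(start for start, (bad, total) in windows.items()
                        if bad / total >= crc_fail_ratio)

    # 2) Per device, gaps in FCnt: uplinks that were sent but never accepted.
    last_fcnt = {}
    gap_alerts = []
    for _ts, dev, fcnt, crc_ok in sorted(log, key=lambda r: r[0]):
        if not crc_ok:
            continue
        prev = last_fcnt.get(dev)
        # fcnt <= prev means a counter reset (e.g. rejoin); not treated as loss.
        if prev is not None and fcnt > prev:
            missing = fcnt - prev - 1
            if missing >= max_fcnt_gap:
                gap_alerts.append((dev, prev, fcnt, missing))
        last_fcnt[dev] = fcnt
    return crc_alerts, gap_alerts
```

Ordinary collisions and weak links also cause CRC failures and lost uplinks, so either signal alone is an indicator to investigate; both together, concentrated on one sensor or one time range, is the pattern the test results describe.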
Nozomi used drones to apply this approach in the real world. A drone can move across any terrain and gain adequate altitude to receive the signal. The RSSI can be accurate after a few measurements in the same general location by averaging the values. An attacker could select a random location close to a facility within a 5 to 10 km radius. Once within the receiving area of the LoRa signal, an attacker can take multiple measurements to establish a good average RSSI value. The process must be repeated in at least two arbitrarily selected locations, provided they are not the same point. The final stage is to approach the sensor and activate the selective jammer.
Nozomi reported that lab simulations prove attacks like these can occur. Those who would do harm may not be far behind. Find out more at the Nozomi blog.
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.