How does LoRa ensure IoT security?

Ensuring functional safety and information security for Internet of Things (IoT) deployments is not just a matter of choosing the right protocols; it also relies on implementation processes as well as best practices and industry standards.

LoRaWAN is designed to be very secure - authentication and encryption are mandatory, however, if security keys are not kept secure and randomly distributed between devices, or if a once-used passphrase (random number) is reused, the network and devices can be compromised. Therefore, it is critical to look for a LoRaWAN CertifiedCM device to ensure that the device has been tested to security standards and works properly.

The LoRa Alliance has always kept security at the forefront of the development of the LoRaWAN specification and is highly transparent about the security features of the protocol (see Figure 1). The LoRaWAN specification was designed from the outset with security as a fundamental aspect, providing state-of-the-art security to meet the needs of highly scalable, low-power IoT networks. Unlike many other IoT technologies, the LoRaWAN specification already provides dedicated end-to-end encryption for application providers.

Figure 1: LoRaWAN security overview

The specification defines two encryption layers:

Uses a unique 128-bit key shared between the end device and the network server

Uses a unique 128-bit key (AppSKey) shared end-to-end at the application level

The AES algorithm is used to provide authentication and integrity of data packets to the network server and end-to-end encryption to the application server. By providing these two levels, a "multi-tenant" shared network can be achieved without the network operator having to see the user's payload data. The devices can be activated through personalization on the production line or during commissioning, or through over-the-air activation (OTAA) in the field. OTAA allows the key of the device session to be re-set when necessary.

LoRaWAN has all the basic building blocks required and used by any modern wireless communication technology and features AES-128. The inherent security of LoRaWAN provided in the specification needs to be accompanied by the secure implementation and secure deployment of these devices and/or networks to maintain the built-in security mechanisms of the protocol. It should be noted that this is true for all secure device implementations using any communication technology.

As mentioned above, LoRaWAN relies on symmetric cryptography, which requires keys to be shared in a secure and reliable manner. To further aid this process, LoRa Alliance members have developed:

The LoRaWAN backend interface isolates the storage of the root key in the joining server so that it becomes trusted regardless of the network

Secure element solutions that provide additional hardware physical protection to prevent tampering.

To ensure device and network security, as with any technology, best practices are always to use certified equipment and work with proven, trusted service providers. LoRaWAN is no different, and end users can have confidence in their deployment if they leverage resources that know how to properly implement a LoRaWAN solution.

Security is a moving target, malicious actors continue to emerge, and LoRaWAN is constantly evolving to address any new threats. While LoRaWAN is inherently secure, the LoRa Alliance is continually reviewing, designing, and implementing security enhancements and best practices to ensure LoRaWAN stays ahead of the changing security landscape.

Therefore, to help the market choose the right implementation, the LoRa Alliance will release a "Recommended Practices" document next month, which will provide device manufacturers with best practices to ensure the security of their devices. In addition, the Security Working Group reports to the LoRa Alliance Technical Committee responsible for the LoRaWAN specification and continuously reviews the security of technical specifications and documents. The Security Working Group is composed of security experts from LoRa Alliance members and works with academia to review documents and discuss security challenges.