Berkner Tech

LoRaWAN Security for IoT Networks

LoRaWAN security assessment pipeline for IoT devices, from capturing uplinks to a replay test

LoRaWAN carries low-power sensor traffic over kilometers, which makes it popular for metering, agriculture, and asset tracking. Its security model is solid on paper and routinely undermined in practice by static keys and ignored frame counters. Here is how I assess a LoRaWAN device.

OTAA Versus ABP, and Why It Matters

LoRaWAN devices activate one of two ways. Over-the-air activation (OTAA) negotiates fresh session keys at join time from a root AppKey. Activation by personalization (ABP) ships static session keys burned into the device. ABP is simpler and far weaker, because those keys live in firmware you can extract.

Step 1: Capture and Decode Uplinks

Most deployments bridge uplinks to a network server over MQTT. Subscribing to the application topic shows the decoded traffic, including the device address and frame counter:

mosquitto_sub -t 'application/+/device/+/event/up' -v

Example output:

application/1/device/00800000040e7b21/event/up
{"devEUI":"00800000040e7b21","fCnt":42,"fPort":2,"data":"Aa8B"}

Step 2: Read the Frame Structure

Every uplink carries a device address, a frame counter, the payload, and a message integrity code:

[Figure: Anatomy of a LoRaWAN uplink frame showing MHDR, DevAddr, frame counter, payload, and MIC]

Step 3: Test for Replay

Capture an uplink, then resend it. A device or network server that does not strictly enforce a monotonic frame counter will accept the replay as fresh, which lets a captured command be reissued. Confirming whether the counter is enforced is the core of the test.
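Steps 1 to 3 together amount to one check: split the uplink into its fields, then decide whether its frame counter is fresh. The following is an added example, not code from the original post, showing the network-server side of that decision: a parser for the LoRaWAN 1.0.x PHYPayload layout (MHDR, DevAddr, FCtrl, FCnt, FOpts, FPort, FRMPayload, MIC) and a strictly monotonic frame-counter guard that extends the 16-bit on-air counter to the 32-bit value the server must track. The DevAddr, payload bytes and MIC bytes are constructed; MIC verification (AES-CMAC under NwkSKey) is left out and must happen before the counter check in a real server. The same guard is also run over the decoded MQTT events from Step 1, keyed by devEUI.

```python
"""Added example (not from the original post): LoRaWAN 1.0.x uplink parsing
plus server-side frame-counter enforcement. Sample frames are constructed
with placeholder MIC bytes; real servers verify the MIC first."""
from __future__ import annotations
import json
from dataclasses import dataclass

MAX_FCNT_GAP = 16384  # MAX_FCNT_GAP from the LoRaWAN 1.0.x specification
MTYPES = {0: "Join Request", 1: "Join Accept", 2: "Unconfirmed Data Up",
          3: "Unconfirmed Data Down", 4: "Confirmed Data Up",
          5: "Confirmed Data Down", 6: "RFU", 7: "Proprietary"}


@dataclass
class Uplink:
    mtype: str
    dev_addr: str        # hex string, as network servers print it
    fctrl: int
    fcnt16: int          # 16-bit counter as transmitted on the air
    fopts: bytes
    fport: int | None
    frm_payload: bytes   # still encrypted under AppSKey
    mic: bytes


def parse_uplink(phy: bytes) -> Uplink:
    """Split PHYPayload = MHDR | FHDR | [FPort | FRMPayload] | MIC."""
    if len(phy) < 1 + 7 + 4:
        raise ValueError("frame too short for MHDR, FHDR and MIC")
    mtype = phy[0] >> 5                     # top three bits of MHDR
    mac, mic = phy[1:-4], phy[-4:]
    dev_addr = mac[0:4][::-1].hex()         # DevAddr is little-endian on air
    fctrl = mac[4]
    fcnt16 = int.from_bytes(mac[5:7], "little")
    fopts_len = fctrl & 0x0F                # FOptsLen is the low nibble of FCtrl
    fopts = mac[7:7 + fopts_len]
    rest = mac[7 + fopts_len:]              # optional FPort followed by FRMPayload
    return Uplink(MTYPES[mtype], dev_addr, fctrl, fcnt16, fopts,
                  rest[0] if rest else None, rest[1:] if rest else b"", mic)


def build_uplink(dev_addr: str, fcnt16: int, fport: int, payload: bytes) -> bytes:
    """Constructed Unconfirmed Data Up frame (MHDR 0x40) with a dummy MIC."""
    fhdr = bytes.fromhex(dev_addr)[::-1] + b"\x00" + fcnt16.to_bytes(2, "little")
    return b"\x40" + fhdr + bytes([fport]) + payload + b"\x00\x00\x00\x00"


class FrameCounterGuard:
    """Strictly monotonic FCntUp per device. Only 16 bits travel on the air,
    so the server keeps the full 32-bit value and infers the high half."""

    def __init__(self, max_gap: int = MAX_FCNT_GAP):
        self.max_gap = max_gap
        self.last: dict[str, int] = {}      # device key -> last accepted FCntUp

    def check_counter(self, key: str, fcnt16: int) -> tuple[bool, str]:
        last = self.last.get(key)
        if last is None:                    # first frame seen from this device
            self.last[key] = fcnt16
            return True, f"accepted FCntUp={fcnt16} (first frame)"
        if fcnt16 == (last & 0xFFFF):       # exact repeat of the last counter
            return False, f"replay: FCnt {fcnt16} already accepted"
        full = (last & 0xFFFF0000) | fcnt16
        if full < last:
            full += 0x10000                 # on-air counter wrapped around
        if full - last > self.max_gap:      # stale capture or implausible jump
            return False, f"rejected: FCnt {fcnt16} is stale or beyond MAX_FCNT_GAP"
        self.last[key] = full
        return True, f"accepted FCntUp={full}"

    def check(self, up: Uplink) -> tuple[bool, str]:
        return self.check_counter(up.dev_addr, up.fcnt16)


DEV, PAYLOAD = "260b1234", bytes.fromhex("01af01")   # constructed DevAddr/payload


def replay_test_scenario() -> list[tuple[int, bool]]:
    """A capture, its verbatim replay, an older capture, and a post-reboot frame."""
    guard = FrameCounterGuard()
    return [(f.fcnt16, guard.check(f)[0]) for f in map(parse_uplink, [
        build_uplink(DEV, 42, 2, PAYLOAD),
        build_uplink(DEV, 43, 2, PAYLOAD),
        build_uplink(DEV, 43, 2, PAYLOAD),  # resent unchanged: must be refused
        build_uplink(DEV, 40, 2, PAYLOAD),  # older capture: also refused
        build_uplink(DEV, 0, 2, PAYLOAD),   # ABP device rebooted to FCnt 0
    ])]


def check_mqtt_events(lines: list[str]) -> list[tuple[str, int, bool]]:
    """Same check over Step 1's decoded MQTT events, keyed by devEUI."""
    guard = FrameCounterGuard()
    out = []
    for line in lines:
        ev = json.loads(line)
        ok, _ = guard.check_counter(ev["devEUI"], ev["fCnt"] & 0xFFFF)
        out.append((ev["devEUI"], ev["fCnt"], ok))
    return out


if __name__ == "__main__":
    for fcnt, ok in replay_test_scenario():
        print(f"FCnt {fcnt:5d}: {'accepted' if ok else 'REJECTED'}")
```

The post-reboot frame at FCnt 0 is the operational reason ABP deployments end up with the counter check switched off: a personalized device that loses its counter on reset is silently dropped until someone "fixes" the server by disabling the check, which then accepts the replay on the third line of the scenario as well. A server that passes this scenario and still accepts the rollover from 65530 to 3 is enforcing the counter the way the specification intends.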

Three LoRaWAN Pitfalls

Across LoRaWAN products, the same three issues recur:

[Figure: Three LoRaWAN security pitfalls: ABP static keys, a shared AppKey, and frame-counter reuse]

Defending a LoRaWAN Product

Use OTAA with a unique AppKey per device, store that key in a secure element rather than plain flash, and enforce frame-counter checks on both the device and the network server. Treat a shared key across a product line as a single point of total failure, because that is what it is.

Where This Fits

Reviewing activation mode, key storage, and counter enforcement on a LoRaWAN product is part of an IoT penetration test and a product security assessment. That is the kind of work we do at Berkner Tech.
