As a result of research conducted on the LoRaWAN protocol, and more specifically on its implementations, we developed a framework to hack (pentest), audit and monitor a LoRaWAN network. It is composed of tools for both offensive and defensive tasks.
While conducting the research, we realized that there was no tooling available for someone who wanted to assess the security posture of a LoRaWAN network; everything would have to be built from scratch. So we started with a set of offensive tools in Python 3, which then led to the addition of the defensive part, including a database.
For the offensive module we have the following functions:
- Traffic sniffing.
- Data fuzzing.
- Key cracking.
- Message parsing and crafting.
To send packets from a gateway as if it were a device, we modified the packet_forwarder component; the modified version is available on GitHub. This way, packets can be sent from a computer.
For the defensive module, we have:
- Message collectors: they get packets from different sources / components, such as TTN, loraserver.io and the gateway’s packet_forwarder, and save them in a standard format into the DB.
- Analyzers: components that look for attack patterns in traffic and raise alerts, as well as a bruteforcer that tries a set of known vendor keys, easy-to-guess keys and publicly known keys in general. Among the patterns the traffic analyzer looks for and the other information it gathers:
- Join replays
- Possible ABP activated devices
- Well-known or non-random keys
- Duplicated session keys / attacker sending valid messages
- Devices in the network
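To illustrate what the first and last of these checks amount to on the wire, here is an added example (written for this post, not code from the laf repository): a small analyzer that parses raw LoRaWAN 1.0.x PHYPayloads, keeps the DevNonce history per DevEUI so that a resent join request is flagged as a join replay, and builds a device inventory from the DevAddrs seen in data uplinks. The sample capture, the EUIs and the MICs in it are constructed values.

```python
from collections import defaultdict

JOIN_REQUEST, UNCONF_UP, CONF_UP = 0, 2, 4  # MHDR MType (bits 7..5 of the first byte)

def parse_phy(payload: bytes) -> dict:
    """Decode the fields the analyzer needs from a raw LoRaWAN 1.0.x PHYPayload.
    EUIs, DevAddr and DevNonce are sent little-endian, hence the [::-1] reversals."""
    mtype = payload[0] >> 5
    if mtype == JOIN_REQUEST:
        if len(payload) != 23:   # MHDR + AppEUI(8) + DevEUI(8) + DevNonce(2) + MIC(4)
            raise ValueError("join request must be 23 bytes")
        return {"mtype": mtype, "dev_eui": payload[9:17][::-1].hex(),
                "dev_nonce": int.from_bytes(payload[17:19], "little")}
    if mtype in (UNCONF_UP, CONF_UP):
        if len(payload) < 12:    # MHDR + FHDR(at least 7) + MIC(4)
            raise ValueError("data uplink too short")
        return {"mtype": mtype, "dev_addr": payload[1:5][::-1].hex(),
                "fcnt": int.from_bytes(payload[6:8], "little")}
    return {"mtype": mtype}      # join accept / downlinks are not analyzed here

class JoinReplayAnalyzer:
    """A repeated (DevEUI, DevNonce) pair is what a resent join request looks like."""
    def __init__(self):
        self.nonces = defaultdict(set)  # DevEUI -> DevNonces already observed
        self.dev_addrs = set()          # DevAddrs seen in uplinks (device inventory)
        self.alerts = []
    def feed(self, payload: bytes) -> None:
        pkt = parse_phy(payload)
        if pkt["mtype"] == JOIN_REQUEST:
            seen = self.nonces[pkt["dev_eui"]]
            if pkt["dev_nonce"] in seen:
                self.alerts.append(("join_replay", pkt["dev_eui"], pkt["dev_nonce"]))
            seen.add(pkt["dev_nonce"])
        elif pkt["mtype"] in (UNCONF_UP, CONF_UP):
            self.dev_addrs.add(pkt["dev_addr"])

# Constructed capture: two joins with fresh DevNonces, the first resent verbatim,
# then one unconfirmed data uplink. MICs are dummy values.
SAMPLE_CAPTURE = [bytes.fromhex(h) for h in (
    "00" "010000d07ed5b370" "3c2b1a000ba30400" "3412" "deadbeef",
    "00" "010000d07ed5b370" "3c2b1a000ba30400" "3512" "01020304",
    "00" "010000d07ed5b370" "3c2b1a000ba30400" "3412" "deadbeef",
    "40" "da1b0126" "80" "0100" "01" "aa" "11223344",
)]

def analyze(capture=SAMPLE_CAPTURE) -> JoinReplayAnalyzer:
    analyzer = JoinReplayAnalyzer()
    for frame in capture:
        analyzer.feed(frame)
    return analyzer
```

A real deployment would persist the nonce sets in the DB, since a replay can be sent long after the original join was captured.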
As a final remark, we encourage the community to contact us if you want to collaborate, whether with ideas to add to the framework or by developing new software components (for example, a customized collector for your implementation).
The link to the open source tool is: https://github.com/IOActive/laf. There you’ll find instructions on how to set everything up.
Feel free to contact us if you need help or have any questions!