LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks (Security News, January 2020)
Researchers are warning that while LoRaWAN itself is perfectly secure, poor device security and user mistakes in configuration and implementation can still lead to hacks and widespread operational disruption.
The application-layer security is responsible for confidentiality, with end-to-end encryption between the device and the application server, preventing third parties from accessing the application data being transmitted.
Specifically, once bad actors obtain the encryption keys for a LoRaWAN network, they have a number of attack options available "to compromise the confidentiality and integrity of the data flowing to and from connected devices," IOActive researchers wrote.
Insecure LoRaWAN devices could be open to reverse engineering that can "sniff" out keys; or, the source code for a device could be left publicly available from open-source repositories or vendor websites.
Easy ways to securely implement LoRaWAN include replacing keys provided by vendors with random keys; using different keys for different devices; auditing the root keys used to detect weak keys; and making sure service providers follow security best practices and have a secure infrastructure, IOActive said.
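The root-key audit recommended above could look like the following sketch, which is an added example and not code from IOActive or the original article. It checks an inventory of DevEUI to AppKey pairs for weak or reused 128-bit keys; the finding names, the distinct-byte threshold, the DevEUI-in-key heuristic and the sample inventory are assumptions made for this illustration.

```python
from collections import defaultdict

# Publicly documented keys that must never be root keys (extend locally).
# The entry below is the AES-128 example key from FIPS-197.
PUBLISHED_KEYS = {bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")}

def key_findings(dev_eui: bytes, app_key: bytes) -> list[str]:
    """Return the weaknesses found in one device's root key."""
    if len(app_key) != 16:
        return ["bad-length"]
    findings = []
    if app_key in PUBLISHED_KEYS:
        findings.append("published-key")
    if len(set(app_key)) < 6:  # assumed threshold; random keys rarely repeat this much
        findings.append("low-diversity")
    steps = {(b - a) % 256 for a, b in zip(app_key, app_key[1:])}
    if len(steps) == 1 and steps != {0}:  # constant non-zero step: 00 01 02 ...
        findings.append("sequential")
    if len(dev_eui) == 8 and (dev_eui in app_key or dev_eui[::-1] in app_key):
        findings.append("contains-dev-eui")
    return findings

def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map DevEUI (hex) -> findings, also flagging keys shared across devices."""
    report, owners = {}, defaultdict(list)
    for eui_hex, key_hex in inventory.items():
        eui, key = bytes.fromhex(eui_hex), bytes.fromhex(key_hex)
        report[eui_hex] = key_findings(eui, key)
        owners[key].append(eui_hex)
    for devices in owners.values():
        if len(devices) > 1:
            for eui_hex in devices:
                report[eui_hex].append("shared-key")
    return report

# Constructed sample inventory (not real devices or keys).
SAMPLE = {
    "aa00000000000001": "00000000000000000000000000000000",
    "aa00000000000002": "000102030405060708090a0b0c0d0e0f",
    "aa00000000000003": "2b7e151628aed2a6abf7158809cf4f3c",
    "aa1b2c3d4e5f6071": "aa1b2c3d4e5f6071aa1b2c3d4e5f6071",
    "aa00000000000005": "9f1c42d7e06b83a5147acd3e58f2906b",
    "aa00000000000006": "9f1c42d7e06b83a5147acd3e58f2906b",
    "aa00000000000007": "c3a85e1790d24f6bb27d08e6513fa94c",
}

if __name__ == "__main__":
    for eui, findings in audit(SAMPLE).items():
        print(eui, ", ".join(findings) or "ok")
```

A clean result only means a key avoided these specific patterns; keys should still come from a cryptographically secure random source and be unique per device.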