LoRaWAN Security
LoRaWAN security protects long-range IoT networks through dual-key cryptography, OTAA device activation, Join Server separation, and frame counter replay protection.
Continue your mission
LoRaWAN security protects long-range IoT networks through dual-key cryptography, OTAA device activation, Join Server separation, and frame counter replay protection.
# LoRaWAN Security
LoRaWAN security is the set of cryptographic protocols, key management procedures, and architectural controls that protect Long Range Wide Area Network deployments from unauthorized access, data interception, and device impersonation. LoRaWAN exists because billions of IoT sensors must transmit data across distances of two to fifteen kilometers on coin-cell batteries lasting years, conditions that rule out the heavyweight security stacks found in conventional networking. The security model must protect sensor integrity, payload confidentiality, and network authenticity while operating within tight computational and energy constraints. Without a purpose-built security architecture, every smart meter, agricultural sensor, and industrial monitor becomes a potential entry point into critical infrastructure.
---
LoRaWAN security refers specifically to the mechanisms defined by the LoRa Alliance's LoRaWAN specification that govern authentication, encryption, and key management for devices communicating over LoRa radio links. LoRa (Long Range) is the physical radio modulation technique developed by Semtech; LoRaWAN is the MAC layer and network architecture built on top of it. Security at the LoRa physical layer does not exist in any meaningful sense: radio frames are visible to any receiver within range. All meaningful security is therefore implemented at the LoRaWAN layer and above.
LoRaWAN security is not the same as general IoT security, cellular IoT security (NB-IoT, LTE-M), or Zigbee/Z-Wave mesh network security. Those protocols carry different threat models, different computational budgets, and different backend architectures. LoRaWAN is specifically a star-of-stars topology: end devices communicate to gateways, which forward raw packets to a network server, which routes payload data to an application server. Security must span this entire chain.
Two major specification versions are in deployment. LoRaWAN 1.0.x uses a single-root-key model with significant weaknesses in replay protection and network/application key separation. LoRaWAN 1.1 introduced a substantially revised architecture with a dedicated Join Server, separate root keys for network and application functions, and improved nonce handling. Practitioners must distinguish between these versions because 1.0.x devices remain common in production and carry known vulnerabilities.
LoRaWAN security does not address physical tamper protection (that is a hardware concern), radio frequency jamming (a physical-layer denial of service), or the security of the application server itself. Those are adjacent concerns requiring separate controls.
---
LoRaWAN 1.1 security operates through a dual-key session architecture combined with a three-component backend: the Network Server (NS), the Join Server (JS), and the Application Server (AS). Each component holds different keying material and performs different security functions, which prevents a single compromised backend component from exposing the entire system.
Root Keys and Device Identity
Every LoRaWAN device carries two permanent root keys provisioned at manufacture: the Network root key (NwkKey) and the Application root key (AppKey). Each device also carries a globally unique 64-bit identifier called the DevEUI, analogous to a MAC address. The NwkKey is shared between the device and the Join Server, but is never transmitted over the air. The AppKey is shared between the device and the Application Server, mediated by the Join Server.
Over-The-Air Activation (OTAA)
OTAA is the preferred and more secure activation method. When a device powers on, it transmits a Join Request containing its DevEUI, AppEUI (or JoinEUI in 1.1), and a randomly generated DevNonce. The Join Server validates the request by verifying a Message Integrity Code (MIC) computed using the NwkKey. The Join Server then generates a Join Accept message containing a network address (DevAddr), network parameters, and cryptographic material needed to derive session keys.
From the Join Accept and the DevNonce, both the device and the Join Server independently derive four session keys: FNwkSIntKey (Forwarding Network Session Integrity Key), SNwkSIntKey (Serving Network Session Integrity Key), NwkSEncKey (Network Session Encryption Key), and AppSKey (Application Session Key). The three network-layer keys are shared with the Network Server; AppSKey is shared only with the Application Server. This separation means a compromised network operator cannot decrypt application payloads.
In LoRaWAN 1.0.x, OTAA produces only two session keys (NwkSKey and AppSKey) and the nonce management is weaker, making replay of join requests more feasible if DevNonce values are reused (a known issue when devices reset without persistent storage).
Activation By Personalization (ABP)
ABP hardcodes session keys and a DevAddr directly into firmware. There is no join procedure and therefore no key rotation. Frame counters begin at zero on each device reset, which breaks replay protection unless the network server tracks counter resets, a feature not universally implemented. ABP is appropriate only when OTAA is operationally impossible (for example, in environments where join traffic cannot be guaranteed). Any deployment using ABP must accept a degraded security posture and compensate with additional controls at the application layer.
Frame Counter and Replay Protection
Every uplink and downlink frame carries a frame counter (FCnt). The Network Server rejects any frame with a counter value less than or equal to the last accepted value. This prevents replay attacks where a recorded transmission is re-sent to trigger a repeated action. In 1.0.x, a 16-bit counter could roll over or reset to zero, creating windows for replay. LoRaWAN 1.1 uses 32-bit counters and defines strict handling rules to close this window.
Payload Encryption
Application payloads are encrypted using AES-128 in CTR mode with AppSKey. The ciphertext travels through gateways and the Network Server without ever being decrypted, because the Network Server does not hold AppSKey in a properly architected 1.1 deployment. The gateway is a transparent radio relay; it does not perform any cryptographic operations beyond forwarding. This is architecturally significant: even a compromised gateway cannot read payload data.
MIC Validation
The Message Integrity Code is a four-byte field computed over the frame header, payload, and session keys using AES-128 CMAC. The Network Server validates the MIC on every uplink to confirm the frame originated from a legitimate device with the correct session keys. A device that has been cloned without the correct keys cannot produce a valid MIC.
Class A, B, and C Device Types
LoRaWAN defines three device classes with different power consumption and downlink timing characteristics. Class A devices sleep between transmissions and wake only to transmit or receive scheduled downlink responses. Class B devices synchronize with the network using periodic beacon frames, allowing scheduled downlink at specific times. Class C devices maintain constant receive capability. Each class has different security considerations: Class C devices face the highest exposure to malicious downlink traffic, while Class A devices are most vulnerable to timing attacks during their brief receive windows.
A Concrete Scenario: Smart Water Meter Network
A water utility deploys 10,000 LoRaWAN 1.1 meters across a city. Each meter uses OTAA, so session keys rotate at each power cycle or join event. Meter readings are encrypted with AppSKey; only the Application Server at the utility's data center can decrypt them. The Network Server, operated by a third-party MVNO, processes MICs and routes encrypted payloads but never sees the consumption data in cleartext. An attacker who compromises the network operator's infrastructure gains routing metadata (which devices are active, when they transmit) but not consumption figures. If an attacker captures radio traffic and attempts a replay, the frame counter validation at the Network Server rejects the duplicate.
---
LoRaWAN deployments are not isolated sensor networks. They feed data into operational systems: grid management platforms, water treatment controls, building automation, cold chain monitoring for pharmaceuticals, and industrial process controls. A compromised LoRaWAN sensor can inject false readings into those systems, causing automated responses that have physical consequences. A compromised device identity can be used to flood a network with traffic, denying service to legitimate sensors.
The consequences of weak LoRaWAN security are not theoretical. In 2019, security researchers at IOActive and independent researchers demonstrated that the majority of deployed LoRaWAN 1.0.x devices used hardcoded, reused, or weak AppKeys. Because 1.0.x uses AppKey as both an authentication secret and the root from which AppSKey is derived, a single leaked AppKey compromises every session that device will ever establish. Researchers found keys embedded in publicly available firmware images, GitHub repositories, and device documentation. A single search of a public code repository revealed AppKey values for production devices from multiple vendors.
A common misconception is that LoRaWAN's low data rate and small payload size make it an unattractive attack target. Attackers are not always seeking data exfiltration. Command injection, device spoofing, and service disruption are meaningful objectives even when each frame carries only a few bytes. A spoofed downlink that resets a device or alters its reporting threshold can disable monitoring without triggering any alarm.
Another misconception is that OTAA inherently solves key security. OTAA solves key derivation and rotation, but the root keys (NwkKey, AppKey) must themselves be securely provisioned and protected. If root keys are stored in device flash memory without hardware security features (a hardware security module or a trusted execution environment), physical access to the device allows extraction. Devices deployed in uncontrolled physical environments, which describes most LoRaWAN use cases, face this risk constantly.
The business impact of inadequate LoRaWAN security includes regulatory exposure (falsified meter data violates billing regulations), operational disruption (false sensor readings trigger unnecessary maintenance responses), and liability (pharmaceutical cold chain failures due to suppressed temperature alerts). For operators of critical infrastructure, the risk extends to safety systems.
The scale of exposure is growing rapidly. LoRaWAN deployments reached 200 million devices in 2023 and are projected to exceed 1 billion by 2027. Most of these devices will remain in service for five to ten years, meaning security decisions made during initial deployment will persist long after security understanding has evolved. Organizations deploying LoRaWAN today must therefore design for security requirements that may not be apparent until 2030.
---
CDA approaches LoRaWAN security through the Planetary Defense Model's Vulnerability Surface Domain (VSD) and the Continuous Surface Reduction (CSR) methodology: every surface you expose is a surface we eliminate.
LoRaWAN networks have a large, distributed, and often unmanaged attack surface. Every gateway is a network-accessible device running embedded software. Every end device is a potential target for physical key extraction. Every backend API endpoint between Network Server, Join Server, and Application Server is an integration point that must be authenticated and encrypted. The default posture of many LoRaWAN deployments is to accept these surfaces as necessary; CDA's posture is to systematically enumerate them and reduce each one.
In practice, CDA's approach to a LoRaWAN engagement begins with a full device and backend inventory. Gateways running outdated firmware with known CVEs are flagged for immediate patching or replacement. End devices using ABP are documented with their frame counter management status; any device resetting counters without network-server tracking is treated as a replay-vulnerable endpoint. Devices running LoRaWAN 1.0.x are flagged for migration planning, with priority determined by data sensitivity and downstream system connectivity.
Key management is treated as a first-order concern. CDA recommends hardware security elements (secure enclaves or dedicated security chips) for root key storage on any device deployed in an environment with physical access risk, which includes almost every outdoor deployment. Root keys must be provisioned through a controlled manufacturing process, not configured during field installation. Key diversity must be verified: a single AppKey shared across a product line (a common vendor shortcut) means a single disclosure compromises every device of that model.
Backend interfaces are assessed against TLS configuration standards. Mutual TLS between Network Server, Join Server, and Application Server is required, not optional. CDA also examines the join server trust model: who controls it, how its credentials are protected, and what happens if the join server provider is compromised or changes terms of service. For critical infrastructure operators, CDA recommends self-hosted join servers rather than reliance on third-party managed services.
Gateway hardening includes disabling unnecessary management interfaces, enforcing authenticated access to gateway configuration, and ensuring gateways do not accept forged packet forwarder traffic from unauthorized sources. These are not exotic controls; they are baseline hardening applied through configuration audit and automated scanning.
---
• Audit all devices for LoRaWAN version and activation method. Any production device using LoRaWAN 1.0.x or ABP carries known weaknesses that require documented compensating controls or an active migration plan.
• Treat root keys as secrets equivalent to private PKI keys. Require hardware security elements for root key storage on all devices in physically accessible environments; never allow root keys in publicly accessible firmware images or source repositories.
• Verify Join Server separation in your backend architecture. If the same operator controls both the Network Server and the Join Server, the architectural benefit of key separation in LoRaWAN 1.1 is negated; confirm that AppSKey does not flow through the Network Server in cleartext.
• Implement frame counter reset detection at the Network Server. Any device that resets its frame counter without explicit re-join invalidates replay protection; network server configuration must either reject such resets or require a new OTAA join before accepting traffic.
• Conduct gateway firmware audits as part of routine vulnerability management. Gateways are network-connected devices with management interfaces, and many run Linux-based embedded systems with the same CVE exposure as any server; they must be included in your patch management process, not treated as infrastructure that manages itself.
---
---
CDA Theater missions that address topics covered in this article.
Cryptographic technique that encrypts data while preserving its original format and length, enabling protection without breaking legacy system compatibility.
Guide to HTTP/2 security covering binary framing, HPACK compression attacks, rapid reset vulnerability, stream multiplexing risks, and mitigation strategies.
Explanation of Certificate Transparency framework, covering log servers, Signed Certificate Timestamps, monitoring capabilities, and detection of fraudulent certificates.
Written by CDA Editorial
Found an issue? Help improve this article.