Full metadata record
DC FieldValueLanguage
dc.contributorDepartment of Computingen_US
dc.contributor.advisorZheng, Yuanqing (COMP)en_US
dc.contributor.advisorXiao, Bin (COMP)en_US
dc.creatorHou, Ningning-
dc.publisherHong Kong Polytechnic Universityen_US
dc.rightsAll rights reserveden_US
dc.titleSecurity threats and countermeasures of LoRa physical layeren_US
dcterms.abstractLoRa is a popular Low Power Wide Area Networking (LPWAN) technology that is expected to boost the next generation IoT for its capability to provide long-range ubiquitous connectivity for everyday objects with an AA battery. Despite the popularity, there exists a growing concern about the security of LoRa communication. Current LoRaWAN systems are susceptible to security attacks due to the inherent features of LoRa communication. Specifically, LoRa operates at unlicensed frequency bands under public standards, which makes it vulnerable to active attack and information leakage. Besides, LoRa packets have a long transmission window compared with traditional wireless technologies (i.e., Wi-Fi, Bluetooth), which leaves sufficient time for attackers to launch attacks. Meanwhile, the large scale of LoRa deployment with low-cost and low-power devices makes it an ideal target for large-scale cyber attacks.en_US
dcterms.abstractIn this thesis, we investigate security threats and countermeasures of LoRa physical layer. Specifically, we explore the possible security attack at both the transmitter side (covert channel) and receiver side (jamming attack) and propose corresponding countermeasures against such attacks.en_US
dcterms.abstractThe first work describes our design and implementation of a covert channel over LoRa physical layer (PHY). LoRa adopts a unique modulation scheme (chirp spread spectrum (CSS)) to enable long-range communication at low-power consumption. CSS uses the initial frequencies of LoRa chirps to differentiate LoRa symbols, while simply ignoring other RF parameters (e.g., amplitude and phase). Our study reveals that the LoRa physical layer leaves sufficient room to build a covert channel by embedding covert information with a modulation scheme orthogonal to CSS. To demonstrate the feasibility of building a covert channel, we implement CloakLoRa. CloakLoRa embeds covert information into a regular LoRa packet by modulating the amplitudes of LoRa chirps while keeping the frequency intact. Since amplitude modulation is orthogonal to CSS, a regular LoRa node receives the LoRa packet as if no secret information is embedded into the packet. Such an embedding method is transparent to all security mechanisms at upper layers in current LoRaWAN. As such, an attacker can create an amplitude-modulated covert channel over LoRa without being detected by current LoRaWAN security mechanism. We build the covert channel using a COTS LoRa node (Tx) and a low-cost receive-only software-defined radio (Rx). Comprehensive evaluations show that CloakLoRa can send covert information over 250 m.en_US
dcterms.abstractThe second work investigates jamming of LoRa PHY and corresponding countermeasure. LoRaWAN forms a one-hop star topology where LoRa nodes send data via one-hop up-link transmission to a LoRa gateway. If the LoRa gateway can be jammed by attackers, the LoRa gateway may not be able to receive any data from any nodes in the network. Our empirical study shows that although LoRa physical layer (PHY) is robust and resilient by design, it is still vulnerable to synchronized jamming chirps. Potential protection solutions (e.g., collision recovery, parallel decoding) may fail to extract LoRa packets if an attacker transmits synchronized jamming chirps at high power. To protect the LoRa PHY from such attacks, we propose a new protection method that can separate LoRa chirps from jamming chirps by leveraging their difference in the received signal strength in power domain. We note that the new protection solution is orthogonal to existing solutions which leverage the chirp misalignment in time domain or the frequency disparity in frequency domain. Besides, we discuss new types of attacking methods (e.g., consecutive SFDs) and analyze their impacts on LoRa packet reception. We conduct experiments with COTS LoRa nodes and software-defined radios with varied experiment settings such as different spreading factors, bandwidths, and code rates. The results show that synchronized jamming chirps at high power can jam all previous solutions, while our protection solution can effectively protect LoRa gateways from the jamming attacks.en_US
dcterms.extentxx, 121 pages : color illustrationsen_US
dcterms.isPartOfPolyU Electronic Thesesen_US
dcterms.educationalLevelAll Doctorateen_US
dcterms.LCSHWide area networks (Computer networks) -- Security measuresen_US
dcterms.LCSHComputer networks -- Security measuresen_US
dcterms.LCSHHong Kong Polytechnic University -- Dissertationsen_US
dcterms.accessRightsopen accessen_US

Files in This Item:
File Description SizeFormat 
6277.pdfFor All Users5.21 MBAdobe PDFView/Open

Copyright Undertaking

As a bona fide Library user, I declare that:

  1. I will abide by the rules and legal ordinances governing copyright regarding the use of the Database.
  2. I will use the Database for the purpose of my research or private study only and not for circulation or further reproduction or any other purpose.
  3. I agree to indemnify and hold the University harmless from and against any loss, damage, cost, liability or expenses arising from copyright infringement or unauthorized usage.

By downloading any item(s) listed above, you acknowledge that you have read and understood the copyright undertaking as stated above, and agree to be bound by all of its terms.

Show simple item record

Please use this identifier to cite or link to this item: https://theses.lib.polyu.edu.hk/handle/200/11792