Locking Down the IoT with LoRaWAN

By Nicholas Cravotta

Contributed By Digi-Key's North American Editors

IoT devices without adequate security introduce several vulnerabilities to networks. For example, if devices like cameras and printers can be hacked, they can be controlled and used by intruders to gain information about a company. In some cases, devices that are not secure can even allow hackers access into the main network, compromising all of a company’s online assets.

To protect against such attacks, developers need to implement security in both hardware and software. This is even more pertinent when wireless communications is used since the data being transferred is available to read by any radio within range.

Part of the challenge of locking down IoT devices is that sensor nodes at the edge tend to be very low power and often must run on batteries for years. Thus, any security implementation must minimize power consumption.


Today, developers have the option to employ a range of wireless standards that take care of enabling secure communications so they can focus on adding value to their application rather than reinventing how to securely transfer data. For example, LoRaWAN is a low power protocol for WAN connectivity that provides interoperability among devices without requiring complex local installations. Its star-of-stars topology serves as a transparent bridge that relays messages between end-nodes and a backend server where processing takes place. It is intended for low-power (i.e., battery-powered) nodes and offers a cost-effective and power-efficient alternative to wireless technologies that require more infrastructure to operate.

LoRaWAN supports bi-directional communication. The ability to securely transmit to individual nodes is required for advanced sensor capabilities beyond merely streaming data from a node. For example, bi-directional communication enables developers to perform over-the-air (OTA) updates. OTA can be used to update firmware, making it possible to keep devices up-to-date without having to physically interact with nodes. This is important for applications where nodes might no longer be easily accessible when they have been deployed, either because they are installed in a remote location or deep within a more complex system’s infrastructure.

LoRaWAN simplifies the development of secure IoT devices by implementing a robust security scheme within the standard. Designed for low power operation, LoRaWAN implements security in a manner that minimizes power consumption without compromising the integrity, authenticity, or reliability of low power nodes. This enables LoRaWAN-based systems to not only protect data integrity, but also to support secure OTA updates if required.

LoRaWAN has two independent security layers—one at the network session layer and the other at the application layer – to ensure communications are not compromised. Security at the network layer verifies the authenticity of a node within the network. This first layer, then, keeps devices off the network that don’t belong there. Without this layer, rogue devices would be able to start up secure conversations with other nodes on the network by pretending to be authentic devices. Since rogue devices can’t join the network, they can’t open a communications channel with secured devices.

To join a network, a device must have credentials that allow it to join. If the specific LoRaWAN network is known during manufacturing, the device can be factory programmed with the authentication information it needs to join that network.

In the majority of use cases, however, the device will need to be securely added to a network. For this, over-the-air authentication (OTAA) is used. With OTAA, network and application session keys are generated when needed. This gives users the flexibility to bring a device into a LoRaWAN network without knowing which network beforehand.

For security at the application layer, an application session key is used to encrypt and decrypt data to protect it while it is travelling through the channel. This ensures that unencrypted data is available only to the sensor node that generated the data and the application intended to receive it.

As its foundation, LoRaWAN uses AES 128-bit encryption, the industry standard for secure communications. Accessing data requires use of the session key to decrypt it. Thus, all intermediate devices along the communication channel can only pass along the data, not actually look at it or change it. Since security is an integrated part of LoRaWAN, developers can quickly design secure systems without having to implement complex security algorithms.

Accelerating IoT Design

One key advantage of using a standard like LoRaWAN is that it can greatly accelerate design, especially with security integrated into the protocol. Many tools are available for jumping right into application design, enabling developers to take advantage of secure wireless communications without having to first become an expert in a new technology.

Image of STMicroelectronics STM32 LoRa Discovery boardFigure 1: The STM32 LoRa Discovery board is a development tool that features an all-in-one open module solution. The board allows for quick and easy trials using the LoRaWAN standard. (Image source: STMicroelectronics)

For example, the STM32 LoRaWAN Discovery Board provides developers with an immediate way to learn about LoRaWAN and evaluate how it might be used in a particular application (see Figure 1). Built around ST’s STM32 processor, this all-in-one open module is one of the smallest and lowest cost wireless modules supporting LoRaWAN. The Discovery Board includes I-CUBE-LRWAN embedded software that provides a complete class-A certified LoRaWAN node. The module also has Arduino connectors to support extension boards. Greatly simplifying design is the onboard STM32 processor, which can run both application code and the LoRaWAN stack stored on internal Flash. This eliminates the need for an external MCU, which is required by other LoRaWAN modules that only provide the wireless radio.

Image of FCC, ISED, and RED certified Microchip SAM R34 Xplained Pro evaluation kitFigure 2: The FCC, ISED, and RED certified SAM R34 Xplained Pro evaluation kit from Microchip Technology is a hardware platform used to evaluate the ATSAMR34 low-power LoRa sub-GHz SiP. It also serves as a reference design for developing SAM R34-based LoRa end-node applications. (Image source: Microchip Technology)

Alternatively, developers can use the SAM R34 Xplained Pro Evaluation Kit from Microchip (see Figure 2). The Xplained Pro is a hardware platform for evaluating the ATSAMR34 low-power LoRa sub-GHz SiP from Microchip. Developers can program the kit using the Atmel Studio integrated development platform, giving them full access to the features of the ATSAMR34. The SAM R34 Xplained Pro Evaluation Kit also provides a clear roadmap for building custom designs.

Sample applications included with these tools provide a blueprint for more complex applications. They enable developers to get the fundamentals of an IoT system up and going so they can have confidence that the connectivity part of their design is operational and robust. Without this confidence, debugging an IoT-based system can be extremely complex since the developer won’t know if a problem is with the application or with the communications channel.

Image of Renesas’ IoT fast prototyping kitFigure 3: Renesas’ prototyping kit provides a useful platform for developing IoT applications on the S3A7 MCU Board. The kit allows for easy evaluation of both the board and its peripherals. (Image source: Renesas Electronics)

In addition to simplifying connectivity between node and aggregation devices, vendors supporting LoRaWAN also provide tools to simplify access to the cloud. Starting a cloud application from scratch can be a daunting prospect. There are many different types of cloud services to consider, and many options available for each type of service. Beyond this, developers need to consider how they will authenticate devices, provision new devices and services, manage incoming and outgoing data streams, store data, allocate processing resources, and so on. On top of all of these decisions, developers must always keep security in mind. To help simplify complex systems, the Renesas IoT Sandbox, used with the IoT Fast Prototyping Kit, provides a comprehensive development platform for designing IoT-based systems that can reach out into the cloud (see Figure 3).


LoRaWAN is a compelling technology for low power IoT applications such as sensor nodes. It brings together essential capabilities – including WAN connectivity and security – to accelerate the development of IoT systems and simplify their management.

Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of Digi-Key Electronics or official policies of Digi-Key Electronics.

About this author

Nicholas Cravotta

Nicholas Cravotta has been technical editor for EDN, Embedded Systems Programming, and Communications Systems Design, and was the founding editor-in-chief of Multimedia Systems Design. With seventeen years of experience as a practicing engineer, he understands the issues behind designing complex systems firsthand. He has worked with hard real-time embedded systems, written application software for PCs and workstations, built an operating system from the ground up, developed in-house software and hardware development and test tools, and ported software across platforms, among other projects. He has written over 800 published articles, taught programming and technical writing at UC Berkeley, and is an award-winning game designer in his spare time.

About this publisher

Digi-Key's North American Editors