Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats 3031329341, 9783031329340

This book offers the most suitable methods of applying Low-Power Wide-Area Network (LPWAN) technology to conceptual work


English Pages 235 [225] Year 2023


Table of contents :
Preface
Acknowledgements
Contents
Editors and Contributors
About the Editors
Contributors
Editorial Board
Acronyms
Part I Preliminaries, Design Principles and Challenges of LPWANs
1 Theoretical Landscape of LPWANs
1.1 Introduction
1.2 Characteristics of Communication Systems
1.2.1 Types of Networks
1.2.1.1 Personal Area Networks
1.2.1.2 Local Area Networks
1.2.1.3 Campus Area Network
1.2.1.4 Metropolitan Area Network
1.2.1.5 Wide Area Network
1.2.2 Entities in Communication Systems
1.2.2.1 Human-to-Human Communication (H2H)
1.2.2.2 Machine-to-Machine Communication (M2M)
1.3 Key Metrics of Communication Technologies
1.3.1 Data Rate
1.3.2 Coverage
1.3.3 Network Densities
1.3.4 Network Architecture
1.3.5 Network Security
1.3.6 Reliability
1.3.7 Chip Size
1.3.8 Energy
1.3.9 Delay
1.4 Characteristics of Applications
1.4.1 Frequency of Activity
1.4.2 Network Lifetime
1.4.3 Network Architecture
1.4.4 Direction of Communication
1.4.5 Traffic
1.4.6 Mobility
1.4.7 Age of Information
1.4.8 Locality of Computations
1.4.9 Locality of Deployment
1.4.10 Reliability
1.4.11 Security
1.4.12 Locality of Energy Source
1.5 Conclusion
References
2 IDS and IPS in LPWAN (LoRaWAN, Sigfox, and NB-IoT)
2.1 Introduction
2.2 Background
2.2.1 LoRaWAN
2.2.1.1 Key Agreement
2.2.1.2 Join Procedure (Activation Methods)
2.2.1.3 Sessions
2.2.2 NB-IoT
2.2.3 Sigfox
2.2.4 Security Considerations
2.2.4.1 Confidentiality and Privacy
2.2.4.2 Integrity
2.2.4.3 Authentication
2.2.4.4 Availability
2.3 Security Vulnerabilities and Threats
2.3.1 Physical Altercations
2.3.1.1 Node Tampering
2.3.1.2 Node Deletion and Injection
2.3.1.3 Jamming
2.3.2 Resource Constraints
2.3.3 Software Vulnerabilities
2.3.3.1 Attacks
2.3.3.2 Key Management
2.3.3.3 Cryptographic Primitives
2.3.4 Network-Based Vulnerabilities
2.3.4.1 Open Environment
2.3.4.2 Untrusted Middleware (Gateways)
2.3.5 Summary of Vulnerabilities
2.4 Intrusion Detection in LPWAN
2.4.1 Sigfox Based Networks
2.4.2 LoRa Based Networks
2.4.3 NB-IoT Based Networks
2.4.4 Multiple Platforms (More than One Network Architecture)
2.5 Intrusion Prevention Systems for LPWANs
2.5.1 LoRaWAN
2.5.2 Sigfox
2.5.3 NB-IoT
2.5.4 Generic LPWAN
2.6 Challenges and Future Scope
2.7 Conclusion
References
Part II Challenges, Opportunities, Risks and Threats in LPWANs
3 Pervasive LPWAN Connectivity Through LEO Satellites: Trading Off Reliability, Throughput, Latency, and Energy Efficiency
3.1 Introduction
3.2 LPWAN Technologies: LoRa vs NB-IoT
3.3 Methodological Approach for Performance Evaluation
3.4 Satellite LPWAN: Opportunities and Challenges
3.5 Qualitative Performance Analysis of Satellite LPWAN
3.6 Conclusion and Future Work
References
4 Energy Saving as a Security Threat in LPWAN and Internet of Things
4.1 Introduction
4.2 Energy Consumption in IoT/LPWAN
4.2.1 Energy Constraints in IoT Devices
4.2.2 Different Paradigms for Saving Energy in LPWAN Networks
4.2.2.1 Radio Optimization
4.2.2.2 Sleep/Wake-Up Control
4.2.2.3 Network Techniques
4.2.2.4 Data Reduction
4.3 Attacks in IoT/LPWAN Networks
4.3.1 Energy Depletion Attacks
4.3.2 Classification of EDAs Attacks
4.3.2.1 EDAs on Physical Layer
4.3.2.2 EDAs on Data Link Layer
4.3.2.3 EDAs on Network Layer
4.3.2.4 EDAs on Application Layer
4.4 An Example of Energy Depletion Attack
4.4.1 Framework Overview
4.5 Validation Analysis
4.5.1 Experimental Environment
4.5.2 Eavesdropping Attack
4.5.3 Jamming Attack
4.5.4 Detailed Assessment of Energy Consumption
4.6 Discussion
4.7 Conclusions
References
Part III Cyber Security Aspects and Applications of LPWANs
5 Analysis of LPWAN: Cyber-Security Vulnerabilities and Privacy Issues in LoRaWAN, Sigfox, and NB-IoT
5.1 Introduction
5.2 Comparison of LPWAN Technologies
5.2.1 LoRaWAN
5.2.2 Sigfox
5.2.3 NB-IoT
5.2.4 Summarized Comparison of LPWAN Technologies
5.3 LoRaWAN
5.3.1 Cyber-Security Vulnerabilities and Privacy Issues in LoRaWAN
5.3.1.1 Confidentiality
5.3.1.2 Integrity
5.3.1.3 Availability
5.3.2 Countermeasures Addressing LoRaWAN Vulnerabilities
5.4 Sigfox
5.4.1 Cyber-Security Vulnerabilities and Privacy Issues in Sigfox
5.4.2 Countermeasures Addressing Sigfox Vulnerabilities
5.5 NB-IoT
5.5.1 Cyber-Security Vulnerabilities and Privacy Issues in NB-IoT
5.5.2 Countermeasures Addressing NB-IoT Vulnerabilities
5.6 Conclusion
References
6 Applications of LPWANs
6.1 Introduction
6.2 Types of Applications
6.2.1 Consumer Applications
6.2.1.1 Smart Home
6.2.1.2 Wearable Devices
6.2.1.3 Tracking
6.2.2 Commercial Applications
6.2.2.1 Smart City
6.2.2.2 Smart Office
6.2.2.3 Smart Shopping
6.2.3 Industrial Applications
6.2.3.1 Warehouse Tracking
6.2.3.2 Process Control
6.2.3.3 Supply Chain Automation
6.2.3.4 Smart Grids
6.2.4 Infrastructure Applications
6.2.4.1 Bridge Safety
6.2.4.2 Road Safety
6.2.4.3 Railway Management
6.2.5 Military Applications
6.2.5.1 Activity Monitoring
6.2.6 Healthcare Applications
6.2.6.1 Patient Monitoring
6.2.6.2 Patient Tracking
6.2.6.3 Wearable Medical Devices
6.2.7 Environmental Applications
6.2.7.1 Forest Fire Detection
6.2.7.2 Air and Water Quality Monitoring
6.2.8 Agricultural Applications
6.2.8.1 Livestock Tracking
6.2.8.2 Precision Farming
6.3 Conclusions
References
Index

Ismail Butun Ian F. Akyildiz   Editors

Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats


Editors Ismail Butun Division of Network and Systems Engineering School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology Stockholm, Sweden

Ian F. Akyildiz Truva Inc. Alpharetta, GA, USA

ISBN 978-3-031-32934-0
ISBN 978-3-031-32935-7 (eBook)
https://doi.org/10.1007/978-3-031-32935-7

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland Paper in this product is recyclable.

Dedicated to our families and the loved ones ... Ismail Butun Ian F. Akyildiz

Preface

We are all living in a connected world and getting more dependent on the Internet day by day! There are a variety of devices that are sensing the information around us (our homes, cars, environment, etc.) and share this with the intended parties to constitute the Internet of Things (IoT). It is such a big topic that Cisco predicts 500 Billion things of the IoT to be further included in our connected world; meaning more automation, remote access and control to be infused into our everyday routines. This brings its own challenges as such a connection requires a well-defined protocol stack as well as facilitating physical and data-link layer protocols restricted under low-power consumption requirements (since most of the IoT devices are dependent on limited power supplies, e.g. batteries). As such, the notion of a Low-Power Wide-Area Network (LPWAN) has emerged, to facilitate the connectivity for the IoT networks in a very long-range setting compared to existing technologies and yet fulfilling the low power consumption requirement.

In a very timely manner, this book, entitled Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats, aims at presenting the recent developments in the field of IoT, especially in the LPWAN domain, and may thus be able to shed some light on it from the editors’ perspective.

Many chapter proposals have been submitted by leading academicians and industry researchers. All submissions were reviewed in a rigorous manner and each chapter went through two review cycles. In order to satisfy the expectations of all readers from different backgrounds, the final chapters of the book cover a broad range of topics related to IoT networks, including wired/wireless communication technologies, industrial/civilian applications, cyber security and finally, prevention-detection-mitigation of intrusions.

In order to cover this broad topic in a comprehensive and progressive manner, our edited book consists of three parts and six chapters, which are summarized as follows:

• Part I: Preliminaries, Design Principles and Challenges of LPWANs
• Part II: Challenges, Opportunities, Risks and Threats in LPWANs
• Part III: Cyber Security Aspects and Applications of LPWANs

Part I consists of Chaps. 1 and 2 to introduce the preliminaries, design principles and challenges of the LPWANs. Chapter 1 introduces an overview of most of the networking, communication and ICT technologies available in the LPWANs. Chapter 2 presents IDS/IPS systems designed for LPWAN.

Part II consists of Chaps. 3 and 4 to present challenges, opportunities, risks and threats in LPWANs. Chapter 3 is dedicated to satellite-communication-driven advances in LPWANs, whereas Chap. 4 introduces the energy-saving trends in LPWAN-based IoT networks from the security threat analysis point of view.

Part III consists of Chaps. 5 and 6 to stress the cyber security aspects of LPWANs and to introduce various LPWAN applications. Chapter 5 presents the security of LPWANs, especially within the vulnerability analysis and assessment domains. Finally, Chap. 6 concludes the book by presenting several application possibilities of LPWANs.

Dr. Ismail Butun, Stockholm, Sweden
Prof. Ian F. Akyildiz, Atlanta, GA, USA
November 2022

Acknowledgements

We would like to express gratitude to our colleagues (especially to Assoc. Prof. Robert Lagerström) at Network and Systems Division, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, for their encouragement and support.

Generous academicians and practitioners helped in the thorough review process of the book, including the authors of each chapter of this book. We appreciate each of them for providing their expertise in this process along with their valuable time. Especially, we would like to express our gratitude to the following external reviewers:

• Alparslan Sari (Ph.D. Candidate), University of Delaware, USA
• Lakshmikanth Guntupalli (Ph.D.), Ericsson AB, Sweden

Last but not least, we would also like to thank our editorial manager Susan Lagerstrom-Fife (Editor-in-Chief, Springer Nature, USA) and Rahul Sharma (Project Coordinator, Books for Springer Nature, Straive, India), along with their teams, for providing the editorial support needed while preparing this book.

Contents

Part I Preliminaries, Design Principles and Challenges of LPWANs
1 Theoretical Landscape of LPWANs
Mahnoor Anjum, Muhammad Abdullah Khan, Syed Ali Hassan, and Haejoon Jung
2 IDS and IPS in LPWAN (LoRaWAN, Sigfox, and NB-IoT)
Amar Amouri, Vishwa Teja Alaparthy, and Ismail Butun

Part II Challenges, Opportunities, Risks and Threats in LPWANs
3 Pervasive LPWAN Connectivity Through LEO Satellites: Trading Off Reliability, Throughput, Latency, and Energy Efficiency
Zheng Zhou, Mohammad Afhamisis, Maria Rita Palattella, Nicola Accettura, and Pascal Berthou
4 Energy Saving as a Security Threat in LPWAN and Internet of Things
Emilie Bout, Antoine Gallais, Valeria Loscrí, and Anna Maria Vegni

Part III Cyber Security Aspects and Applications of LPWANs
5 Analysis of LPWAN: Cyber-Security Vulnerabilities and Privacy Issues in LoRaWAN, Sigfox, and NB-IoT
Junaid Qadir, José Eduardo Urrea Cabus, Ismail Butun, Robert Lagerström, Paolo Gastaldo, and Daniele D. Caviglia
6 Applications of LPWANs
Muhammad Abdullah Khan, Mahnoor Anjum, Syed Ali Hassan, and Haejoon Jung

Index

Editors and Contributors

About the Editors

Ismail Butun (Ph.D.) received his B.Sc. and M.Sc. degrees in Electrical and Electronics Engineering from Hacettepe University. He received his second M.Sc. degree and Ph.D. degree in Electrical Engineering from the University of South Florida in 2009 and 2013, respectively. He worked as an Assistant Professor between 2015 and 2018 at Bursa Technical University and Abdullah Gul University. From 2016 to 2021, he was employed as a Post-doctoral Researcher/Fellow by various universities (University of Delaware, Mid Sweden University, Chalmers University of Technology, and finally KTH Royal Institute of Technology). Since February 2022, he has been with RISE Research Institutes of Sweden, engaged on IoT security-related EU projects and automotive domain cyber-security projects. Dr. Butun has more than 50 publications in international peer-reviewed scientific journals and conference proceedings, along with an H-index of 20 and I-index of 31. He is a well-recognized academic reviewer for IEEE, ACM, and Springer, who served for 39 various scientific journals and conferences in the review process of more than 207 articles. He is an Editor of Springer Nature, IGI Global, IEEE Access and MDPI Sensors journals. He served as a TPC to various conferences held by IEEE, Springer and IARIA. He contributed as a track chair and session chair for numerous international conferences and workshops, and performed as a technical program committee (TPC) member for several international conferences organized by IEEE, Springer and ACM. His research interests include, but are not limited to, computer networks, wireless communications, WSNs, IoT, cyber-physical systems, cryptography, network security and intrusion detection.

Ian F. Akyildiz (Ph.D.) received his B.S., M.S., and Ph.D. degrees in Electrical and Computer Engineering from the University of Erlangen-Nürnberg, Germany, in 1978, 1981 and 1984, respectively. Currently, he is the President and CTO of Truva Inc. since March 1989. He also serves on the Advisory Board of the Technology Innovation Institute (TII) in Abu Dhabi, United Arab Emirates since June 1, 2020. He is also an Adjunct Professor at the University of Iceland and University of Helsinki since Fall 2020. He is the Ken Byers Chair Professor Emeritus of Telecommunications, Past Chair of the Telecom group at the ECE and the former Director of the Broadband Wireless Networking Laboratory between 1985 and 2020 at the Georgia Institute of Technology. Dr. Akyildiz had many international affiliations during his career. He established many research centers in Spain, South Africa, Finland, Saudi Arabia, Germany, Russia, India, Cyprus, etc. He is the Founder and Editor-in-Chief of the newly established ITU (International Telecommunication Union) Journal on Future and Evolving Technologies (ITU-J FET) since August 2020, and is the Editor-in-Chief Emeritus of Computer Networks Journal (Elsevier) (1999-2019), the founding Editor-in-Chief Emeritus of Ad Hoc Networks Journal (Elsevier) (2003-2019), the founding Editor-in-Chief Emeritus of Physical Communication (PHYCOM) Journal (Elsevier) (2008-2017) and the founding Editor-in-Chief Emeritus of Nano Communication Networks (NANOCOMNET) (Elsevier) (2010-2017). He is an IEEE Fellow (1996) and ACM Fellow (1997) and received numerous awards from IEEE and ACM and other professional organizations, including the Humboldt Award from Germany. His current research interests are in Internet of Things, 6G/7G Wireless Systems, and TeraHertz Communication. According to Google Scholar as of November 2022, his h-index is 134 and the total number of citations to his papers is 137+K.

Contributors

Nicola Accettura, Laboratory for Analysis and Architecture of Systems (LAAS-CNRS), Université de Toulouse, CNRS, UPS, Toulouse, France
Mohammad Afhamisis, Environmental Research and Innovation Department (ERIN), Luxembourg Institute of Science and Technology (LIST), Esch-sur-Alzette, Luxembourg
Vishwa Teja Alaparthy, Department of Electrical Engineering, University of South Florida, Tampa, FL, USA
Amar Amouri, Abu Dhabi Polytechnic, Abu Dhabi, United Arab Emirates
Mahnoor Anjum, Department of Electrical Engineering, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Islamabad Capital Territory, Pakistan
Pascal Berthou, Laboratory for Analysis and Architecture of Systems (LAAS-CNRS), Université de Toulouse, CNRS, UPS, Toulouse, France
Emilie Bout, Inria Lille-Nord Europe, Villeneuve d’Ascq, France
Ismail Butun, Division of Network and Systems Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden
José Eduardo Urrea Cabus, Division of Network and Systems Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden
Daniele D. Caviglia, Department of Electrical, Electronic and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, Genoa, Italy
Antoine Gallais, Univ. Polytechnique Hauts-de-France, LAMIH, CNRS, UMR 8201, INSA Hauts-de-France, Valenciennes, France
Paolo Gastaldo, Department of Electrical, Electronic and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, Genoa, Italy
Syed Ali Hassan, Department of Electrical Engineering, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Islamabad Capital Territory, Pakistan
Haejoon Jung, Department of Electronic Engineering, Kyung Hee University, Giheung-gu, Yongin-si, Gyeonggi-do, South Korea
Muhammad Abdullah Khan, Department of Electrical Engineering, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Islamabad Capital Territory, Pakistan
Robert Lagerström, Division of Network and Systems Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden
Valeria Loscrí, Inria Lille-Nord Europe, Villeneuve d’Ascq, France
Maria Rita Palattella, Environmental Research and Innovation Department (ERIN), Luxembourg Institute of Science and Technology (LIST), Esch-sur-Alzette, Luxembourg
Junaid Qadir, Department of Electrical, Electronic and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, Genoa, Italy
Anna Maria Vegni, Industrial, Electronics and Mechanical Engineering Department (DIIEM), Roma Tre University, Rome, Italy
Zheng Zhou, Laboratory for Analysis and Architecture of Systems (LAAS-CNRS), Université de Toulouse, CNRS, UPS, Toulouse, France

Editorial Board

Several academicians helped us during the early development, maturating and finalizing the ideas behind our book. We would like to express our gratitude to especially, but not limited to (enlisted according to the alphabetical order):

• Enrico Natalizio, Ph.D. (Vice President), Autonomous Robotics Research Center, Technology Innovation Institute, PO Box: 9639, Masdar City, Abu Dhabi, UAE, e-mail: [email protected]
• Haining Wang, Ph.D. (Professor), Bradley Department of Electrical and Computer Engineering, Virginia Tech (Virginia Polytechnic Institute and State University), Virginia Tech Research Center, 900 N. Glebe Road, Arlington, VA 22203, USA, e-mail: [email protected]
• Manel Khelifi, Ph.D. (Senior Researcher), Fortiss GmbH, Research Institute of the Free State of Bavaria, associated with Technical University of Munich (TUM), Guerickestraße 25, 80805, Munich, Bayern, Germany, e-mail: [email protected]
• Musard Balliu, Ph.D. (Associate Professor), School of Electrical Engineering and Computer Science, KTH Royal University of Technology, Lindstedtsvägen 5, SE-100 44, Stockholm, Sweden, e-mail: [email protected]
• Pelin Angin, Ph.D. (Associate Professor), Department of Computer Engineering, Middle East Technical University, Ankara, Turkey, e-mail: [email protected]
• Ravi Sankar, Ph.D. (Professor of Electrical Engineering), Department of Electrical Engineering, University of South Florida, 4202 East Fowler Avenue, ENB 118, Tampa, FL 33620-5350, USA, e-mail: [email protected]
• Salvatore D. Morgera, Ph.D. (Professor of Electrical Engineering), Department of Electrical Engineering, University of South Florida, 4202 East Fowler Avenue, ENB 118, Tampa, FL 33620-5350, USA, e-mail: [email protected]

Acronyms

1G: First Generation
1IR: First Industrial Revolution
2G: Second Generation
2IR: Second Industrial Revolution
3G: Third Generation
3GPP: Third-Generation Partnership Project
3IR: Third Industrial Revolution
4G: Fourth Generation
4IR: Fourth Industrial Revolution
5G: Fifth Generation
5IR: Fifth Industrial Revolution
ABP: Activation by Personalization
ACK: Acknowledgement
ADM: Anomaly Detection Modules
ADR: Adaptive Data Rate
AEE: Attacker Energy Efficiency
AES: Advanced Encryption Standard
AES-CMAC: AES with Cipher-based Message Authentication Code
AES-GCM: AES with Galois Counter Mode
AI: Artificial Intelligence
AKA: Authentication and Key Agreement
AKF: Appropriate Key Finder
ALOHA: Additive Links On-line Hawaii Area
AODV: Ad-hoc On-Demand Distance Vector
AppKey: Application Encryption Key
AppSKey: Application Session Key
AV: Authentication Vector
B5G: Beyond 5G
BCH: Bose–Chaudhuri–Hocquenghem codes
BER: Bit Error Rate
BLE: Bluetooth Low Energy

BW: Bandwidth
CAD: Channel Activity Detection
CAM: Content Addressable Memory
CAN: Campus Area Network
CAT-M: Category M in the LTE chipsets that supports IoT applications
CBOR: Concise Binary Object Representation
CE: Coverage Enhancement
CH: Cluster Heads
ChaCha: Stream Cipher for Transport Layer Security
CIA: Confidentiality, Integrity, and Availability
CIoT: Cellular IoT
CK: Ciphering Key
CMAC: Code based MAC
CoAP: Constrained Application Protocol
COSE: CBOR Object Signing and Encryption
COTS: Commercial-Off-The-Shelf
CP: (NB-IoT) Control Plane
CPS: Cyber-Physical-Systems
CRAM: A cryptographic frequency hopping MAC protocol
CRP: Challenge Response Pairs
CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance
CSS: Chirp Spread Spectrum
D2D: Device-to-Device
D-Box: Dynamic Box
DIFS: Interframe Space
DIS: DODAG Information Solicitation
DNN: Deep Neural Network
DoS: Denial of Service
DR: Data Rate
DRESG: Distance-Ring Exponential Stations Generator
DTLS-ECC: Datagram Transport Layer Security-ECC
DTLS-PSK: Datagram Transport Layer Security-Pre-Shared Key
EAP: Extensible Authentication Protocol
ECC: Elliptic Curve Cryptography
ED: End Device
EDA: Energy Depletion Attacks
EDHOC: Ephemeral Diffie Hellman Over COSE
EDT: Early Data Transmission
eNB: evolved Node B
EPC: Evolved Packet Core
ETSI: European Telecommunications Standards Institute
E-UTRAN: Evolved Universal Terrestrial Radio Access
FCC: Federal Communications Commission
FUOTA: Firmware Upgrade Over The Air
GEO: Geosynchronous Earth Orbit

GNSS: Global Navigation Satellite System
GNU: A free software development toolkit
GSM: Global System for Mobile
GW: Gateway
HSS: Home Subscriber Server
HTS: High Throughput Satellite
IAB: Internet Architecture Board
IDPS: Intrusion Detection and Prevention System
IDS: Intrusion Detection System
IK: Integrity Key
IoT: Internet of Things
IPS: Intrusion Prevention System
ISL: Inter-Satellite Link
ISM: Industrial, Scientific and Medical
ITU: International Telecommunication Union
KPI: Key Performance Indicator
LAN: Local Area Network
LEO: Low Earth Orbit
LNS: LoRaWAN Network Server
LO-CoAP-EAP: A low-overhead bootstrapping protocol integrating an EAP lower layer for constrained IoT devices
LoRa: Long Range radio technology
LoRaWAN: Long Range Wide Area Network
LPADA: Low-Power AES Data encryption Architecture
LPWAN: Low-Power Wide Area Network
LR-FHSS: Long Range Frequency Hopping Spread Spectrum
LTE: Long Term Evolution
MAC(1): Medium Access Control protocol
MAC(2): Message Authentication Code
MAN: Metropolitan Area Network
MCU: Micro Controller Unit
MEO: Medium Earth Orbit
MIC: Message Integrity Code
MitM: Man in the Middle attack
ML: Machine Learning
MME: Mobile Management Entity
mMTC: Massive Machine-Type Communications
Msg: NB-IoT message
NAK: Network Access Key
NAS: Non-Access-Stratum protocol
NB-IoT: Narrow-Band Internet of Things
NFC: Near Field Communication
NFV: Network Function Virtualization
NPBCH: Narrow-band Physical Broadcast Channel
NPDCCH: Narrow-band Physical Down-link Control Channel

NPDSCH: Narrow-band Physical Down-link Shared Channel
NPRACH: Narrow-band Physical Random Access Channel
NPSS: Narrow-band Primary Synchronization Signal
NPUSCH: Narrow-band Physical Up-link Shared Channel
NSSS: Narrow-band Secondary Synchronization Signal
NTN: Non-Terrestrial Networks
NwkKey: Network Encryption Key
NwkSKey: Network Session Key
OFDMA: Orthogonal Frequency Division Multiple Access
OSS: Operation Support System
OTAA: Over The Air Activation
OTP(1): One Time Pad cipher
OTP(2): One-Time Password
OVS: Open Virtual Switch
PAN: Personal Area Network
PANA: Protocol for Carrying Authentication for Network Access
PANATIKI: Open-source lightweight version of a PANA client (PaC) for the Contiki Operation System (OS)
PDR: Packet Delivery Ratio
PER: Packet Error Rate
PFS: Perfect Forward Secrecy
P-GW: Packet Gateway
PHY: Physical Layer
PHYSEC: Physical Layer Security
PII: Personally Identifiable Information
PKC: Public Key Cryptography
PKI: Public Key Infrastructure
PK-OTAA: Public Key Over the Air Activation
PLR: Packet Loss Ratio
PRB: Physical Resources Block
PRESENT: Lightweight block cipher, developed by the Orange Labs (France)
PS: Process Sharing
PSM: Power Saving Mechanisms
PUF: Physical Unclonable Function
QoS: Quality of Service
RE: Resource Element
RF: Radio Frequency
RREP: Route Reply
RREQ: Route Request
RRC: Radio Resource Control
RSA: Rivest–Shamir–Adleman is a public-key cryptosystem
RSSI: Received Signal Strength Indicator
RWP: Random Way Point mobility model
RX: Receive

S2KG: Server Session Key Generation
SAN: System Area Network
S-box: Substitution Box
SCEF: Service Capabilities Exposure Function
SC-FDMA: Single-Carrier Frequency-Division Multiple Access
SDR: Software Defined Radio
SeLPC: Secure Low Power Communication
SF: Spreading Factor
S-GW: Serving Gateway
SHA-2: Secure Hash Algorithm-2
SNR: Signal to Noise Ratio
SRA: Security Risk Analysis
TCP/IP: Transmission Control Protocol/Internet Protocol
TCP: Transmission Control Protocol
TDMA: Time Division Multiple Access
TLE: Two Line Element
TLS: Transport Layer Security
ToA: Time on the Air
TSCH: Time-Synchronized Channel Hopping
TX: Transmit
UE: User Equipment
UP: User Plane
URLLC: Ultra Reliable and Low-Latency
UNB: Ultra Narrow-Band
USIM: Universal Subscriber Identity Module
WAN: Wide Area Network
Wi-Fi: Wireless Fidelity
WuC: Wake-up Call
WuRx: Wake-up Radio receiver

Part I

Preliminaries, Design Principles and Challenges of LPWANs

Chapter 1

Theoretical Landscape of LPWANs

Mahnoor Anjum, Muhammad Abdullah Khan, Syed Ali Hassan, and Haejoon Jung

1.1 Introduction

The sequence of industrial revolutions, from mechanization (1IR), electrification (2IR) and automation (3IR) to digitization (4IR) and personalization (5IR), directly evolves the social, political, industrial, and interpersonal processes. The technical advancements transform real-life processes to seamlessly enable cyber-physical systems, amalgamating biological, physical, and digital worlds [37]. While the start of the twenty-first century enabled mass inclusion of AI, robotics, IoT, and blockchain technologies into real-world processes, 5IR envisions a deeper, multi-level cooperation between people and machines. This revolution brings creativity into the technological progressions of the past, and enables personalization of systems, with consumer needs and preferences at the heart of modern solutions. The technologists aim to connect billions of people, sensors, actuators, and robots, with extraordinary processing capabilities, storage capacities, energy efficiencies and intelligent decisions. These systems are expected to coexist in harmony with the industrial, environmental, agricultural, commercial, personal, and interpersonal ecosystems, and enhance their efficiency, longevity, welfare, and productivity.

M. Anjum · M. A. Khan · S. A. Hassan
Department of Electrical Engineering, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Islamabad Capital Territory, Pakistan
e-mail: [email protected]; [email protected]; [email protected]

H. Jung
Department of Electronic Engineering, Kyung Hee University, Giheung-gu, Yongin-si, Gyeonggi-do, South Korea
e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
I. Butun, I. F. Akyildiz (eds.), Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats, https://doi.org/10.1007/978-3-031-32935-7_1

The personalized nature of 5IR requires technologies and systems that provide intuitive user interfaces for deeper interaction with the developing cyber-physical world. These technologies enable customized, intelligent and consumer-focused services. These applications are built on the foundations of advanced wireless structures, efficient internetworking paradigms, feasible processing architectures and manageable mass-scale device deployments.

The machine-to-machine (M2M) technologies are the key wireless systems, which enable immersive real-world applications [25]. They offer seamless service to massive numbers of active, smart, and energy efficient devices, and enable large-scale sensing, monitoring, actuating, and management of real-world processes. These technologies are used to design cyber-physical systems, which combine different electrical, mechanical, thermal, and chemical processes, using communication technologies, control components, and smart computations. These systems enhance the internet of things (IoT), which enables data exchange between different devices, e.g., sensors and actuators, thus providing the infrastructure for computerization of modern processes. These applications are designed in a layered architecture, by using the internet for connectivity, M2M technologies for communication, IoT infrastructures for information gathering and exchange, and cyber-physical systems on the computation and control plane. While the mass-adoption of IoT systems has been observed in recent years, the term was coined in 1999, by Kevin Ashton [16, 21]. Increased popularity of the concept motivated its inclusion in the 2005 international telecommunications union (ITU) internet report [17]. This report envisioned a world where everything; from tires to toothbrushes, is connected and introduced the concept of ubiquitous networks, ubiquitous computing, and next generation networks. These concepts extended the idea of a connected world to everyday objects, where short-range, energy efficient communication will enable smart collaboration between machines and people. These concepts, paired with the idea of multi-service networks, have encouraged the integration of information processing capabilities in everyday devices. Therefore, IoT is a collection of everyday objects, connected with each other, using a variety of protocols under use-case specific constraints, to exchange information and decisions. 
The quantity, importance, and lifetime of the exchangeable information impact the design of the infrastructure. The infrastructure dictates the type of deployment, the communication technology and network topologies based on the requirements of the specific application. The communication architecture follows a layered technological stack with specialized and specific functionalities realized at each layer. The end-to-end model consists of the following layers:

1. Physical layer controls the realization of data transmission by providing modulation and multiplexing services.
2. Data link layer reorganizes data into frames for hop-to-hop data transmission.
3. Network layer controls and provides the physical route of data propagation between communicating devices.
4. Transport layer provides end-to-end message delivery services.
5. Session layer controls the formation, termination, and management of different network sessions between communicating devices.
6. Presentation layer is concerned with data representation. It translates raw data into the correct syntax for transmission and reception.
7. Application layer is concerned with the human-device interaction aspects of the networked use-case.

The chosen infrastructure decides the low-level, physical layer and data link layer technicalities, such as the encoding scheme and modulation techniques et cetera. With an estimated market size of $308.97 billion and a growth rate of 23.1% in 2020, the IoT market is expected to reach $1.8 trillion by 2028 [2]. The rapid growth of the industry has encouraged further investments and has attracted the attention of industrial and academic researchers, who have developed novel systems using the design concepts of IoT infrastructures.

Modern cyber-physical systems demand geographically remote and mobile deployments, where wired exchange of information is infeasible and sometimes impossible. While the wired communication mediums are less vulnerable, and provide higher data rates, the wireless medium suffers from excessive interference. Effective channel access is a key design constraint for wireless communication systems, affected directly by the low-level modulation and coding schemes, environmental factors, and network densities. Since large-scale cyber-physical systems connect a massive number of devices, channel allocation and channel access become more challenging. The development of modern sophisticated techniques for digital information transfer enables futuristic applications with improvements in communication delays and effective data rates.
Low-level technological developments, such as modulation schemes, medium access techniques, routing protocols and forward error correction codes, pave the way for the development of large-scale IoT networks for personalized services and intercommunicating devices. The evolution of cellular communication standards from 1G to 4G generally focused on the technological advancements that increase the bandwidth, reliability, and effective data rates of the system. These generations focus on human-centric applications: voice calls, data exchange, video telephony, multimedia applications et cetera. The standards did not address the low-energy, scalability, and massive device density requirements of the cyber-physical systems. Large-scale deployments, consisting of millions of devices sharing information on a massive scale, became a key design motivation for the 5G systems [32]. These systems were designed to provide ultra-reliable low latency communications (URLLC), and massive machine type communications (mMTC). The mMTC requirements demand support for 1 million devices per square kilometer [18], and allow 5G to support IoT-based application scenarios. With the vision of beyond 5G (B5G) communications, this number has been projected to be 10 times that of 5G [1]. Therefore, the emergence and popularity of IoT devices has enabled and motivated research into the technical demands of these systems, enabling the development of novel machine intelligent applications.

With the development and popularity of IoT devices, and the emergence of novel data-driven applications, the diversity in the requirements of wireless standards has considerably increased. IoT devices can be characterized by the constraints under which they operate. These constraints can be realized in the form of heterogeneous networking protocols, small size, low power usage et cetera. The technologies enabling the IoT infrastructure vary significantly, depending on the type of application and the unique constraints associated with it: the type of data, the sensitivity of the information being transmitted, the nature of the environment surrounding the deployment, and the future requirements of the application et cetera.

Low powered communication technologies enable remote deployments of IoT applications. These standards efficiently manage their signal strengths, duty cycles, MAC protocols, and bandwidths et cetera, and minimize their net energy footprint. Due to their extremely low energy consumption, they traditionally had a small area of coverage, smaller bandwidths and consequently, lower data rates. These designs made traditional low powered wireless systems unsuitable for long-range IoT applications. Bluetooth low energy (BLE) is an example of a short-ranged, low powered, broadcast-oriented wireless standard [15]. Traditional IoT applications use low powered technologies to transmit data over the network. In most applications, this data must be transmitted to an aggregator node for collection and subsequent forwarding to the processing entity. IoT deployments usually cover a wide geographical area, and the data collected by the IoT nodes must often travel large distances to reach the computing or managing entities. This functionality is usually achieved by message passing through multiple nodes until the destination is reached. This approach is energy inefficient and decreases network lifetime. Retransmissions also waste channel bandwidth and introduce delays. Modern methods optimize delays and energy consumption, but cannot outperform a direct connection to the aggregator node. LPWANs have emerged as the key enablers of long-range, low-energy footprint applications. They provide an extremely large coverage area, and consume negligible power compared to traditional long-range communication technologies. Owing to these unique characteristics, they enable a wide variety of cyber-physical systems. The extremely low power consumption is realized by using very low data rates, ranging from several bits/sec to kbits/sec, depending on the technology [3]. Hence, the range of these communication technologies has been extended at the cost of extremely low data rates and bandwidth.
They enable long-range IoT applications, e.g., process regulation [34], alarm systems [30], and trigger-based monitoring systems [22]. They are usually ideal for applications requiring low data rates for long periods of time.

Long-ranged networks emerged in the late 1980s and early 1990s. The earliest known network resembling LPWANs is the AlarmNet, developed by ADEMCO [23]. It operated on the 928 MHz band, and used the same principles as followed by modern LPWANs. It had a very low effective data rate and worked by transmitting small amounts of data in the form of messages. ARDIS was another technology similar to modern LPWANs, which surfaced in the 1990s. It was designed exclusively for data communication, and was specialized for sending messages and emails, for fleet tracking et cetera [23]. The arrival of 2G systems enabled data transmission over existing networks, and therefore, most applications adopted 2G as the underlying wireless technology for data transmission [28]. Many LPWANs have emerged with varying popularity, including LoRaWAN, SigFox, NB-IoT, LTE-M et cetera [19]. These LPWANs utilize different technologies and techniques to achieve long-range communication, with different strengths and weaknesses with respect to data rates, security, and latency et cetera [36].

The IoT industry has expanded its horizon from home automation to smart city architectures [8], secure military communications [31], and automated industrial processes [6]. The IoT revolution directly impacts consumer, commercial, industrial and military processes on general and specialized levels. Common machines, such as fridges, coffee machines, toasters, and air-conditioners et cetera, are now able to communicate intelligently over wireless infrastructures. They communicate the risks of potential failures or provide power consumption alerts. Specialized industry processes, previously managed manually, are also being replaced by reactive automated solutions.
Due to the low cost of deployment and a huge potential for automation, IoT systems and consequently LPWANs, are rapidly becoming an integral part of our lives.

1.2 Characteristics of Communication Systems

A variety of communication standards have been developed with a directed focus on specific use cases, ranging from short range to long range, wide band to narrow band, low latency to latency insensitive applications et cetera. The characteristics of a communication technology specify the type of network architecture it can support. Short coverage and low data rate systems cannot be used for large-scale deployments, as sequential densification of serving stations would increase deployment costs out of bounds. Furthermore, the minimum data rate, latency and QoS requirements will also suffer significantly. Similarly, using a large coverage communication technology for small-scale deployments will expend more energy, cause more interference, increase network congestion and require high-cost, sophisticated hardware. Therefore, using the right technology for the right communication scenario is essential for the development of a sustainable, scalable, and stable network.


The process of turning human understandable information to machine readable language and transmitting it to the receiving machine requires a series of steps. Different modules are involved in the design and implementation of a viable communication system. Data collected from a source can be directly converted to signals and transmitted using an antenna, but such a system will have unacceptable practical performance. Wireless medium of propagation is an extremely vulnerable environment with rapid random fluctuations, and therefore, demands developmental efforts on the transmitter and receiver ends for acceptable practical usage. A modern communication system has three functional blocks: transmitter, channel, and the receiver. The transmitting and receiving blocks have three major functionalities, source coding, channel coding and modulation. Demodulation, channel decoding and source decoding serve to translate the received signals back to the transmitted information on the receiver side. Source coding removes redundancy from the source information and represents it in the smallest number of bits to optimize data transfer, and minimize channel bandwidth usage. These bits are passed to the channel coding block, which adds redundancy to enable error correction and error detection on the receiver side. The ratio of information bits to the total number of transmitted bits is known as the coding rate. The bits are finally passed to the modulation block, where they are converted into symbols and the signals are transmitted using the antenna block. These signals, when received, are converted into bits using the demodulation block. The demodulated bits are then passed to the channel decoder that performs error correction. Finally, the source decoder translates information back to the original format. The complexity of these schemes and energy consumption are directly correlated. 
This functional view of a communication system signifies the trade-offs involved in the selection of one technology over the other. Figure 1.1 illustrates the different blocks involved in the communication chain.

Fig. 1.1 Components of a communication system (transmitter: information source, source coding, channel coding, modulation; channel; receiver: demodulation, channel decoding, source decoding, information sink)
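As an added illustration of the chain described above (not code from the book): a toy Python pipeline in which run-length coding stands in for source coding, Hamming(7,4) for channel coding and BPSK for modulation. These scheme choices, the sample payload and the flipped symbol positions are assumptions made for the example.

```python
"""Toy transmit/receive chain: source coding, channel coding, modulation, and back."""

# Constructed sample payload: a highly redundant sensor buffer (not real data).
SAMPLE = b"\x00" * 12 + b"\x17" * 4


def source_encode(data: bytes) -> bytes:
    """Source coding: remove redundancy with (count, value) run-length pairs."""
    out, i = bytearray(), 0
    while i < len(data):
        run = 1
        while i + run < len(data) and data[i + run] == data[i] and run < 255:
            run += 1
        out += bytes((run, data[i]))
        i += run
    return bytes(out)


def source_decode(data: bytes) -> bytes:
    """Source decoding: expand (count, value) pairs back into bytes."""
    out = bytearray()
    for k in range(0, len(data) - 1, 2):
        out += bytes([data[k + 1]]) * data[k]
    return bytes(out)


def to_bits(data: bytes) -> list:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def channel_encode(bits: list) -> list:
    """Channel coding: Hamming(7,4), layout p1 p2 d1 p3 d2 d3 d4."""
    out = []
    for i in range(0, len(bits), 4):
        d1, d2, d3, d4 = bits[i:i + 4]
        out += [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]
    return out


def channel_decode(bits: list):
    """Channel decoding: the syndrome gives the 1-based position of a single error."""
    out, corrected = [], 0
    for i in range(0, len(bits), 7):
        c = bits[i:i + 7]
        syndrome = ((c[0] ^ c[2] ^ c[4] ^ c[6])
                    + 2 * (c[1] ^ c[2] ^ c[5] ^ c[6])
                    + 4 * (c[3] ^ c[4] ^ c[5] ^ c[6]))
        if syndrome:
            c[syndrome - 1] ^= 1
            corrected += 1
        out += [c[2], c[4], c[5], c[6]]
    return out, corrected


def modulate(bits: list) -> list:
    """BPSK: bit 0 -> +1.0, bit 1 -> -1.0."""
    return [1.0 - 2.0 * b for b in bits]


def channel(symbols: list, hit: set) -> list:
    """Constructed channel: inverts the symbols at the given indices."""
    return [-s if i in hit else s for i, s in enumerate(symbols)]


def demodulate(symbols: list) -> list:
    return [1 if s < 0 else 0 for s in symbols]


def run_chain(payload: bytes, hit: set) -> dict:
    info_bits = to_bits(source_encode(payload))
    coded_bits = channel_encode(info_bits)
    received = demodulate(channel(modulate(coded_bits), hit))
    decoded_bits, corrected = channel_decode(received)
    return {
        "payload": source_decode(from_bits(decoded_bits)),
        "coding_rate": len(info_bits) / len(coded_bits),
        "coded_bits": len(coded_bits),
        "corrected": corrected,
    }


if __name__ == "__main__":
    print(run_chain(SAMPLE, {3, 10, 55}))  # one flipped symbol per codeword
    print(run_chain(SAMPLE, {0, 1}))       # two flipped symbols in one codeword
```

In the second call, two flips in one codeword are miscorrected and the run-length count is corrupted without any error being reported: channel coding handles random noise and is not an integrity check.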


1.2.1 Types of Networks

Communication networks can be segregated based on their characteristics to provide structure to their study, maintenance, and development. The geographical scale of the communication networks is a high-level classification which affects the underlying technical developments, management methods and deployment costs. Early communication systems enabled communication between a handful of stationary computing devices. These networks gradually evolved from connecting computers to connecting offices, floors, buildings and finally, cities and countries. The evolution of networks quickly indicated that the protocols working between offices in the same locality could not support large-scale networks efficiently. The geographical scale of communication networks can be used to broadly subcategorize them into the following:

• Personal area networks (PANs)
• Local area networks (LANs)
• Campus area networks (CANs)
• Metropolitan area networks (MANs)
• Wide area networks (WANs)

Each type has unique challenges, constraints, and requirements, and therefore has different enabling technologies. The following text introduces the different types of networks with respect to their applications. The overview of different networks is provided in Fig. 1.2 and Table 1.1.

Fig. 1.2 Networks with respect to their area and device density (panels, each with example applications: PAN (Personal Area Network), LAN (Local Area Network), CAN (Campus Area Network), MAN (Metropolitan Area Network), WAN (Wide Area Network))


Table 1.1 Types of networks

Parameter | PAN | LAN | CAN | MAN | WAN
Area of coverage | Up to 10 m | Up to 10 km | Up to 10 km | Order of 100 km | >100 km
Scale | Personal | Home | Corporation | City | Country and continent
Data rate | Usually high | Usually high | Diverse | Diverse | Diverse
Reliability | Diverse | Diverse | Usually high | Usually high | Diverse
Security | High | High | High | Diverse | Diverse
Mobility | Low | Low | High | High | High
Energy efficiency | Low | Low | Diverse | High | Diverse
Device density | Low | Medium | Medium to high | High | Medium to high

1.2.1.1 Personal Area Networks

Personal area networks (PANs) operate in the vicinity of an individual user. They have a coverage area of few feet squared, and are responsible for the communication between devices within a certain geographical vicinity. The connected devices are usually battery powered and enable smart home applications, user productivity systems, and smart healthcare monitoring processes. They aid in everyday tasks, e.g., shopping, temperature regulations, et cetera. They may also be used to enable critical applications, e.g., indoor security systems. These technologies, therefore, are designed to provide good data rates, have a small range-of-operation, and have secure network authentication and encryption algorithms. Multimedia applications usually have higher data rate requirements than IoT systems. Bluetooth, Zigbee and Near Field Communication (NFC) are examples of technologies that form IoT enabling PANs. Wi-Fi technology, in comparison, mainly provides user mobility for high data-rate applications, with the central routing station having a wired connection to the internet.

1.2.1.2 Local Area Networks

Local area networks (LANs) are the most common networks used for day-to-day communications. They allow devices in a geographical area to talk to each other. This area can be a house, a corporate building, or an institute, carrying out information exchange. Internetworking of devices was first commercialized in office environments, after extensive use in the academic communities. Primary networks were wired in nature, and therefore, limited user mobilities. Nowadays, the wireless version of a LAN, named WLAN, has become a standard for commercial and personal networks. It allows the formation of dynamic networks, which can connect and remove network devices in real-time. These networks are usually used to exchange information in the form of files and have a coverage range of a few feet. These networks have high data rates, up to several Mbps, but do not have a large coverage area. They are, therefore, designed for devices that have frequent access to energy sources. A challenging aspect of WLANs is the shared channel, which makes communication vulnerable and requires special medium access and security algorithms for service fairness and privacy respectively. The problem of channel access has become a common theme in high-speed wireless technologies operating in large area networks.

1.2.1.3 Campus Area Network

A campus area network (CAN) is formed within a geographical area and interconnects multiple buildings. Conceptually, it is a collection of multiple LANs, within an institution or a corporation. CANs can be wired, wireless or both, depending on the application. Wired CANs are used to manage intra-organization communication, transferring the organization's own data using its own infrastructure, and therefore providing security. This logical segregation from the public network enables independent network management, increasing organization security. Wireless CANs are not focused on high-speed data transfer, but enable critical information exchange throughout the organization, between remote and mobile user devices. This information can be in the form of emergency safety alerts, or notifications of important events within the organization. CANs usually have a hybrid wired and wireless infrastructure, and therefore, do not have energy efficiency constraints. The development of LPWANs has decreased the cost of deployment and system maintenance in CANs, at the expense of extremely low data rates.

1.2.1.4 Metropolitan Area Network

A metropolitan area network (MAN) is formed by the interconnectivity of multiple LANs within a metropolitan area. The need for MANs was realized when organizations began mass-scale communications from their main offices to offsite facilities. MANs are a collection of heterogeneous networks, interconnected to form a large-scale geographically contiguous network, that could enable high data rate communication between different entities. MANs can also be connected to a larger network infrastructure to provide greater connectivity. They can only be feasibly deployed using communication technologies that have a very long range, e.g., LPWANs. Short-ranged technologies do not scale feasibly with MAN architectures. SigFox, an LPWAN technology, can form independent MANs owing to its long range, low power, and ease of deployment. SigFox is ideal for tracking and monitoring applications over a large area [14, 26], and is extensively used in dedicated, application-specific, cyber-physical MANs.

1.2.1.5 Wide Area Network

A wide area network (WAN) is a large-scale network composed of multiple MANs. This network spans a non-restricted geographical area and is not limited to an organization or an institution. The entities within a WAN can exchange information across multiple geographical regions. Internet is an example of a WAN, connecting a multitude of heterogeneous networks across the world. LPWANs support the formation of WANs and use hybrid network configurations to enable internet connectivity. SigFox, for example, has the most developed LPWAN, spanning more than 70 countries and forming a wirelessly interconnected IoT network [27]. LoRaWAN also enables WAN formation and spans across 42 countries [27]. Other long-range technologies like LTE-M and NB-IoT also have the capability to form specialized WANs, specifically for low data rate IoT applications. The technical requirements for low powered IoT communication technologies have also been added to the 5G standard. In the future, long ranged IoT communication technologies are expected to hold a considerable position, forming a well-connected, safer and smarter world.

1.2.2 Entities in Communication Systems

Traditional communication systems realized the transferal of knowledge and information between humans via cellular devices. The quality constraints, and technical advancements, were collectively focused on the net gain in user QoEs. Modern communication systems integrate processing devices that imitate enhanced human functions. Room temperature control, for example, has been enhanced by using electro-mechanical sensors, which automatically sense, process, regulate and actuate the temperature of the building [5]. These systems use quantifiable metrics, and are more accurate than the corresponding qualitative human senses. Owing to the mass adoption of novel cyber-physical systems, communication can, now, be realized between humans and machines, and has two broad types:

1.2.2.1 Human-to-Human Communication (H2H)

Communication between two persons, via voice or video telephony, constitutes the H2H paradigm of communication. It is also termed human-type communication (HTC) in literature. Systems developed for H2H use-cases have quality-of-service (QoS) requirements based on communication delays, packet loss, mobility, and end-to-end network throughputs. As deployment of serving stations is a tedious and costly venture, and over-densification of base-stations can be infeasible, these systems use long-range wireless technologies, and usually have a large area-of-coverage. Since large communication delays hinder voice and video telephony, and drastically degrade the quality-of-experience (QoE) of the users, complex low-level techniques are employed to keep latencies under minimum human recognizable ranges, e.g., spatial diversity, adaptive modulation, turbo coding et cetera. Packet loss during user mobility also affects user QoEs, and is a key metric for the design of H2H communication systems.

H2H systems do not have stringent energy efficiency constraints, owing to the mobile and rechargeable nature of cellular devices. Traditional cellular telephony has provided human-centric communication systems, with 1G providing half-duplex push-to-talk abilities, 2G enabling text messaging, and 3G enhancing data rates with internet connectivity. 4G systems introduced heterogeneous standards of communication technologies; multiple access, modulation and coding techniques, enabling wearable devices and extremely high data rates; almost up to 100 Mbps. 5G and beyond 5G technologies (B5G) are also actively working for massive device connectivity [7], and interoperability of human and machine-based communication systems.

1.2.2.2 Machine-to-Machine Communication (M2M)

M2M is the interaction of machines and devices, with minimal or zero human intervention. The devices are programmed to measure, monitor, actuate, and report information of different physical processes and events. This information is exchanged with two logical networks: intranet and internet. The intranet carries out the exchange of information between the nodes of the network without a shared infrastructure. The intranet then connects to the internet for data aggregation, processing and decision-making purposes. M2M is the enabling technological paradigm for IoT applications. These systems are usually deployed for remote process management, and therefore must have energy-efficient communication techniques on the edge devices [29]. M2M use-cases sometimes require AI integration and extensive computations. For feasibility, these systems are usually connected to a cloud infrastructure to migrate massive processing, big data gathering and optimal decision making to a remote computing agent, thus maintaining sensible energy consumption on the edge. M2M systems also demand seamless scalability of the deployed network. Scalable networks have routing and medium access protocols implemented in an efficient manner to promote uniform operability as more objects are connected. Another constraint for some M2M systems is the latency of data transfer. The age-of-information must be minimized for optimal process management of these systems. The latency requirements can span the orders of sub-milliseconds to 100s of milliseconds, based on the requirements of the specific use-cases [35]. M2M systems have versatile data rate requirements, from Kilobits per second for trigger-based applications, to Megabits and sometimes Gigabits per second for monitoring and high stakes actuation use cases. Since cellular traffic usually has longer but infrequent sessions, H2H systems do not have session frequency constraints. M2M systems usually have shorter but frequent sessions of information exchange, and therefore have stringent session handling constraints. Since 90% of all IoT use cases are stationary [4], M2M systems are less constrained on mobility metrics. These systems are also severely constrained on packet loss ratio, as the process management without human intervention demands reliability of communication. M2M is an enabler for IoT communications and is a key metric for 5G and B5G communication systems (Fig. 1.4).

In literature, we have hybrid communication paradigms enabling interoperability of H2H and M2M communications, thus amalgamating the digital and physical worlds. They are termed human-to-machine (H2M) and machine-to-human (M2H) communication systems. H2M systems have revolutionized the healthcare and fitness industries [9], actively providing personalized and custom healthcare programs such as diets, fitness schedules et cetera. M2H systems assist human beings in day-to-day interactions and processes and increase productivity and efficiency. These systems have versatile requirements for latency, communication delays, data rates, and reliability. These systems usually demand data privacy. A diagram illustrating the communication technologies used in these paradigms is shown in Fig. 1.3.

Fig. 1.3 Technologies existing in H2H, H2M and M2M communication systems (technologies shown: 1G, 2G, 3G, 4G, LTE, 5G, RFID, Bluetooth, Zigbee, WLAN, EnOcean, NFC)

Fig. 1.4 Characteristics of H2H and M2M communication

Characteristics | Human to Human | Machine to Machine
Device size | Usually large | Usually small
Session duration | Long | Small
Activity frequency | Frequent | Less frequent or more frequent
Unit of exchange | Knowledge / Information | Data
Common topology | Star topology | Mesh, Star of Star, Point to Point
Reliability | High | High for sensitive workloads; low for automation
Mobility | Rarely stationary; slow to fast mobility | Mostly stationary; rarely mobile
Direction of communication | Usually both uplink and downlink; equal for voice, downlink for multimedia | Mostly uplink, sometimes downlink
Packet size | Large | Small
Traffic size | Usually large | Usually small
Network density | Less dense | Extremely dense
Coverage | Large coverage area | Usually small area of deployment
Battery | Orders of hours, days or weeks | Order of years

1.3 Key Metrics of Communication Technologies

Communication systems can also be distinguished based on their characteristic metrics of operation. Different wireless technologies offer different effective data rates, ranges of operation, device densities, communication architectures, security features, privacy considerations, reliability metrics, chip sizes, energy efficiencies, unit costs and communication delays. These characteristics directly affect the quality of service (QoS) and quality of experience (QoE) requirements of the use-cases and the users.


1.3.1 Data Rate

Different wireless standards support different data rates, based on the underlying modulation and coding schemes. Modulation schemes, e.g., BPSK, QPSK, 16QAM and 64QAM, progressively increase the bits per symbol ratio, and therefore increase the effective data rates. Wireless technologies standardize modulation schemes based on the use-cases they are focused on. The Bluetooth standard, for example, was developed for device-to-device, dedicated, short ranged, low data rate communications such as audio streaming. LPWANs are designed for low bit rate communications between things (connected devices) for smart city and industrial sectors, and standardize low-rate BPSK, GFSK, and chirp spread spectrum (CSS) based modulation schemes. A higher modulation rate usually results in a higher bit-error-rate at the same signal-to-noise ratio (SNR). Therefore, modulation schemes are also decided based on the range of operation. A higher order modulation scheme will provide a higher rate but limit the effective area of coverage. This design tradeoff has motivated the development of adaptive schemes, which change modulation schemes based on the outage probabilities at different distances of operation from the serving stations. In general, effective data rate and system reliability are inversely correlated, as shown in Fig. 1.5. A high data rate, keeping the transmission power constant, will decrease symbol energy, and the decodability of the signal at the receiver will become infeasible. This will decrease the end-to-end link reliability. The effective data rate increases with an increase in transmission power, as it provides a better signal-to-noise ratio, as shown in Fig. 1.5.

Fig. 1.5 Effect of reliability and transmission power on data rate (panels: effective data rate versus reliability at constant TX power, and effective data rate versus Tx power; technologies shown: Wi-Fi, LTE, BLE, Zigbee, LoRa, Sigfox)

1.3.2 Coverage

The range of operation is a key design metric for communication systems and directly affects network architectures. If a short-ranged, central system is standardized, the serving systems will be deployed in a dense configuration, increasing the capital costs. Systems providing smaller areas of coverage usually provide higher data rates, e.g., Wi-Fi technology, which provides hundreds or thousands of Mbps, depending on the standard. While Wi-Fi technology provides high data rates, it enables a range of 70–100 m [33]. Long ranged communication technologies usually provide lower data rates, e.g., SigFox, LoRa, NB-IoT provide data rates in tens of Kbps, but span tens of kilometers in range. The use-cases primarily consider range of communication for their choice of communication, e.g., smart metering and agricultural applications demand long ranged systems, thus minimizing deployment costs, and increasing cost effectiveness. High-rate standards are usually required for real-time use cases, e.g., large-scale monitoring applications, such as patient monitoring systems. In general, the coverage area of a wireless standard decreases with an increase in data rate, as shown in Fig. 1.6. This behaviour is a direct consequence of the signal power attenuation during propagation. Larger transmitter-receiver (TR) distances will decrease the effective signal-to-noise ratio, therefore, decreasing the data rate. Furthermore, a larger coverage area also increases the end-to-end delays of the communication link, as shown in Fig. 1.6.

1.3.3 Network Densities Different wireless standards enable different device densities based on the implemented multiple access techniques, and network topologies. Wi-Fi routers, for example, support 250 devices, in a centralized topology. Bluetooth classic supports 7 simultaneous active connections [24], and up to 248 devices in the sleeping or idle Waste Management Water Management

LoRa Sigfox

Constant TX Power

Traffic Monitoring

Agricultural Automation

Audio Streaming

Industrial Automation

BLE Zigbee

Coverage

Audio Devices

BLE Zigbee

Online Gaming

Water Management Home Automation

Home Automation Video Streaming

Wi-Fi LTE

Video Streaming Competitive Gaming

Online AR/VR

Data rate

Fig. 1.6 Effect of data rate and delay on coverage area

LoRa Sigfox

Wi-Fi LTE Delay

18

M. Anjum et al.

state, in a master-slave configuration. These metrics directly affect the deployment configurations of IoT applications, e.g., forest fire monitoring applications demand a large-scale deployment of radio-enabled sensors, and therefore, must use wireless technologies that enable high device density networks. High density networks can either use high-density enabling centralized networks, or ad-hoc, deviceto-device, distributed, low-density enabling technologies, which will effectively provide a larger network density. The ad-hoc networks only support geographically contiguous communications in a star-of-stars topology, and therefore, increase the net network device capacity in an exponential manner. Densification of networks also directly increases the capital costs required for deployments. Networks with short-range wireless technologies will require a denser node configuration to provide larger areas of coverage, and therefore, would increase network setup costs. Wireless technologies have versatile unit costs for their respective RF-modules. BLE modules, for example, is less costly in terms of hardware, as compared to Wi-Fi enabling RF-modules.

1.3.4 Network Architecture

The type of communication architecture is of critical importance to the use-case. Most monitoring applications demand that the information be aggregated on a single processing, managing or decision-making device. Broadly, networks can either be centralized or distributed in nature. Centralized networks have dedicated base stations or serving devices which enable master-slave connections with multiple slave devices. The slave devices usually cannot communicate with each other directly, i.e., without the serving base station. The traditional Wi-Fi router is an example of such a serving station.

Many topologies are realized in centralized networks, e.g., star topology, bus topology et cetera. Distributed architectures are formed with devices which can communicate with each other without a central station. Each device has a limited number of connections, which are used for information exchange and data aggregation. These topologies have motivated research communities to create modern, energy-efficient, redundancy-minimizing routing protocols for optimal information exchange.

BLE, for example, supports device-to-device communication, and forms complex mesh topologies while adhering to the energy constraints [24]. It allows a network formation of up to 32,000 devices, and is widely used in smart home automation and trigger-based industrial monitoring applications. Hybrid architectures can also be effectively realized, by using mesh topologies to aggregate data to a single high power device, using aggregating routing algorithms.


1.3.5 Network Security

Network architectures directly affect the security and privacy features of communication systems. Centralized systems require authorizations, and eavesdropping is not topologically difficult, as each node must directly connect to the serving station. The ad-hoc distributed networks have a broadcast-oriented architecture, and therefore eavesdropping is possible. To enable privacy in dynamic, secure, and decentralized network configurations, computationally efficient encryption algorithms have been developed. These encryption and authorization algorithms are widely implemented in privacy-demanding smart home automation applications.

Wireless standards enable different encryption levels, with the computation needs directly correlated to the level of privacy. Complex encryption algorithms require complex computations which directly cost energy, and therefore indirectly affect the battery life constraints of IoT use cases. M2M systems, therefore, implement efficient authorization algorithms to keep the computational device complexity in a specified range.

The Wi-Fi standard, for example, has undergone many iterations of encryption, from the shared-key authentication of WEP, to the standardized WPA and WPA2 algorithms. The Bluetooth specifications also define four different security modes, with increasing levels of privacy. ZigBee provides enhanced security features, and is therefore a widely used home automation standard. ZigBee has not been designed for long-range communications. LPWANs, which provide a long range of operation, can lead to security issues, as most offer mesh and star topologies with extremely high energy efficiency. SigFox, for example, does not encrypt data frames, and any encryption algorithm is implemented on the application layer, by the developer. LoRaWAN provides a star topology, but does not encrypt the network joining requests, which can enable eavesdropping. Mitigating such security risks is a challenge, and the research community is actively working on efficient authentication, encryption and hardware security mechanisms for LPWANs.
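The cleartext join request mentioned above, as an added example (not from the book): a parser for the 23-byte LoRaWAN Join-request layout (MHDR, JoinEUI/AppEUI, DevEUI, DevNonce, MIC) that an operator can run over their own gateway capture to see which identifiers are readable without any key. It also flags repeated DevNonce values per device, a check that goes beyond the text. The frames and EUIs are constructed, and the MIC bytes are placeholders that are not verified.

```python
from collections import defaultdict

JOIN_REQUEST_LEN = 23        # MHDR(1) + JoinEUI(8) + DevEUI(8) + DevNonce(2) + MIC(4)
MTYPE_JOIN_REQUEST = 0b000   # top three bits of MHDR


def parse_join_request(frame):
    """Decode a Join-request PHYPayload. No key is used: every field is cleartext."""
    if len(frame) != JOIN_REQUEST_LEN:
        raise ValueError(f"expected {JOIN_REQUEST_LEN} bytes, got {len(frame)}")
    if frame[0] >> 5 != MTYPE_JOIN_REQUEST:
        raise ValueError("MHDR does not mark a Join-request")
    return {
        # EUIs and DevNonce travel little-endian; reverse for the printed form.
        "join_eui": frame[1:9][::-1].hex(),
        "dev_eui": frame[9:17][::-1].hex(),
        "dev_nonce": int.from_bytes(frame[17:19], "little"),
        "mic": frame[19:23].hex(),  # integrity tag only; it hides nothing
    }


def audit_join_traffic(frames):
    """Summarise what join traffic discloses and flag repeated DevNonce values."""
    exposed = defaultdict(set)   # JoinEUI -> DevEUIs visible to any listener
    seen = set()
    reused = []                  # (DevEUI, DevNonce) pairs observed more than once
    skipped = 0                  # frames that are not well-formed Join-requests
    for raw in frames:
        try:
            jr = parse_join_request(raw)
        except ValueError:
            skipped += 1
            continue
        exposed[jr["join_eui"]].add(jr["dev_eui"])
        key = (jr["dev_eui"], jr["dev_nonce"])
        if key in seen:
            reused.append(key)
        seen.add(key)
    return {
        "exposed": {k: sorted(v) for k, v in exposed.items()},
        "reused_nonces": reused,
        "skipped": skipped,
    }


def _sample_frame(join_eui, dev_eui, dev_nonce, mic=bytes(4)):
    """Build a constructed Join-request for the demo (placeholder MIC)."""
    return (b"\x00" + bytes.fromhex(join_eui)[::-1] + bytes.fromhex(dev_eui)[::-1]
            + dev_nonce.to_bytes(2, "little") + mic)


# Constructed identifiers and capture, for illustration only.
JOIN_EUI = "0102030405060708"
DEV_A = "a1a2a3a4a5a6a7a8"
DEV_B = "b1b2b3b4b5b6b7b8"
SAMPLE_CAPTURE = [
    _sample_frame(JOIN_EUI, DEV_A, 0x0001),
    _sample_frame(JOIN_EUI, DEV_B, 0x0002),
    _sample_frame(JOIN_EUI, DEV_A, 0x0001),   # same device, same nonce again
    bytes.fromhex("40" + "00" * 12),          # data uplink (MType 010), not a join
    b"\x00\x01\x02",                          # truncated frame
]

if __name__ == "__main__":
    report = audit_join_traffic(SAMPLE_CAPTURE)
    for join_eui, devices in report["exposed"].items():
        print(f"JoinEUI {join_eui}: {len(devices)} device EUIs readable in cleartext")
    print("repeated (DevEUI, DevNonce):", report["reused_nonces"])
    print("frames skipped:", report["skipped"])
```

A repeated (DevEUI, DevNonce) pair is what a network server is expected to reject as a replayed join, so a non-empty list is worth investigating.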

1.3.6 Reliability

Information integrity is a crucial evaluation metric of communication technologies. The transmitted information must reach the receiver such that it can be decoded reliably. Wireless standards employ different forward error correction mechanisms to mitigate the errors caused by a noisy, vulnerable propagation environment. In dedicated communication mediums, such as copper wires, optical fibers et cetera, there are very few errors caused during the propagation of information. These systems do not have random reflection, scattering and diffraction effects, and provide lower bit error rates at the same transmit powers as compared to wireless propagation mediums. Mission critical industrial applications require high reliability communication infrastructures. Such applications monitor high stakes processes, and a high packet loss ratio might cause drastic consequences. Wi-Fi technology, for example, can experience interference from other Wi-Fi enabled access points, and must, therefore, be deployed in areas without interfering stations. The fifth generation of cellular systems (5G) has been designed to provide ultra-reliable communications. Reliability has been a key design metric, and the standardized systems provide a reliability score of 99.999%, signifying that this percentage of packets is reliably transferred over the communications channel from the transmitter to the receiver. Next generation systems aim to provide seven sigma reliability, i.e., 99.9999999% for massive M2M systems [7].

1.3.7 Chip Size

The hardware implementation of transceivers requires radio-frequency chips, interfaced with processing interfaces, powered by a single or multiple energy sources. The modulation schemes, multiple access techniques, and coding algorithms determine the computational complexity of the communication chain on the transmitter and receiver ends. Higher complexities require larger chips for implementation, which directly affect the size of the end-devices. The frequency of operation and bandwidths also affect the size of RF modules and add to the net size of the transceivers. The size of edge-devices can be a critical factor for applications with remote and complex environmental structures. Industrial applications have sensitive equipment, and added weights in the form of larger edge-devices can cause drastic changes in sensor data and actuations. Smart consumer applications do not have to manage sensitive processes and, therefore, the transceivers on smart devices are relatively large.

1.3.8 Energy

IoT applications consist of three functional modules with distinctive functions: sensors for monitoring and measurement, actuators for regulating and managing different characteristics of the environment, and processing nodes for data aggregation, data cleaning, data processing, data analysis, forecasting and decision making. The locality of these functional modules defines network topologies considering the energy consumption and recharging capabilities. The sensor nodes are usually deployed remotely, and frequent maintenance and battery replacements are a tedious, sometimes infeasible task. To minimize computations on edge devices, the sensor or monitoring nodes are programmed to redirect information to a central processing node, or the cloud. While migrating data processing from the edge to a central entity enhances battery lives of end-devices, the transceivers implementing the computational chain might still make efficient deployment and maintenance of the IoT ecosystem infeasible. Modern IoT focused wireless standards have energy efficiency documented as a key design metric. These systems have extremely low energy idle states, which enable extreme energy saving, and increase battery lives from weeks to tens of years. BLE, a low energy protocol, consumes ten times less energy than Wi-Fi, enabling battery lives of up to 10 years. Figure 1.7 shows the general trend of end-to-end communication delay with an increase in energy consumption. A higher energy footprint will enable repetitive, high frequency transmission states, and therefore decrease communication delays. Energy consumption is directly correlated with the effective data rate of a communication link, as shown in Fig. 1.7. High energy consumption results in a higher transmit power, which increases the signal-to-noise ratio of the communication link, therefore improving the data rate.

Fig. 1.7 Effect of data rate and delay on energy consumption [figure not reproduced; axis labels: Energy Consumption, Delay, Data rate]

1.3.9 Delay

The latency limitations of information transfer directly affect the feasibility of the use-cases in IoT systems. IoT applications can have high stakes automation and monitoring processes, which require immediate detection, reporting and disaster aversion or management. Wireless technologies with low energy standards usually have high latency of communication. This presents a trade-off between maintenance and effectiveness of the system.

Modern standards are improving the low-energy standards to provide ultra-low latencies. 5G standards have developed technological standards for low latency communication, evolving from a latency of hundreds of milliseconds (4G), to sub-millisecond end-to-end delays. B5G systems aim to provide microsecond latencies [7].

The energy footprint of a wireless standard is inversely related to the end-to-end link latencies, as shown in Fig. 1.8. A higher energy footprint will enable high frequency of data transmissions, and a higher transmit power, which will increase the effective data rate of the communication link. Information will rarely be queued for transmission; therefore, the communication delay will be minimized.

Fig. 1.8 Relationship between energy consumption and latency [figure not reproduced; axis labels: Latency, Energy Consumption]

1.4 Characteristics of Applications

Cyber-physical systems serve an extremely diverse set of use-cases, e.g., in the agricultural, environment and healthcare industries. The following subsections segregate different usage scenarios based on the characteristics of applications in IoT enabled systems.


1.4.1 Frequency of Activity

The frequency of active sessions directly impacts the choice of the wireless infrastructure for the application. Frequent updates directly impact node energy consumption, and consequently affect the network lifetime. Frequently active networks have the constituent end-devices mostly active, and therefore require efficient channel access mechanisms to avoid network congestion, collisions, and re-transmissions. Re-transmissions further degrade the battery lives of network devices. Frequently active networks also require lower latencies, to avoid interference between subsequent transmissions. Frequent updates directly correspond to the generation and aggregation of more data. Larger amounts of data require larger chip areas when stored on the edge-devices. They also require additional network activity for reliable routing of information to the processing entities. Intermittently active networks have their edge-devices mostly in the idle state and, therefore, provide a higher network lifetime. LPWANs are usually employed in applications with trigger-based or scheduled network activities. Video and voice telephony are infrequent but high data rate applications. The average cell phone user engages in 5 voice calls a day. A laboratory temperature management cyber-physical system is an example of a high frequency network. Laboratory temperature plays a crucial role in the integrity of chemical compounds and biological samples. It must be monitored and regulated in real time, using a high data rate, reliable wireless system. Figure 1.9 shows the landscape of cyber-physical applications with respect to the frequency of network activity. Infrastructure and environment monitoring applications have low frequency of activity, as transmissions are triggered with system failure or disaster detection et cetera. Consumer applications such as fitness bands, wireless earphones et cetera, have moderate frequency of activity. Military and healthcare applications have high frequency of activity, with drastic consequences in case of communication failure.

Fig. 1.9 Frequency of network activity in cyber-physical systems [figure not reproduced; axis label: Frequency of Activity]

1.4.2 Network Lifetime

The network lifetime is defined as the time until the first edge-device runs out of energy. It is usually a key performance metric for wireless sensor networks, with remote deployments and portable energy storage devices. Factors such as the data rate, frequency of activity, range-of-operation, locality of computations, and locality of energy source directly impact the lifetime of the network. A higher data rate either has a higher transmit power or has a higher-order modulation scheme, having more on-chip computations and, therefore, more energy usage. Frequent data exchanges cost energy, and therefore decrease net lifetime. A higher range-of-operation requires a higher transmit power to provide the same data rate using the same modulation and coding schemes. A higher transmit power would inevitably exhaust all energy reserves on edge-devices. Distributed processing degrades per-node energy faster than the corresponding centralized processing architecture. If the edge-devices do not have continuous energy sources, the system architecture must be optimized to maximize network lifetime. LPWANs provide extended network lifetimes using several approaches. They use a broadcast-based star topology, which eliminates power consumption from routing algorithms. They also use continuously powered gateways to carry out data aggregation and processing, thus migrating computational complexities from the edge-devices to a central node. They further increase energy efficiencies by limiting effective data rates of communication [12].

Network lifetime directly impacts the choice of wireless standard for a cyber-physical system. Remotely deployed sensing systems, for example, require battery lives of years, and use low powered technologies such as ZigBee, Z-Wave, and BLE. Cellular systems do not use network lifetimes as a key performance indicator. Owing to the rechargeable and portable nature of most cellular devices, their battery reserves are designed to last an average of 12 hours, and the recharge times are minimized, therefore enhancing the QoE of the users.

Figure 1.10 shows the landscape of cyber-physical applications with respect to the importance of energy efficiency at the edge-devices. Healthcare applications usually have dedicated and continuous energy sources, therefore, they do not have stringent energy efficiency requirements. Infrastructure and environmental applications have remote deployments where frequent maintenance is infeasible, therefore, wireless standards in these deployments have high energy efficiency requirements. Military applications, depending on the use case, can have mediocre or extreme energy conservation requirements. Consumer applications assume mobile devices, and therefore, have mid-level energy constraints.

Fig. 1.10 Importance of energy efficiency in cyber-physical systems [figure not reproduced; axis label: Energy Efficiency]

1.4.3 Network Architecture

Wireless standards provide different network topologies based on the serving capabilities of network devices. Some standards define types of devices in the network based on their serving capabilities. The Wi-Fi standard, for example, has a central access point (the serving, routing station) and connected devices, which create point-to-point links with the routing device. It supports a star-like topology, and the connected devices do not have the ability to directly communicate with each other, bypassing the router. This peer-to-peer configuration is also observed in Bluetooth technology, which supports a master-slave link between connected devices. Traditional cellular systems also have a centralized network architecture, with handoff capabilities between different serving stations.

IoT applications motivated the development of mesh-enabling wireless standards, e.g., LoRa, BLE, et cetera. Functionally, mesh topology has one-to-many device connections, thus enabling direct, device-to-device communication, without a central control authority. Wireless mesh topologies can functionally behave as centralized architectures using data aggregating routing algorithms. Additionally, device-to-device capabilities increase the effective range-of-operation of the network. Trigger-based applications usually have effective centralized architectures, with one decision-making entity aggregating data generated from the entire network.

An example of a purely distributed IoT application is the indoor fire management system. It usually has dedicated connections between locality-contiguous fire monitoring sensors and water sprinklers. A fire detected in one locality will immediately open water sprinklers in and around the target area. Low-powered technologies, e.g., BLE, ZigBee, LoRa, SigFox, usually form mesh and star topologies. LPWANs predominantly have one-hop star topologies, with multi-hop algorithms implemented on the application layer, by IoT application developers. Figure 1.11 shows the landscape of cyber-physical applications with respect to the dominant network architectures, from centralized to distributed. Remote applications, e.g., infrastructure monitoring, environment safety, precision farming et cetera, usually have a highly distributed architecture with data aggregation protocols. Consumer applications have centralized architectures for intelligent process scheduling. Healthcare and industry applications usually have hybrid network architectures. Commercial applications, e.g., smart city use-cases, have distributed monitoring and sensing structures, programmed for centralized processing and decision making.

Fig. 1.11 Dominant network architectures in cyber-physical systems [figure not reproduced; axis label: Network Architecture (Centralized, Hybrid, Distributed)]

1.4.4 Direction of Communication

In centralized networks, two different directions of communication are observed with respect to the role of the serving station. If the serving station is transmitting to network devices, the traffic is downlink traffic. The transfer of data from network devices to the serving station is called uplink traffic. Owing to the processing capabilities, mobility constraints and energy reserves, downlink and uplink traffic usually have different QoS requirements. In 4G LTE-A systems, for example, the maximum uplink data rate is 500 Mbps, while the downlink data rate is up to one Gbps. As the serving station (cellular tower) has continuous energy sources, stationary deployments, and higher processing capabilities, the higher downlink data rate is observed in all cellular systems. While most IoT enabled applications have an ad hoc configuration of communication, they can realize centralized architectures in a functional manner using aggregation routing algorithms. If a larger percentage of network traffic is uplink in a specific application, the enabling wireless technology must be optimized for energy efficiency. More uplink traffic initiates more RF transmissions from the edge-devices and depletes energy reserves on the edge. LPWAN specifications observe the difference in the direction of communication. SigFox, for example, limits the number of messages in each direction: 140 uplink messages per day, and 4 downlink messages per day [19]. Another LPWAN technology, LoRaWAN, defines different device classes based on the scheduling of receive slots. Monitoring applications, for example, have a higher percentage of uplink traffic. Industrial process regulation systems usually have balanced network traffic, owing to the two core functionalities: monitoring (uplink) and actuation (downlink).

1.4.5 Traffic

The amount of network traffic directly affects the choice of wireless standard. More network traffic will take more energy reserves, and have higher collisions, which would further increase traffic by initiating re-transmissions. The traffic generated in a wireless network depends on the type of application. If a network is expected to support a small number of devices which sporadically exchange small amounts of data, then the net traffic will be low, and a variety of low-powered communication technologies will present viable network infrastructures. When intermittent transmissions are observed, the number of devices does not have adverse effects on the network performance. High device density results in communication blockades if the devices frequently contest for channel access. The amount of transmitted data also has a direct impact on the performance of the network. The transmission of a larger packet size in a LoRa network, for example, greatly degrades the network performance, causing a sharp increase in the packet loss ratio [13]. Similarly, continuous active scanning of a dense BLE deployment causes network congestion and makes communication infeasible. Opportunistic scanning algorithms have been introduced to alleviate this bottleneck to a large extent [10].

5G systems, for example, have heterogeneous design metrics, corresponding to the versatility in target use-cases. The enhanced mobile broadband (eMBB) applications of 5G systems require higher data rates, and consequently have higher network traffic. High traffic networks enable immersive multimedia, mobile video telephony, and mission-critical military, healthcare, and safety applications. The technological advancements enabling extreme traffic networks are mmWave systems, and massive multi-input multi-output (MIMO) antenna configurations. LPWANs are designed for low data rate communications. They provide data rates from Kbps to a few Mbps. Smart building applications, for example, do not have stringent QoS constraints, and can use SigFox or LoRaWAN for automation and monitoring purposes.

Fig. 1.12 Scale of network traffic in cyber-physical systems [figure not reproduced; axis label: Traffic Intensity]

Figure 1.12 shows the landscape of cyber-physical applications with respect to the scale of data traffic generated and propagated in the network. Monitoring and surveillance applications in agricultural, environmental and infrastructure deployments usually have low traffic intensities. Wearable electronics have frequent, but small data packets, and therefore have low net traffic intensity. Industrial applications, e.g., process control, have mid-level traffic intensities. Critical applications in the healthcare and military deployments have extremely high traffic, with extreme reliability constraints.

1.4.6 Mobility

The development of wireless communication technologies was heavily motivated by the lack of node mobility support in wired networks. While wireless standards inherently provide node mobility, the data rates, QoS requirements, and network availability are directly affected by the speed of motion of end-devices. Higher speeds of mobility cause more channel fluctuations in the propagation environment, and consequently higher bit error rates and outage probabilities, thus decreasing network availability. Additionally, mobility of nodes increases or decreases the received power of the transmitted signal, based on the distance between the transmitter and the receiver. This distance is directly defined by the choice of wireless standard, e.g., BLE has a range of a few meters, while LPWANs provide kilometers of coverage.

The International Telecommunication Union has classified user devices based on mobility for cellular wireless systems. The mobility cases are segregated based on the speed and nature of device mobility. The devices can be stationary, pedestrian, vehicular, or high-speed vehicular in nature. The stationary and pedestrian mobility cases have similar QoS requirements defined by similar uplink and downlink data rates. Vehicular and high-speed vehicular cases have lower data rates, owing to the added vulnerabilities in the propagation environment. High-speed vehicular cases motivate the development of sophisticated handoff mechanisms to make communication feasible. LPWANs have different levels of support for mobile devices. LoRaWAN works well in motion and is extensively used in GPS-assisted outdoor asset tracking applications. SigFox provides received signal strength-based positioning of nodes, and is also a viable wireless standard for low-energy asset tracking [19].

Figure 1.13 shows the landscape of cyber-physical applications with respect to the demands of mobility in the wireless infrastructures. Infrastructure applications, e.g., bridge and railway monitoring systems, have static sensor deployments. Environmental and healthcare applications have stationary to low-mobility deployments, with diverse traffic requirements. Consumer applications have versatility in mobility constraints. Smart home applications, for example, have stationary deployments, whereas vehicular and wearable applications have high mobility requirements. Military applications require extreme mobility support.

1.4.7 Age of Information

The age of information indicates freshness of the data transmitted from the generating, monitoring, or reporting device to the receiving device. It is a quantitative measure of end-to-end communication latency with respect to the functionality of the system. In contrast to the latency of the wireless standard, which measures end-to-end transceiver delays, the age of information actively considers the type and importance of information to quantify freshness of received data. Modern cellular systems use latency as a key design metric for technological advancements. 5G systems, for example, tremendously decrease the latency as compared to the previously standardized 4G systems, from tens of milliseconds to sub-milliseconds. This advancement is a key enabler of the URLLC use cases of the 5G standard. LPWANs offer versatility in network latencies and therefore can enable a multitude of applications. SigFox, for example, is good for latency insensitive applications. LoRaWAN addresses different latencies in IoT applications using multiple communication classes of edge-devices [19]. NB-IoT, however, is the best fit for latency sensitive IoT applications and provides synchronous communication, at the expense of a higher power consumption [20]. Figure 1.14 shows the landscape of cyber-physical applications with respect to the importance of the age of information propagated in the network. Healthcare and military applications are extremely sensitive in nature. They require low latency and, therefore, minimum age-of-information for feasible deployments. Environmental, agricultural and infrastructure deployments have mid-level age-of-information requirements, with disaster monitoring systems having stringent latency requirements. Consumer applications, e.g., home automation, fitness tracking et cetera, have flexible latency requirements.

Fig. 1.13 Demands of mobility in cyber-physical systems [figure not reproduced; axis label: Mobility]

1.4.8 Locality of Computations Cyber-physical systems consist of edge-devices for data collection or system actuation, and computing nodes for data aggregation, cleaning, processing, and modeling of system applications. The data generated or collected on the edgenodes, must either be stored on the device, or transmitted to a central entity for further processing and decision making. The central entity can either have a direct connection with each edge-device, as is the case for internet enabled edge-devices or can have aggregated data routed to it.

Fig. 1.14 Age of information in cyber-physical systems (axis: Age of Information)


The locality of computations is a major design factor in the application layer development of a cyber-physical system. The computations can either be carried out on the edge-devices or have central processing nodes for data aggregation and computations. Processing on the edge can either be carried out on dedicated edge-devices or be shared on the data collection or system actuating devices. To enable accurate and sensible decision-making capabilities while processing on the edge, the data is usually broadcast and shared with all nodes in the geographic locality. This enables each node to make accurate decisions by independently processing and modeling the data collected from its locality. This architecture motivates the need for wireless standards that enable mesh topologies. Centrally computing IoT infrastructures usually require wireless standards with star topologies. LPWANs offer a broadcast architecture, which can be geographically expanded using more serving devices. They are usually used for central processing architectures but can also enable edge-processing structures using re-transmission queues on the application layer.

1.4.9 Locality of Deployment

The geographical nature of the deployment of edge-devices has a direct impact on the battery life, routing algorithms, and frequency of computations in the cyber-physical system. A remote deployment of edge-devices rarely has live energy sources, and therefore requires low-powered wireless communication standards which enable battery lives of years. Remote deployments make system maintenance difficult, and sometimes infeasible. The networks in these systems usually have trigger-based or scheduled transmissions, with no channel contention. These systems also have high reliabilities to avoid re-transmissions due to packet losses, thus further improving energy efficiencies. Easily accessible networks are easy to maintain, and can have live energy sources or frequent battery recharges. The network lifetime requirements in geographically accessible networks are usually much less constrained than in the corresponding remotely deployed networks. LPWANs can provide extremely long-ranged connectivity and therefore enable remote IoT applications. The end-devices in LPWANs have extremely low energy consumptions, and are ideal for remotely located, extended battery lifetime applications. Most LPWANs have similar battery lives, e.g., SigFox and LoRaWAN. NB-IoT, owing to its synchronized nature, has a higher energy consumption than SigFox and LoRaWAN [20].

1.4.10 Reliability

Owing to the vulnerable wireless propagation channel, the transmitted signals experience noise and interference during signal propagation. If the noise and interference levels cross receiver sensitivity thresholds, signal decoding at the receiver would be impossible, causing communication failure. Since the propagation channel is a random, uncontrolled entity, many data link (Layer 2) and physical layer (Layer 1) techniques are applied at the transmitter and receiver blocks to keep the number of errors as low as possible. The extent of errors that can be tolerated at the receiver depends on the type of application. Remotely controlled aerial equipment, UAVs for example, requires error-free low-latency communication for trajectory control. Smart agriculture systems, with monitoring sensors deployed in the field, require a longer battery life, and therefore re-transmissions must be minimized by design. Modern 5G cellular systems have identified ultra-reliability as a key enabler of cyber-physical systems, and B5G systems are evolving technologies to provide 99.9999999% i.e., seven sigma reliabilities [7]. LPWANs can have different packet loss ratios, depending on the configuration of wireless standards. LoRaWAN, for example, has a higher packet loss ratio than SigFox and NB-IoT in medium and far distance communications. NB-IoT is steadily reliable over long distances. Extreme reliability also serves industrial and military applications, e.g., high precision machinery automation, military cobots and robots et cetera. Figure 1.15 shows the landscape of cyber-physical applications with respect to the importance of reliability in the wireless infrastructure. Mission critical applications, e.g., healthcare and military deployments, have extreme reliability requirements. Minor communication failures can lead to drastic consequences in these scenarios. Commercial applications, e.g., smart parking, smart lighting et cetera, have low reliability constraints. Industry applications have versatile reliability requirements depending on the processes involved in the system. Consumer applications have flexible mid-level reliability constraints.

Fig. 1.15 Importance of reliability in cyber-physical systems (axis: Reliability)

1.4.11 Security

Security and privacy requirements of the specific use-case dictate the choice of network architecture and the enabling wireless standard in the technological infrastructure of the application. Many commercial and domestic environments have major concerns regarding the security and privacy features of the underlying communication infrastructure. Data transmission in domestic and military deployments must guarantee privacy, and architecturally disable eavesdropping in the systems. This aspect of security and privacy has to be embedded in the communication technology for efficient and feasible deployments. Most LPWANs provide security by encrypting data before transmission. Encryption algorithms, when implemented in the hardware device, consume less energy and provide lower latencies, as compared to the corresponding software-based implementations. While hardware implementations provide performance enhancements, they increase the complexity and cost of the communication device. Critical use cases of these technologies include industrial automation, home automation, and healthcare services, et cetera. LoRaWAN and DASH7 use AES-128, while NB-IoT uses LTE encryption for securing its traffic during communication. These technologies can, therefore, be used in application scenarios requiring secure message-based communications. SigFox does not provide native security features in its data transmissions, but the IoT developers can add security on the application layer [20]. Most IoT enabling wireless standards are broadcast oriented in nature. They transmit data to nearby devices for maximum information propagation in the network, thus inherently decreasing system privacy. Owing to this transmission structure, the LPWANs must provide native encryption capabilities. While encryption enhances the net security level of an infrastructure, these systems are prone to man-in-the-middle attacks, which steal the keys involved in data encryption and manipulate the exchange of information between authorized network entities. To combat these attacks, IoT technologies employ scheduled key-updates and reauthorizations to continuously monitor network entities and block invalid devices from accessing the networks. Industrial process control architectures, human message transmission and other consumer applications require a moderate degree of security. Figure 1.16 shows the landscape of cyber-physical applications with respect to the importance of network security. Environmental, infrastructure and agricultural applications require mid-level security and privacy in the network. Consumer applications have high privacy demands owing to the personalized nature of use-cases. Military and healthcare systems demand extreme security owing to the drastic consequences in case of data corruption and privacy failures.

Fig. 1.16 Importance of network security in cyber-physical systems (axis: Security)

1.4.12 Locality of Energy Source

The locality of energy sources directly affects the design of the application architecture. LPWANs offer extremely low energy consumption, with battery lives in tens of years. This enables remote deployments, with minimal to no network maintenance. For accessible deployments, energy efficiency is not a key design metric as frequent battery replacements are feasible. Some remote deployments have live, continuous energy sources, therefore removing the energy constraints of telecommunication networks. In commercial deployments, due to the availability of power grids, Wi-Fi is the preferred communication technology owing to its high effective data rate. LPWANs are not feasible for extreme data rate applications. They offer ideal solutions in remote deployments, with stringent network lifetime requirements and high energy efficiency demands. They offer long-lifetime solutions with low to no network maintenance requirements, therefore decreasing management costs. For monitoring and surveillance applications with data aggregation methods, the uplink energy consumption is much more important than the downlink energy footprint. For 12-byte packets, for example, LoRaWAN uses the least amount of energy (132 mW), NB-IoT uses 186 mW and SigFox consumes 980 mW [11]. The overall energy consumption of SigFox is lower than NB-IoT due to the limited number of message transmissions allowed per day. A major advantage of LPWANs is their ability to extend their operational lifetime using energy harvesting techniques. LPWANs, in conjunction with energy harvesting-enabled technologies, form truly long-term application deployments. Owing to the suitability of LPWANs for battery powered and energy harvesting architectures, they are ideal enablers of applications where line power is not available, essentially shifting their locality of energy from the grid to a distributed battery operated network.

1.5 Conclusion

This chapter details the technological fundamentals, functional concepts, development motivation, and characteristics of LPWANs. It also discusses the need for LPWANs in the mass-scale, densely connected internet-of-things (IoT) paradigm of communications, and allocates the IoT enabling networks based on the characteristics of cyber-physical applications.


We first describe the basic conceptual blocks of the wireless communication chain, and characterize modern networks based on their geographical scale. We then explore the nature and technical requirements of different inter-networking entities included in IoT-enabled systems and introduce the two major communication categories: human-to-human (H2H) and machine-to-machine (M2M) communications. These categories are employed in the technical introduction and explanation of the major characterizing attributes of wireless technologies, i.e., data rates, coverage, network service densities, network architectures, security, reliability, chip sizes, delays and energy usage. We then employ these attributes to define the major functional characteristics of networking-enabled cyber-physical applications, and analyze different systems based on these characteristics to further explain the use-cases of LPWANs.

References

1. European Vision for the 6G Network Ecosystem (2021). https://5g-ppp.eu/wp-content/uploads/2021/06/WhitePaper-6G-Europe.pdf. Accessed 22 Mar 2022
2. Internet of Things [IoT] Market Size, Share & Trends, 2028 (2022). https://www.fortunebusinessinsights.com/industry-reports/internet-of-things-iot-market-100307. Accessed 22 Mar 2022
3. Al-Kashoash, H.A.A., Kemp, A.H.: Comparison of 6LoWPAN and LPWAN for the Internet of Things. Aust. J. Electr. Electron. Eng. 13(4), 268–274 (2016). https://doi.org/10.1080/1448837X.2017.1409920
4. Boswarthick, D., Elloumi, O., Hersent, O.: M2M Communications: A Systems Approach. Wiley, Chichester (2012)
5. Casado-Vara, R., Vale, Z., Prieto, J., Corchado, J.M.: Fault-tolerant temperature control algorithm for IoT networks in smart buildings. Energies 11(12), 3430 (2018)
6. Condry, M.W., Nelson, C.B.: Using smart edge iot devices for safer, rapid response with industry iot control operations. Proc. IEEE 104(5), 938–946 (2016). https://doi.org/10.1109/JPROC.2015.2513672
7. Dang, S., Amin, O., Shihada, B., Alouini, M.S.: What should 6G be? Nat. Electron. 3, 20–29 (2020). https://doi.org/10.1038/s41928-019-0355-6
8. Gaur, A., Scotney, B., Parr, G., McClean, S.: Smart city architecture and its applications based on iot. Proc. Comput. Sci. 52, 1089–1094 (2015)
9. Gupta, R., Tanwar, S., Tyagi, S., Kumar, N.: Tactile-internet-based telesurgery system for healthcare 4.0: an architecture, research challenges, and future directions. IEEE Netw. 33(6), 22–29 (2019)
10. Harris III, A.F., Khanna, V., Tuncay, G., Want, R., Kravets, R.: Bluetooth low energy in dense iot environments. IEEE Commun. Mag. 54(12), 30–36 (2016). https://doi.org/10.1109/MCOM.2016.1600546CM
11. IoT, D.T.: Nb-iot, lorawan, sigfox: an up-to-date comparison. Deutsche Telekom AG, Bonn 222 (2021)
12. Ismail, D., Rahman, M., Saifullah, A.: Low-power wide-area networks: opportunities, challenges, and directions. In: Proceedings of the Workshop Program of the 19th International Conference on Distributed Computing and Networking, pp. 1–6 (2018)
13. Lavric, A.: LoRa (Long-Range) high-density sensors for Internet of things. J. Sens. 2019, e3502987 (2019). https://doi.org/10.1155/2019/3502987


M. Anjum et al.

14. Lavric, A., Petrariu, A.I., Popa, V.: Long range sigfox communication protocol scalability analysis under large-scale, high-density conditions. IEEE Access 7, 35816–35825 (2019)
15. Lee, J.S., Dong, M.F., Sun, Y.H.: A preliminary study of low power wireless technologies: Zigbee and bluetooth low energy. In: 2015 IEEE 10th Conference on Industrial Electronics and Applications (ICIEA), pp. 135–139. IEEE (2015)
16. Liu, T., Lu, D.: The application and development of iot. In: 2012 International Symposium on Information Technologies in Medicine and Education, vol. 2, pp. 991–994 (2012). https://doi.org/10.1109/ITiME.2012.6291468
17. Liu, Y., Zhou, G.: Key technologies and applications of internet of things. In: 2012 Fifth International Conference on Intelligent Computation Technology and Automation, pp. 197–200 (2012). https://doi.org/10.1109/ICICTA.2012.56
18. Loghin, D., Cai, S., Chen, G., Dinh, T.T.A., Fan, F., Lin, Q., Ng, J., Ooi, B.C., Sun, X., Ta, Q.T., Wang, W., Xiao, X., Yang, Y., Zhang, M., Zhang, Z.: The disruptions of 5g on data-driven technologies and applications. IEEE Trans. Knowl. Data Eng. 32(6), 1179–1198 (2020). https://doi.org/10.1109/TKDE.2020.2967670
19. Mekki, K., Bajic, E., Chaxel, F., Meyer, F.: Overview of cellular LPWAN technologies for IoT deployment: Sigfox, LoRaWAN, and NB-IoT. In: 2018 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), pp. 197–202. IEEE (2018). https://doi.org/10.1109/PERCOMW.2018.8480255
20. Mekki, K., Bajic, E., Chaxel, F., Meyer, F.: A comparative study of LPWAN technologies for large-scale IoT deployment. ICT Express 5(1), 1–7 (2019). https://doi.org/10.1016/j.icte.2017.12.005
21. Neha, S., Madhavi, S., Singh Inderjit, e.V.E., Kumar, S.V., Raghvendra, K., Manju, K.: The History, Present and Future with IoT, pp. 27–51. Springer International Publishing, Cham (2019). https://doi.org/10.1007/978-3-030-04203-5_3
22. Olatinwo, D.D., Abu-Mahfouz, A., Hancke, G.: A survey on LPWAN technologies in WBAN for remote health-care monitoring. Sensors 19(23), 5268 (2019)
23. Onumanyi, A.J., Abu-Mahfouz, A.M., Hancke, G.P.: Low power wide area network, cognitive radio and the internet of things: potentials for integration. Sensors 20(23), 6837 (2020)
24. Pau, G., Collotta, M., Maniscalco, V.: Bluetooth 5 energy management through a fuzzy-PSO solution for mobile devices of internet of things. Energies 10(7), 992 (2017)
25. Pereira, C., Aguiar, A.: Towards efficient mobile m2m communications: survey and open challenges. Sensors 14(10), 19582–19608 (2014)
26. Pitu, F., Gaitan, N.C.: Surveillance of sigfox technology integrated with environmental monitoring. In: 2020 International Conference on Development and Application Systems (DAS), pp. 69–72. IEEE (2020)
27. Poddar, N., Khan, S.Z., Mass, J., Srirama, S.N.: Coverage analysis of NB-IoT and Sigfox: two Estonian university campuses as a case study. In: 2020 International Wireless Communications and Mobile Computing (IWCMC), pp. 1491–1497. IEEE (2020)
28. Rama, Y.: A comparison of long-range licensed and unlicensed LPWAN technologies (2019). https://acikbilim.yok.gov.tr/handle/20.500.12812/95178
29. Ratasuk, R., Prasad, A., Li, Z., Ghosh, A., Uusitalo, M.A.: Recent advancements in m2m communications in 4g networks and evolution towards 5g. In: 2015 18th International Conference on Intelligence in Next Generation Networks, pp. 52–57. IEEE (2015)
30. Roque, G., Padilla, V.S.: Lpwan based iot surveillance system for outdoor fire detection. IEEE Access 8, 114900–114909 (2020)
31. Routray, S.K., Javali, A., Sahoo, A., Sharmila, K., Anand, S.: Military applications of satellite based iot. In: 2020 Third International Conference on Smart Systems and Inventive Technology (ICSSIT), pp. 122–127. IEEE (2020)
32. Saad, W., Bennis, M., Chen, M.: A vision of 6g wireless systems: applications, trends, technologies, and open research problems. IEEE Netw. 34(3), 134–142 (2020). https://doi.org/10.1109/MNET.001.1900287
33. Sadowski, S., Spachos, P.: RSSI-based indoor localization with the internet of things. IEEE Access 6, 30149–30161 (2018). https://doi.org/10.1109/ACCESS.2018.2843325


34. Saravanan, M., Das, A., Iyer, V.: Smart water grid management using lpwan iot technology. In: 2017 Global Internet of Things Summit (GIoTS), pp. 1–6. IEEE (2017)
35. Song, Q., Nuaymi, L., Lagrange, X.: Survey of radio resource management issues and proposals for energy-efficient cellular networks that will cover billions of machines. EURASIP J. Wirel. Commun. Netw. 2016(1), 1–20 (2016)
36. Vejlgaard, B., Lauridsen, M., Nguyen, H., Kovacs, I.Z., Mogensen, P., Sorensen, M.: Coverage and capacity analysis of SigFox, LoRa, GPRS, and NB-IoT. In: 2017 IEEE 85th Vehicular Technology Conference (VTC Spring), pp. 1–5 (2017). https://doi.org/10.1109/VTCSpring.2017.8108666
37. Viswanathan, H., Mogensen, P.E.: Communications in the 6g era. IEEE Access 8, 57063–57074 (2020). https://doi.org/10.1109/ACCESS.2020.2981745

Chapter 2

IDS and IPS in LPWAN (LoRaWAN, Sigfox, and NB-IoT)

Amar Amouri, Vishwa Teja Alaparthy, and Ismail Butun

2.1 Introduction

Low Power Wide Area Network (LPWAN) is a subclass of IoT that deals with interconnected electronic devices using low-rate (Kbps), long-range (>10 km) radio communications technology [17]. Three major LPWAN technologies, namely LoRa, Sigfox, and NB-IoT, are competing for large-scale IoT deployment [55]. The strong demand for sustained data connectivity makes the LPWAN technologies serve as a pillar in the global telecommunications market, with revenue that is expected to exceed 80 billion USD by 2027 [33]. Security is considered a major challenge that surfaces after the large-scale deployment of such devices, due to the inherent wireless communication nature and scarcity of power/memory resources. Such restrictions require thoughtful and practical solutions that facilitate the use of efficient intrusion detection and prevention techniques.

A. Amouri
Abu Dhabi Polytechnic, Abu Dhabi, United Arab Emirates

V. T. Alaparthy
Department of Electrical Engineering, University of South Florida, Tampa, FL, USA

I. Butun
Division of Network and Systems Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
I. Butun, I. F. Akyildiz (eds.), Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats, https://doi.org/10.1007/978-3-031-32935-7_2


A. Amouri et al.

The recent Russian-Ukrainian war (21 February 2022) has shown that twenty-first-century wars will also be executed in the cyber domain, as experts and several institutions declared that the cyberattacks against Ukraine were started at least a month earlier than the real clashes. “Russian cyber capabilities are very advanced in the field of defence and deterrence, and are always able to monitor and respond to cyberattacks, detect gaps in enemy systems, and plan effective and painful attacks that incur heavy losses to the enemy” [59]. As mentioned in [13], future wars might be only cyberwars, as was even expected in this conflict: “... the idea that Russia might use some cyber operations instead of invading ... But I think it’s quite, it’s a huge distraction raised this idea that, well they might just use some hypothetical future cyber Pearl Harbor scenario that everyone has been afraid of and that districts resources and energy away the needs of the actual military aggression.”

“On May 6, 2021, Colonial Pipeline was attacked by ransomware suspected to have originated in Eastern Europe or Russia, allowing cybercriminals to penetrate a major utility with significant impact on the entire US eastern seaboard’s economy. From the perspective of vulnerability, the Colonial Pipeline attack was a significant wake-up call - a Pearl Harbor moment for cybersecurity.” [67]. The Colonial Pipeline attack and many similar cases have proven that cyberattacks cause major monetary losses. We expect a similar pattern within the IIoT networks and industrial businesses, i.e. they are projected to have significant losses due to cyberattacks on LPWANs (emanating from them and/or using them as a penetration point). Considering the fact that it took 10 days to restart the Colonial Pipeline and even more to restore normalcy, attacks on such critical domains are not easy to deal with and will require a lot of time and effort.

Very few works from the existing literature present a holistic security review of LPWANs. A review of intrusion detection, in particular, has been given little importance. To this end, this chapter provides a concise summary of the state-of-the-art intrusion prevention and detection techniques designed specifically for LPWAN systems. This includes an overview of the datasets used in the literature, segregation of security schemes for different LPWAN technologies and for various attack vectors, and an analysis of the advantages and disadvantages of the aforementioned techniques. Apart from this, the chapter aims to paint the conventional security requirements such as integrity, authenticity, confidentiality, etc. and their importance in the LPWAN communication layers, while also talking about the functional and specification requirements which are specific to LPWANs. In addition, we also plan to discuss the various problems associated with LPWANs, including the potential security vulnerabilities, both on a hardware and software level, and also the various attack scenarios that can be imposed by an adversary. This chapter also focuses on the challenges (and sheds light on future work such as federated learning, etc.) associated with the implementation of the traditional intrusion prevention systems (IPS) [9] and intrusion detection systems (IDS) [5] in newly designed LPWAN systems.

2.2 Background

The Background section of this chapter lays the foundation for readers to understand the prominent LPWAN technologies, such as LoRaWAN, NB-IoT, and Sigfox, as well as the comparison of all these technologies, including their security.

2.2.1 LoRaWAN

LoRaWAN stands for Long Range Wide Area Network and is one of the prominent LPWAN technologies having market leadership. LoRa is a proprietary radio protocol developed by Semtech Inc. to provide very long distance wireless communication (30 km) along with low power consumption. It uses the Chirp Spread Spectrum (CSS) modulation technique, which consumes less energy and allows long-lasting battery life (up to 10 years) for the end devices. LoRa-based communication is executed on the ISM band, which is an unlicensed (free to use) spectrum, and can forward packets about 2–5 km indoors and up to 50 km in rural areas [15, 16, 58, 81].

The overall security in LoRaWAN is evolving with each release and is technically challenging. It uses end-to-end encryption along with AES 128-bit-key encryption operating in CTR mode; moreover, every message is signed [58]. Security features of LoRaWAN¹ can be summarized under 3 main categories, which should take place in an orderly and sequential fashion:

2.2.1.1 Key Agreement

There are 2 root keys in LoRaWAN (namely NwkKey and AppKey), which are used to generate the session (live transactions) keys. In principle, root keys are embedded in the end devices during or right after the production cycle. The root keys are required during OTAA, and not for ABP.

¹ Readers are referred to these resources for further reading: [15, 16, 26, 52, 58].


• NwkKey: This key is specifically used to generate the NwkSKey session key.
• AppKey: This key is specifically used to generate the AppSKey session key.

2.2.1.2 Join Procedure (Activation Methods)

There are 2 activation methods defined in the LoRaWAN description document:

• OTAA (Over The Air Activation): OTAA provides a more flexible and secure way of establishing session keys with the servers.
• ABP (Activation By Personalization): ABP can be considered an easy way to simplify the deployment at the cost of reduced security, as ABP devices use the same session keys for their lifetimes.

2.2.1.3 Sessions

MIC (Message Integrity Code) is appended to all uplink-downlink data messages to ensure the integrity of the messages distributed from the network servers.

• NwkSKey: To be used to encrypt the packets in between the end-device and the Network Server, generated from the NwkKey root key.
• AppSKey: To be used to encrypt the packets in between the end-device and the Application Server, generated from the AppKey root key.

2.2.2 NB-IoT

Narrow-Band IoT (NB-IoT) is a cellular Internet-of-Things technology standardized by 3GPP which uses licensed spectrum. Because NB-IoT is based on the LTE standard, it benefits from LTE’s tried and true security measures. NB-IoT provides three different operation modes [74]. The narrow-band is deployed within an LTE carrier in the in-band mode. In guard-band mode, NB-IoT can take advantage of LTE’s idle resources. The narrow-band is deployed in a separate spectrum in the standalone mode.

The architecture of an NB-IoT network, as shown in Fig. 2.1 [80], is composed of the following major components: Mobile Management Entity (MME), Service Capabilities Exposure Function (SCEF), Serving Gateway (S-GW), Evolved Node B (eNB), which is the base station at the user’s end, Cellular IoT (CIoT), and Packet Gateway (P-GW). Note that the vertical blue lines between different entities represent the communication interfaces.


Fig. 2.1 NB-IoT network architecture

Before establishing secure communication between end nodes and the NB-IoT network, mutual authentication is required. The USIM has a unique identifying number that incorporates the IMSI, in addition to a 128-bit long master key K for this purpose. Every valid SIM, as well as its master key K and authorizations, is stored in the HSS. The end device and the HSS must both show that they have the master key for mutual authentication to work.

• The end device sends an Attach Request command with the IMSI to the MME.
• The MME requests an authentication vector (AV) from the HSS.
• The HSS generates the AV from the master key K, a counter (SQN) and a random nonce (RAND). The final vector includes RAND, a token for network authentication (AUTN), an expected response during user authentication (XRES) and a key (K_ASME).
• The MME forwards RAND and AUTN to the user’s USIM.
• The USIM verifies the received AUTN’s MAC and freshness. After that, the USIM calculates RES and sends it to the MME.
• RES and XRES are compared by the MME. If both values are equal, the network and USIM have demonstrated that they have the secret key K. The connection to the user equipment is terminated if the user authentication fails.

Once mutual authentication is obtained, a secured communication can be established. Simple descriptions of the keys mentioned in Fig. 2.2 are listed as follows:²

• K_ASME: is used for the derivation of two keys for integrity and confidentiality protection: K_NASenc and K_NASint.
• K_eNB: is used for the derivation of K_RRCint, K_RRCenc and K_UPenc. This key is derived by UE and MME from K_ASME.
• K_NASenc: must only be utilized to safeguard the Non-Access-Stratum (NAS) protocol traffic with a particular encryption algorithm. This key is derived by UE and MME from K_ASME.
• K_NASint: must only be utilized to safeguard the NAS communication using a specific integrity algorithm. UE and MME obtain this key from K_ASME.
• K_RRCint: must only be utilized to safeguard the Radio Resource Control (RRC) protocol traffic with a particular integrity algorithm. This key is derived by UE and eNB from K_eNB.
• K_RRCenc: must only be utilized to safeguard the RRC protocol traffic with a particular encryption algorithm. This key is derived by UE and eNB from K_eNB.
• K_UPenc: is used for the protection of UP traffic which is a type of the X2 interface traffic. This key is derived by UE and eNB from K_eNB.

Fig. 2.2 Attach request and key agreement/exchange

² For more details, visit these resources: https://www.atis.org/wp-content/uploads/3gppdocuments/Rel15/ATIS.3GPP.36.411.V1500.pdf https://iot.telekom.com/resource/blob/data/489050/f9fb87f65ada3528c8c08a1cb0364a1d/security-aspects-lorawan-nb-iot.pdf
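The attach exchange and key hierarchy listed above, as an added example that is not part of the original chapter: a Python simulation of the USIM, MME and HSS roles that also exercises the three failure paths (wrong K, replayed AUTN, wrong RES). HMAC-SHA256 stands in for the 3GPP authentication functions and key-derivation function, AUTN is simplified to SQN plus MAC, and the class names, labels and sample IMSI and key are constructed for illustration.

```python
import hashlib
import hmac
import os


class AuthError(Exception):
    """Raised when the USIM rejects the network or the MME rejects the USIM."""


def prf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the operator's f1/f2 functions and the 3GPP KDF.
    return hmac.new(key, label + b"".join(fields), hashlib.sha256).digest()


def key_hierarchy(k_asme: bytes) -> dict:
    """K_ASME -> NAS keys and K_eNB; K_eNB -> RRC and user-plane keys."""
    k_enb = prf(k_asme, b"KeNB")
    return {
        "K_NASenc": prf(k_asme, b"NAS-enc")[:16],
        "K_NASint": prf(k_asme, b"NAS-int")[:16],
        "K_eNB": k_enb,
        "K_RRCint": prf(k_enb, b"RRC-int")[:16],
        "K_RRCenc": prf(k_enb, b"RRC-enc")[:16],
        "K_UPenc": prf(k_enb, b"UP-enc")[:16],
    }


class HSS:
    """Holds the master key K per IMSI and builds authentication vectors."""

    def __init__(self):
        self.subs = {}

    def provision(self, imsi: str, k: bytes) -> None:
        self.subs[imsi] = {"K": k, "SQN": 0}

    def auth_vector(self, imsi: str) -> dict:
        sub = self.subs[imsi]
        sub["SQN"] += 1                                   # counter gives freshness
        sqn = sub["SQN"].to_bytes(6, "big")
        rand = os.urandom(16)                             # random nonce
        autn = sqn + prf(sub["K"], b"f1", sqn, rand)[:8]  # simplified: SQN || MAC
        return {"RAND": rand, "AUTN": autn,
                "XRES": prf(sub["K"], b"f2", rand)[:8],
                "K_ASME": prf(sub["K"], b"KASME", sqn, rand)}


class USIM:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.last_sqn = imsi, k, 0

    def authenticate(self, rand: bytes, autn: bytes):
        sqn, mac = autn[:6], autn[6:]
        # The network proves knowledge of K through the MAC inside AUTN.
        if not hmac.compare_digest(mac, prf(self.k, b"f1", sqn, rand)[:8]):
            raise AuthError("AUTN MAC mismatch")
        # A sequence number that is not newer than the last accepted one is a replay.
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise AuthError("AUTN not fresh")
        self.last_sqn = int.from_bytes(sqn, "big")
        return prf(self.k, b"f2", rand)[:8], prf(self.k, b"KASME", sqn, rand)


class MME:
    def __init__(self, hss: HSS):
        self.hss, self.pending = hss, {}

    def start_attach(self, imsi: str):
        """Attach Request received: fetch an AV and forward RAND and AUTN."""
        av = self.hss.auth_vector(imsi)
        self.pending[imsi] = av
        return av["RAND"], av["AUTN"]

    def finish_attach(self, imsi: str, res: bytes) -> dict:
        """Compare RES with XRES; on success derive the network-side keys."""
        av = self.pending.pop(imsi)
        if not hmac.compare_digest(res, av["XRES"]):
            raise AuthError("RES != XRES")
        return key_hierarchy(av["K_ASME"])


def run_attach(usim: USIM, mme: MME):
    """Full exchange; returns (device-side keys, network-side keys)."""
    rand, autn = mme.start_attach(usim.imsi)
    res, k_asme = usim.authenticate(rand, autn)
    return key_hierarchy(k_asme), mme.finish_attach(usim.imsi, res)


if __name__ == "__main__":
    imsi, k = "001010123456789", bytes(range(16))   # constructed test subscriber
    hss = HSS()
    hss.provision(imsi, k)
    ue_keys, net_keys = run_attach(USIM(imsi, k), MME(hss))
    print("keys agree:", ue_keys == net_keys)
```

Both sides end up with the same six keys without any of them crossing the air interface; only the IMSI, RAND, AUTN and RES are exchanged.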

2.2.3 Sigfox

Sigfox is a French worldwide network operator that was established in 2009 and constructs wireless networks to connect low-power gadgets such as smart meters. This technology employs ultra narrow-band (UNB) modulation techniques. To comply with the sub-GHz duty cycle limitation, Sigfox limits up-link communications to 140 12-byte payload transmissions per day and per device, and down-link communications to 4 8-byte payload transmissions per day and per device [29].

Sigfox has the lowest data rate among all the LPWAN technologies, at 100 bps. The architecture of a typical Sigfox network is shown in Fig. 2.3 [48]:

Fig. 2.3 Architecture of a typical Sigfox network


Fig. 2.4 Different checks performed on the message during the uplink trip

Security practices occur at different levels and components in the Sigfox network, such as:

• Security on message processing.
• Security on base station.
• Security on key generation.
• Security on data center.

The security on message processing is based on different checks (refer to Fig. 2.4) performed on the message during the uplink trip, which can be summarised in three main components:

• Sequence number: consists of 12 bits, protects against replay attacks and is transmitted with every uplink frame [86].
• MAC verification: during the manufacturing process, each device is given a unique symmetrical authentication key.
• Message encryption: according to [64], message confidentiality is optional, with AES-128-bit encryption.

Note that, due to the short payload, encryption techniques such as asymmetric cryptography and elliptic curve algorithms won't be suitable for Sigfox applications [31].
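The uplink checks listed above can be expressed as a receiver-side routine. This Python sketch is an added illustration rather than Sigfox code; the truncated HMAC-SHA-256 tag, the acceptance window of 16 frames and the device ID and key are assumptions made for the example, while the 12-bit sequence number and the 12-byte payload limit come from the text.

```python
import hashlib
import hmac

SEQ_MOD = 1 << 12     # 12-bit sequence number (from the text)
MAX_PAYLOAD = 12      # uplink payload limit in bytes (from the text)
WINDOW = 16           # assumption: largest forward jump tolerated for lost frames
TAG_LEN = 4           # assumption: truncated tag length used in this sketch


def make_tag(key, device_id, seq, payload):
    # Stand-in MAC (assumption): binds device ID, sequence number and payload.
    msg = device_id + seq.to_bytes(2, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class UplinkVerifier:
    def __init__(self):
        self.devices = {}   # device_id -> {"key": bytes, "last_seq": int}

    def register(self, device_id, key, last_seq=0):
        self.devices[device_id] = {"key": key, "last_seq": last_seq}

    def check(self, device_id, seq, payload, tag):
        dev = self.devices.get(device_id)
        if dev is None:
            return "reject: unknown device"
        if len(payload) > MAX_PAYLOAD or not 0 <= seq < SEQ_MOD:
            return "reject: malformed frame"
        expected = make_tag(dev["key"], device_id, seq, payload)
        if not hmac.compare_digest(expected, tag):
            return "reject: bad MAC"
        # A 12-bit counter wraps after 4096 frames, so freshness is judged on
        # the modular distance from the last accepted value, inside a small window.
        ahead = (seq - dev["last_seq"]) % SEQ_MOD
        if not 1 <= ahead <= WINDOW:
            return "reject: sequence number not fresh"
        dev["last_seq"] = seq        # state advances only for accepted frames
        return "accept"


def run_sample():
    key = bytes(range(16))                   # constructed key, not a real credential
    dev = bytes.fromhex("00a1b2c3")          # constructed device ID
    verifier = UplinkVerifier()
    verifier.register(dev, key, last_seq=4094)
    first = (dev, 4095, b"\x01\x17", make_tag(key, dev, 4095, b"\x01\x17"))
    wrapped = (dev, 0, b"\x01\x18", make_tag(key, dev, 0, b"\x01\x18"))
    altered = (dev, 1, b"\xff\xff", make_tag(key, dev, 1, b"\x01\x19"))
    return [
        verifier.check(*first),      # next counter value
        verifier.check(*wrapped),    # counter wrapped from 4095 to 0
        verifier.check(*first),      # same frame presented a second time
        verifier.check(*altered),    # payload changed after the tag was computed
    ]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```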

2.2.4 Security Considerations

LPWAN, owing to its limitations as a network of low-power and low-computational-power devices, has to satisfy various security measures to shield itself from the inherent vulnerabilities and threats to which LPWAN devices are largely prone. Although protocols such as LoRaWAN are enabled by low-power chirp-spread spectrum (CSS), which is difficult to intercept, LPWAN can be exposed to unrestricted domains and can support only lightweight approaches; there is therefore an inherent need to provide at least a few of the common security prerequisites to render a secure end-to-end communication channel.

Below are a few security considerations that an LPWAN network needs to adhere to:

2.2.4.1 Confidentiality and Privacy [1]

The data transmitted through LPWANs need to be kept confidential so that external entities are not able to interpret and decipher them. Passive attacks such as eavesdropping establish a connection to an LPWAN node to gain unauthorized access to the data. This is particularly undesirable when dealing with mission-critical applications. Encryption plays a notable role in providing confidentiality to LPWANs.

2.2.4.2 Integrity [2]

The network also needs to make sure that the data transmitted from the source is identical, consistent and commensurate to the data that is being received at the intended destination. The adversaries can alter or manipulate the data thereby compromising the reliability of the network. Lapses in integrity can also be due to faulty communication signals or due to the ability of an attacker to masquerade and drop the data packets transmitted across the network. Attacks such as Wormhole or Blackhole tend to drop data packets to be received by a node or move them to a different node other than the intended node.

2.2.4.3 Authentication [38]

New devices/users that are supposed to be connected to the network need to be authenticated so that access is denied to unauthorised devices. LPWAN devices should also be capable of mutual authentication with external gateways. It should also be noted that a typical LPWAN device is not equipped with adequate authentication measures. The most notable authentication measures in LPWAN use secure hashing protocols such as SHA-3 and Public Key Infrastructures (PKI).

2.2.4.4 Availability [1]

The devices that are supposed to relay or receive the data that is transmitted through the layers of an LPWAN are required to be functional and accessible at every instance during the communication packet relay, to avoid the loss or corruption of data. Availability also ensures there are minimal bottlenecks in the network.

2.3 Security Vulnerabilities and Threats

Considering the wireless nature and the architecture of LPWAN devices in general, as the network scales, it can get increasingly difficult for the devices to be devoid of any vulnerabilities. Constraints in size, computational resources and the location of deployment can potentially expose the network to both physical and software threats, which can be exploited by adversaries. The vulnerability categories are as follows:

2.3.1 Physical Altercations

The perception layer includes LPWAN devices which are vulnerable to environmental changes and physical attacks from an adversary. Below are a couple of vulnerabilities that an adversary can exploit in an LPWAN.

2.3.1.1 Node Tampering

When an adversary gains access to an end node, they possess the ability to alter the device firmware, disrupt the functioning of the node and gather confidential information about the device and the network [1]. The attacker can enable spoofing attacks to gain access to, or information about, the neighbour nodes and can also forge the data, resulting in loss of data integrity. Tampering also enables the attacker to capture the network keys, which can have a cascading effect on the network. LPWANs traditionally possess an extra encryption layer to counter device tampering.

2.3.1.2 Node Deletion and Injection

The attacker completely removes a legitimate node from the network, which eventually causes disruption in the information flow and segregation in the network [86]. On the other hand, node injection can enable the attacker to propagate fabricated information. In particular, it might result in the unavailability of the compromised node (to the other nodes) or loss of integrity. Node injection would also enable the attacker to launch further attacks on the neighboring nodes, making it more dangerous than the node deletion attack.

2.3.1.3 Jamming

Jamming an LPWAN device is considerably easy to achieve due to the fact that the devices, which can transmit the same radio frequencies as an LPWAN device, are readily available off the shelf. Transmitting a wide-band signal which can overpower the LPWAN frequencies can enable a Jamming attack [20]. Jamming can easily be detected by discerning the network behavior. However, selective Jamming is challenging to identify. Aside from completely jamming the node, the attacker can also induce an RF interference to the node, impeding its operation.

2.3.2 Resource Constraints

Aside from a basic level of end-to-end encryption techniques such as AES-128, most intrusion detection or prevention techniques tend to impart excess overhead on an LPWAN network, increasing the end-to-end delay and thereby resulting in loss of packets. This is a potential vulnerability that adversaries tend to exploit, resulting in depletion of network resources [64] and making the network unstable. Attacks such as Denial of Service (DoS) tend to exploit such vulnerabilities and try to deplete the network of its resources.

2.3.3 Software Vulnerabilities

2.3.3.1 Attacks

Despite the defense and monitoring mechanisms set in place, LPWANs are prone to a variety of attacks. The attacker can exploit each of the vulnerabilities noted and can devise various attacks to hinder or alter the functioning of the network. Also, various layers of the LPWAN stack are prone to different attacks. As mentioned earlier, the perception layer is prone to attacks such as Jamming, which is enabled by transmitting multiple parallel signals which can overpower the original signal. Apart from the mentioned attacks, attacks such as replay [60], DoS [70], wormhole [20], the Man in the Middle (MitM) [85], spoofing and ack spoofing [10] tend to deplete the network resources and sometimes compromise the network integrity. Passive attacks such as eavesdropping compromise the data confidentiality.

2.3.3.2 Key Management

Key management is the vulnerability that most adversaries try to exploit, which can allow the attacker to enforce various attacks on the network [46]. Keys both at the network layer and the application layer (e.g. in LoRaWAN the NwkSKey and AppSKey for the network and application layers, respectively) can be compromised, enabling the attacker to access IoT gateways and servers. The most common misuse of this vulnerability stems from the fact that LPWAN source code is open access and is not replaced before deployment. Generation of easy-to-hack keys can also lead to the attacker gaining access to the network. Metadata related to the key generation, or data as such, can allow the malicious entity to easily gain access to the data transmitted. Further, it is sometimes difficult to update the keys due to factors such as node location, hard-coded keys and lack of ability to obtain over-the-air updates.

2.3.3.3 Cryptographic Primitives

LPWAN technologies such as LoRaWAN provide end-to-end encryption. However, most of the encryption standards used in LPWAN, such as the Advanced Encryption Standard (AES), are not suitable for low power devices [20]. In spite of this fact, LPWAN has a two-layered security architecture, where the network security layer authenticates the node and the application security layer authenticates the user [41]. This makes providing services such as Authentication and Integrity challenging in an LPWAN environment. Therefore, it is imperative that more encryption techniques suitable for low powered devices, such as those in LPWAN, be researched.

2.3.4 Network-Based Vulnerabilities

2.3.4.1 Open Environment

LPWANs are not always deployed in a secure environment. Therefore, the geo-location of the node can result in physical node tampering or key storage access. The attacker can destroy or alter the functioning of the node, making it unstable or unusable, and this potentially levies extra overhead on the other nodes, thereby creating bottlenecks. Creating a collaborative environment among the nodes, such that they can detect any anomalies in the neighbor nodes, is a possible way to counter such malicious actors. Some IDSs [4] can help detect such malicious intent by monitoring the data transmitted through the nodes to the gateway.

2.3.4.2 Untrusted Middleware (Gateways) [1]

LPWAN nodes relay their data to the gateway, which aggregates and processes it to send it over to the server. Therefore, a compromised gateway leads to loss of data confidentiality for all the nodes in the network that are connected to the compromised gateway. Furthermore, it can also result in relaying falsified data to the server, rendering modified data from the LPWAN.


Fig. 2.5 Security vulnerabilities in LPWAN

2.3.5 Summary of Vulnerabilities

LPWAN, owing to its limitations, is not immune to various attack vectors imposed by an adversary. As mentioned earlier, most of the attacks on LPWAN tend to deplete the resources and make the network dysfunctional. Fig. 2.5 summarizes the vulnerabilities of an LPWAN that can be exploited by a malicious node or agent. These vulnerabilities range from the perception layer to the application layer. Physical node alterations such as node tampering have the ability to compromise the authentication keys, thereby exposing all the nodes in the network. Depleting a resource of an intermediate node can affect the network as a whole, causing more end-to-end delay or packet loss. Software vulnerabilities such as key management and outdated cryptographic techniques enable the adversaries to penetrate the network. Inadequate security measures at the network gateways and unauthorized network devices provide access to the network and expose the data to external entities.

2.4 Intrusion Detection in LPWAN

In this section, we will present a state-of-the-art literature review dealing with IDS for LPWANs. Although we are noticing an increasing number of available datasets for IoT IDS studies, the amount of work conducted on IDS in LPWAN environments is still very limited. This could be due to the limited datasets available, whether private or public, to test the performance of the corresponding IDS. The IDSs will be divided based on the network configuration, by listing each work under its corresponding subgroup of LPWAN (Sigfox, LoRaWAN, etc.).

2.4.1 Sigfox Based Networks

Le Bars and Kalogeratos [49] established a probabilistic approach for detecting node-level anomalies, focusing on traffic abnormalities at the node level. At the node level, activity is depicted as a clique stream, with each different event represented as a binary fingerprint. The communication volume is given a node anomaly score, which is used to detect any divergence from typical behavior. The authors provided a public data set which contains data spanning from the beginning of January 2017 till the end of May 2017. The complete training part of the dataset contains 35,457 rows and 34 columns. The columns represent the base stations, with 0 or 1 showing whether the message was received by the corresponding base station or not.

In another work, Franzin et al. [30] presented a framework for anomaly detection called Phileas. Several outlier detection techniques, such as rule-based and time series analyses, clustering-based algorithms, and auto-encoders, were implemented. While auto-encoders are used to trace lost packets, the time stamp of each message and its related Received Signal Strength Indicator (RSSI) are utilized to identify devices that exhibit unusual behavior. The data set used in their investigation comprises around 2.6 million packets obtained from 500 devices over the course of a year.

2.4.2 LoRa Based Networks

Danish et al. [22] presented an experimental testbed for the LoRaWAN join procedure and launched a jamming attack on it. They proposed a LoRaWAN-based Intrusion Detection System (LIDS) using two different schemes: Kullback Leibler Divergence (KLD) based LIDS and Hamming distance (HD) based LIDS. The detection rate of the KLD-based LIDS outperformed that of the HD-based LIDS. The authors generated their own dataset, collected from a hardware testbed in which an Arduino with a LoRa mbed shield is used as the LoRa end node, a Raspberry Pi as a gateway, and a laptop as the network server.

Yakin et al. [91] implemented an anomaly-based IDS and network monitoring system called NeMo-IoT (Network Monitoring for IoT). They used the AggreGate platform by Tibbo Systems, PostgreSQL, NoSQL and round-robin databases. A one-class support vector machine was also implemented for anomaly detection. The implemented system was tested on a real network for quality-of-service monitoring and intrusion detection (for jamming and self-replay attacks).


2.4.3 NB-IoT Based Networks

Savic et al. [79] proposed an architecture that integrates an anomaly detection module using auto-encoders at the IoT devices (ADM-EDGE) and at the mobile core network (ADM-FOG). Due to the computational, storage, and memory limitations of the edge node devices, the auto-encoders are trained offline and the inference engine is directly integrated into the device firmware. The authors generated two real-world datasets, which are available to the public, to evaluate the performance of ADM-EDGE and ADM-FOG. The first dataset contains 12,678 data points and is used to train both schemes, while the second dataset contains 571 data points with 42 intentionally caused anomalous events. A small portion of the training part of the dataset [79].

Santos et al. [77] revealed a means to improve security for IoT devices via the cellular network through their proposed solution and proof-of-concept. It will be possible to secure connected devices by using authentication and authorization procedures in both the application and network layers if an identity management system and an identity federation are employed. In line with this, they have a machine learning platform that does anomaly detection analysis on data flow, allowing them to reduce the impact of an attack or exploit by combining the efforts of both systems to isolate infected devices.

In another work, Santos et al. [78] introduced and compared various machine learning techniques for anomaly detection in the context of cellular IoT. The performance of five supervised machine learning algorithms, namely KNN, Naive Bayes, Decision Tree, and Logistic Regression, is analyzed. This work is an extension of their previous work presented in [77].

2.4.4 Multiple Platforms (More than One Network Architecture)

Gresaka et al. [34] concentrated on detecting end-device movement in a network using qualitative radio metrics such as the Received Signal Strength Indicator (RSSI). The authors worked on two LPWANs: LoRaWAN, and a Sigfox solution operated by SimpleCell Networks in the Czech Republic. They used the testbed on the campus network to simulate the attacker's behavior. Users should be safeguarded from bogus sensor assaults (Replay attacks) while maintaining their current connection status.

A security architecture for IoT and fog computing networks was proposed by Soukup et al. [82]. All components of the authors' architecture can be implemented on a single network node or distributed over several nodes, allowing for easy scaling. A software IoT gateway is included in their system, which allows them to examine traffic from non-IP IoT sensors. Because it includes collectors, detectors, and administration tools, this framework offers a full-stack security solution. It consists entirely of software components that have no connection to any particular physical device. Their detectors are capable of detecting vulnerabilities in Z-Wave, LoRaWAN, BLE, and IP-based IoT protocols.

Table 2.1 summarizes IDSs for LPWAN in a comparative way:

Table 2.1 Comparison of IDSs for LPWAN

| Ref. | Dataset URL | Algorithm(s) used for detection | Publication date |
|---|---|---|---|
| [49] | ✓ (a) | Non-parametric regression, and Random Forest regressor | 2019 |
| [30] | | Rule-based and time series analyses, clustering-based algorithms, and autoencoders | 2020 |
| [22] | ✗ | KLD and HD | 2018 |
| [91] | ✗ | One-class support vector machine | 2021 |
| [79] | ✓ (b) | Auto-encoders | 2021 |
| [77] | ✗ | k-NN, uCBLOF, S-H-ESD | 2020 |
| [78] | ✗ | K-NN, SVM, Naïve-Bayes, Decision Tree, and Logistic Regression | 2021 |
| [34] | | Simple statistics for the Variation of the RSSI | 2019 |
| [82] | ✓ (c) | RF and LoF | 2019 |

[Dataset (Public/Private) marks and the row alignment of the Performance metrics column are not recoverable. Performance metrics entries in their original order: ROC; N/A; ROC; N/A; Precision, Recall, and F1-Score; N/A; N/A; F1 score, and Accuracy.]

URLs:
(a) https://kalogeratos.com/psite/material/the-sigfox-iot-dataset/
(b) https://zenodo.org/record/4686782#.YgT_uN9BxPY
(c) https://github.com/CESNET/NEMEA-SIoT/tree/master/datasets

2.5 Intrusion Prevention Systems for LPWANs

In this section, we study different schemes and techniques proposed by researchers to help secure the communication process in LPWANs. The prominent technique adopted by Intrusion Prevention Systems is based on using ciphered messaging, which makes it hard for intruders to gain knowledge, thereby preventing distortions during the data exchange between the network nodes and servers. Several techniques have been proposed based on their location in the network hierarchy (layers), functionality, and complexity. The investigated literature is separated into 3 subsections based on the network technology being used:


2.5.1 LoRaWAN

Yang et al. [92] investigated the key generation security under small-scale and large-scale fading conditions. Indoor and outdoor experiments were conducted on a commercial off-the-shelf LoRa-based key generation testbed. They proposed a high-pass filtering-based countermeasure for the colluding-eavesdropping attack, as the impact of large-scale fading variation continues for long periods of time. The authors also verified that the RSSI sequences generated in a channel with large-scale fading variation are more foreseeable than those generated without large-scale fading variation, leading to more secret keys being compromised.

A key generation scheme based on the Rabbit PRNG is proposed by Chen et al. [21] as a substitute for the recommended AES algorithm in LoRaWAN v.1.1, on account of its better computing efficiency. The authors proposed a complete key management scheme that includes key updating, key generation, key backup, and key backward compatibility.

A dual key-based activation scheme is proposed by Kim and Song [47], which uses NwkKey and AppKey to perform the initial join procedure. Session keys, which are created in the previous join procedure, are used for the second join procedure. The original and the proposed schemes were compared in real-world experiments.

A key management protocol for LoRaWAN networks that can support session key updates and defend against key attacks is proposed by Abdel Hakeem et al. [35]. One master secret key is used to generate n secret keys using a one-way hash function h(.). In contrast to LoRaWAN, which is vulnerable to key compromising assaults, salt encryption is supported for the produced hashed keys to protect them against physical attacks. This study offered two key management protocol case studies: one enabling stronger security while consuming less power, and the other supporting extremely low power consumption.

Danish et al. [23] proposed a two-factor authentication mechanism for the LoRaWAN join procedure to enhance authentication security based on blockchain technology. The proposed scheme integrates the standard authentication of the join procedure with a blockchain-based authentication. The blockchain is an independent network which works in parallel with the LoRaWAN network. The proposed scheme is simulated using the Ethereum blockchain and a Python client.

A key generation scheme using information theoretic techniques for the physical layer is proposed by Gao et al. [32]. According to the authors, this scheme can operate at all data rate settings, featuring a model-based key generation method. An optimal window size was derived to calculate the parameters of the channel model with the random way point (RWP) mobility model.

The security of LoRaWAN 1.1 is examined by Han and Wang [36], and a root key update technique is proposed to improve LoRaWAN security. According to the authors, simulation shows that the suggested root key update strategy consumes fewer computer resources than other key derivation schemes, including the scheme utilized in the LoRaWAN session key update. The results also reveal that the key generated in the proposed technique has a high degree of randomness, which is a necessary feature for a security key.


An enhanced LoRaWAN security protocol was proposed by You et al. [93]. It has two options: the Default Option (DO) and the Security-Enhanced Option (SEO). The second option is used to stop a malicious network server from breaching the end-to-end secured communications between a device and its application server. A case study based on a smart factory-enabled parking system was used for secure and efficient parking management in smart cities. According to the authors, the proposed protocol showed significant improvements and better performance in comparison with other security protocols, namely Datagram Transport Layer Security-Pre-Shared Key (DTLS-PSK) and Datagram Transport Layer Security-Elliptic Curve Cryptography (DTLS-ECC).

The suitability of authenticated preambles to cope with exhaustion attacks in LoRaWAN networks is studied by Suciu et al. [83]. The impact of DoS attacks in Class B deployments is analyzed, and authentication preambles are implemented to reduce the attacker's capability to drain the batteries of the sensor nodes. An energy consumption overhead of less than 4% in operational networks was achieved using a short 4-byte preamble.

The work of Kaven et al. [45] describes a method for extending the LoRaWAN architecture by adding a second phase of direct communication between end nodes to improve network security. This is achieved by providing an additional LoRa mesh phase for LoRaWAN. The increased security is accomplished by extending the authenticity of the nodes' identities through their location, using a proof-of-location technique. This means that, based on this technique, the position of a node inside the network is treated as an attribute of its identity. This allows RSSI-based localization to confirm the position of a LoRa end-device.

Tsai et al. [87] proposed a secured communication scheme called the Secure Low Power Communication (SeLPC) method, to further reduce end-device data encryption power by reducing the encryption cycles of AES. The authors derived an encryption key that generates the corresponding dynamic box (D-Box) to substitute for the primary substitution box (S-Box), which highly boosts the security of the AES.

Aras et al. [8] proposed an IoT MAC protocol called CRAM. It uses cryptographic frequency hopping to mitigate selective jamming attacks and make efficient use of all available frequency space. The frequency selection approach of CRAM is an extension of the standard AES128-CTR encryption scheme which is used in LoRa communication. Multiple experiments were performed using a large physical testbed consisting of 1000 nodes to evaluate the performance of CRAM. The authors report major performance improvement compared to the conventional LoRaMAC, with negligible memory and energy overhead.

Milani and Chatzigiannakis [56] proposed a secure method to refresh the root keys which can be performed at any time during the operation of an LPWAN. This scheme uses Elliptic Curve Cryptography to enable the secure exchange of the new root keys. This scheme was tested under different attacks such as the MitM and Replay attacks. Although the proposed method performed well against the previous attacks, it is still vulnerable to a Replay Attack jointly performed with a selective RF jamming attack.


Durand et al. [25] used the LoRa protocol to create a fully decentralized lowpower wide-area network (LPWAN) infrastructure for the Internet of Things (IoT). They propose a trust-less paradigm in which network servers are resolved with the help of a blockchain application. A novel security model is developed that uses digital signatures to add non-repudiation. Finally, the effect of this model on message size and energy consumption is investigated. For secure LPWAN communication, Han et al. [37] implemented a distributed and lightweight physical layer key generation system. To produce the first key sequences, they used an adaptive lossy quantizer and the level-crossing technique. Based on the original technique, they improved the Cascade algorithm and effectively reduced the amount of information contacts. A secure architecture for the key management mechanism in LoRaWAN networks based on a permissioned blockchain network is presented by Ribeiro et al. [69]. A smart contract is responsible for key management in the LoRaWAN environment which enables a secure and distributed storage. This paradigm ensures high availability for the security keys that are used in the authentication of enddevices. Sanchez-Iborra et al. [76] presented a lightweight and authenticated key management approach. The suggested approach is based on the Ephemeral Diffie Hellman Over COSE (EDHOC) protocol and is defined as a practical solution because to its flexibility in session key updates, low computational cost, and restricted message exchanges. A wireless key generation method designed specifically for LoRa and LoRaWAN Class A devices is proposed by Ruotsalainen et al. [72]. Passive eavesdropper model to verify the security of the secret key generation model is used in this experiment. The achievable AES128 key refreshment periods for different eavesdropper key disagreement rates are studied. 
Extensive experiments on scenarios such as: deep in-building penetration and line-of-sight outdoor communication up to 7 km were tested. Navarro-Ortiz et al. [61] proposed a low-cost solution to improve hardware security in LoRaWAN by using Universal Subscriber Identity Module (USIM) cards as cheap cryptographic chips. They proposed using the 128-bit ciphering and integrity keys CK and IK as the LoRaWAN application and network session keys (AppSKey and NwkSKey). A signaling procedure between the LoRaWAN end-nodes and the application server based on the 3GPP Authentication and Key Agreement (AKA) is used in this scheme. An intuition based on the difficulty to separate between well-synchronized jamming chirp and a legitimate LoRa chirp in the time domain led Hou et al. [40] to propose a novel countermeasure, which controls the difference between the received signal strength of legitimate chirps and jamming chirps in the power domain. The experiments conducted using COTS LoRa nodes and software defined radios. A secret key generation scheme is proposed by Junejo et al. [43] for LoRaWAN networks named LoRa-LiSK. This scheme is composed of several pre-processing techniques: timestamp matching, two sample Kolmogorov Smirnov tests, and a Savitzky-Golay filter, multi-level quantization, information reconciliation using

58

A. Amouri et al.

Bose–Chaudhuri–Hocquenghem (BCH) codes, and privacy amplification using secure hash algorithm SHA-2. Their scheme is tested on real-world practical cases, with four end devices covering indoor-to-outdoor, and long-range outdoor configurations. Mayer [53] proposed a theoretical and practical IoT design based on the LoRaWAN protocol and the Hyperledger Fabric network. The former describes a low-power, secure end-node network, while the latter provides a secure, unassailable sequential data ledger with permission controls. Tsai et al. [88] proposed a low power consumed AES encryption architecture. Their scheme named Low-Power AES Data Encryption Architecture (LPADA). Three low-power design techniques are implemented in the LPADA: low-power CAM for SBox, power gating to gate the functional blocks’ supply voltages, and power management to control the functional blocks’ power states. Verilog HDL is utilized to implement the AES circuit which is then synthesized with Synopsys Design Complier and Synopsys 32 nm cell library. Thomas et al. [85] proposed a mitigation technique against the MitM attack using a Galois Counter Mode (GCM) cryptographic algorithm implementation. In this work, a modified cryptographic counter mode algorithm is implemented instead of the normal Counter (CTR) mode of encryption of data used in LoRaWAN module. Within LoRaWAN, Weinand et al. [6] proposed the use of PHYSEC-based key management. In comparison to traditional key management methods, the experimental results demonstrate that it can be a promising way for enabling key management at a low cost in terms of energy usage and complexity, according to the authors. Na et al. [60] proposed a XOR operation used to mask the join-request packet with a unique token. As a result, even if an attacker intercepts join-request packets, they cannot be used since they are masked with various tokens. The preceding NetSKey is used to produce tokens. 
However, in circumstances where the end node forgets the previous NetSKey owing to a reset or other event, such a method is still susceptible. Raad et al. [66] proposed adding a second encryption layer utilizing a new adaptive elliptic curve cryptography approach, as well as a digital signature on the encrypted data. To combat security concerns such as livestock moving out of the LPWAN range or the device battery not being sufficiently charged to complete the update procedure, Heeger et al. [39] suggested a secure and reliable firmware updating mechanism that is applicable to any mobile or energy-constrained LoRa device using Adaptive Data Rate (ADR) techniques. To test the proposed system’s performance and security properties, it is first simulated and then implemented. McPherson and Irvine [54] showed how to make LoRaWAN device deployment and re-keying easier by using a smartphone’s camera flash to send the necessary credentials. According to the authors, smartphones were chosen as the transfer mechanism because they are plentiful and powerful enough to generate and transfer safe keys. Smartphones and light also eliminate the requirement for a laptop, a cable connection, and programming software, allowing devices to be provisioned in the field without calibration or specialized gear. A session key generation method is proposed by Tsai et al. [89]. The goal is to generate session keys with which a pair of servers can securely communicate with each other. The session keys for different pairs of servers are created by integrating elliptic curve cryptography and AES-128. The LoRaWAN Server Session Key Generation (S2KG) method is deployed to secure the communications among different LoRaWAN servers. Danish et al. [24] proposed a blockchain-based distributed framework for the LoRaWAN join procedure, to establish a secure and reliable authentication system for LoRaWAN networks. A scalable and easy-to-manage authentication system for the LoRaWAN join procedure, supported by a PoC prototype, is proposed. Pospisil et al. [65] proposed a design of an SDR and GNU Radio-based testbed for assessing and experimenting with on-air security in LoRaWAN. The authors showed that the developed testbed enables practical experiments on on-air security in real-life conditions by implementing two man-in-the-middle attacks: the replay attack and the bit-flipping attack. This was achieved by intercepting the over-the-air activation procedure with an attacker device external to the network. Aras et al. [7] proposed a solution to mitigate the threats of selective jamming and contention in a higher-density LoRaWAN network through secure random frequency selection on end devices. This is achieved by implementing a cryptographic frequency hopping technique to select from N possible evenly optimized channels in the available frequency spectrum. Ruotsalainen and Grebeniuk [71] inspected the effects of LoRa setup on the key generation performance. They presented the utilization of the LoRa modulation technique in wireless key agreement.
The authors applied key generation with the LoRaWAN specification and carried out extensive experiments across scenarios and environments such as symmetric/asymmetric payloads, LoRa parameters (SF and the bandwidth of the LoRa modem), deep in-building penetration, static indoor, static outdoor, and eavesdropper statistics. Noura et al. [63] proposed systematic countermeasures against two well-known Activation by Personalization (ABP) attacks, namely eavesdropping and replay. The proposed solution is based on a dynamic key derivation scheme. The authors presented two variants of dynamic key derivation: counter-based and channel information-based. Based on a set of security and performance tests, the proposed countermeasures have a low overhead in terms of computation and communication resources while also providing a high level of security. Mårlind and Butun [52] proposed a new process for assigning root keys to the devices in LoRaWAN by using Public Key Cryptography (PKC). This process is used to propose a new activation method called Public Key Over the Air Activation (PK-OTAA). The feasibility of the proposed method is also evaluated scientifically via experiments. The new activation method allows a device to get the root keys dynamically and for them to be replaced at will. However, PKC requires longer keys to get equivalent cryptographic strength to a symmetric encryption scheme. This increased key size in turn requires more processing power to use, thus increasing battery consumption. The feasibility of the new method is evaluated based on the increase in power usage since Internet of Things (IoT) devices are usually battery powered. It has been shown that by sacrificing very small portion of the energy.
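
A sketch of keyed channel selection in the spirit of the cryptographic frequency hopping attributed to Aras et al. [7] above, added here as an example and not the authors' algorithm: the end device and the network derive the same channel for each uplink from a shared key, while an observer without the key does no better than chance. The key, device address, channel plan and the use of HMAC-SHA256 over the frame counter are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample values (assumptions; none come from Aras et al. [7]).
HOP_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEV_ADDR = bytes.fromhex("26011bda")
# EU868-style centre frequencies in Hz, used only as a sample channel plan.
CHANNELS_HZ = [868_100_000, 868_300_000, 868_500_000, 867_100_000,
               867_300_000, 867_500_000, 867_700_000, 867_900_000]


def channel_index(key, dev_addr, frame_counter, n_channels):
    """Map (key, device address, frame counter) to an index in [0, n_channels)."""
    if n_channels < 1:
        raise ValueError("need at least one channel")
    # `limit` is the largest multiple of n_channels that fits in 32 bits.
    # Values at or above it are rejected, so no index is favoured when
    # n_channels does not divide 2**32 (no modulo bias).
    limit = (2**32 // n_channels) * n_channels
    block = 0
    while True:
        msg = dev_addr + frame_counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        for offset in range(0, len(digest), 4):
            value = int.from_bytes(digest[offset:offset + 4], "big")
            if value < limit:
                return value % n_channels
        block += 1  # all eight candidates rejected (very unlikely): derive more


def hop_sequence(key, dev_addr, first_counter, count, channels):
    """Frequencies for `count` consecutive uplinks, starting at first_counter."""
    return [channels[channel_index(key, dev_addr, fc, len(channels))]
            for fc in range(first_counter, first_counter + count)]


def predictor_hit_rate(sequence):
    """Share of hops guessed by an observer betting on the most-used channel so far."""
    seen = Counter()
    hits = 0
    for freq in sequence:
        if seen and seen.most_common(1)[0][0] == freq:
            hits += 1
        seen[freq] += 1
    return hits / max(len(sequence) - 1, 1)


if __name__ == "__main__":
    device = hop_sequence(HOP_KEY, DEV_ADDR, 0, 8000, CHANNELS_HZ)
    network = hop_sequence(HOP_KEY, DEV_ADDR, 0, 8000, CHANNELS_HZ)
    print("device and network agree:", device == network)
    for freq, uses in sorted(Counter(device).items()):
        print(f"{freq / 1e6:.1f} MHz used {uses} times")
    rate = predictor_hit_rate(device)
    print(f"observer hit rate: {rate:.3f} (chance is {1 / len(CHANNELS_HZ):.3f})")
```

Because the channel depends only on the key, the device address and the frame counter, the two ends stay aligned across lost uplinks without exchanging any hopping state.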

2.5.2 Sigfox

Fujdiak et al. [31] examined the performance, security, and cost of three cryptographic encryption systems (AES, ChaCha, and OTP) in an end-to-end Sigfox network. The authors inspected the aforementioned encryption technologies and measured their energy consumption in a real-world setting. Takehisa et al. [84] presented a CMAC for the Sigfox network based on the lightweight block cipher Piccolo. They claim that their approach would be a good security solution for IoT devices with minimal resources that use the Sigfox network. Piccolo-CMAC is implemented by encrypting messages with Piccolo-80 without utilizing any additional resources. Ferreira [28] showed two new Sigfox-based attacks as well as a weakness in the encryption method. The attacks are MAC tag forgery and frame replay; the proposed countermeasures are the use of CMAC mode for the first vulnerability and an extended (implicit) message counter for the second. Alizadeh and Bidgoly [3] proposed a novel deep learning-based mechanism for key re-synchronization. Deep learning, based on a Deep Neural Network (DNN), is used to study message patterns and determine whether or not a message has been decrypted incorrectly. This model is then used to find the correct key to decode messages. The proposed solution allows two parties to keep track of their key sequence without adding any additional payload overhead.
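
The extended (implicit) message counter named above as Ferreira's [28] countermeasure to frame replay, as an added sketch that is not code from the paper or from Sigfox: the tag covers a full counter that both ends track while only its low bits travel in the frame, so a frame recorded before the on-air counter wraps no longer verifies afterwards. The frame layout, the 12-bit on-air counter, the 4-byte tag and HMAC-SHA256 standing in for the CMAC are assumptions made for the illustration.

```python
import hashlib
import hmac

SEQ_BITS = 12                 # assumed width of the counter sent in each frame
SEQ_MOD = 1 << SEQ_BITS
TAG_LEN = 4                   # assumed length of the truncated tag, in bytes
KEY = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")  # constructed sample key


def _tag(key, counter_value, payload):
    # HMAC-SHA256 stands in here for the CMAC a constrained device would use.
    msg = counter_value.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key, full_counter, payload, extended):
    """Hypothetical frame layout: 2-byte truncated counter | payload | tag.

    extended=False: the tag covers only the truncated counter that is sent.
    extended=True:  the tag covers the full counter, which is never sent.
    """
    seq = full_counter % SEQ_MOD
    covered = full_counter if extended else seq
    return seq.to_bytes(2, "big") + payload + _tag(key, covered, payload)


def _split(frame):
    """Return (seq, payload, tag), or None for a malformed frame."""
    if len(frame) < 2 + TAG_LEN:
        return None
    seq = int.from_bytes(frame[:2], "big")
    if seq >= SEQ_MOD:
        return None
    return seq, frame[2:-TAG_LEN], frame[-TAG_LEN:]


class TruncatedCounterReceiver:
    """Baseline: freshness is judged on the on-air counter alone."""

    def __init__(self, key):
        self.key = key
        self.last_seq = None

    def accept(self, frame):
        parts = _split(frame)
        if parts is None:
            return False
        seq, payload, tag = parts
        if not hmac.compare_digest(tag, _tag(self.key, seq, payload)):
            return False
        if seq == self.last_seq:      # only an immediate repeat is noticed
            return False
        self.last_seq = seq
        return True


class ExtendedCounterReceiver:
    """Tracks the full counter and verifies the tag against it."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        parts = _split(frame)
        if parts is None:
            return False
        seq, payload, tag = parts
        nxt = self.last_counter + 1
        # Smallest counter above the last accepted one whose low bits equal seq.
        candidate = nxt + (seq - nxt) % SEQ_MOD
        if not hmac.compare_digest(tag, _tag(self.key, candidate, payload)):
            return False
        self.last_counter = candidate
        return True


def replay_after_rollover(extended):
    """True if a frame recorded early is accepted again after the counter wraps."""
    rx = ExtendedCounterReceiver(KEY) if extended else TruncatedCounterReceiver(KEY)
    captured = None
    for counter in range(SEQ_MOD + 5):            # full counters 0 .. 4100
        payload = b"door=open" if counter == 5 else b"door=closed"
        frame = build_frame(KEY, counter, payload, extended)
        if counter == 5:
            captured = frame
        if not rx.accept(frame):
            raise RuntimeError("genuine frame rejected")
    return rx.accept(captured)


def survives_frame_loss(lost):
    """True if the extended receiver still accepts after `lost` missing frames."""
    rx = ExtendedCounterReceiver(KEY)
    rx.accept(build_frame(KEY, 10, b"t=21.5", True))
    return rx.accept(build_frame(KEY, 10 + lost + 1, b"t=21.7", True))


if __name__ == "__main__":
    print("replay accepted, truncated counter:", replay_after_rollover(False))
    print("replay accepted, extended counter: ", replay_after_rollover(True))
    print("accepts after 3000 lost frames:    ", survives_frame_loss(3000))
```

The reconstruction tolerates any run of lost frames shorter than one counter period; after a longer gap the receiver derives the wrong full counter and the two ends have to resynchronise.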

2.5.3 NB-IoT

Van Noort and Kerssens [90] used AES-GCM and AES-CMAC to implement end-to-end security measures on top of LoRa and NB-IoT in the application layer. They also investigated how their security enhancements affected the latency between the IoT sensors and the monitoring platform. Cao et al. [18] offer a rapid mutual authentication and data transfer system for massive NB-IoT devices. Their proposed protocol unifies the access authentication and secure data transmission processes, allowing them to simultaneously authenticate and transmit data from a collection of NB-IoT devices. According to the authors, this technique may not only considerably simplify the authentication process and reduce network traffic, but it can also provide powerful security protection, such as user anonymity and non-repudiation. Cao et al. [19] present a quantum-resistant access authentication and data distribution mechanism for large-scale NB-IoT devices. Based on lattice-based homomorphic encryption technology, the scheme can provide access authentication and data transfer for a group of NB-IoT devices at the same time. According to the authors, this system not only reduces network load but also provides excellent security, such as privacy protection and resistance to quantum attacks. Sanchez-Gomez et al. [75] proposed adapting lightweight bootstrapping methods for restricted IoT devices to provide a secondary authentication feature of 5G. To provide high flexibility and scalability in the bootstrapping process, this approach combines the adaptation and assessment of both PANA and LO-CoAP-EAP. They modified two EAP lower layers: (i) PANATIKI, an IETF-standard EAP lower layer, and (ii) LO-CoAP-EAP, a novel EAP lower layer built specifically for IoT that provides a high level of flexibility and scalability during the bootstrapping process. By introducing the domestic cryptographic algorithm, extending the existing key derivation structure of LTE, and combining the physical unclonable function, Liu et al. [51] designed a self-controllable NB-IoT application layer security architecture to ensure the generation of encryption keys between NB-IoT terminals and power grid business platforms. The authors also provided an end-to-end secret protocol based on a physical unclonable function and the secret algorithm SM3. Salva-Garcia et al. [73] proposed using Network Function Virtualization (NFV) Management and Orchestration (MANO) to automatically create virtual firewalls to safeguard NB-IoT mMTC communications. The fundamental concept is to use NFV to deal with effective rule distribution across VNF-based firewalls so that the number of controlled IoT devices can scale. Ren et al. [68] proposed a novel group authentication and data transmission technique for NB-IoT based on the physically unclonable function (PUF), in which the PUF output is seen as a shared root key to enable mutual authentication and key agreement.
A Group Leader is used in this approach to aggregate and relay authentication information, lowering the signaling and communication costs associated with activating attach request signals from a large number of devices. In addition, the new security model and the formal verification tool Scyther are used to assess the scheme’s security. A differential constellation shifting RF watermark scheme for NB-IoT systems is proposed by Huang and Zhang [42]. According to the authors, utilizing the differential constellation shifting architecture improves covertness and security, which has been proven by simulation findings. RF watermarking is used to conceal the signals, and the properties of NB-IoT networks, which allow for recurrent broadcasts of host signals, are taken advantage of to improve reliability. The differential watermarked symbol pairs, which are made up of host and watermark symbols, are then built using a certain watermarking strength. Escolar et al. [27] developed an enhanced software firewall based on the Open Virtual Switch (OVS) that may provide firewall functionality to 5G IoT devices. According to the authors, the proposed software firewall can greatly increase the number of rules in order to meet the 5G Key Performance Indicator of regulating 1 million IoT devices per square kilometer. This research yielded extensive experimental findings, demonstrating the appropriateness of the suggested design for such a high level of scalability.

Bortnik et al. [12] proposed integrating a low-bandwidth NB-IoT communication module with a hardware security element to provide secure cloud connectivity while lowering communication overhead and offloading computationally demanding security algorithms from the host MCU. In comparison to widely used RSA-based TLS implementations, they achieved a 60% reduction in communication overhead during the handshaking phase by implementing TLS (v1.3) with an ECC-based key exchange technique. By integrating the PUF onto the chip of the NB-IoT user equipment, Lin et al. [50] proposed a chip binding and anti-counterfeiting technique. They designed a secure communication protocol based on PUF to meet the low power requirements of NB-IoT. The protocol streamlines the distribution of secret keys and certificates when compared to the PKI process. According to the authors, the proposed protocol streamlines the key agreement procedure while maintaining a high level of security in comparison to the TLS protocol. Militano et al. [57] presented trust-based solutions for effective D2D-enhanced cooperative content uploading in NB-IoT cellular contexts. In order to reduce the impact of malicious nodes deleting or manipulating data packets in a cooperative multihop coalition, social awareness has been modeled to assess node dependability and appropriately weigh the recommendations exchanged for reputation definition. The findings revealed that by screening out rogue nodes, the social-based trusted solution ensures faster content uploading and lower energy usage. Zhang et al. [94] presented a certificate-less multi-party authenticated encryption technique for NB-IoT terminals in 5G networks. The suggested technique enables identity anonymity and non-repudiation in addition to multi-party authentication in the access authentication process. In their scheme, the operations of access authentication and data transmission are merged into one.

2.5.4 Generic LPWAN

Bidgoly and Bidgoly [11] proposed a novel chaining mode of encryption based on the introduction of a new module called Appropriate Key Finder (AKF), which can assign a unique key to each message using hash functions. According to the authors, this technique is able to deal with message drops during transmission without consuming any portion of its payload. Bui et al. [14] suggested multiple optimization solutions for the AES 32-b architecture in order to increase throughput while lowering area, power, and energy consumption. Their proposed AES implementation uses nearly as little energy as PRESENT, which is an extremely lightweight data encryption algorithm, making it a good option for future ultra-low power IoT applications. A physical layer-based lightweight and dynamic message authentication scheme is presented by Noura et al. [62]. The proposed scheme uses a dynamic key, based on a keyed hash function, that is produced from a secret session key and the random parameters of the physical channel. Meet-in-the-middle and birthday attacks were described but not tested on the proposed scheme. Kambou and Bouabdallah [44] proposed a novel and secure mobile authentication mechanism. It employs a two-factor method that is reinforced by the diversity of network channels and devices. In addition to the smartphone, their solution combines a One-Time Password (OTP) based technique with an IoT object as a secondary device. The network’s channel diversity is based on the utilization of one of the LPWANs in conjunction with LTE or WiFi networks. This approach is further enhanced by end-to-end encryption of the sensitive data being sent.

Table 2.2 summarizes IPSs for LPWAN in a tabular and comparative way, including prevention methods used, specific prevention against, type of the systematic verification along with the performance metrics:

Table 2.3 summarizes IPSs for LoRaWAN in a tabular and comparative way, including prevention methods used, specific prevention against, type of the systematic verification along with the performance metrics:

2.6 Challenges and Future Scope

As detailed previously, datasets related to LPWANs are scarce and difficult to find. This reflects the extent of research undertaken in this area and also restricts any future work on LPWAN.

Overview

Most of the work in LPWAN security has been centered around cryptography and key management. More importantly, there is considerably less work on Intrusion Detection Systems (IDSs) for LPWAN than on Intrusion Prevention Systems (IPSs). This may be due to the apprehension that IDSs for LPWAN need to be lightweight. Adapting approaches such as machine learning is challenging due to their need for extensive computational resources. The impending integration of LPWAN into last-mile technologies such as a 5G ecosystem can only be successful when a highly secure end-to-end communication system is in place.

General LPWAN

Sigfox

[3]

LPWAN technology General LPWAN

[14]

Ref. [11]

C

O

Prevention againsta N/A

Cipher Chaining key resynchronization using deep learning (DNN)

Optimization strategies for 32-b data path architecture for AES

Prevention method used Chaining Encryption Algorithm

A GPS sensor has been simulated in the Sigfox platform (specific hardware or software implementation has not been mentioned)

Type of the verification (PoC, testbed, software, simulation) STM32F100C4 microcontroller. In the transmitter node, this prototype is used as an interface between a home-made IoT device and the NRF24L01 transceiver Module. In the receiver node, the decryption algorithm is implemented on the server Proposed architecture implemented using VHDL, synthesized using Synopsys DC Compiler, and fully implemented using Cadence Innovus into the test chip SNACk using ST FDSOI 28-nm technology

Table 2.2 Comparison of IPSs for LPWAN technologies (other than LoRaWAN)

Leakage power at 10 MHz at different supply voltages at different corners. Dynamic power at 10 MHz at different supply voltages. Energy per bit of their AES implementation at typical corner at different working temperatures. Number of correct guessed key bytes (in 128-b key mode) by last round CPA attack Probability of resynchronization after N message loss in a row by KRM and AKRM. The average number of tries to resynchronize the cipher chaining. Number of correct consequence packet

Performance metrics Median of required clock numbers to find a sequence of keys. Ratio of correctly decryption of received packets in real scenarios with packet loss

2020

2017

Publication date 2019

General LPWAN

Sigfox

[62]

[31]

P, Q

M, N

Compares three selected cryptographic encryption solutions (AES, ChaCha and OTP)

Dynamic message authentication algorithm (keyed hash function) that makes use of a secret session key in addition to the random characteristics of the physical channel

Customized Arduino UNO board. The main parts are: 8-bit AVR CMOS microcontroller ATMEGA328P-PU (up to 0.1 .μA in sleep mode, max. 20 MHz), real time clock RTC—MCP7940N-I/P (Up to 1.4 .μA in sleep mode), temperature sensors DS18B20 (Up to 0.75 .μA in sleep mode), Sigfox node WISOL SFM10R1 (Up to 2 .μA sleep mode) open-source cryptography library for Arduino boards—Arduino Cryptography Library

MATLAB

Distribution of 1000 MAC values (1000 frames symbols) in complex representation using the proposed scheme for 256-QAM. The distribution of MAC values for CMAC variant (same frames but at the bit level). Variation of the entropy of MAC values versus its corresponding frame number using the proposed cipher. The Key Sensitivity (KS) and Plaintext Sensitivity (PS) values at the complex modulation symbols for 1000 input frames symbols Power consumption measurement for communication system with and without encryption. impact of different ciphers on power consumption of communication stack for 4/8/16 MHz CPU frequency

2018

2020

LPWAN general

NB-IoT

NB-IoT

[44]

[50]

[57]

Ref. [84]

LPWAN technology Sigfox

Table 2.2 (continued)

A,B.∗

N/A

N/A

Prevention againsta N/A

Solution combines a One-Time Password (OTP) based technique with an IoT object as a secondary device Chip binding and anti-counterfeiting technique by having the PUF integrated in the chip of the NB-IoT user equipment Trust-based solutions for effective D2D-enhanced cooperative content uploading in narrow-band IoT cellular environments: reliability and reputation notions to model the level of trust among devices engaged in an opportunistic hop-by-hop D2D-based content uploading scheme

Prevention method used A Cipher-based MAC (CMAC) using a lightweight cryptosystem called Piccolo (Piccolo 80)

MATLAB

Type of the verification (PoC, testbed, software, simulation) Client environment Device: Raspberry Pi 3 Model A+, OS: Raspberry Pi OS with desktop, Sigfox Breakout Board: BRKWS01, Sensor: HS-SR04, Web server environment Device: Amazon EC2 Instance: type t2. small Node openid-provider, node openid-client, WebRTC, and WebSocket, OpenId Connect and OAuth 2.0 No hardware or software mentioned. Just proposed scheme Impact of malicious nodes percentage on: (a) Uploading time gain, (b) Average energy gain, (c) Data loss

N/A

Power consumption

Performance metrics The execution time, The RAM utilization of the Arduino Uno

2017

2018

2019

Publication date 2021

NB-IoT

NB-IoT

NB-IoT

Sigfox

NB-IoT

NB-IoT

[94]

[18]

[19]

[28]

[75]

[51]

B

N/A

S, T

R

A, B, H

A, B, H

Physical unclonable function and state secret algorithm SM3

Quantum resistance access authentication and data distribution scheme, lattice-based homomorphic encryption technology The author proposes counter measures without verification method Lightweight authentication and key establishment

Certificate-less multi- party authenticated encryption scheme, where the processes of access authentication and data transmission are combined into one process Mutual authentication and data transfer scheme

Arduino-compatible SmartEverything FOX board by Arrow and an NB-IoT compatible radio module Quectel BG96 NB-IoT modem N/A

Sigfox back-end network

Scyther

Scyther

JPBC library

2019

2020

2021

2019

2018

2019

Communication Overhead, Storage Overhead, Long term key update, and Compatibility

Authentication process total run-time distribution. Total sum of authentication process messages and header sizes grouped by protocol

N/A

Signaling overhead, transmission overhead, total bandwidth overhead Signaling overhead, transmission overhead, total bandwidth overhead

Signaling overhead and signaling cost

LPWAN technology NB-IoT

NB-IoT

NB-IoT

Ref. [73]

[68]

[42]

Table 2.2 (continued)

A

B, H

Prevention againsta N/A

Group authentication and data transmission scheme using the physically unclonable function (PUF) in which the output of PUF is viewed as shared root key to achieve the mutual authentication along with key agreement Differential constellation shifting (DCS) radio frequency (RF) watermark scheme

Prevention method used Automatic deployment of virtual firewalls by leveraging Network Function Virtualization (NFV) Management and Orchestration (MANO)

N/A

Type of the verification (PoC, testbed, software, simulation) 10 Computers with Ubuntu 16.04 operating system and OpenStack Mitaka compose this infrastructure. The deployment utilizes Neutron and OpenDayLight as the SDN Controller. Mosaic5G project Scyther

BER performances of watermark and host signals of the proposed DCS system and the ICS system. The channel capacity performances. (a) The host BER is 10-3 at SNR = 12dB. (b) The watermark BER is 10-3 at SNR = 14dB. Covertness and security performance comparisons. The watermark BER is 10-3 at SNR = 14 dB in both ICS and DCS

Signaling overhead, transmission overhead, total bandwidth overhead, computational cost

Performance metrics Deployment times of vFirewalls with different number of machines and ramping times. Packet Loss Ratio, Transmission Time Overhead, Average of Jitter Configuration Time

2019

2022

Publication date 2019

N/A

N/A

Combine a low-bandwidth NB-IoT communication module with a hardware security element utilizes ECC-based key exchange scheme

Scalable 5G IoT firewall architecture IoT end device is shown in the work, but no model numbers are mentioned

OVS

Packet loss and average delay experienced by each packet N/A 2021

2020

Attack categories:
A—Eavesdropping attack
B—Replay attack
C—Bit flipping attack
D—Key compromising attack
E—Jamming attacks
F—Known-key attack
G—Sybil attack
H—Man-in-the-middle attacks
I—Denial of service attack
J—Key guessing attacks
K—Impersonation attack
L—Cloning attack
M—Brute force attack
N—Cipher-text attack
O—Correlation power analysis (CPA) attack
P—Cash collision attack
Q—Timing attacks
R—Quantum attack
S—MAC tag forgery attack
T—Frame-replay attack
∗ Type A, where users forward corrupted packets. Type B, where users drop the packets to exploit the benefits given by multi-hop D2D connections without forwarding any content further in the chain

NB-IoT

[12]

NB-IoT

[27]

Dual key-based activation scheme using AES 128 algorithm Hash chain generation using a one-way hash function

[47] B

AES-128 based SeLPC

[87] A, B, F

[32] A

Two factor authentication mechanism, based on blockchain Model-based key generation scheme takes advantage of real-time RSSI

[23] B, E

[35] B, D

[21] B,C

Prevention method used High-pass filter-based countermeasure Rabbit PRNG

Prevention Ref. againsta [92] A

Table 2.3 Comparison of IPSs for LoRaWAN

Ethereum blockchain and Python client and server implementation of LoRa end device and network server respectively Eleven nodes each node consists of a Raspberry Pi 3b+ and a mDot. The MultiTech mDot platform comprises a LoRa wireless chip SX1272, an ARM processor N/A

Type of the verification (PoC, testbed, software, simulation) Arduino Nano controlled LoRa SX1276 modules Simulation on laptop, not mentioning exact software Gateway: Raspberry Pi 2 with IC880A. End node: STM32L151CB MCU, 128K Flash, 10K RAM, IM880B-L Module NS-3 network simulator, HLPSL, AVISPA, SPAN

Data encryption power consumption, One-day power consumption

Randomness, Key matching rate, Key generation rate, Correlation, Correlation difference

Performance metrics Secret key capacity, intact key information ratio, and cross-correlation analysis Run time test, Frequency test within a block Server-side processing time, Join accept processing time, Time on air, Battery consumption, Join accept packet size Required Authentication time and Encryption time per message. Authentication overhead and Encryption overhead size. Battery lifetime, Time on the Air, Time to live The number of join request messages, a network server processes

2018

2021

2019

2021

2017

2021

Publication date 2019

B

A, B

M, N

G, H

E

B, H

[36]

[93]

[83]

[45]

[8]

[56]

Secure Rejoin mechanism refreshes root keys using the Elliptic-Curve Diffie-Hellman protocol (ECDH)

Root key update scheme is proposed to strengthen the security of session key derivation. Rabbit cipher embedded in a two-step Key Derivation Function (KDF) is used Suggests the DevNonce generation method. Elliptic Curve Diffie Hellman (ECDH)-based key exchange which is authenticated by the Elliptic Curve Digital Signature Algorithm (ECDSA) verification method at the PHY-layer: authentication preamble (AP) and token exchange scheme Proof-of-location approach/RSSI-based localization Cryptographic frequency hopping Burrows–Abadi–Needham (BAN) logic and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool Loadsensing end device using 4x Li-SOCl2 primary batteries of 5.8 Ah each. PowerScale tool FLoRa, a framework for OMNeT++ Gateway: Raspberry Pi gateway equipped with two Semtech SX1276 End device: LoRa32u4-II, which is equipped with an ATMega32u4 Micro Controller Unit (MCU) End-device software is developed in C using a modified version of the Radio-Head library FIT IoT-LAB testbed, ARM Cortex-M family microcontrollers. RIOT Operating System

Built-in Windows C++ function QueryPerformanceCounter (QPC)

Time and energy efficiency: Time and power consumption for each ECC operation

2021

2020

2021

2018

2018

2018

Message size and overhead Network latency (ms) vs. the number of intermediate hops. Network latency (ms) vs. transport delay. Signaling overhead vs, number of intermediate hops End device current consumption versus time for two cases: AP implemented and not implemented Position score for different end-devices in a network with two doppelgangers Max channel utilization in relation to network load, packet Loss in relation to network load, energy overhead /packet transmission

Key randomness, derivation computing times

N/A

I

B

A, J

[37]

[69]

[76]

[72]

Key generation protocol

Lightweight and Authenticated Key Management Approach: Ephemeral Diffie–Hellman Over COSE (EDHOC)

Physical Layer Key Generation: level-crossing quantization algorithm with an improved Cascade key agreement protocol to improve the key generation rate Adding a secure and distributed storage functionality based on blockchain to support the key management procedure

Prevention Prevention Ref. againsta method used [25] N/A Asymmetric cryptography plus digital signatures

Table 2.3 (continued)

ChirpStack project (previously known as LoRaServer). LoPy development boards, from Pycom, were used as end-devices. Equipped with a Semtech LoRa transceiver SX1276 and an Espressif ESP32 chipset End-device on a PIC32MX795F512L with 80 MHz, 512 KB ROM and 128 KB RAM. cipher-suite: TLS_PSK_WITH_ AES_128_CCM_8 Two units, a Raspberry Pi 3B+ and a SX1276RF1JAS LoRa evaluation board. LoRaWAN gateway was established with a Raspberry Pi 3+ and an iC880a multi-channel LoRa modem

Two LoRa shields, a LoRa LG01 gateway. The LoRa Shield is mounted on the Arduino Uno board using the SXl278 chip

Type of the verification (PoC, testbed, software, simulation) Python forwarding server, Solidity smart contract running on the Ethereum blockchain

Correlation, KDR, KPM

Time-on-Air (ToA) of EDHOC messages and maximum admissible transmission times for different LoRa SF configurations

Latency, Throughput, Execution time

Performance metrics Gas consumption from the JoinEuiRegisty smart contract. Message sizes without FOpts (in bytes). Minimum time between data packets for 1% duty-cycle. Current draw during ECDSA signing on SAML11. Energy budget for cryptographic operations RSSI of Alice Bob and Eve with mobile scenarios in the building

2019

2018

2020

2019

Publication date 2020

K, L

E

A

O

[61]

[40]

[43]

[53]

hybrid network using a long-range communication protocol (LoRaWAN) and a secure distributed ledger (Hyperledger fabric) architecture

Shared secret key generation scheme using RSSI channel measurements with a low correlation value

Propose a new protection method that can separate LoRa chirps from jamming chirps by leveraging their difference in the received signal strength in power domain

Adding 3GPP Security with USIM cards installed into the end-devices

LoRaWAN gateway is an IMST’s Lite Gateway based on Raspberry Pi B+ and an iC880A LoRaWAN concentrator. The components of this project (LoRa Gateway Bridge, LoRa App Server, MQTT Broker, Redis and PostgreSQL databases) and the new 3GPP Security Server designed are virtualized and executed in a laptop COTS LoRa node (i.e., LoRa shield, which consist of HopeRF’s RFM96W transceiver module embedded with the Semtech SX1276 chip. A low-cost receive-only RTLSDR dongle (i.e., yellow dot) is used as the LoRa gateway. USRP N210 to work as a jammer (i.e., red dot) Pycom FiPy development board and Raspberry Pi Model Zero. MultiConnect Conduit MTCDTIP-LEU1-266A-915 is used as the LoRa gateway Raspberry Pi 3 B (2,RPi), Pycom Lopy4 (3), Laptop (1), Intel i7 PC (1), Mini PC (1,MSI). N/A

Correlation, KDR, KGR, RSSI, and Key Update Time versus ADR

Countermeasure performance with different transmission power. Protege’s (a) PRR and (b) Throughput. Impact of (a) SF and (b) BW on Symbol Error Rate (SER) of Victim and Protege

N/A

2019

2021

2021

2019

Two Raspberry Pi3 Modules for the peer-to-peer communication HackRF One SDR Module which is used as an attack module. Two LoRa SX 1272 RF1 Modules by Semtech Derive a secure session key from the wireless channel characteristics Adeunis LoRaWAN fieldtest device in class A device configuration as transceiver it uses Semtech SX1257 chipset. The Wirnet iFemtoCell from Kerlink as a gateway equipped with the Semtech SX1301 LoRa demodulator The sniffing device and end device are implemented using MTAC-LORA-915 with SX1301 chipset and SX1272MB2DAS-ND with SX1272 chipset, respectively Raspberry Pi3B have a network server installed on a Linux system. RHF0m301 hat on it as a gateway, RHF76-052 as an end-node device

H

A, B

B

C

[85]

[6]

[60]

[66]

Adaptive method including elliptic curve cryptography technology and a digital signature

A method of XOR is used to create a unique join request message as the proposed countermeasure

PHYSEC based session key management

GCM cryptographic algorithm

Type of the verification (PoC, testbed, software, simulation) Verilog HDL, Synopsys Design Compiler and Synopsys 32 nm cell library

Prevention Prevention Ref. againsta method used [88] A, B Low power consumed AES encryption architecture LPADA using low power SBox, power gating technique and power management method

Table 2.3 (continued)

2017

2021

2020

Publication date 2019

The CPU times for encryption &decryption 2019

N/A

KGR for maximum allowed preliminary key BDR and quantization method

Performance metrics The power consumption and latency of the LPADA and traditional AES architecture given different operating voltages. Energy consumption comparison between the LPADA and traditional AES architecture under different message payload lengths N/A


K

N/A

A, B

A, B

H (B, C)

B, E

[39]

[54]

[89]

[24]

[65]

[7]

Implementing the two practical man-in-the middle attacks (i.e., the replay and bit-flipping attacks through intercepting the over-the-air activation procedure by an external to the network attacker device) Cryptographic frequency hopping approach

Session key generation method: integrating elliptic curve cryptography and AES-128, the session keys for different pairs of servers are created Two factor authentication framework Using blockchain based authentication mechanism

Smartphone’s LED camera flash is proposed

Firmware update process using ADR techniques

LoRa radio motes-RN2483 from Semtech

A geth Ethereum client, a Go language implementation of the Ethereum protocol, was used to run the private blockchain network and to deploy the smart contract End Devices: LoRaWAN module RHF PS01509 Gateway: single-board computer Raspberry Pi 3 B interfaced to the ic880a LoRaWAN concentrator SDR connected to a laptop

Printed Circuit Board (PCB) featuring a phototransistor, a MSP430FR6989 microcontroller and a LoRaWAN module Scyther

A Microchip SAMR34 Xplained evaluation board, and a Roper sensor printed circuit board (PCB) powered by a 200 mAh lithium polymer battery. MATLAB

Time on Air of LoRa packets w.r.t payload size. Average Packet Drop Ratio (PDR) when using (1) Standard LoRa approach. (2) Frequency Hopping over n-channels

N/A

Join server throughput, join server timeout messages, Join server latency

N/A

The convergence times of the different ADR search techniques. The energy consumption required to update a 128 kB firmware image. The energy consumed doing a firmware update at each Long Range (LoRa) setting Phones tested for led response time. Phototransistor light detection from 30 ms led flash


2019

2021

2020

2020

2020

2021


Table 2.3 (continued)

| Ref. | Prevention againstᵃ | Prevention method used | Type of the verification (PoC, testbed, software, simulation) | Performance metrics | Publication date |
|---|---|---|---|---|---|
| [71] | A | Wireless key generation for the first time utilizing LoRa physical layer | Two Raspberry PIs (edition 3) equipped with SX1276RF1JAS evaluation boards from Semtech, which incorporate LoRa modem SX1276 | Correlation, KDR and KPM for high & low signal levels, respectively | 2018 |
| [63] | A, B | Dynamic key derivation schemes: (a) counter-based (b) channel information-based | N/A | Variation of the dynamic key sensitivity in function of reset counter (RC). Variation of the ciphertext and MIC sensitivity in function of reset counter (RC) | 2020 |
| [52] | B | Activation method called Public Key Over the Air Activation (PK-OTAA): ECDH where the JS is using a static public key, and the device is using an ephemeral public key | Python implementation was verified via hardware PoC implementation | Power measurements of one message for OTAA and PK-OTAA. Power measurements of three consecutive data messages | 2020 |

ᵃ Attack categories: A—Colluding-eavesdropping attack; B—Replay attack; C—Bit flipping attack; D—Key compromising attack; E—Jamming attacks; F—Known-key attack; G—Sybil attack; H—Man-in-the-middle attacks; I—Denial of service attack; J—Key guessing attacks; K—Impersonation attack; L—Cloning attack; M—Brute force attack; N—Cipher-text attack; O—Replica attack

2.7 Conclusion

In this work, state-of-the-art IDSs and IPSs for LPWAN systems, covering major LPWAN technologies such as Sigfox and NB-IoT, have been investigated in a systematic and comprehensive manner. The chapter also summarizes the security considerations an LPWAN network needs to adhere to and the vulnerabilities the network is prone to.

The chapter includes thorough security evaluations of most of the works on LPWANs, provided in two sets of classifications, (1) for LoRaWAN and (2) for technologies other than LoRaWAN (i.e., Sigfox, NB-IoT, etc.), in a tabular and comparative way, including the detection and prevention mechanisms used and the type of systematic verification, along with the performance metrics.

According to our findings, there is limited work on IDSs compared with IPSs for LPWAN. Moreover, the available datasets for LPWAN systems are scant compared with those for other IoT devices. These shortcomings can potentially be minimized by adapting lightweight security algorithms of other IoT devices to LPWAN.

References

1. Adefemi Alimi, K.O., Ouahada, K., Abu-Mahfouz, A.M., Rimer, S.: A survey on the security of low power wide area networks: threats, challenges, and potential solutions. Sensors 20(20), 5800 (2020)
2. Alaparthy, V.: A Study on the Adaptability of Immune System Principles to Wireless Sensor Network and IoT Security. University of South Florida (2018)
3. Alizadeh, F., Bidgoly, A.J.: Cipher chaining key re-synchronization in LPWAN iot network using a deep learning approach. Comput. Netw. 179, 107373 (2020)
4. Amouri, A., Alaparthy, V.T., Morgera, S.D.: Cross layer-based intrusion detection based on network behavior for iot. In: 2018 IEEE 19th Wireless and Microwave Technology Conference (WAMICON), pp. 1–4. IEEE (2018)
5. Amouri, A., Alaparthy, V.T., Morgera, S.D.: A machine learning based intrusion detection system for mobile internet of things. Sensors 20(2), 461 (2020)
6. Andreas, W., de la Fuente, A.G., Christoph, L., Michael, K.: Physical layer security based key management for LoRaWAN. Preprint. arXiv:2101.02975 (2021)
7. Aras, E., Joosen, W., Hughes, D., et al.: Towards more scalable and secure LPWAN networks using cryptographic frequency hopping. In: 2019 Wireless Days (WD), pp. 1–4. IEEE (2019)
8. Aras, E., Nguyen, T.D., Michiels, S., Joosen, W., Hughes, D., et al.: Cram: Robust medium access control for LPWAN using cryptographic frequency hopping. In: 2020 16th International Conference on Distributed Computing in Sensor Systems (DCOSS), pp. 95–102. IEEE (2020)
9. Azeez, N.A., Bada, T.M., Misra, S., Adewumi, A., Vyver, C.V.d., Ahuja, R.: Intrusion detection and prevention systems: an updated review. In: Data Management, Analytics and Innovation, pp. 685–696 (2020)


10. Basu, D., Gu, T., Mohapatra, P.: Security issues of low power wide area networks in the context of lora networks. Preprint. arXiv:2006.16554 (2020)
11. Bidgoly, A.J., Bidgoly, H.J.: A novel chaining encryption algorithm for LPWAN IoT network. IEEE Sensors J. 19(16), 7027–7034 (2019)
12. Bortnik, D., Nikić, V., Lukić, M., Mezei, I.: Secured by hardware client-server communication based on nb-iot technology. In: 2021 Zooming Innovation in Consumer Technologies Conference (ZINC), pp. 48–53. IEEE (2021)
13. Brantly, A.F., Kostyuk, N., Lindsay, J.R., Maschmeyer, L., Pakharenko, G.: The cyber dimension of the crisis in Ukraine: an expert panel discussion (2022). https://smartech.gatech.edu/handle/1853/66284
14. Bui, D.H., Puschini, D., Bacles-Min, S., Beigné, E., Tran, X.T.: AES datapath optimization strategies for low-power low-energy multisecurity-level internet-of-things applications. IEEE Trans. Very Large Scale Integration (VLSI) Syst. 25(12), 3281–3290 (2017)
15. Butun, I., Pereira, N., Gidlund, M.: Analysis of LoRaWAN v1.1 security. In: Proceedings of the 4th ACM MobiHoc Workshop on Experiences with the Design and Implementation of Smart Objects, pp. 1–6 (2018)
16. Butun, I., Pereira, N., Gidlund, M.: Security risk analysis of LoRaWAN and future directions. Future Internet 11(1), 3 (2018)
17. Butun, I., Österberg, P., Song, H.: Security of the Internet of Things: Vulnerabilities, attacks, and countermeasures. IEEE Commun. Surv. Tutorials 22(1), 616–644 (2019)
18. Cao, J., Yu, P., Ma, M., Gao, W.: Fast authentication and data transfer scheme for massive NB-IoT devices in 3GPP 5G network. IEEE Internet Things J. 6(2), 1561–1575 (2018)
19. Cao, J., Yu, P., Xiang, X., Ma, M., Li, H.: Anti-quantum fast authentication and data transmission scheme for massive devices in 5G NB-IoT system. IEEE Internet Things J. 6(6), 9794–9805 (2019)
20. Chacko, S., Job, M.D.: Security mechanisms and vulnerabilities in LPWAN. In: IOP Conference Series: Materials Science and Engineering, vol. 396, p. 012027. IOP Publishing (2018)
21. Chen, X., Lech, M., Wang, L.: A complete key management scheme for LoRaWAN v1.1. Sensors 21(9), 2962 (2021)
22. Danish, S.M., Nasir, A., Qureshi, H.K., Ashfaq, A.B., Mumtaz, S., Rodriguez, J.: Network intrusion detection system for jamming attack in lorawan join procedure. In: 2018 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2018)
23. Danish, S.M., Lestas, M., Asif, W., Qureshi, H.K., Rajarajan, M.: A lightweight blockchain based two factor authentication mechanism for lorawan join procedure. In: 2019 IEEE International Conference on Communications Workshops (ICC Workshops), pp. 1–6. IEEE (2019)
24. Danish, S.M., Lestas, M., Qureshi, H.K., Zhang, K., Asif, W., Rajarajan, M.: Securing the lorawan join procedure using blockchains. Cluster Comput. 23(3), 2123–2138 (2020)
25. Durand, A., Gremaud, P., Pasquier, J.: Decentralized LPWAN infrastructure using blockchain and digital signatures. Concurr. Comput. Pract. Exp. 32(12), e5352 (2020)
26. Eldefrawy, M., Butun, I., Pereira, N., Gidlund, M.: Formal security analysis of lorawan. Comput. Netw. 148, 328–339 (2019)
27. Escolar, A.M., Calero, J.M.A., Wang, Q.: Highly-scalable software firewall supporting one million rules for 5G NB-IoT networks. In: ICC 2020-2020 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2020)
28. Ferreira, L.: Sigforgery: Breaking and fixing data authenticity in sigfox. In: International Conference on Financial Cryptography and Data Security, pp. 331–350. Springer (2021)
29. Foubert, B., Mitton, N.: Long-range wireless radio technologies: a survey. Future Internet 12(1), 13 (2020)
30. Franzin, A., Gyory, R., Nadé, J.C., Aubert, G., Klenkle, G., Bersini, H.: Philéas: Anomaly detection for IoT monitoring. BNAIC/BeneLearn 2020, 56 (2020)


31. Fujdiak, R., Blazek, P., Mikhaylov, K., Malina, L., Mlynek, P., Misurec, J., Blazek, V.: On track of sigfox confidentiality with end-to-end encryption. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1–6 (2018)
32. Gao, J., Xu, W., Kanhere, S., Jha, S., Kim, J.Y., Huang, W., Hu, W.: A novel model-based security scheme for LoRa key generation. In: Proceedings of the 20th International Conference on Information Processing in Sensor Networks (co-located with CPS-IoT Week 2021), pp. 47–61 (2021)
33. Global LPWAN market to cross 80 Bn by 2027, Global Market Insights, Inc (2021). https://www.prnewswire.com/news-releases/global-lpwan-market-to-cross-80-bnby-2027-global-market-insights-inc-301234145.html
34. Gresak, E., Jalowiczor, J., Rozhon, J., Rezac, F., Safarik, J.: Detection of changes in the qualitative parameters for lorawan and sigfox network. In: Disruptive Technologies in Information Sciences II, vol. 11013, p. 110130S. International Society for Optics and Photonics (2019)
35. Hakeem, S.A.A., El-Kader, S.M.A., Kim, H.: A key management protocol based on the hash chain key generation for securing lorawan networks. Sensors 21(17), 5838 (2021)
36. Han, J., Wang, J.: An enhanced key management scheme for LoRaWAN. Cryptography 2(4), 34 (2018)
37. Han, B., Peng, S., Wang, X., Wang, B.: Distributed physical layer key generation for secure LPWAN communication. In: 2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS), pp. 225–232. IEEE (2019)
38. Heeger, D., Plusquellic, J.: Analysis of IoT authentication over LoRa. In: 2020 16th International Conference on Distributed Computing in Sensor Systems (DCOSS), pp. 458–465. IEEE (2020)
39. Heeger, D., Garigan, M., Eleni Tsiropoulou, E., Plusquellic, J.: Secure LoRa firmware update with adaptive data rate techniques. Sensors 21(7), 2384 (2021)
40. Hou, N., Xia, X., Zheng, Y.: Jamming of LoRa PHY and countermeasure. In: IEEE INFOCOM 2021-IEEE Conference on Computer Communications, pp. 1–10. IEEE (2021)
41. How LPWAN solutions can transform cybersecurity (2021). https://www.electronicdesign.com/technologies/iot/article/21162918/semtech-how-lpwan-solutions-can-transformcybersecurity
42. Huang, H., Zhang, L.: Reliable and secure constellation shifting aided differential radio frequency watermark design for nb-iot systems. IEEE Commun. Lett. 23(12), 2262–2265 (2019)
43. Junejo, A.K., Benkhelifa, F., Wong, B., McCann, J.A.: LoRa-liSK: A lightweight shared secret key generation scheme for LoRa networks. IEEE Internet Things J. 9, 4110 (2021)
44. Kambou, S., Bouabdallah, A.: Using structural diversity to enforce strong authentication of mobiles to the cloud. In: 2019 IEEE Conference on Communications and Network Security (CNS), pp. 1–9. IEEE (2019)
45. Kaven, S., Bornholdt, L., Skwarek, V.: Authentication by RSSI-position based localization in a LoRa LPWAN. In: 2020 6th IEEE Congress on Information Science and Technology (CiSt), pp. 448–454. IEEE (2021)
46. Key management concerns impact LoRaWAN IoT device security (2020). https://www.embedded.com/key-management-concerns-impact-lorawan-iot-device-security/
47. Kim, J., Song, J.: A dual key-based activation scheme for secure LoRaWAN. Wireless Commun. Mob. Comput. 2017, 1–15 (2017)
48. Lavric, A., Petrariu, A.I., Popa, V.: Long range sigfox communication protocol scalability analysis under large-scale, high-density conditions. IEEE Access 7, 35816–35825 (2019)
49. Le Bars, B., Kalogeratos, A.: A probabilistic framework to node-level anomaly detection in communication networks. In: IEEE INFOCOM 2019-IEEE Conference on Computer Communications, pp. 2188–2196. IEEE (2019)
50. Lin, Y., Jiang, F., Wang, Z., Wang, Z.: Research on PUF-based security enhancement of narrow-band Internet of Things. In: 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA), pp. 702–709. IEEE (2018)


51. Liu, D., Liu, X., Zhang, H., Yu, H., Wang, W., Ma, L., Chen, J., Li, D.: Research on end-to-end security authentication protocol of NB-IoT for smart grid based on physical unclonable function. In: 2019 IEEE 11th International Conference on Communication Software and Networks (ICCSN), pp. 239–244. IEEE (2019)
52. Mårlind, F., Butun, I.: Activation of LoRaWAN end devices by using public key cryptography. In: 2020 4th Cyber Security in Networking Conference (CSNet), pp. 1–8. IEEE (2020)
53. Mayer, I.V.: Lorawan-hyperledger robust network integrity on IoT devices. In: Disruptive Technologies in Information Sciences II, vol. 11013, p. 110130R. International Society for Optics and Photonics (2019)
54. McPherson, R., Irvine, J.: Secure decentralised deployment of lorawan sensors. IEEE Sensors J. 21(1), 725–732 (2020)
55. Mekki, K., Bajic, E., Chaxel, F., Meyer, F.: A comparative study of LPWAN technologies for large-scale IoT deployment. ICT Exp. 5(1), 1–7 (2019)
56. Milani, S., Chatzigiannakis, I.: Design, analysis, and experimental evaluation of a new secure rejoin mechanism for lorawan using elliptic-curve cryptography. J. Sensor Actuator Netw. 10(2), 36 (2021)
57. Militano, L., Orsino, A., Araniti, G., Iera, A.: NB-IoT for D2D-enhanced content uploading with social trustworthiness in 5G systems. Future Internet 9(3), 31 (2017)
58. Mohamed, A., Wang, F., Butun, I., Qadir, J., Lagerström, R., Gastaldo, P., Caviglia, D.D.: Enhancing cyber security of LoRaWAN gateways under adversarial attacks. Sensors 22(9), 3498 (2022)
59. Mohee, A.: Cyber war: The hidden side of the Russian-Ukrainian crisis (2022). https://osf.io/preprints/socarxiv/2agd3/
60. Na, S., Hwang, D., Shin, W., Kim, K.H.: Scenario and countermeasure for replay attack using join request messages in LORAWAN. In: 2017 International Conference on Information Networking (ICOIN), pp. 718–720. IEEE (2017)
61. Navarro-Ortiz, J., Chinchilla-Romero, N., Ramos-Munoz, J.J., Munoz-Luengo, P.: Improving hardware security for LoRaWAN. In: 2019 IEEE Conference on Standards for Communications and Networking (CSCN), pp. 1–6. IEEE (2019)
62. Noura, H.N., Melki, R., Chehab, A., Hernandez Fernandez, J.: Efficient and secure message authentication algorithm at the physical layer. Wirel. Netw., 2020, 1–15 (2020)
63. Noura, H.N., Salman, O., Hatoum, T., Malli, M., Chehab, A.: Towards securing LoRaWAN ABP communication system. In: CLOSER, pp. 440–447 (2020)
64. Pathak, G., Gutierrez, J., Rehman, S.U.: Security in low powered wide area networks: opportunities for software defined network-supported solutions. Electronics 9(8), 1195 (2020)
65. Pospisil, O., Fujdiak, R., Mikhaylov, K., Ruotsalainen, H., Misurec, J.: Testbed for LoRaWAN security: design and validation through man-in-the-middle attacks study. Appl. Sci. 11(16), 7642 (2021)
66. Raad, N., Hasan, T., Chalak, A., Waleed, J.: Secure data in LoRaWAN network by adaptive method of elliptic-curve cryptography. In: 2019 International Conference on Computing and Information Science and Technology and Their Applications (ICCISTA), pp. 1–6. IEEE (2019)
67. Reeder, J.R., Hall, C.T.: Cybersecurity’s pearl harbor moment: lessons learned from the colonial pipeline ransomware attack. Government Contractor Cybersecurity: Washington, DC, USA (2021)
68. Ren, X., Cao, J., Ma, M., Li, H., Zhang, Y.: A novel PUF-based group authentication and data transmission scheme for NB-IoT in 3GPP 5G networks. IEEE Internet Things J. 9, 3642 (2021)
69. Ribeiro, V., Holanda, R., Ramos, A., Rodrigues, J.J.: Enhancing key management in LoRaWAN with permissioned blockchain. Sensors 20(11), 3068 (2020)
70. Rim, K., Lim, D.: Dos attack control design of IoT system for 5G era. J. Inf. Commun. Converg. Eng. 16(2), 93–98 (2018)
71. Ruotsalainen, H., Grebeniuk, S.: Towards wireless secret key agreement with lora physical layer. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1–6 (2018)


72. Ruotsalainen, H., Zhang, J., Grebeniuk, S.: Experimental investigation on wireless key generation for low-power wide-area networks. IEEE Internet Things J. 7(3), 1745–1755 (2019)
73. Salva-Garcia, P., Chirevella-Perez, E., Bernabe, J.B., Alcaraz-Calero, J.M., Wang, Q.: Towards automatic deployment of virtual firewalls to support secure mMTC in 5G networks. In: IEEE INFOCOM 2019-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 385–390. IEEE (2019)
74. Sanchez-Gomez, J., Carrillo, D.G., Sanchez-Iborra, R., Hernández-Ramos, J.L., Granjal, J., Marin-Perez, R., Zamora-Izquierdo, M.A.: Integrating LPWAN technologies in the 5G ecosystem: a survey on security challenges and solutions. IEEE Access 8, 216437–216460 (2020)
75. Sanchez-Gomez, J., Garcia-Carrillo, D., Marin-Perez, R., Skarmeta, A.F.: Secure authentication and credential establishment in narrowband IoT and 5G. Sensors 20(3), 882 (2020)
76. Sanchez-Iborra, R., Sánchez-Gómez, J., Pérez, S., Fernández, P.J., Santa, J., Hernández-Ramos, J.L., Skarmeta, A.F.: Enhancing LoRaWAN security through a lightweight and authenticated key management approach. Sensors 18(6), 1833 (2018)
77. Santos, B., Dzogovic, B., Feng, B., Jacot, N., Van Do, T., et al.: Improving cellular IoT security with identity federation and anomaly detection. In: 2020 5th International Conference on Computer and Communication Systems (ICCCS), pp. 776–780. IEEE (2020)
78. Santos, B., Khan, I.Q., Dzogovic, B., Feng, B., Do, V.T., Jacot, N., Do, T.V.: Anomaly detection in cellular IoT with machine learning. In: International Conference on Smart Objects and Technologies for Social Good, pp. 51–64. Springer (2021)
79. Savic, M., Lukic, M., Danilovic, D., Bodroski, Z., Bajović, D., Mezei, I., Vukobratovic, D., Skrbic, S., Jakovetić, D.: Deep learning anomaly detection for cellular IoT with applications in smart logistics. IEEE Access 9, 59406–59419 (2021)
80. Schlienz, J., Raddino, D.: Narrowband Internet of Things Whitepaper, pp. 1–42. White Paper, Rohde & Schwarz (2016)
81. Sornin, N., Luis, M., Eirich, T., Kramp, T., Hersent, O.: LoRaWAN specification. LoRa alliance (2015)
82. Soukup, D., Hujňák, O., Štefunko, S., Krejčí, R., Grešák, E.: Security framework for iot and fog computing networks. In: 2019 Third International conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC), pp. 87–92. IEEE (2019)
83. Suciu, I., Pacho, J.C., Bartoli, A., Vilajosana, X.: Authenticated preambles for denial of service mitigation in LPWANS. In: International Conference on Ad-Hoc Networks and Wireless, pp. 199–210. Springer (2018)
84. Takehisa, W., Fukushima, R., Sato, R., Hattori, D., Kodera, Y., Kusaka, T., Nogami, Y.: Proposal of Piccolo-CMAC for Sigfox network. In: 2021 36th International Technical Conference on Circuits/Systems, Computers and Communications (ITC-CSCC), pp. 1–4. IEEE (2021)
85. Thomas, J., Cherian, S., Chandran, S., Pavithran, V.: Man in the middle attack mitigation in LoRaWAN. In: 2020 International Conference on Inventive Computation Technologies (ICICT), pp. 353–358. IEEE (2020)
86. Torres, N., Pinto, P., Lopes, S.I.: Security vulnerabilities in LPWANS–an attack vector analysis for the iot ecosystem. Appl. Sci. 11(7), 3176 (2021)
87. Tsai, K.L., Huang, Y.L., Leu, F.Y., You, I., Huang, Y.L., Tsai, C.H.: AES-128 based secure low power communication for LoRaWAN IoT environments. IEEE Access 6, 45325–45334 (2018)
88. Tsai, K.L., Leu, F.Y., You, I., Chang, S.W., Hu, S.J., Park, H.: Low-power AES data encryption architecture for a LoRaWAN. IEEE Access 7, 146348–146357 (2019)
89. Tsai, K.L., Leu, F.Y., Hung, L.L., Ko, C.Y.: Secure session key generation method for LoRaWAN servers. IEEE Access 8, 54631–54640 (2020)
90. van Noort, N., Kerssens, J.: End-to-end security in lora and NB-IoT sensor networks. Technical Report by University of Amsterdam, 1–15, 2020
91. Yakin, N., Zhitkov, M., Chernikov, A., Pepelyaev, P.: Security threats and service degradation detection in LoRaWAN networks. In: 2021 Ural Symposium on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT), pp. 0455–0458. IEEE (2021)


92. Yang, L., Gao, Y., Zhang, J., Camtepe, S., Jayalath, D.: A channel perceiving attack on long-range key generation and its countermeasure. Preprint. arXiv:1910.08770 (2019)
93. You, I., Kwon, S., Choudhary, G., Sharma, V., Seo, J.T.: An enhanced LoRaWAN security protocol for privacy preservation in IoT with a case study on a smart factory-enabled parking system. Sensors 18(6), 1888 (2018)
94. Zhang, Y., Ren, F., Wu, A., Zhang, T., Cao, J., Zheng, D.: Certificateless multi-party authenticated encryption for NB-IoT terminals in 5G networks. IEEE Access 7, 114721–114730 (2019)

Part II

Challenges, Opportunities, Risks and Threats in LPWANs

Chapter 3

Pervasive LPWAN Connectivity Through LEO Satellites: Trading Off Reliability, Throughput, Latency, and Energy Efficiency

Zheng Zhou, Mohammad Afhamisis, Maria Rita Palattella, Nicola Accettura, and Pascal Berthou

Z. Zhou · N. Accettura · P. Berthou: Laboratory for Analysis and Architecture of Systems (LAAS-CNRS), Université de Toulouse, CNRS, UPS, Toulouse, France
M. Afhamisis · M. R. Palattella: Environmental Research and Innovation Department (ERIN), Luxembourg Institute of Science and Technology (LIST), Esch-sur-Alzette, Luxembourg
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023. I. Butun, I. F. Akyildiz (eds.), Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats, https://doi.org/10.1007/978-3-031-32935-7_3

3.1 Introduction

Low Power Wide Area Network (LPWAN) is becoming a revolutionary technology for the Internet of Things (IoT) due to its low power consumption, long distance coverage, and low cost of the devices [16]. Many LPWAN technologies have been developed over the last few years. 3GPP standardized Cat-M and Narrow Band IoT (NB-IoT) [48], two complementary technologies targeting reliable applications over the licensed spectrum. At the same time, the unlicensed spectrum was recently populated by other loss-tolerant LPWAN technologies, quickly dominating the IoT landscape and market for their easy deployment. Among them are Sigfox [45] and the Long Range (LoRa) technology [52].

With the cost reduction of CubeSat Low Earth Orbit (LEO) satellites, and the low latency achievable with large LEO constellations, satellite LPWAN recently became a new solution to connect a large set of IoT devices deployed in remote and even inaccessible areas [13]. Many IoT companies and satellite operators have invested heavily in making such a solution feasible. While few real deployments already exist, many research challenges still need to be addressed to make such network architecture a reality and bring IoT connectivity everywhere [40]. Clearly, satellite communications are still unable to support the low-latency requirements demanded by some IoT applications, like mission-critical applications, tactile Internet, factory automation, and Ultra-Reliable and Low-Latency (URLLC) systems [17]. On the contrary, they can easily meet the requirements of delay-tolerant applications, such as smart agriculture, smart grid, cross-border tracking systems, and maritime Internet of Things [51] and surveillance [31].

Interestingly, both LoRa and NB-IoT are highly configurable protocols that allow choosing among multiple link-layer communication schemes to tackle different reliability requirements. Higher reliability is usually achieved at the price of larger latency. Notably, this trade-off between reliability and latency is highly sensitive to the amount of offered traffic, making the network throughput an additional element to be taken into account when designing the network. As a matter of fact, reliability, latency, and throughput are the three main Key Performance Indicators (KPIs) for any communication network [47]. Remarkably, IoT networks are characterized by an additional KPI, i.e., energy efficiency. Indeed, a typical IoT network includes numerous cheap smart devices equipped with batteries, whose most energy-expensive activity is related to the radio module. Hence, IoT communication protocols should be designed to prolong the battery lifetime without requiring frequent substitutions or recharges. All in all, trading off among reliability, latency, throughput, and energy efficiency is the sole approach able to meet the needs of any application. In this book chapter, a methodological approach to evaluate the performance of a satellite LPWAN network is presented, considering the challenges introduced by satellites.

The rest of the chapter is organized as follows. Section 3.2 introduces and compares NB-IoT and LoRa technologies by highlighting those technological facets making them easily exploitable for ground-to-satellite low power communications. Then, Sect. 3.3 investigates how the communication KPIs are strictly dependent on a set of parameters, with some of them being unmodifiable physical properties and the others being configurable protocol settings. Section 3.4 describes the opportunities and challenges inherent to the integration of LPWAN with LEO satellites. Section 3.5 shows how the LPWAN KPIs are impacted by the satellite features. Finally, Sect. 3.6 draws conclusions and envisages future research directions.

3.2 LPWAN Technologies: LoRa vs NB-IoT In the IoT landscape, the Low Power Wide Area Network (LPWAN) technology emerged as the best choice for enabling very low-cost long-range connections. Many LPWAN technologies have been developed over the last years, e.g., LoRa, Sigfox,

3 Pervasive LPWAN Connectivity Through LEO Satellites

87

Table 3.1 Comparative matrix: LoRaWAN vs NB-IoT Technology Feature Specifications Uplink modulation Downlink modulation Frequency band Bandwidth Maximum data rate Coverage range Security

Technology LoRaWAN Non-3GPP CSS CSS ISM unlicensed band 125/250/500 kHz 50 kbps 5–20 km [39] AES 128 bit

NB-IoT 3GPP SC-FDMA OFDM Cellular licensed band 180 kHz 200 kbps 1–10 km 3GPP (128–256 bit)

NB-IoT, and CAT-M. This chapter focuses on LoRa and NB-IoT, whose integration with LEO satellites has already been investigated in the research community and partly implemented in the context of ongoing 3GPP work items [13]. Since the approach described throughout this chapter aims at picturing the integration of any LPWAN technology on ground-to-satellite IoT links, the key features of LoRa and NB-IoT are described in parallel according to a comprehensive mindset, in order to provide useful insights for the proper choice of the most fitting communication pattern. To help the reading, a very high-level comparison is provided in Table 3.1. In details, LoRa was introduced by Semtech Corporation1 and adopts a Chirp Spread Spectrum (CSS) modulation scheme to enable long range communication even in noisy environments [32]. Herein, a narrowband input signal is spread over a wider bandwidth and immediately transmitted; then, it can be correctly decoded very far away, even if severely attenuated. The LoRa modulation further enables the use of several Spreading Factors (SFs) to increase the ability of the receiver to decode simultaneous signal transmissions on the same frequency channel. Each SF is associated with a specific data-rate, transmission range, and energy consumption. Such communications happen on the unlicensed Industrial, Scientific, and Medical (ISM) band, thus competing for the use of the radio resources with other interfering technologies operating in the same frequency bands. The enormous interest of companies on such a cutting-edge technology pushed for the creation of the LoRa Alliance with the aim of promoting LoRa and designing a Medium Access Control (MAC) layer able to manage the communication resource exploitation in LoRa Wide Area Networks (LoRaWAN). 
The LoRaWAN protocol was initially defined as an open specification for LPWAN IoT, and, in December 2021, it has been finally recognized as a standard by the International Telecommunication Union (ITU2 ). The transposition as an ITU-T Recommendation (ITU-T Y.4480) validates the market trend in adopting LoRaWAN as an internationally recognized standard and defines

1 Semtech:

https://www.semtech.com/lora. Formally Recognized as ITU International Standard for Low Power Wide Area Networking: https://lora-alliance.org/lora-alliance-press-release/.

2 LoRaWAN.o ˝

88

Z. Zhou et al.

the path ahead toward even wider adoption. More interestingly, several companies have been working with Semtech to ensure a pervasive availability of IoT services through LEO satellites equipped with LoRa transceivers. Among such companies, it is worth mentioning Lacuna Space,3 Thuraya,4 ACTILITY,5 and WYLD.6 Instead, NB-IoT employs a narrow band modulation and works into the licensed spectrum. It was conceived by 3GPP and proposed for the first time in Release 13 [48] to make current cellular networks ready to support IoT applications with low cost, low power consumption, and low data rates. The development of the NB-IoT standard was initially based on the existing Long-Term Evolution (LTE) functionalities. Such an approach (i.e., leveraging on existing technology) allowed minimizing the development effort and shortening the time to market. The NB-IoT specification is still evolving, and the most recent releases, i.e., Rel-17 and Rel18, focus on IoT over Non-Terrestrial Networks (NTN) to provide broader global coverage. Their objective is to address the challenges inherent to the integration of NB-IoT over ground-to-satellite links, i.e., initial synchronization, high propagation delays, Doppler variation rate, high paging load with a considerable number of users, etc. Several companies, like Sateliot,7 Ligado,8 and GateHouse,9 have invested in designing and developing global NB-IoT satellite networks and can already offer such service. From the Network Architecture point of view, LoRaWAN and NB-IoT present a similar hierarchical structure with two tiers, as depicted in Fig. 3.1. With LoRaWAN, low power End Devices (EDs) communicate through LoRa links with all the LoRaWAN Gateways (GWs) in their transmission range. The GWs are totally controlled by the LoRaWAN Network Server (LNS), and their function is to encapsulate uplink LoRa frames received by EDs within TCP/IP packets and forward them to the LNS. The GWs also forward the downlink traffic from LNS to EDs. 
In fact, the LoRaWAN MAC protocol is established between any ED and the LNS. In turn, the LNS can be interconnected with several application servers. Similarly, the NB-IoT network architecture can be divided into two main parts: the core network, namely the Evolved Packet Core (EPC), and the access network, namely the Evolved Universal Terrestrial Radio Access Network (E-UTRAN). EPC is responsible for transmitting the collected IoT data to the cloud platform for further processing and managing mobile devices [48]. The access network includes the User Equipment (UE) and the evolved Node B (eNB). Clearly, an NB-IoT UE plays the same network role as a LoRaWAN ED. Indeed, UEs and EDs are equipped with one or more sensors, a microcontroller, and

3 Lacuna Space: https://lacuna.space/.
4 Thuraya: https://thuraya.com/.
5 Actility: https://www.actility.com/.
6 Wyld networks: https://wyldnetworks.com/.
7 Sateliot: https://sateliot.space/en/.
8 Ligado: https://ligado.com/.
9 Gatehouse: https://gatehouse.com/.

3 Pervasive LPWAN Connectivity Through LEO Satellites


Fig. 3.1 Comparison between NB-IoT and LoRaWAN architectures. (a) LoRaWAN. (b) NB-IoT

a radio transceiver, and they are in charge of collecting and transmitting IoT data to the Internet through the EPC and the LNS, respectively. Instead, the eNB (as the LGW) is the base station connecting the UE to the core network. From the perspective of the physical layer, LoRa achieves long-range transmissions up to ∼20 km thanks to the CSS modulation [39]. When an ED has some data to transmit, the signal is spread over the air using a specific bandwidth (BW) and SF. According to the LoRaWAN specification, the SF can assume integer values from 7 to 12. The SF affects two other parameters of the LoRa PHY layer protocol, i.e., the Data Rate (DR) and the Time on the Air (ToA). The DR is the number of bytes transmitted per second on the air. The ToA is the amount of time for a message to be delivered to the GW, and its length is directly proportional to the size of the transmitted frame and inversely proportional to the DR. The LoRa DR can be calculated as

$$\mathrm{DR} = \mathrm{SF} \times \frac{\mathrm{Bandwidth}}{2^{\mathrm{SF}}} \times \mathrm{CR} \tag{3.1}$$

The CR is the code rate, a fractional number that represents the proportion of useful (non-redundant) data in the encoded data stream relative to the total encoded data. A higher SF allows a longer coverage range and a higher resilience against noise. However, according to Eq. 3.1, this comes at the cost of a smaller DR, which in turn implies a longer ToA and larger energy consumption.


Fig. 3.2 LoRa PHY vs LR-FHSS

To overcome such limitations, Semtech recently designed a new LoRa PHY layer, namely Long-Range Frequency Hopping Spread Spectrum (LR-FHSS), also known as LoRa-Extended [12]. The LR-FHSS operates in the same channels as the regular LoRa PHY. But the LoRa bandwidth is divided into several smaller ones, named hops. In LR-FHSS, ED and GWs get synchronized using a pseudo random sequence, which specifies the specific hops to use for the data transmission. This sequence is exchanged using a header, with two or three replicas sent in randomly selected hops. Once the synchronization is established, then the ED starts transmitting the payload, which is divided into several small portions named fragments. Each fragment is sent over a different hop, following the pseudo random sequence previously exchanged. This results in a longer ToA, for transmitting the same payload, compared to the LoRa PHY (see Fig. 3.2). It must be noticed that LR-FHSS applies only to the uplink transmission. Downlink traffic still follows the regular LoRa PHY.



> Important

However, since LoRa uses the unlicensed ISM band, the duty cycle must be configured to limit the maximum amount of data each device can upload daily, while respecting the access policies. In Europe, the European Telecommunications Standards Institute (ETSI) enforces per sub-band duty cycle policies ranging from 0.1% to 10% [23]. In the Federal Communications Commission (FCC) regions, a maximum ToA of 400 ms is imposed for the uplink transmissions, while there is no restriction on the duty cycle. Finally, concerning the bandwidth, 125 kHz can be adopted in both regions, while 250 and 500 kHz are allowed in the ETSI and FCC regions, respectively.
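The interaction between Eq. 3.1, the ToA and the regional limits above can be tabulated per spreading factor. The following is an added example, not code from the chapter: the function and class names are hypothetical, the input values are constructed, and the ToA is approximated as frame size divided by DR (the proportionality stated in the text), ignoring preamble, header and symbol rounding.

```python
"""Airtime budget per spreading factor, built on Eq. 3.1 (added example)."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
FCC_MAX_TOA_S = 0.400  # uplink ToA ceiling quoted in the text for FCC regions


def data_rate(sf: int, bandwidth_hz: float, cr: float) -> float:
    """Eq. 3.1: DR = SF * (Bandwidth / 2**SF) * CR.

    With the bandwidth in Hz the result is in bits per second, because each
    chirp symbol lasts 2**SF / Bandwidth seconds and carries SF coded bits.
    """
    if sf not in range(7, 13):
        raise ValueError("LoRaWAN SF must be an integer from 7 to 12")
    if not 0.0 < cr <= 1.0:
        raise ValueError("CR is a fraction in (0, 1]")
    if bandwidth_hz <= 0:
        raise ValueError("bandwidth must be positive")
    return sf * bandwidth_hz / (2 ** sf) * cr


def time_on_air(frame_bytes: int, sf: int, bandwidth_hz: float, cr: float) -> float:
    """Simplified ToA in seconds: frame size divided by DR.

    Assumption of this example: preamble, header and symbol rounding are
    ignored, so a real frame stays on the air longer than this lower bound.
    """
    if frame_bytes <= 0:
        raise ValueError("frame size must be positive")
    return frame_bytes * 8 / data_rate(sf, bandwidth_hz, cr)


@dataclass(frozen=True)
class AirtimeBudget:
    sf: int
    dr_bps: float
    toa_s: float
    within_fcc_toa: bool      # ToA does not exceed the 400 ms limit
    max_uplinks_per_day: int  # frames that fit in the daily duty-cycle budget


def airtime_budget(frame_bytes: int, bandwidth_hz: float, cr: float,
                   duty_cycle: float) -> list:
    """Evaluate every SF from 7 to 12 against both regional constraints."""
    if not 0.0 < duty_cycle <= 1.0:
        raise ValueError("duty cycle is a fraction in (0, 1]")
    allowed_airtime_s = duty_cycle * SECONDS_PER_DAY
    rows = []
    for sf in range(7, 13):
        toa = time_on_air(frame_bytes, sf, bandwidth_hz, cr)
        rows.append(AirtimeBudget(
            sf=sf,
            dr_bps=data_rate(sf, bandwidth_hz, cr),
            toa_s=toa,
            within_fcc_toa=toa <= FCC_MAX_TOA_S,
            max_uplinks_per_day=int(allowed_airtime_s // toa),
        ))
    return rows


if __name__ == "__main__":
    # Constructed input: 20-byte frame, 125 kHz, CR 4/5, 1% duty cycle.
    for row in airtime_budget(20, 125_000, 4 / 5, 0.01):
        print(f"SF{row.sf}: DR={row.dr_bps:8.2f} bit/s  ToA={row.toa_s * 1000:7.1f} ms  "
              f"FCC ok={row.within_fcc_toa}  uplinks/day={row.max_uplinks_per_day}")
```

Because the simplified ToA is a lower bound, an SF that fails the 400 ms check here also fails it with the full frame overhead included.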


Fig. 3.3 NB-IoT deployment modes

Fig. 3.4 Radio frame of NB-IoT

Like LTE, and differently from LoRa, NB-IoT adopts two different modulation schemes for downlink and uplink messages, respectively Orthogonal Frequency-Division Multiple Access (OFDMA) and Single Carrier-Frequency Division Multiple Access (SC-FDMA). NB-IoT occupies the 180 kHz frequency band, corresponding to a block of resources in the LTE bandwidth. NB-IoT supports three deployment modes, illustrated in Fig. 3.3. The In-band mode occupies one of the Physical Resources Blocks (PRBs) of LTE. The Guard-band mode occupies only the protection band of LTE. In the stand-alone mode, NB-IoT can be deployed in any frequency spectrum, such as Global System for Mobile (GSM) frequency bands. Figure 3.4 illustrates the structure of the NB-IoT radio frame. Each radio frame has a duration of 10 ms and is divided into 10 subframes. Each subframe is made up of 2 slots. One subframe consists of 12 × 14 Resource Elements (REs) with a 15 kHz subcarrier for downlink (3.75 or 15 kHz for uplink). 3GPP has defined several channels and signals with distinct functions for uplink and downlink, as described hereafter.


Fig. 3.5 Downlink and uplink frames of NB-IoT

For the downlink, as shown in Fig. 3.5, two synchronization signals, Narrowband Primary Synchronization Signal (NPSS) and Narrowband Secondary Synchronization Signal (NSSS), are transmitted in the subframes 5 and 9 to synchronize UE and eNB in time and frequency. The first subframe is Narrowband Physical Broadcast Channel (NPBCH), which is used to exchange critical system information such as deployment mode. The remaining subframes are occupied by the other two channels: Narrowband Physical Downlink Control Channel (NPDCCH) and Narrowband Physical Downlink Shared Channel (NPDSCH). The control channel contains information on uplink and downlink resource scheduling, allowing the UE to know when to receive or send messages. In the shared channel, downlink data and other system messages are exchanged. Note that control and shared channels may occupy several subframes, depending on the size of the message, the number of repetitions, etc. Two different channels are defined for uplink transmission, as also pictured in Fig. 3.5. The first connection attempt (Random access preamble) of the UE to the eNB is transmitted in Narrowband Physical Random Access Channel (NPRACH), where the collision happens. The uplink data is transmitted in Narrowband Physical Uplink Shared Channel (NPUSCH). Those resources are allocated by the upper layer avoiding a-priori any collision. Therefore, this channel is also known as a noncontention channel. Finally, NB-IoT supports two transmission modes: Multiton and Singleton. Singleton uplink messages occupy only one subcarrier, while Multiton uplink messages occupy multiple (3, 6, 12) subcarriers. So multiple UEs can occupy the same channel, allowing more users to be connected simultaneously. Unlike NB-IoT, in a LoRaWAN network EDs do not negotiate the resource allocation with the GW, but they still need to join the network, before being able to transmit the data. 
To this aim, they should exchange some keys with the LNS, and ensure the secure data exchange over the end-to-end system. As shown in Fig. 3.6, two different join procedures are supported by the standard: Activation Before Personalization (ABP) and Over The Air Activation (OTAA). In the ABP, the keys are pre-stored in the ED. When there is a message to send, the keys are sent along with the data and authenticated by the LNS. Instead, in the OTAA mode, the


Fig. 3.6 LoRaWAN join procedures: OTAA vs ABP

Fig. 3.7 The LoRaWAN communication mode: Classes A, B and C

EDs need to send a join request and receive a join accept from the LNS before being accepted in the network. The LoRaWAN protocol adopts an ALOHA-based random-access scheme [43] as Medium Access Control Protocol. EDs transmit without first listening to or sensing the channel. The LoRa EDs can operate in three different communication classes, illustrated in Fig. 3.7. Class A is the simplest mode and the default class, supported by all the EDs. After each uplink transmission, two receive windows, Rx1 and Rx2, are opened, allowing the ED to receive downlink traffic from the LNS through the GW. The ED waits for 1 s before opening Rx1. If the ED cannot receive any downlink in Rx1, then it opens Rx2 after an additional delay of 1 s. The ED switches into sleep mode after Rx2, until the next uplink starts. Class C is like Class A, with the difference that the receiving windows are never closed, and they stay open until the next uplink. Thus, Class C is less energy-efficient than Class A. In Class B, the EDs use beacon messages sent from the GW to synchronize with the LNS. This allows the EDs to open additional receive windows, named ping slots, without the need for a prior uplink transmission. Since the ED must be in RX mode during the ping slots, Class B implies additional energy consumption compared to Class A. It must be noticed that Class B devices still operate like Class A devices for uplink transmissions.


Fig. 3.8 NB-IoT workflow

The UE of the NB-IoT must synchronize with the eNB by receiving the synchronization signals before connecting with the eNB. For LoRa, only Class B enables the synchronization between the ED and the GW using beacons. When a UE is covered by more than one eNB simultaneously, it measures the received power and then selects the one with the best available coverage (best signal quality). In LoRa, the ED transmits to any gateways in its coverage range. It is up to the LNS to select the best gateway for sending back downlink traffic. Moreover, while in LoRaWAN, the ED receives the configuration parameters from the LNS, in an NB-IoT network, the UE itself determines the Coverage Enhancement (CE) level according to its distance from the eNB and thus, chooses the number of repetitions of a message (2–1024 times). The higher the CE level (0–2), the higher the power consumption of the data transmission [29]. When the UE has a message to send or monitors paging, it will connect to the eNB as shown in Fig. 3.8. The random-access process will begin once the UE completes the synchronization with the eNB. A random-access preamble is sent to the eNB using the random-access channel (Msg1). The UE starts a timer and waits for a random-access response (Msg2). If no response is received, the UE will send a new preamble. After a successful reception of Msg2, Msg3 is sent from the UE to the eNB, which holds control information of radio resources, data volume, reconfiguration request, etc. Msg4 is the connection setup and the contention resolution, where the eNB accepts to establish the connection with a UE. After receiving Msg4, the UE will enter the connected state from the idle state. Then the eNB and UE exchange messages for authentication and AS security configuration (Msg6–9). After that, UE sends its uplink data and receives downlink data. Finally, the eNB releases the connection if it detects inactivity from the UE (Msg10). 
NB-IoT defines two optimization methods for data transmission to reduce message exchange: the User Plane (UP) and the Control Plane (CP) optimization. The CP carries the signaling responsible for accessing the UE, allocating resources (e.g., messages exchanged after random access), etc.; the UP carries the user data. It must be noticed that for sending and receiving a few bytes of data, the signaling overhead consumed by the UE from the idle state to the connected state is much more significant than the data load. To make data transmission more efficient, two


Fig. 3.9 NB-IoT CP optimization

Fig. 3.10 NB-IoT UP optimization

optimization schemes have been proposed: Control Plane (CP) and User Plane (UP) optimization. With the CP optimization shown in Fig. 3.9, small packets can be added to the control message (Msg5) and bypass the security configurations to improve the speed for transferring small data. This mode is insecure compared to other modes. The UP optimization allows idle users to transfer data quickly through the suspend and resume process. After establishing the first connection (see Fig. 3.10), the user’s information can be stored in the eNB. No Connection Release message is transmitted. When there is new data to transfer, the UE can soon recover the connection without re-establishing the security information. In Release 15, 3GPP defined the Early Data Transmission (EDT) mode to reduce UE energy consumption and message latency by reducing the number of transmissions [30]. Specified for both UP and CP optimization, the EDT can be used when the UE is in idle mode and has less than the maximum broadcast uplink data to send. In this mode, only four messages between the eNB and the UE are required to complete the data transmission because the data is sent during the random-access procedure. As shown in Fig. 3.11, the data is included in Msg3. The method of encapsulating and transmitting uplink data is like the optimization of the CP. If the UE receives the Msg4 indicating that the procedure is terminated, it can go to the sleep state or stay in the idle state. Thanks to more complex synchronization and resource allocation techniques, NB-IoT can offer higher reliability compared to LoRa. This is paid with (1)


Fig. 3.11 NB-IoT early data transmission

longer transmission delays, which can be reduced using CP, UP optimization, and EDT; and (2) higher energy consumption for the IoT device. LoRa, while being more energy-efficient, suffers from a high collision probability due to the random-access mechanism. Both reliability and throughput can be improved using resource allocation schemes, like TDMA approaches. In the following, an in-depth analysis of the performance achievable with the two technologies is conducted in order to identify key protocol metrics impacting the performance.

3.3 Methodological Approach for Performance Evaluation

Evaluating the performances of NB-IoT and LoRaWAN is the very first step to effectively comparing their modes of operation. Then, the best communication protocol can be selected to fit the target application’s requirements expressed as a set of Key Performance Indicators (KPI). Remarkably, the typical KPIs for network performance evaluation are Reliability, Latency, and Throughput [47]. As already discussed in Sect. 3.1, IoT networks require the evaluation of another important KPI, i.e., Energy Efficiency. In this chapter, only these four most critical KPIs for LPWAN will be discussed and analyzed. The importance of evaluating all these aspects to choose the most fitting network technology can be intuitively understood as follows. NB-IoT is designed to be a reliable, delay-tolerant protocol on the licensed spectrum, while LoRa is a loss-tolerant protocol. Hence, they provide different link-layer solutions for different needs, making it possible to choose between reliable and delay-constrained protocols. With the goal of deeply understanding which parameters affect the identified KPIs, this section focuses on the analysis of the LPWAN terrestrial network, while an extension to ground-to-satellite communications will be discussed in the following sections. The most recent works on LPWAN modelling that drove the identification of the KPIs are listed in Table 3.2. Instead, Table 3.3 summarises the mathematical notation used in this section, and throughout the entire chapter.


Table 3.2 Comparison of the models and their KPIs

| KPI | Modeled technology: NB-IoT | Modeled technology: LoRaWAN |
|---|---|---|
| Reliability | [8, 21, 34] | [6, 9, 20, 35, 36, 46] |
| Latency | [4, 5, 34, 37] | [6, 46] |
| Throughput | [21, 37, 49] | [6, 9, 36] |
| Energy efficiency | [4, 5, 7, 37] | [38, 42] |

Table 3.3 Symbol definitions

| Symbol | Definition |
|---|---|
| $g$ | Traffic generation rate per single node |
| $g_r$ | Traffic successful transmission rate per single node |
| PHY | PHY layer configurations |
| MAC | MAC layer configurations |
| $t_p$ | Propagation time between the device and the gateway |
| $t_{pr}$ | Message processing time |
| $t_{sb}$ | Delivery time over the Satellite backhaul, from the satellite to the server |
| $t_{sync}$ | Synchronization time between the UE and eNB |
| $E$ | Device energy consumption |
| $EE$ | Energy efficiency of the network |
| $E_{sync}$ | Energy spent for the synchronization |
| $E_{TX}$ | Energy consumption in TX mode |
| $E_{RX}$ | Energy consumption in RX mode |
| $E_{pr}$ | Energy consumption for processing the data |
| $E_{total}$ | Total energy required to deliver the message to the satellite |
| $a_S$ | Satellite availability rate during a specific period |
| DR | Message data rate |
| $d$ | Density of devices operating in the network |
| $N$ | Number of devices operating in the network |
| $M$ | Maximum number of retransmissions |
| $\tilde{m}$ | Average number of retransmission |
| $r_t$ | Number of retransmissions |
| $L$ | e2e LPWAN network latency |
| $L_s$ | e2e satellite LPWAN network latency |
| $T$ | e2e LPWAN network throughput |
| $T_s$ | e2e satellite LPWAN network throughput |
| $R$ | e2e LPWAN network reliability |
| $R_s$ | e2e satellite LPWAN network reliability |

First of all, a communication protocol is reliable if the transmitter can be notified through an acknowledgement (ACK) about the correct delivery of data frames from the receiver. The lack of any ACK mechanism makes the communication


protocol unreliable. This is the case of unconfirmed Class A LoRaWAN frame transmissions.

Instead, the portion of acknowledged transmissions provides a measure of the Reliability of the communication protocol [28]. Such a KPI can be evaluated for LoRaWAN confirmed-based communications and for NB-IoT. When the analyzed protocol enables re-transmission of unacknowledged frames up to a maximum of M times, then the reliability R of the protocol is

$$R = 1 - \mathrm{PLR}^{M}, \tag{3.2}$$

where PLR is the measured Packet Loss Ratio.

Clearly, since the PLR is a positive real number lower than 1, a higher value for M translates into increased communication reliability [34]. At the same time, a higher PLR negatively impacts such a KPI. As a consequence, the communication reliability can be kept over a given threshold value by properly tuning either the maximum number of retransmissions M or the PLR. While M can be quickly configured as a parameter setting within the device firmware or via a remote MAC command, the PLR is not a directly configurable parameter since it depends on several variables, as follows:

$$\mathrm{PLR} = f(\mathrm{MAC}, \mathrm{PHY}, g, d). \tag{3.3}$$

As a matter of fact, it is worth noticing that the PLR depends on both MAC and PHY layer configurations. More specifically, a collision-free MAC strategy makes the PLR only dependent on the Signal to Noise Ratio (SNR) [21]. Contrariwise, when the MAC layer is contention-based, frames are correctly delivered if they do not incur collisions. Moreover, the PHY layer configuration, such as LoRa’s SF value [9, 20] and NB-IoT’s CE level, will also affect the PLR. With a higher SF value or CE level, the maximum distance between EDs (UEs) and GW (eNB) increases. Therefore, the PLR also increases with distance [36]. On the other hand, a broader coverage area corresponds to a higher network load, which in turn increases the collision probability [6]. In addition, the traffic generation rate g of each device and the density of devices d also determine the network load. The collision can happen in both the join and data transmission phase in the LoRaWAN [6, 35, 46] by using the same SF at the same time in the specific channel. But for NB-IoT, the packet loss caused by collision only occurs in the random-access phase. By increasing the network load, allocating the limited network resources would be the main issue in the NB-IoT. The resource allocation time (service time) may be too long in the data transmission phase, also resulting in packet loss [8]. It has to be noticed that the number of retransmissions can also be increased by the unavailability of the


network [2]. This is the case, for instance, of a satellite LoRa gateway: the device may try several times to deliver the message to a network that is not available.

Then, the time elapsed from the generation of the data frame to its correct delivery (through a variable number of retransmissions) is the Latency of the network. It can be described as

$$L = f(\mathrm{MAC}, t_p, \tilde{m}). \tag{3.4}$$

Without considering retransmissions, the different modes of the MAC protocol, such as EDT mode for NB-IoT and Class B for LoRa, have different message exchange strategies, thus giving various network latencies. Furthermore, differences in the distance between the device and the GW (eNB) result in different propagation times $t_p$ [38], which are usually negligible for terrestrial networks (but considerable for satellite networks). In fact, in the case of retransmissions caused by packet loss, an extra delay will be added to the network, which depends on the average number of retransmission $\tilde{m}$. PLR directly determines the expected number of retransmissions required to transmit a packet successfully, and M provides an upper limit for this number. So the average number of retransmission is

$$\tilde{m} = f(\mathrm{PLR}, M). \tag{3.5}$$

Obviously, the parameters that affect the PLR also affect the latency, such as the number of connected devices, CE level [4, 5], SF [6, 46], low SNR [37], etc. As introduced in the previous part, when the PLR is high, a better way to keep the network reliability is to increase the maximum number of retransmissions. But as the maximum number of retransmissions increases, the network latency also increases [34], so a trade-off strategy is needed based on the specific application requirements.
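The trade-off between reliability and latency can be made concrete by choosing the smallest M that meets a reliability target and costing the retransmissions it implies. This is an added example, not code from the chapter, and all names are hypothetical. It takes Eq. 3.2 literally (M counts the transmission attempts), assumes independent losses with the same PLR on every attempt as one possible instance of the unspecified f in Eq. 3.5, and charges each unanswered attempt the 2 s Class A wait (Rx1 plus Rx2) described earlier.

```python
"""Reliability versus retransmission cost, built on Eq. 3.2 (added example)."""
from dataclasses import dataclass
from typing import Optional

# Class A timing from the text: 1 s until Rx1, one more second until Rx2.
ACK_WAIT_S = 2.0


def _check_plr(plr: float) -> None:
    if not 0.0 <= plr <= 1.0:
        raise ValueError("PLR must lie in [0, 1]")


def reliability(plr: float, m: int) -> float:
    """Eq. 3.2: R = 1 - PLR**M, with M the number of attempts allowed."""
    _check_plr(plr)
    if m < 1:
        raise ValueError("M must be at least 1")
    return 1.0 - plr ** m


def min_attempts(plr: float, target: float, m_cap: int = 1024) -> Optional[int]:
    """Smallest M with R >= target, or None if m_cap attempts do not suffice."""
    _check_plr(plr)
    if not 0.0 < target < 1.0:
        raise ValueError("target reliability must lie in (0, 1)")
    failure_budget = 1.0 - target
    fail = 1.0  # probability that every attempt so far was lost
    for m in range(1, m_cap + 1):
        fail *= plr
        if fail <= failure_budget + 1e-12:  # tolerance for float rounding
            return m
    return None  # e.g. PLR = 1: no number of attempts helps


def expected_attempts(plr: float, m: int) -> float:
    """Mean attempts actually sent when stopping at the first ACK or after M.

    Assumption: losses are independent, so this is E[min(G, M)] for a
    geometric G, i.e. the sum of PLR**k for k = 0 .. M-1.
    """
    _check_plr(plr)
    if m < 1:
        raise ValueError("M must be at least 1")
    return sum(plr ** k for k in range(m))


@dataclass(frozen=True)
class Plan:
    plr: float
    m: int
    reliability: float
    expected_attempts: float
    expected_time_s: float  # airtime, propagation and unanswered ACK waits


def plan(plr: float, target: float, toa_s: float, t_p_s: float = 0.0) -> Optional[Plan]:
    """Pick M for the target and estimate the time it costs on average."""
    m = min_attempts(plr, target)
    if m is None:
        return None
    attempts = expected_attempts(plr, m)
    # Each attempt costs ToA plus propagation; each attempt after the first
    # was preceded by one full unanswered ACK wait.
    expected_time = attempts * (toa_s + t_p_s) + (attempts - 1.0) * ACK_WAIT_S
    return Plan(plr, m, reliability(plr, m), attempts, expected_time)


if __name__ == "__main__":
    # Constructed inputs: 99% target, 0.5 s ToA, negligible terrestrial t_p.
    for plr in (0.1, 0.3, 0.5, 0.7):
        p = plan(plr, 0.99, toa_s=0.5)
        print(f"PLR={plr:.1f}: M={p.m:2d}  R={p.reliability:.4f}  "
              f"attempts={p.expected_attempts:.3f}  time={p.expected_time_s:.2f} s")
```

Passing a satellite-scale propagation time as `t_p_s` shows how quickly the time cost grows when the PLR is high and the link is long.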

The Throughput is the rate of successful packet delivery. The value of throughput is impacted by the traffic generated by each device, the network density, and PLR, as shown in Eq. 3.6. Obviously, the network with more density will have more generated traffic that also increases the PLR. Note that the ideal throughput is the generated traffic when PLR is equal to 0.

$$T = f(g, d, \mathrm{PLR}) \tag{3.6}$$


For LoRa, several factors such as Inter-SF and Intra-SF [36] impact the throughput by generating collisions due to orthogonality issues of the SFs. These factors will reduce the throughput especially in networks with high node density, or co-existing with other networks, or with large distance between the EDs and the GW [9]. In this situation, a higher value of g will imply less throughput by increasing the ToA and the collision probability. Likewise for NB-IoT, the model of network throughput can be built on the basis of PLR analysis [21]. The parameters such as the number of UEs and traffic generation rate [37] are also critical factors that affect the throughput. On the other hand, as the generated traffic increases, the system throughput will increase, but the probability of collision will also increase, which has a negative impact on the system throughput [49]. Therefore, an optimum scheduling technique can reach the maximum available throughput by efficiently allocating the network resources [6].

The Energy efficiency describes the number of transmission bits obtained when the system consumes a unit of energy and presents the utilization efficiency of energy by the system [11]. Thus, the energy efficiency can be described as

$$EE = \frac{T}{N \times E} = \frac{g_s}{E}, \tag{3.7}$$

where $g_s$ is the rate of successful transmissions for each device. In other words, its value is equal to the network throughput T divided by the total number of devices N in the network. Also the average energy consumption E depends on several parameters

$$E = f(\mathrm{PHY}, \mathrm{MAC}, \tilde{m}). \tag{3.8}$$

Like other KPIs, the number of retransmissions caused by high PLR directly impacts the energy consumption rate, which requires extra energy to transmit fewer packets per unit of time [37]. For NB-IoT, with the different CE levels based on link quality, battery lifetime can be from 3 years to 23 years [4]. In the LoRaWAN, the energy consumption is different based on the SF selection [38]. The lifetime of an ED battery will be less than two years for the transmission interval of 60 s with SF = 7, while it would be about 3 months for SF = 12 [42]. The main goal of the NB-IoT EDT mode is to simplify the transmission process, reducing energy consumption. The model proposed in [7] focused on the energy consumption of the UE when working in EDT mode. The results show a significant improvement in the performance. In the LoRaWAN, different classes have different energy consumption behavior: Class A is the most efficient, Class C the most energy-hungry, and Class B the middle energy consumer. Also, other variants were proposed in the literature. For instance,


Class S was introduced in [14] to improve the performance of Class B in throughput and, in turn, energy efficiency by wisely enlarging the slots of Class B. Based on Class S, TREMA [15] presented a scheduling technique to leverage its energy efficiency and higher throughput.



! Attention

Clearly, the best performance cannot be achieved for all the KPIs at the same time. Therefore, a trade-off must be considered based on the needs of the specific application. When considering a satellite LPWAN, the KPIs are affected by the several challenges introduced by the LEO satellite. In what follows, the challenges and their impact on the KPIs are discussed.

3.4 Satellite LPWAN: Opportunities and Challenges

Satellite technology is emerging as a key enabler to transform IoT connectivity and allows global IoT coverage in beyond 5G systems [24, 41, 44]. By integrating satellites with long-range low power network technology, it is possible to deliver seamless connectivity, extended to air, sea [51], and other remote, difficult-to-access areas. Besides extended coverage, the combination of satellites and LPWAN also gives the opportunity of increasing reliability and network capacity. In fact, satellites may be the only available communication medium when terrestrial networks are not available or not operational anymore (e.g., after a natural disaster). Over the last years, IoT by satellite became more and more affordable, available, and accessible, thanks to the launch of several low-cost miniaturized Low Earth Orbit (LEO) satellites (CubeSats) [3]. Those LEO satellites are the most appealing ones for IoT applications due to the shorter delay that they introduce (40 ms) compared to Geostationary Earth Orbit (GEO) satellites (500 ms). However, their intrinsic orbital properties imply limited visibility time (around 2 minutes per visit). This issue can be overcome by using large constellations of LEO satellites, able to provide almost continuous coverage, and it will be further solved in future systems with relay networks from LEO to GEO satellites and inter-satellite links (ISL). The foreseen scenario is illustrated in Fig. 3.12. Clearly, connecting IoT devices directly to LEO satellites opens many new opportunities. Besides that, there exist many challenges to overcome for allowing the smooth integration and interoperability of satellites and LPWAN terrestrial networks [13, 27]. This section overviews the challenges, while the following one will discuss their impact on the KPIs introduced in Sect. 3.3.
LEO satellites have large relative velocities to the IoT device on the ground, which results in a significant Doppler effect. For a LEO-600 km satellite, the maximum Doppler effect is up to ±48 kHz [19], which is much larger than the bandwidth of one NB-IoT sub-carrier, equal to only 15 kHz. Moreover, the large


Fig. 3.12 Satellites on different orbits

distance between the IoT device on the ground and the LEO satellites (500–2000 km) introduces a higher propagation delay. In NB-IoT networks, UE and eNB must be synchronized in time and frequency. To this aim, several messages are exchanged between the UE and eNB (at least four in EDT mode) before the actual data transmission. Completing the synchronization and resource allocation phase within the limited visibility time of the satellite is a big challenge for NB-IoT. Due to the Doppler effect and long propagation delay, NB-IoT could easily fail to accomplish the message transmission. While LoRa does not request synchronization between the ED and the gateway prior to the data transmission, the Doppler effect still impacts the LoRa PHY protocol since CSS signals are extremely sensitive to time and frequency offsets. In [22], the authors demonstrated that SF 12 is more immune against the Doppler effect when EDs communicate with satellite gateways at a height above 500 km. Recently, a modification of the LoRa PHY, namely the differential CSS (DCSS), was proposed in [10]. DCSS allows demodulating the signals without the need of performing a complete frequency synchronization and by tolerating some timing synchronization errors, such as those introduced by the Doppler shift, variable in time. Long transmission distance, significantly attenuated electromagnetic waves, and high transmission loss are among the remarkable features of satellite communication. Together they determine the link budget, which impacts the energy consumption of the ground equipment, as well as the KPIs of the entire system. For NB-IoT, lower spectral efficiency will affect the transmission of resource allocation information. It follows that the UE cannot transmit uplink data on time, which will result in decreased throughput and increased delay [19, 33].
Link budget from LoRa ground sensor to satellite gateway has been computed empirically in literature [25], confirming the feasibility of the communication. Both LoRa PHY with SF 12


and LR-FHSS protocol allow increasing network capacity and collision robustness against link budget constraints [12]. As distance increases, ground devices must consume more power than what is needed in terrestrial systems to send or receive messages. This translates into a shorter battery lifetime for the NB-IoT UEs [33]. The same applies to LoRa EDs. In [26], the authors evaluated the performance of a satellite LoRaWAN using Iridium Satellites: they proved that EDs with a battery of 2400 mAh could operate ∼1 year, transmitting every 100 minutes. To increase the battery lifetime, the transmission rate should be decreased, which translates into reduced throughput. A large constellation of LEO satellites with inter-satellite links (as illustrated in Fig. 3.12) can provide full and continuous coverage to IoT devices on the Earth. Such seamless connectivity comes with increased cost and complexity of the network. A more feasible solution consists of discontinuous communication with a small constellation of few LEO satellites [50]. In such a scenario with intermittent connectivity, to save energy the IoT devices must wake up and transmit only when the satellite is available. Following the NB-IoT specifications, the synchronization signal must be received before the data transmission. In Rel. 17, 3GPP proposed the use of the Global Navigation Satellite System (GNSS) signal for the UE to compute the satellites and their own position. This method can pre-compensate for the Doppler effect, the frequency and time offset caused by the long distance. Those advantages come at the price of high energy consumption. Another solution proposed in the literature [18] makes use of the synchronization signal transmitted in each NB-IoT downlink radio frame to inform the ground UEs in time about the arrival time of the satellite.
Even though LoRa, unlike NB-IoT, does not require any synchronization prior to the data transmission, the EDs must be aware of the satellite passes to avoid wasting energy on unsuccessful transmissions. To this end, the EDs must have access to the Two-Line Element (TLE) data of the satellite (see Fig. 3.13). The TLE provides a set of algebraic information, i.e., the satellite orbital elements, which allow predicting the satellite trajectory over time. Due to deviations from its initial orbit, the TLE data must be updated periodically. Current satellite LoRaWAN solutions available on the market make use of the TLE data (Lacuna Space: https://lacuna.space/). Due to the considerable number of EDs that could be in the satellite coverage (i.e., within the satellite footprint), the knowledge of the satellite passes is not enough to ensure good network performance. In fact, the probability of collision, already high in LoRaWAN terrestrial networks [6], could only get worse in such a hybrid scenario. Hence the need to adopt scheduling techniques [1] to avoid collisions. In addition, bulk data transmission [53] could be used in combination with TDMA approaches to ensure efficient use of the limited satellite resources (2–3 times visibility per day, for approximately 2 minutes).

Fig. 3.13 LEO satellite coverage, while moving along its orbit. The knowledge of the satellite TLE allows the EDs to transmit when they are in the coverage range of the satellite (i.e., within the satellite footprint)

The unavailability of the satellite does not affect only the access network. The communication between the satellite and the network server can be discontinuous too. To ensure end-to-end communication over the entire network, and avoid packet drops, the satellite gateway or satellite eNB must have the ability to store the messages and forward them when passing through the ground satellite gateway. The lack of connectivity between the satellite and the LNS can also hamper the exchange of LoRa confirmed uplink messages. Even in the case of correct reception of the packet at the LNS, in the absence of an ACK (either not forwarded at all by the gateway because it is not available, or not transmitted on time, within the receiving windows), the ED would retry the transmission. This results in wasted resources: the ED’s energy, channel resources with contention, and possible collision with other concurrent transmissions. Overall, it translates into deterioration of the network performance in terms of reliability, throughput, and energy efficiency.

> Tips

Discontinuous communication can also cause network authentication problems. In an NB-IoT network, the network authentication is unfeasible when the UE and the ground base station are not in the same satellite coverage at the same time. Discontinuous communication makes the handshake between the UE and the core network impossible, which poses a challenge to the reliability of the satellite IoT. Like NB-IoT, the LoRaWAN OTAA join procedure would fail when EDs and LNS are not at the same time under the coverage of the satellite gateway [2]. Moreover, stable connectivity is needed to support downlink multicast traffic. Prior to the multicast data exchange, several uplink and downlink unicast messages must be exchanged between the EDs and the LNS (multicast session set-up). Intermittent links would cause the expiration of multicast session timeouts and would thus prevent the multicast transmission.


3.5 Qualitative Performance Analysis of Satellite LPWAN

In Sect. 3.3, some KPIs for the performance evaluation of terrestrial LPWAN networks were analyzed. However, when integrating LPWAN with LEO satellites, the challenges presented in Sect. 3.4 must be taken into account to model and estimate the KPIs of the combined network. In this section, the analysis presented refers to the availability of a single satellite equipped either with a LoRa GW or an NB-IoT eNB. This represents the worst case scenario. Instead, LEO constellations will be considered in future works to feature the scalability of such network architecture. First, it has to be noticed that the reliability of the satellite LPWAN network would be highly affected by the LEO satellite and its visibility time. In fact, a major source of packet losses is caused by the frequent unavailability of the LoRa GW (eNB). Let $a_S$ be the satellite availability. Then, the reliability of the satellite LPWAN $R_s$ is

$$R_s = R \times a_S. \tag{3.9}$$

Clearly, $R_s$, like $R$, is mainly a function of the PLR. The latter can still be formulated as in Eq. 3.3. Thus, it depends on PHY and MAC parameters, traffic generation rate per node, and node density. Thanks to its large footprint, the LEO satellite can provide wide coverage, resulting in a large number of IoT devices being in the satellite visibility at the same time. The higher value of the node density increases the PLR, and thus deteriorates the reliability. When considering a constellation of LEO satellites offering continuous coverage, $a_S \to 1$, and thus $R_s \to R$. The Latency of the network, as expressed in Eq. 3.4, is affected by the MAC schemes, together with the propagation time, and the average number of retransmissions. In more detail, the Latency is the combination of different delays, due to the initial synchronization, the following data processing and propagation, and finally the data delivery to the application server over the satellite backhaul. In a simplified manner, the Latency $L_s$ can be formulated as:

$$L_s = t_{sync} + m \times (t_{pr} + t_p) + t_{sb} \tag{3.10}$$

with $m$ representing the total number of packets exchanged, including retransmissions. A device takes $t_{pr}$ to generate a packet, which will propagate for $t_p$ to be received by the gateway. Ground-to-satellite links feature a larger propagation delay $t_p$ than that of terrestrial networks. Besides, such a delay is not fixed and its duration varies according to satellite movements. Meanwhile, the packet takes $t_{sb}$ to be delivered from the satellite gateway to the remote server. In case of a LEO satellite constellation, $t_{sb}$ includes the ISL link delay. The network latency increases with a growing number of ISLs. For LoRa unconfirmed messages, Eq. 3.10 is simplified, with $m = 1$ and $t_{sync} = 0$. For NB-IoT, the synchronization delay is a relevant component of the satellite network latency. Moreover, $m$ varies according to the different NB-IoT optimization modes (UP, CP, EDT). In case of higher PLR, the value of $m$ will increase, resulting in higher latency. Since confirmed messages are acknowledged directly by the eNB, no additional delay is introduced by the satellite backhaul. Like the reliability, the Throughput is also affected by the satellite availability time and large coverage range. So it can be described by Eq. 3.11. Unavailability of the satellite causes more packet losses and therefore less throughput. Similarly, having many devices (with higher density $d$) in the coverage range of the satellite translates into higher PLR, due to data packet collision in LoRa, and congestion during NB-IoT synchronization. As a consequence of increased PLR, the throughput of the satellite LPWAN decreases.

$$T_s = T \times a_S \tag{3.11}$$

The communication with a satellite gateway strongly impacts the energy consumption of the IoT device on the ground. The long distance between the device and the satellite asks for more power consumption, both in transmission mode, $E_{TX}$, and in reception mode, $E_{RX}$. Instead, the energy required for processing the message, $E_{pr}$, remains the same as in fully terrestrial networks. Thus, the energy consumption can be described as

$$E_{total} = E_{sync} + m_1 \times (E_{pr} + E_{TX}) + m_2 \times (E_{pr} + E_{RX}), \tag{3.12}$$

where $m_1$ and $m_2$ represent the number of uplink and downlink packets, respectively. For unconfirmed LoRa messages, Eq. 3.12 is simplified, by considering $m_1 = 1$, $m_2 = 0$ and $E_{sync} = 0$. In case of LoRa confirmed messages, $m_1 = m_2$ and $m_1$ represents the number of retransmissions, $m - 1$. In an NB-IoT network, the values of $m_1$ and $m_2$ change based on the optimization method adopted. Moreover, the energy spent during the synchronization phase, $E_{sync}$, represents a relevant component of the whole energy consumption of the IoT device.

As mentioned in the previous section, one LEO satellite suffers from long unavailability times during a specific time period. Such behaviour makes satellite LPWAN unfit for applications that require higher reliability (like mission-critical, Tactile Internet, etc.). Since the satellite has a broader coverage area, more devices will try to connect to the satellite at the same time, and the probability of collision will be greatly increased. As a result, applications requiring high throughput cannot be satisfied. Therefore, the network size (i.e., the number of served devices) should be reduced, to increase the network throughput. Finally, satellites impose longer delays on the network and thus longer latency compared to terrestrial networks. This makes them not a good fit for ultra low latency applications. While the goal of any network is to support higher scalability, increasing the number of LEO satellites and providing full coverage will help support the applications that need higher reliability and throughput.


3.6 Conclusion and Future Work

NB-IoT and LoRaWAN are among the LPWAN technologies that have fostered a widespread deployment of IoT networks, thanks to their low power, low cost and long distance communications. These features have recently been explored for ground-to-satellite communications, enabling a truly pervasive and ubiquitous IoT availability. Such a network architecture is clearly expected to trigger the growth of novel IoT applications unimaginable before. Indeed, the success of the future satellite IoT will come from its ability to meet the needs of specific use cases. In a timely manner, this chapter outlines a methodological approach aimed at the correct choice of the LPWAN technology and the best communication pattern fitting the needs of any satellite IoT application. To do that, reliability, latency, throughput, and energy efficiency have been identified as KPIs to be used for comparing different protocols. Importantly, their inner dependency on configurable settings, e.g., the maximum number of retransmissions in contention-based medium access schemes, has also been properly investigated. Such an analysis will be leveraged in future research works to design both novel medium access schemes, and efficient algorithms able to autonomously adapt the communication protocol to time-varying traffic conditions and to grant a sufficient level of quality of service. In addition, such an analysis will be extended to tackle the availability of LEO satellite constellations, thus targeting highly available and scalable LPWANs backhauled by LEO satellites.
Acknowledgments This work was supported by the IRT Saint Exupéry project satELLite IOT (ELLIOT), the ANR LabEx CIMI (grant ANR-11-LABX-0040) within the French State Programme “Investissements d’Avenir,” the Project STICAMSUD 21-STIC-12, and the Design of LoRaWAN protocol optimisation over SATellite Connection for precision agriculture applications (LORSAT) Project, through the National Research Fund Luxembourg (FNR), under Grant CORE/C19/IS/13705191.

References

1. Afhamisis, M., Palattella, M.R.: SALSA: a scheduling algorithm for LoRa to LEO satellites. IEEE Access 10, 11608–11615 (2022). https://doi.org/10.1109/ACCESS.2022.3146021
2. Afhamisis, M., Barillaro, S., Palattella, M.: A testbed for Lorawan Satellite Backhaul: design principles and validation. In: ICC 2021 - IEEE International Conference on Communications. IEEE (2022)
3. Akyildiz, I.F., Kak, A.: The Internet of Space Things, CubeSats: a ubiquitous cyber physical system for the connected world. Comput. Netw. 150, 134–149 (2019). https://doi.org/10.1016/j.comnet.2018.12.017
4. Andres-Maldonado, P., Lauridsen, M., Ameigeiras, P., Lopez-Soler, J.M.: Analytical modeling and experimental validation of NB-IoT device energy consumption. IEEE Internet Things J. 6(3), 5691–5701 (2019). https://doi.org/10.1109/JIOT.2019.2904802
5. Azari, A., Stefanović, Č., Popovski, P., Cavdar, C.: On the latency-energy performance of NB-IoT systems in providing wide-area IoT connectivity. IEEE Trans. Green Commun. Netw. 4(1), 57–68 (2020). https://doi.org/10.1109/TGCN.2019.2948591
6. Bankov, D., Khorov, E., Lyakhov, A.: LoRaWAN modeling and MCS allocation to satisfy heterogeneous QoS requirements. Sensors 19(19) (2019). https://doi.org/10.3390/s19194204
7. Barbau, R., Deslandes, V., Jakllari, G., Beylot, A.: An analytical model for evaluating the interplay between capacity and energy efficiency in NB-IoT. In: 2021 International Conference on Computer Communications and Networks (ICCCN), pp. 1–9 (2021). https://doi.org/10.1109/ICCCN52240.2021.9522178
8. Barbau, R., Deslandes, V., Jakllari, G., Tronc, J., Beylot, A.: An analytical model for assessing the performance of NB-IoT. In: ICC 2021 - IEEE International Conference on Communications, pp. 1–6 (2021). https://doi.org/10.1109/ICC42927.2021.9500950
9. Beltramelli, L., Mahmood, A., Gidlund, M., Österberg, P., Jennehag, U.: Interference modelling in a multi-cell LoRa system. In: 2018 14th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 1–8 (2018). https://doi.org/10.1109/WiMOB.2018.8589100
10. Ben Temim, M.A., Ferré, G., Tajan, R.: A new LoRa-like transceiver suited for LEO satellite communications. Sensors 22(5) (2022). https://doi.org/10.3390/s22051830
11. Björnson, E., Larsson, E.G.: How energy-efficient can a wireless communication system become? In: 2018 52nd Asilomar Conference on Signals, Systems, and Computers, pp. 1252–1256 (2018). https://doi.org/10.1109/ACSSC.2018.8645227
12. Boquet, G., Tuset-Peiró, P., Adelantado, F., Watteyne, T., Vilajosana, X.: LR-FHSS: overview and performance analysis. IEEE Commun. Mag. 59(3), 30–36 (2021). https://doi.org/10.1109/MCOM.001.2000627
13. Centenaro, M., Costa, C., Granelli, F., Sacchi, C., Vangelista, L.: A survey on technologies, standards and open challenges in satellite IoT. IEEE Commun. Surv. Tutorials 23(3), 1693–1720 (2021). https://doi.org/10.1109/COMST.2021.3078433
14. Chasserat, L., Accettura, N., Berthou, P.: Short: achieving energy efficiency in dense LoRaWANs through TDMA. In: 2020 IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), pp. 26–29 (2020). https://doi.org/10.1109/WoWMoM49955.2020.00019
15. Chasserat, L., Accettura, N., Prabhu, B., Berthou, P.: TREMA: a traffic-aware energy efficient MAC protocol to adapt the LoRaWAN capacity. In: 2021 International Conference on Computer Communications and Networks (ICCCN), pp. 1–6 (2021). https://doi.org/10.1109/ICCCN52240.2021.9522147
16. Chaudhari, B.S., Zennaro, M., Borkar, S.: LPWAN technologies: emerging application characteristics, requirements, and design considerations. Future Internet 12(3) (2020). https://doi.org/10.3390/fi12030046
17. Chen, Y., Sambo, Y.A., Onireti, O., Imran, M.A.: A survey on LPWAN-5G integration: main challenges and potential solutions. IEEE Access 10, 32132–32149 (2022). https://doi.org/10.1109/ACCESS.2022.3160193
18. Chougrani, H., Kisseleff, S., Martins, W.A., Chatzinotas, S.: NB-IoT random access for nonterrestrial networks: preamble detection and uplink synchronization. IEEE Internet Things J., pp. 1–1 (2021). https://doi.org/10.1109/JIOT.2021.3123376
19. Conti, M., Andrenacci, S., Maturo, N., Chatzinotas, S., Vanelli-Coralli, A.: Doppler impact analysis for NB-IoT and satellite systems integration. In: ICC 2020–2020 IEEE International Conference on Communications (ICC), pp. 1–7 (2020). https://doi.org/10.1109/ICC40277.2020.9149140
20. Croce, D., Gucciardo, M., Mangione, S., Santaromita, G., Tinnirello, I.: Impact of LoRa imperfect orthogonality: analysis of link-level performance. IEEE Commun. Lett. 22(4), 796–799 (2018). https://doi.org/10.1109/LCOMM.2018.2797057
21. Cruz, R., Coelho, A., Campos, R., Ricardo, M.: A theoretical model for planning NB-IoT networks. In: 2019 International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 1–4 (2019). https://doi.org/10.1109/WiMOB.2019.8923389
22. Doroshkin, A.A., Zadorozhny, A.M., Kus, O.N., Prokopyev, V.Y., Prokopyev, Y.M.: Experimental study of LoRa modulation immunity to doppler effect in CubeSat radio communications. IEEE Access 7, 75721–75731 (2019). https://doi.org/10.1109/ACCESS.2019.2919274
23. ETSI (European Telecommunications Standards Institute): System Reference document (SRdoc); Technical characteristics for Low Power Wide Area Networks Chirp Spread Spectrum (LPWAN-CSS) operating in the UHF spectrum below 1 GHz. Tech. Rep. TR 103 526 V1.1.1, Washington, DC, USA (2018 [Online]). https://www.etsi.org/
24. Fang, X., Feng, W., Wei, T., Chen, Y., Ge, N., Wang, C.X.: 5G Embraces satellites for 6G ubiquitous IoT: basic models for integrated satellite terrestrial networks. IEEE Internet Things J. 8(18), 14399–14417 (2021). https://doi.org/10.1109/JIOT.2021.3068596
25. Fernandez, L., Ruiz-De-Azua, J.A., Calveras, A., Camps, A.: Assessing LoRa for satellite-to-earth communications considering the impact of ionospheric scintillation. IEEE Access 8, 165570–165582 (2020). https://doi.org/10.1109/ACCESS.2020.3022433
26. Gomez, C., Darroudi, S.M., Naranjo, H., Paradells, J.: On the energy performance of iridium satellite IoT technology. Sensors 21(21) (2021). https://doi.org/10.3390/s21217235
27. Guidotti, A., Vanelli-Coralli, A., Conti, M., Andrenacci, S., Chatzinotas, S., Maturo, N., Evans, B., Awoseyila, A., Ugolini, A., Foggi, T., Gaudio, L., Alagha, N., Cioni, S.: Architectures and key technical challenges for 5g systems incorporating satellites. IEEE Trans. Veh. Technol. 68(3), 2624–2639 (2019). https://doi.org/10.1109/TVT.2019.2895263
28. Guo, Y., Zhang, D.: Research on the reliability of MAC protocols for multi-radio sensor networks. In: 2010 First International Conference on Pervasive Computing, Signal Processing and Applications, pp. 410–413 (2010). https://doi.org/10.1109/PCSPA.2010.105
29. Harwahyu, R., Cheng, R.G., Liu, D.H., Sari, R.F.: Fair configuration scheme for random access in NB-IoT with multiple coverage enhancement levels. IEEE Trans. Mob. Comput. 20(4), 1408–1419 (2021). https://doi.org/10.1109/TMC.2019.2962422
30. Hoglund, A., Van, D.P., Tirronen, T., Liberg, O., Sui, Y., Yavuz, E.A.: 3GPP release 15 early data transmission. IEEE Commun. Stand. Mag. 2(2), 90–96 (2018). https://doi.org/10.1109/MCOMSTD.2018.1800002
31. Jiao, J., Wu, S., Lu, R., Zhang, Q.: Massive access in space-based internet of things: challenges, opportunities, and future directions. IEEE Wirel. Commun. 28(5), 118–125 (2021). https://doi.org/10.1109/MWC.001.2000456
32. Knight, M., Seeber, B.: Decoding LoRa: realizing a modern LPWAN with SDR. In: Proceedings of the GNU Radio Conference, vol. 1(1) (2016)
33. Kodheli, O., Maturo, N., Andrenacci, S., Chatzinotas, S., Zimmer, F.: Link budget analysis for satellite-based narrowband IoT systems. In: Ad-Hoc, Mobile, and Wireless Networks, pp. 259–271. Springer International Publishing (2019)
34. Li, H., Chen, G., Wang, Y., Gao, Y., Dong, W.: Accurate performance modeling of uplink transmission in NB-IoT. In: 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS), pp. 910–917 (2018). https://doi.org/10.1109/PADSW.2018.8644571
35. Mahmood, A., Sisinni, E., Guntupalli, L., Rondón, R., Hassan, S.A., Gidlund, M.: Scalability analysis of a LoRa network under imperfect orthogonality. IEEE Trans. Ind. Inform. 15(3), 1425–1436 (2019). https://doi.org/10.1109/TII.2018.2864681
36. Markkula, J., Mikhaylov, K., Haapola, J.: Simulating LoRaWAN: on importance of inter spreading factor interference and collision effect. In: IEEE International Conference on Communications (ICC), pp. 1–7 (2019). https://doi.org/10.1109/ICC.2019.8761055
37. Migabo, E., Djouani, K., Kurien, A.: A modelling approach for the narrowband IoT (NB-IoT) physical (PHY) layer performance. In: IECON - 44th Annual Conference of the IEEE Industrial Electronics Society, pp. 5207–5214 (2018). https://doi.org/10.1109/IECON.2018.8591281
38. Nurgaliyev, M., Saymbetov, A., Yashchyshyn, Y., Kuttybay, N., Tukymbekov, D.: Prediction of energy consumption for LoRa based wireless sensors network. Wirel. Netw. 26(5), 3507–3520 (2020). https://doi.org/10.1007/s11276-020-02276-5
39. Oliveira, R., Guardalben, L., Sargento, S.: Long range communications in urban and rural environments. In: IEEE Symposium on Computers and Communications (ISCC), pp. 810–817 (2017). https://doi.org/10.1109/ISCC.2017.8024627
40. Palattella, M.R., Accettura, N.: Enabling Internet of everything everywhere: LPWAN with satellite Backhaul. In: Global Information Infrastructure and Networking Symposium (GIIS), pp. 1–5 (2018). https://doi.org/10.1109/GIIS.2018.8635663
41. Palattella, M.R., O’Sullivan, J., Pradas, D., McDonnell, K., Rodriguez, I., Karagiannis, G.: 5G Smart connectivity platform for ubiquitous and automated innovative services. In: IEEE 32nd Annual International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), pp. 1582–1588 (2021). https://doi.org/10.1109/PIMRC50174.2021.9569463
42. Philip, M.S., Singh, P.: Energy consumption evaluation of LoRa sensor nodes in wireless sensor network. In: Advanced Communication Technologies and Signal Processing (ACTS), pp. 1–4 (2021). https://doi.org/10.1109/ACTS53447.2021.9708341
43. Polonelli, T., Brunelli, D., Marzocchi, A., Benini, L.: Slotted ALOHA on LoRaWAN-design, analysis, and deployment. Sensors 19(4), 838 (2019). https://doi.org/10.3390/s19040838
44. Qu, Z., Zhang, G., Cao, H., Xie, J.: LEO satellite constellation for Internet of Things. IEEE Access 5, 18391–18401 (2017). https://doi.org/10.1109/ACCESS.2017.2735988
45. Sigfox. Available online: https://www.sigfox.com/en. Accessed 1 May 2022
46. Sørensen, R.B., Kim, D.M., Nielsen, J.J., Popovski, P.: Analysis of latency and MAC-layer performance for class A LoRaWAN. IEEE Wirel. Commun. Lett. 6(5), 566–569 (2017). https://doi.org/10.1109/LWC.2017.2716932
47. Soret, B., Mogensen, P., Pedersen, K.I., Aguayo-Torres, M.C.: Fundamental tradeoffs among reliability, latency and throughput in cellular networks. In: IEEE Globecom Workshops (GC Wkshps), pp. 1391–1396 (2014). https://doi.org/10.1109/GLOCOMW.2014.7063628
48. Standards for the IoT. Available online: https://www.3gpp.org/news-events/1805-iot_r14. Accessed 2 Dec 2016
49. Sun, Y., Tong, F., Zhang, Z., He, S.: Throughput modeling and analysis of random access in narrowband Internet of Things. IEEE Internet Things J. 5(3), 1485–1493 (2018). https://doi.org/10.1109/JIOT.2017.2782318
50. Tondo, F.A., Montejo-Sánchez, S., Pellenz, M.E., Céspedes, S., Souza, R.D.: Direct-to-satellite IoT slotted aloha systems with multiple satellites and unequal erasure probabilities. Sensors 21(21) (2021). https://doi.org/10.3390/s21217099
51. Wei, T., Feng, W., Chen, Y., Wang, C.X., Ge, N., Lu, J.: Hybrid satellite-terrestrial communication networks for the maritime internet of things: key technologies, opportunities, and challenges. IEEE Internet Things J. 8(11), 8910–8934 (2021). https://doi.org/10.1109/JIOT.2021.3056091
52. What Is LoRa®?. Available online: https://www.semtech.com/lora/what-is-lora. Accessed 1 Feb 2022
53. Zorbas, D., Caillouet, C., Abdelfadeel Hassan, K., Pesch, D.: Optimal data collection time in LoRa networks–a time-slotted approach. Sensors 21(4) (2021). https://doi.org/10.3390/s21041193

Chapter 4

Energy Saving as a Security Threat in LPWAN and Internet of Things

Emilie Bout, Antoine Gallais, Valeria Loscrí, and Anna Maria Vegni

E. Bout · V. Loscrí: Inria Lille-Nord Europe, Villeneuve d’Ascq, France
A. Gallais: Univ. Polytechnique Hauts-de-France, LAMIH, CNRS, UMR 8201, INSA Hauts-de-France, Valenciennes, France
A. M. Vegni: Industrial, Electronics and Mechanical Engineering Department (DIIEM), Roma Tre University, Rome, Italy

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023. I. Butun, I. F. Akyildiz (eds.), Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats, https://doi.org/10.1007/978-3-031-32935-7_4

4.1 Introduction

Nowadays, the use of Internet of Things (IoT) devices in several application areas is constantly increasing, while at the same time requiring a high speed range, a low cost of deployment, and low power consumption to save battery life. Together with IoT technologies such as ZigBee, IEEE 802.15.4, Bluetooth Low Energy (BLE), Time-Synchronized Channel Hopping (TSCH), and 6LowPAN, other types of technologies, supporting long range applications, have been conceived, such as LoRaWAN, Sigfox, Narrow Band-IoT (NB-IoT) and IEEE 802.11ah [25]. All of these protocols attempt to meet a common need, that is, to limit the energy consumption of IoT devices. To solve this problem, different paradigms have been implemented within the LPWAN protocols. While the IEEE 802.15.4 standard has been the reference technology for low power consumption, the Power Saving Mechanisms (PSM) implemented in the IEEE 802.11b standard allow interesting reductions in energy consumption to be achieved, making it a competitor to IEEE 802.15.4. BLE must also be mentioned in this list as a low energy technology. However, all these previous standards represent solutions suitable for short range communications. More recently, technologies such as LoRa, Sigfox and IEEE 802.11ah have been introduced for supporting long range applications. It is worthwhile and interesting to notice how all these technologies are suitable for IoT applications, and even though they are characterized in different ways, the common denominator is the reduction of energy consumption.



> Important

In most IoT/LPWAN wireless communications, the time spent by the node in the least consuming state is maximised, in order to minimize the energy consumption. In order to reduce the energy consumption, the IoT/LPWAN protocols try, by different strategies, to maximize the time spent in the least energy consuming mode, i.e., the sleep state. However, this mechanism can turn into a new security vulnerability, as many attacks, such as jamming or replay attacks, aim to drain the battery of the IoT devices [1, 16, 33]. This forces IoT devices to stay in the most consuming states, such as the transmitting or listening state. At the same time, this mechanism can also help attackers to predict the optimal time for their attack, as well as save their own energy [6, 28].

In order to be as general as possible, we consider the more complex case, where four different modes are established, and each state has a different power consumption. Therefore, the total energy consumption of an IoT device is given by the sum of power multiplied by the time spent in each state. An interesting reading on the different energy consumption estimation for different wireless communication technologies is provided in [20]. Interestingly, an important conclusion of the analysis carried out in that work is that the time spent in the sleep state is not negligible in terms of energy consumption impact, and also that the energy consumption model could be improved with the introduction of new states and non-instantaneous transitions. In particular, this latter observation leads us to a deep analysis of these different states that can be exploited to create effective attacks against IoT systems. In parallel, a new subcategory of attacks has emerged, energy depletion attacks, which aim to completely deplete the energy of an illegally functioning device. Their goal is to produce different behaviors that would increase transmission or listening time, which are the two most consuming cases from the victim's point of view.
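The four-state energy sum described above can be turned into a monitoring check on the defender's side. The following is an added example, not code from the chapter: the per-state power figures, the 2400 mAh / 3.6 V battery, the hourly telemetry records and the 1.5x alert threshold are all constructed assumptions.

```python
"""Four-state energy budget for a duty-cycled node, with a battery-drain check."""

STATES = ("tx", "rx", "idle", "sleep")

# Assumed per-state power draw in mW (constructed values, not from the chapter).
POWER_MW = {"tx": 100.0, "rx": 30.0, "idle": 3.0, "sleep": 0.01}

# Assumed battery: 2400 mAh at 3.6 V. mAh * V = mWh; * 3600 s/h = mJ.
BATTERY_MJ = 2400 * 3.6 * 3600

WINDOW_S = 3600  # each telemetry record covers one hour

# Expected seconds per state in one window for a healthy node (constructed).
BASELINE = {"tx": 2.0, "rx": 4.0, "idle": 10.0, "sleep": 3584.0}

# Constructed telemetry: (device id, seconds spent in each state in one window).
TELEMETRY = [
    ("ed-01", {"tx": 2.1, "rx": 4.0, "idle": 10.0, "sleep": 3583.9}),
    ("ed-02", {"tx": 14.0, "rx": 4.0, "idle": 10.0, "sleep": 3572.0}),
    ("ed-03", {"tx": 2.0, "rx": 600.0, "idle": 10.0, "sleep": 2988.0}),
]


def energy_mj(seconds):
    """Energy of one window: sum over states of P_state * t_state (mW * s = mJ)."""
    for state in STATES:
        if seconds.get(state, -1.0) < 0:
            raise ValueError(f"missing or negative duration for state {state!r}")
    return sum(POWER_MW[s] * seconds[s] for s in STATES)


def lifetime_days(seconds):
    """Battery lifetime if every window looked like this one."""
    windows = BATTERY_MJ / energy_mj(seconds)
    return windows * WINDOW_S / 86400


def dominant_excess(seconds):
    """State whose energy grew the most compared with the baseline window."""
    excess = {s: POWER_MW[s] * (seconds[s] - BASELINE[s]) for s in STATES}
    return max(excess, key=excess.get)


def drain_findings(telemetry, ratio_threshold=1.5):
    """Flag windows whose energy exceeds the baseline by the given ratio."""
    base = energy_mj(BASELINE)
    findings = []
    for device, seconds in telemetry:
        ratio = energy_mj(seconds) / base
        if ratio > ratio_threshold:
            findings.append({
                "device": device,
                "ratio": round(ratio, 2),
                "state": dominant_excess(seconds),  # tx: retransmissions, rx: listening
                "lifetime_days": round(lifetime_days(seconds), 1),
            })
    return findings


if __name__ == "__main__":
    base = energy_mj(BASELINE)
    sleep_share = POWER_MW["sleep"] * BASELINE["sleep"] / base
    print(f"baseline: {base:.2f} mJ/h, sleep share {sleep_share:.1%}, "
          f"lifetime {lifetime_days(BASELINE):.0f} days")
    for finding in drain_findings(TELEMETRY):
        print(finding)
```

With these constructed figures the sleep state accounts for roughly 9% of the baseline budget, and the flagged windows show which state (transmitting or listening) carries the excess.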

In this chapter, we aim to deal with the issue of energy consumption in IoT/LPWAN as a threat feature [30]. Specifically, we demonstrate that the solutions adopted by the low energy based technologies for IoT can generate new flaws, but that they can also be used by an attacker to limit the attacker's own energy consumption.


We will present a developed framework, adapted to several LPWAN protocols, and show that it can be easily modified to adapt to other LPWAN protocols. It is based on four operating states, i.e., transmitting, receiving, sleep, and idle states. This framework is based on Markov chain theory, and allows the interaction between the “attacker” and the “victim” to be represented. Basically, the effectiveness of an attack depends essentially on the state in which both the transmitter and the receiver are at the same time; for instance, during a jamming attack, the attacker must be in transmission mode and so must the victim. This framework aims to optimize the effectiveness of attacks, while minimizing the impact of the cost in terms of energy consumption from the attacker's point of view. We will show that, when used for jamming attacks, this framework manages to corrupt more than 20% of packets against 5% for a basic jamming attack, while considerably draining the transmitter's battery. Furthermore, energy consumption for the attacker is reduced by two, as compared to a classic jamming attack.

This chapter is organized as follows. In Sect. 4.2, we first present different paradigms used by IoT/LPWAN protocols to save energy. In Sect. 4.3, we present the different types of attack aiming to drain the energy of their victim. In Sect. 4.4, we describe how an energy-saving paradigm can be the source of new threats but can also be employed by an attacker to save energy. The assessment of the proposed approach is detailed in Sect. 4.5. Finally, we provide a discussion of the chapter results in Sect. 4.6 and conclusions are drawn at the end of this chapter in Sect. 4.7.

4.2 Energy Consumption in IoT/LPWAN

4.2.1 Energy Constraints in IoT Devices

The growing use of wireless connected devices and their applications has led to the emergence of a new need, i.e., the creation of communication protocols with low energy consumption, low cost, and large transmission ranges. Indeed, most of these devices operate on a limited power source (e.g., batteries), which can act either as the only method of power supply or as a backup source. Additionally, due to their use case (e.g., agriculture), recharging or exchanging the batteries of these devices can be a complex task. In order to support the different types of applications, i.e., short-range and long-range, a new subclass of communication protocols, called Low Power Wide Area Network (LPWAN), has emerged to satisfy such characteristics. Moreover, several works have been carried out in the literature on the evaluation of energy consumption on different types of wireless networks, and one of the deductions is that communication is one of the most energy-consuming points [13, 15]. Indeed, the transmission and reception of data are the most consuming tasks in wireless communication. This is why many techniques have been proposed in the literature to avoid certain behaviors that would increase the transmission of data, such as:

• Over-emitting: The production and transmission of additional and excessive packets leads to an additional unnecessary energy expenditure;
• Overhearing: As for the first point, the reception of additional and useless data leads to an over-consumption of energy;
• Collision: When two nodes send packets at the same time, the packets become corrupted and illegible. Consequently, the packets are lost and this leads in most cases to a re-transmission, and then to an energy consumption;
• Idle listening: This is when a node stays in listening mode on a channel when no activity has taken place for a while.

4.2.2 Different Paradigms for Saving Energy in LPWAN Networks

In this subsection, we provide a classification of the different mechanisms implemented in LPWAN to avoid supplementary energy consumption. We classify these paradigms into four main classes, i.e., (1) Radio Optimization, (2) Sleep/Wake-up Control, (3) Network Techniques, and (4) Data Reduction, as shown in Fig. 4.1. For each of them, we will give an overview of the main existing techniques.

Fig. 4.1 Overview of different paradigms to save energy in IoT/LPWAN protocols

4.2.2.1 Radio Optimization

The first class takes into account all the techniques concerning the allocation of the resources of the physical and data link layers. The first method is Transmission Power Control, whose goal is to find a compromise between the transmission power and the energy consumed. Indeed, the greater the transmission power, the more energy the node will consume. However, the quality of the connection depends on the transmission power, which itself depends on several parameters, such as the distance between the transmitter and the receiver and the type of obstacles present in the environment. In [12], a method based on calculation is presented to control the transmission power and improve network operation by minimizing contention and decreasing the amount of energy required for communication. In addition, controlling the transmission power also reduces the consequences of interference and is in some cases a response to jamming attacks.

In order to avoid collisions, the second technique that has been implemented is the management of access to the communication medium, i.e., the MAC protocol. Several protocols at the MAC layer have been created to share a network channel. One of the oldest of these protocols is the ALOHA protocol, which today has several variants. In the first version, the logic is very basic: each node sends a packet as soon as it is available. If a collision occurs, the transmitted packets are destroyed and the transmitter waits a random time before retransmitting. The ALOHA protocol with slots was established a few years later and makes it possible to considerably reduce the number of collisions. In this new version, the channel is divided into several slots of discrete-time intervals. Each slot has a duration, and data frames may be transmitted only at the beginning of a time slot. In case of collision, the retransmission is done after a random number of slots.

Since then, many improvements have been made to this protocol, as reported in [27], where the authors created an online and adaptive version of ALOHA for LPWAN protocols. Indeed, the Unslotted ALOHA protocol has been adopted as a channel access mechanism in the Sigfox and LoRa protocols. Furthermore, data size impacts energy consumption for Sigfox and LoRa. The larger the data, the more energy the nodes consume. Since Sigfox and LoRa nodes can only handle small data packets, there is a fragmentation phase, implying an increase in overhead and consequently in energy consumption. Another factor impacting energy consumption is the high power used to reach long ranges; this is exacerbated when the transmission period is longer.
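The difference between the two ALOHA variants described above can be measured with a short simulation. This is an added example, not code from the chapter: it uses constructed Poisson traffic, a frame time of one unit, and counts first transmission attempts only; the retransmission estimate assumes every resent frame collides with the same probability.

```python
import math
import random


def success_ratio(load, slotted, n_frames=20000, seed=7):
    """Fraction of frames that do not overlap any other frame.

    load    -- G, mean number of new frames per frame time (all nodes together)
    slotted -- True: a frame waits for the next slot boundary (slotted ALOHA)
               False: a frame is sent the moment it is ready (unslotted ALOHA)
    Frame time and slot length are both 1 time unit; the traffic is constructed.
    """
    rng = random.Random(seed)
    now = 0.0
    starts = []
    for _ in range(n_frames):
        now += rng.expovariate(load)      # exponential gaps give Poisson arrivals
        starts.append(float(math.ceil(now)) if slotted else now)

    delivered = 0
    for i, start in enumerate(starts):
        # starts is sorted, so only the two neighbours can overlap this frame
        clash_before = i > 0 and start - starts[i - 1] < 1.0
        clash_after = i + 1 < len(starts) and starts[i + 1] - start < 1.0
        if not (clash_before or clash_after):
            delivered += 1
    return delivered / n_frames


def theory(load, slotted):
    """Classical result: the vulnerable period is 1 frame time with slots, 2 without."""
    return math.exp(-load if slotted else -2.0 * load)


def transmissions_per_delivery(ratio):
    """Mean number of transmissions needed per delivered frame (geometric model)."""
    return 1.0 / ratio


if __name__ == "__main__":
    print("   G  unslotted sim/theory  slotted sim/theory  tx per delivery (unslotted/slotted)")
    for g in (0.1, 0.5, 1.0):
        u = success_ratio(g, slotted=False)
        s = success_ratio(g, slotted=True)
        print(f"{g:4.1f}  {u:.3f}/{theory(g, False):.3f}"
              f"           {s:.3f}/{theory(g, True):.3f}"
              f"         {transmissions_per_delivery(u):.2f}/{transmissions_per_delivery(s):.2f}")
```

Each extra transmission per delivered frame is radio time spent in the most expensive state, which is why the collision rate of the access scheme feeds directly into node lifetime.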

4.2.2.2 Sleep/Wake-Up Control

In most LPWAN usage, devices send data at specific times, such as following an event or at regular time intervals. Therefore, the nodes do not perform any particular action between receiving or sending data, and remain active unnecessarily. This is why two additional modes have been included in the operation of a wireless node, i.e., (1) the idle and (2) the sleep states. However, in order to avoid wasting energy, a real need for effective sleep/wake techniques has emerged in the last decade. The first method, called duty-cycle, is based on the idea that the radio transceiver must be turned off if it has no more data to send and/or receive. The best-known duty-cycling method is the scheduled duty cycle, where time is divided into cycles and transmission takes place only during the active time. However, this method implies that the node must receive or transmit data regularly. In certain contexts, transmissions or receptions only take place during specific events; consequently, nodes switch to reception or transmission mode unnecessarily. In order to solve this problem, another approach has emerged. This new method is based on the idea that the node can be woken up when necessary (e.g., during a transmission or a reception). Although this method in theory considerably reduces energy consumption, it brings with it a new issue, which is node synchronization. More elaborate duty-cycle methods have been created in recent years, as in [26], where the authors established a new Optimal Policy Derivation for Transmission Duty-Cycle Constrained Sigfox and LoRa networks. The goal is to find a new policy to maximize the number of reported events, which are prioritized by their importance, while complying with the ISM regulations. As a consequence, in order to limit unnecessary idle-listening and overhearing issues, wake-up radio approaches have been created over the past decades to replace the duty-cycling method. Here, the goal is to have a Wake-up Radio receiver (WuRx) that allows nodes to wake up on request by a low-power interrogation signal, i.e., a Wake-up Call (WuC). Upon receipt of this signal, the node turns on its main radio board and begins transmitting at its maximum transmit power.

As with the duty-cycle group, several strategies were explored for several IoT/LPWAN protocols. In [22], a first wake-up receiver dedicated to the NB-IoT protocol was designed, and the authors demonstrated the advantages of using a WuRx to reduce the power consumption of the NB-IoT radio.

4.2.2.3 Network Techniques

On the network layer, several methods have also been conceived to avoid certain energy-intensive behaviors such as collisions or overhearing. Among these, clustering methods are often mentioned in the literature. One of the oldest clustering protocols aiming to optimize the energy consumption of network nodes is the LEACH protocol. In this hierarchical routing protocol, the network is divided into several clusters, and some nodes are chosen as special nodes based on certain criteria. These special nodes, called cluster heads (CHs), collect and compress the information received from neighbor nodes, and transmit the compressed information to another node or to the base station. This protocol aims to increase the lifetime of nodes by rotating the CH node of the cluster using a random number. Since its creation, a multitude of versions have been created, some more appropriate to the needs of IoT/LPWAN.


The topology of a network is also a parameter that affects the energy consumption of the nodes. The work in [4] proves that multi-hop networks, compared to single-hop ones, considerably increase the lifetime of an LPWAN network. Indeed, Sigfox and LoRaWAN are based on star topology networks, where the stations transmit directly to the gateway. However, if the stations are far from the gateway, this consumes a lot of energy. Therefore, in [4] the Distance-Ring Exponential Stations Generator (DRESG) framework has been introduced, which establishes optimal routing connections in terms of energy efficiency, with the aim of balancing the consumption between all the stations in the network. In [5], the authors pushed their research further by developing a multi-hop communication strategy based on reinforcement learning. They tested this solution on a real test-bed and showed that multi-hop topologies based on this logic achieve significant power savings over the default single-hop approach.

4.2.2.4 Data Reduction

Finally, data reduction solutions can limit over-emitting. Basic methods aim to reduce the amount of exchanged data. Several data reduction procedures have been extensively studied in NB-IoT networks. A comparison between the basic methods to reduce data in NB-IoT, i.e., the control plane (CP) and the user plane (UP), is carried out in [3]. These methods, based on an encapsulation system, make it possible to considerably reduce energy consumption. In recent years, methods based on machine learning (ML) algorithms have emerged to reduce the amount of data to be sent by deleting useful data or calculating the necessary compression rate. In [7], the authors included a pre-trained neural network in LoRaWAN devices and computed the trade-off between compression ratio and accuracy of the compression algorithm. They demonstrated the effectiveness of this method in terms of energy consumption.

4.3 Attacks in IoT/LPWAN Networks

4.3.1 Energy Depletion Attacks

Over the past decade, a new subclass of attacks called Energy Depletion Attacks (EDAs) has emerged [21]. This new kind of attack leads to a Denial of Service (DoS) and aims to completely drain a device’s energy with unexpected/illegal operations. The rationale is that by forcing a victim to perform additional energy-intensive computing tasks, the node wastes its energy and can quickly be put out of service. Additionally, EDAs have significant consequences in real life due to the increasing deployment of IoT/LPWAN protocols in critical infrastructure. For example, in health scenarios, devices are designed to perform simple computations or applications, and most of these devices are interconnected sensors that monitor specific data, such as glucose levels or heart rate [8]. This information is collected in real time in order to raise an alert and notify the user when a problem occurs. However, if an attack draining a device’s energy takes place before the measurement is sent, the information will never be reported in real time and the alert will not occur. Therefore, this type of attack applied to a medical context can have serious consequences, such as the death of a person.

Tips

In industry, this type of attack can affect the profitability of the company. Indeed, in most cases, devices interconnected with LPWAN protocols in companies are used to monitor a production chain or the status of a machine [34]. Consequently, if a device is taken out of service, the information it provides will never be processed, leading to confusion in the decision-making procedures. The false information concluded by the decision-making process will generate an overload of work for the company (e.g., replacement of components), and this will have repercussions on the financial situation.

To cause additional energy consumption, the attacker typically generates an energy cost overhead at the software or firmware level by forcing the victim to perform additional actions. Indeed, if a communication protocol includes a power saving mode, the attacker can force a node to stay in the mode that consumes the most energy. Energy consumption is one of the main criteria for the evaluation of IoT/LPWAN protocols, and several experimental measurements that compare energy/power consumption can be found in the literature. In [17], the authors reported the power consumption of the different states present in power saving mode, and concluded that for different communication protocols the transmitting and receiving modes are the most power consuming ones. Therefore, if an attacker forces a node to stay in one of these two modes, the victim’s lifetime will be significantly reduced. We report these values in Table 4.1.

Table 4.1 Energy consumption for each state for different LPWAN protocols

Power consumption   Transmit (range from 7 to 20 dBm)   Receive   Sleep
LoRa                [18, 125] mA                        11 mA     1 μA
ZigBee              [85, 500] mA                        65 mA     55 μA
Sigfox              [22, 54] mA                         N/A       1.5 μA


Fig. 4.2 Different energy depletion attacks

4.3.2 Classification of EDAs Attacks

Energy Depletion Attacks are a sub-group of attacks targeting the battery of the victim. We have categorized some EDA attacks presented in the literature according to the targeted network layer, as summarized in Fig. 4.2. However, it is possible to combine information provided in multiple network layers to create more advanced attacks. In addition, for each type of attack, an overview of the different exploitable protocols is given, as well as the targeted vulnerability.

4.3.2.1 EDAs on Physical Layer

The first attack on the physical layer in the EDA group is the jamming attack. The main objective of a jammer is deliberate interference on a legitimate channel, to occupy it or to corrupt the signal transmitted on it. In the first case, by occupying the transmission channel the attacker forces the victim to postpone its transmission and stay active during this time. Indeed, most of the LPWAN protocols are based on the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) mechanism, and a legitimate node cannot transmit a packet if the channel has not been unoccupied for a certain time. For example, in the IEEE 802.11 protocol, if the channel is sensed idle for at least the duration of an Interframe Space (DIFS), a node can access the medium. Conversely, if the medium is busy, the transmitter must wait for the duration of a DIFS before beginning its transmission. Several strategies of jamming attacks are presented in the literature. Constant and deceptive jamming attacks represent the first strategy and aim to occupy the channel. Indeed, the goal of this kind of jamming attack is to constantly jam a channel, as explained in [18]. In this paper, the authors showed that a jamming attack on a 6LoWPAN protocol increases the power consumption of the victim by 20%. In the second strategy, the attacker aspires to corrupt as many packets as possible in order to cause additional retransmissions. Reactive jamming is one of the strategies known to create such effects. The objective of this strategy is to jam the channel only when a communication is present. Indeed, in [23], the authors implemented a new reactive jamming attack on a LoRaWAN network. Based on the Channel Activity Detection (CAD) implemented in LoRa networks for detecting the preamble of packets, the attacker predicts the payload of the packets in order to jam it. Thus, for 100 transmissions, the method used causes a failure to receive 98 packets, resulting in a large number of retransmissions and therefore an increase in energy consumption. Several strategies of reactive jamming attack exist in the literature; most of these solutions try to optimize the efficiency of this attack while minimizing the necessary computational resources. This type of attack therefore has consequences on the battery of its victims, since a jammer can force a node to perform additional actions, such as staying unnecessarily active or retransmitting information.

4.3.2.2 EDAs on Data Link Layer

Attention

Another strategy to reduce the energy of a victim is the flooding attack. This type of attack, targeting the MAC layer of a network, aims to flood the victim with additional information to process by creating legitimate frames that the victim will handle. In general, the frames created for this type of attack are management frames (e.g., beacon packets) that do not require any particular encryption or information about their sender. For example, in a 6LoWPAN network, DODAG Information Solicitation (DIS) messages are sent by a node to join the network and ask for information about its neighborhood. The neighboring node responds to this request with a DIS message that contains the routing information.

During the development of the 6LoWPAN network, no specification concerning the delay between two DIS messages was defined. Therefore, a malicious node can send DIS packets to neighboring nodes at regular time intervals to create an information overload to process. This type of attack is called a DIS flooding attack and is applicable to 6LoWPAN networks [29]. However, this logic remains the same for the different types of LPWAN protocol that use management packets (e.g., in the Wi-Fi protocol we find the beacon flooding attack). This type of attack leads to an increase in packet processing, which in turn increases the power consumption of the victim.
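Because the protocol itself sets no minimum delay between DIS messages, a receiving node or border router has to impose one. The sketch below is an added example, not part of the chapter: a per-source sliding-window limiter that both drops excess DIS messages and records the offending source. The window length, the limit, the node names and the trace are constructed assumptions.

```python
from collections import defaultdict, deque


class DisRateLimiter:
    """Per-source sliding-window limit on DIS messages (thresholds are assumptions)."""

    def __init__(self, window_s=10.0, max_dis=3):
        self.window_s = window_s
        self.max_dis = max_dis
        self.recent = defaultdict(deque)   # source -> timestamps of recent DIS
        self.flagged = {}                  # source -> time the limit was first exceeded

    def allow(self, ts, src):
        """Return True if this DIS should be processed, False if it is dropped."""
        q = self.recent[src]
        while q and ts - q[0] > self.window_s:
            q.popleft()                    # forget DIS older than the window
        q.append(ts)                       # dropped DIS still count, so a flood stays blocked
        if len(q) > self.max_dis:
            self.flagged.setdefault(src, ts)
            return False
        return True


def replay(events, limiter):
    """Feed (timestamp_s, source, msg_type) tuples; return (DIS seen, DIS processed)."""
    seen = processed = 0
    for ts, src, msg in sorted(events):
        if msg != "DIS":
            continue
        seen += 1
        if limiter.allow(ts, src):
            processed += 1
    return seen, processed


def constructed_trace():
    """Constructed capture: node-a solicits once a minute, node-x once a second."""
    events = [(0.0, "node-a", "DIS"), (60.0, "node-a", "DIS"), (120.0, "node-a", "DIS")]
    events += [(30.0, "node-b", "DIO"), (90.0, "node-b", "DIO")]
    events += [(5.0 + i, "node-x", "DIS") for i in range(21)]   # 5 s .. 25 s
    return events


if __name__ == "__main__":
    limiter = DisRateLimiter()
    seen, processed = replay(constructed_trace(), limiter)
    print(f"DIS seen: {seen}, processed after rate limiting: {processed}")
    for src, ts in limiter.flagged.items():
        print(f"ALERT possible DIS flooding from {src}, limit exceeded at t={ts:.0f}s")
```

Every DIS that is dropped before it reaches the routing logic is processing, and a reply transmission, that the node does not pay for.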


In [10], the authors developed a new attack, called the ghost attack, for the ZigBee protocol. This type of attack is based on the flooding attack and tries to suspend the availability of the service of the node. The authors showed that this type of attack leads to increased energy expenditure by the victim. Indeed, they evaluated the energy consumption of the victim when it undergoes this type of attack by taking into account several cryptographic algorithms used to encrypt the packets. They conclude that a victim’s battery life can be reduced from several years (i.e., 400 days) to a few months (i.e., 100 days) when the security level is low, and to a few days (i.e., 50 days) when the cryptographic level is higher (e.g., AES-CCM-128).

4.3.2.3 EDAs on Network Layer

Unlike the attacks we have just seen in the last two subcategories, most attacks applied on the network layer require the attacker to be inside the network. The first type of attack in this layer with consequences on energy is the selective forwarding attack. Also known as a gray hole attack, it usually takes place in multi-hop networks and aims to intentionally drop legitimate packets. Indeed, in a multi-hop network, a malicious node placed in the middle of the route has the possibility of deleting the packet that it was supposed to deliver to its neighbor. During a gray hole attack, the attacker does not reject all the packets but selects the type of packet, in order to reduce the probability of being detected and thereby increase its impact. Indeed, if this selection strategy is sufficiently developed, this type of attack can have a significant effect on the number of retransmissions and therefore on the energy consumption of the victim. For example, in the Ad-hoc On-Demand Distance Vector (AODV) protocol, when a node needs to send a packet it broadcasts a Route Request (RREQ) message to discover the possible paths to the destination. The neighboring nodes can send back a Route Reply (RREP) message if they know the route to the destination. Otherwise, the message is re-broadcast to another set of neighbors. At the end of this process, the sender is aware of the shortest path to reach the destination, i.e., the path with the fewest number of hops. In this case, if the attacker is present in the shortest path and targets the RREQ packets, the request will never reach the destination node and the chosen path will not be the optimal path. Therefore, sending a packet will take more hops, and more transmissions are then necessary. This action will therefore impact the lifetime of the network.

In [24], the authors focused on data packets and showed that for a rejection rate of 50% of packets, the nodes of the network lose 40% of energy due to the increase in the number of retransmissions that it generates. Indeed, when an attack of this type takes place, the receiver node remains in the reception state longer than normal as it waits for data. It is only after the maximum reception time defined in the protocol that the receiver reacts and reports that it has never received any data. Accordingly, a new retransmission is initiated.


Replay and injection attacks are also present in this category. They represent a network-layer based attack in which a transmission is maliciously repeated or injected by an attacker. For a replay attack, an attacker positioned between a sender and a receiver intercepts a packet and retransmits it at some later moment. Injection attacks follow more or less the same logic: the attacker injects into the network packets that it has created beforehand according to a specific pattern. Depending on the strategies used, this type of attack can have repercussions on energy consumption. In [32], the authors explained how to implement a replay attack in the LoRaWAN protocol and proved that it causes a Denial of Service. Indeed, this type of protocol is based on the exchange of specific packets. For instance, in LoRaWAN v1.0.2 two keys are needed to transmit a frame between a device of the network and the application on the server. Consequently, with the Activation by Personalization (ABP) mechanism, a static key is preprogrammed in the device. Moreover, to avoid replay attacks, this protocol uses two frame counters, named FCntUp and FCntDown, for uplink and downlink messages, respectively. However, to keep the uplink and downlink messages synchronized, a limit value (MaxFcntGap) is defined, corresponding to the number of packets of difference authorized between the received and stored messages. Consequently, if the FCntUp number is larger than the MaxFcntGap value, the following packets will be ignored by the server. In the ABP mechanism, after a JoinReq-JoinAccept message exchange the frame counter is reset to 0. If an attacker sniffs and stores an uplink message with an FCntUp of 70, for example, it will replay this message after a reset of the ABP mechanism. Consequently, all messages sent with a counter value smaller than 70 will be ignored. These packets are in some cases unprocessed and generate an overload of energy consumption.
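The counter behaviour described above can be followed from the server's side with a small model. This is an added example, not code from the chapter or from any LoRaWAN stack: the class, the alert rule and the frame sequence are constructed, the gap value 16384 is the LoRaWAN 1.0.x default rather than a figure from the chapter, and the model assumes the stored frame still passes the integrity check because the static keys did not change.

```python
MAX_FCNT_GAP = 16384   # LoRaWAN 1.0.x default (assumption, the chapter gives no value)


class UplinkCounter:
    """Network-server view of one device's uplink frame counter (FCntUp)."""

    def __init__(self, max_gap=MAX_FCNT_GAP, alert_after=5):
        self.max_gap = max_gap
        self.alert_after = alert_after     # hypothetical detection threshold
        self.alerts = []                   # (counter jump after reset, counter at alert)
        self.reset()

    def reset(self):
        """Counter reset to 0; the static keys stay the same."""
        self.last = 0
        self.just_reset = True
        self.jump_after_reset = None
        self.stale_streak = 0

    def receive(self, fcnt):
        """Classify one uplink by its counter value."""
        if fcnt <= self.last:
            # Not newer than the stored counter: ignored by the server.
            self.stale_streak += 1
            if (self.jump_after_reset is not None
                    and self.stale_streak == self.alert_after):
                # A high first counter after a reset followed by a run of low
                # counters is the signature of a stored frame being replayed.
                self.alerts.append((self.jump_after_reset, fcnt))
            return "stale"
        if fcnt - self.last > self.max_gap:
            return "gap_exceeded"
        if self.just_reset and fcnt > 1:
            self.jump_after_reset = fcnt   # first frame after reset is not frame 1
        self.just_reset = False
        self.last = fcnt
        self.stale_streak = 0
        return "accepted"


def run_scenario():
    """Constructed sequence: normal session, reset, stored frame 70, device restart."""
    server = UplinkCounter()
    first_session = [server.receive(n) for n in range(1, 101)]    # frames 1..100
    server.reset()
    replayed = server.receive(70)                                 # frame stored earlier
    second_session = [server.receive(n) for n in range(1, 81)]    # device counts from 1
    return {
        "first_session_accepted": first_session.count("accepted"),
        "replayed_frame": replayed,
        "dropped_after_replay": second_session.count("stale"),
        "accepted_after_replay": second_session.count("accepted"),
        "alerts": server.alerts,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the constructed run the device transmits 70 frames that the server silently discards (69 below the stored counter and one equal to it), which is the wasted energy the text refers to; the alert fires on the fifth discarded frame.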

4.3.2.4 EDAs on Application Layer

The last category of EDAs groups all the attacks present in the application layer. Independent of transmission logic, these types of attacks can be executed on any type of communication protocol. These are essentially background programs that lead to an overload of energy consumption, such as worm or Trojan attacks. Indeed, if an operating system is present on the devices, an attacker can inject malicious code and execute a specific action in the background. The device will then perform more tasks than necessary and consume more energy. Moreover, when a device is a sensor, it is also possible to act on its environment in order to trigger supplementary calls to an API. For example, if a thermostat is configured to send data only when the temperature exceeds a certain threshold, it is possible to act on its environment so that the threshold is constantly reached. The sensor will perform additional processing and thus reduce its lifetime.


4.4 An Example of Energy Depletion Attack

In this section, we show how the duty-cycle paradigm allows designing a framework to conduct attacks in the context of IoT, based on the IEEE 802.11 standard. This work has been demonstrated in [9], and the details of the framework are not reported in this chapter. The interest of this framework rests on the rationale that several wireless communication protocols are based on different phases, i.e., Transmitting, Receiving, and Idle. In [20], the authors presented a detailed experimental evaluation of the energy consumption of different IoT and LPWAN technologies, based on the different states of the nodes. Their analysis supports our conclusion that attacks depleting the energy in this kind of system have a very high impact. In particular, although these protocols are conceived to reduce energy consumption and thus respond to an important issue, the conservation of energy, this design is responsible for new exploitable attack vectors. Moreover, we also demonstrate that this mechanism, which leads to new threats, also improves the performance of an attacker. By using the duty-cycle paradigm, the nodes of a network follow a very specific transmission pattern. Specifically, a node alternates between four operating modes, which are:

• Transmitting (T_x): The node emits one or more packets during a specific time;
• Receiving (R_x): The device is listening and receives packets or evaluates the performance of the network (e.g., the occupation of the channel);
• Idle (I): The node is inactive, and does not receive or transmit information. This mode consumes less energy than the previous two;
• Sleep (S): The communicating object switches to this state to reduce power consumption. The amount of energy consumed in this state is often considered to be zero.
In parallel, many attacks rely on the interception of a packet at a precise moment in order to visualize the information it contains or to modify it. Therefore, assuming that a network employs the duty-cycle paradigm, an attacker can easily predict its transmission period and perform an attack at the same time. In addition, the attacker can also rely on this cycle to reduce his own energy consumption during an attack. Indeed, by knowing the transmission time, and thus the attack time, the attacker can go into a sleep state when it is going to be inactive. As mentioned earlier, the success of an attack depends essentially on the interaction with its victim. This is the case for several EDA attacks such as jamming or replay attacks. Indeed, a reactive jamming attack that aims to corrupt packets can only be successful if the attacker transmits a signal at the same time as a transmission. Based on previous works [14, 19], we developed a new framework for the creation of attacks. In these papers, the authors designed a new neighbor discovery process based on the alternating/switching states present in the duty cycle of the wireless interface. With the same logic, we derive a similar framework that makes it possible to meet one of the two main objectives for an attacker, which are:

• To minimize the energy spent by the attacker to reach a certain probability of the attack’s success that the attacker has defined as a threshold;
• With a certain energy limitation cost, to maximize the attack’s probability of success.

Fig. 4.3 System flow of attacks based on this new framework

4.4.1 Framework Overview

Before proceeding to the mathematical analysis of the framework's process, we first give an overview of its usage in Fig. 4.3. The first step in the framework flow is to find the communication protocol used. Indeed, this framework depends on the duty-cycle paradigm and therefore on the communication protocol employed. The attacker is equipped with several network interfaces corresponding to several communication protocols and switches between them until it finds the communication protocol. Once the communication protocol is discovered, the attacker must determine which type of attack he expects to launch with the framework. This is an attack based on the interaction between an attacker and its victim. Thus, the attacker has the choice between a basic attack, such as an eavesdropping attack that consists of listening to and recording a transmission, or a more elaborate attack such as a jamming or replay attack. Finally, after selecting the attack, the framework user must specify the objective it wishes to accomplish. It has the choice between maximizing the effectiveness of the attack by specifying the maximum energy cost he is willing to spend or, on the contrary, minimizing the energy expenditure by specifying the desired attack success. Owing to the information provided during these first three steps, the framework is then able to calculate the percentage of time that the attack must spend in each state. This stage is the fourth phase in the framework process. The final action aims to perform the chosen attack by taking into account the values obtained during the previous step.

In order to provide an example, let an attacker perform an eavesdropping attack with a 70% probability of success. During the first step, the framework finds that the targeted protocol is a Bluetooth protocol. Consequently, the attack can continue: in the second step the attacker chooses as parameter, e.g., an eavesdropping attack, and in the third step it aims to maximize the probability of success to 70%. The framework will compute the different probabilities of each state, such as P_Rx = 0.6%, P_I = 0.01%, P_S = 0.35%, P_Tx = 0.04%. Therefore, according to the duty-cycle scheme, the attacker can alternate between each state depending on their values. Here, for each cycle the attacker stays in the listening phase for 0.6% of the time before switching to sleep mode for 0.35%.

4.5 Validation Analysis

In this section, we evaluate our framework with two types of attacks, i.e., a basic one, an eavesdropping attack, and a more elaborate one, a reactive jamming attack.

4.5.1 Experimental Environment

We implemented this framework on a Raspberry Pi 4 equipped with an Alfa AWUS036h and Realtek RTL8187L device including the wireless chip ath9k. The main advantage of this equipment is that it is open source, so we were able to access the firmware and driver to directly change the parameters of the MAC layer. Moreover, the duty-cycle paradigm is present in this type of equipment, and the energy consumption for each state is indicated in [11]. We summarize this information in Table 4.2.

Table 4.2 Power consumption [W] for 2.4 GHz operation

Operating mode   P [W]
Sleep            0.001
Idle             0.30
Tx               0.67
Rx               0.34

The victim network is composed of one transmitter and one receiver equipped with the same wireless network to avoid side effects during our measurements. However, the framework can be executed in a heterogeneous network. Indeed, the main prerequisite for executing an attack with this framework is the knowledge of the targeted communication protocol. So, as long as the network nodes communicate with the same communication protocol, the success of the attack is not impacted. The transmitter and the receiver are connected via an Access Point as shown in Fig. 4.4. The distance between these elements remains fixed during all the experiments, at 1 m between each element. Since in a real environment the size of the packets is not identical, we send packets of random size throughout our experiments. This size varies between 50 bytes and 1400 bytes to simulate small packets such as ACK packets or larger packets such as DATA packets. Moreover, to evaluate the impact of the different types of attack, the two legitimate nodes use the TCP/IP protocol to record the number of transmission failures. The duration of each experiment below is equal to 4 minutes. After 30 seconds of experimentation, the attacker begins to operate for a duration of 2 minutes.

Fig. 4.4 Test-bed implementation of a legitimate network composed of one transmitter, one receiver and one access point (green squares). The attacker (red square) performs an eavesdropping attack and a more elaborate reactive jamming attack

Table 4.3 Energy consumption [J] for different type of eavesdropping attacks

Type of attack              Tx [J]   Rx [J]   Idle [J]   Sleep [J]   Energy consumption total [J]
Eavesdropping               0        40.8     0          0           40.8
Eavesdropping + framework   0.0201   20       0.0588     0.00012     20.07

4.5.2 Eavesdropping Attack

At first, we evaluate our framework on a simple passive attack, which is an eavesdropping attack. The first objective of this attack is to collect as much data as possible from a victim in order to deduce private information. This type of attack is considered energy-intensive because the attacker must stay permanently in listening mode, which is the second most consuming mode on a network interface. However, for the attack to be successful, the attacker needs to be in listening mode only when the transmitter sends a message. Consequently, based on the framework, the attacker can measure its temporal probability of being in each state in order to maximize the attack’s success while minimizing the energy cost. In this case, we have chosen as a parameter to maximize energy consumption without exceeding a cost of 0.5. Consequently, with a cost equal to 0.5, the framework calculates an attack success probability of 76% with the values P_Tx = 0.0025, P_Rx = 0.49, P_S = 0.049 and P_I = 0.01. As the framework tries to find a compromise between the energy spent by the attacker and its efficiency, we first measure the energy consumption of the attacker. Table 4.3 summarizes the energy consumption linked to each state for a classic eavesdropping attack and an eavesdropping attack carried out with our framework. We can notice that the smart attack consumes two times less energy than the basic eavesdropping attack. Indeed, the energy consumption for the eavesdropping attack is 40.8 J against 20.07 J for the attack generated with the framework. In order to calculate the effectiveness of the attack according to the energy expended, we use the Attacker Energy Efficiency (AEE) metric developed in [2]. This metric corresponds to the ratio of the effectiveness of the attack to the total power consumption spent by the attacker.

In the case of an eavesdropping attack, the effectiveness can be calculated as the number of successfully recorded packets out of the total number of packets sent. Basic eavesdropping attacks log all packets broadcast on the network, which corresponds to 200 packets. Thereby, this type of attack is 100% effective. The new attack captures on average 176 packets for an attack of the same duration. Consequently, the AEE for the basic eavesdropping attack is equivalent to 1.22, and for the attack generated with the framework it is 4.26. Thus the attack assisted by the framework is 3.49 times more interesting in terms of energy consumption and efficiency.


4.5.3 Jamming Attack

In the previous section, we demonstrated the performance of the framework used during a passive attack. Now, we employ it to perform an active attack, i.e., a reactive jamming attack. The goal of a jamming attack is to deliberately interfere with a transmitted signal on a communication medium. One of the simplest strategies aims to permanently emit a signal on the targeted channel; this type of attack is called a constant jamming attack. However, with this type of strategy the attacker consumes a lot of energy and is easily identifiable. The reactive attack aims to address these weaknesses by jamming a channel only when a communication is present. In this case, the attacker is constantly listening and switches to transmission mode when he deduces that a packet is in transit.

We tested our framework using this type of attack with the same goals and parameters employed in the previous section. Hence, the attacker measures its temporal probability of being in each state in order to maximize the attack’s success while minimizing the energy cost. With the same energy cost, fixed at 0.5, the framework computed the following probabilities: $P_{Tx} = 0.005$, $P_{Rx} = 0.74$, $P_S = 0.25$ and $P_I = 0.01$.

Table 4.4 shows the energy consumption for different types of jamming attacks, i.e., constant, reactive, and the jamming attack with our framework. For the constant attack, the energy consumption only depends on one state, i.e., the transmission mode. Consequently, in these experiments, for 2 minutes of attack, the constant attack consumes 80.4 J. The energy of the reactive attack essentially depends on the number of transmissions. The receive state, however, is the second most energy-consuming mode; therefore, this type of attack consumes 51.85 J for 2 minutes. By alternating our attacker between the 4 states for the same duration, our attack consumes 2.06 J less than the constant attack and 1.32 J less than the reactive attack, i.e. 39 J.

Table 4.4 Energy consumption [J] for different types of jamming attacks

| Type of attack | Tx [J] | Rx [J] | Idle [J] | Sleep [J] | Energy consumption total [J] |
|---|---|---|---|---|---|
| Constant jamming attack | 80.4 | 0 | 0 | 0 | 80.4 |
| Reactive jamming attack | 22.4383 | 29.4134 | 0 | 0 | 51.85 |
| Jamming + framework | 16.2 | 23.31 | 0.003 | 0.288 | 39 |

We evaluate the effectiveness of each type of attack with the Packet Error Rate (PER) on the receiver side. The PER metric corresponds to the number of packets received with error divided by the total number of packets received. As shown in Table 4.5, the jamming attack coupled with our framework achieves a higher packet error rate.

Table 4.5 Packet error rate (%) for each type of attack

| Type | Time simulation: 50 s | Time simulation: 100 s | Time simulation: 150 s |
|---|---|---|---|
| Constant jamming attack | 0 | 0 | 0 |
| Reactive jamming attack | 8.5 | 7.5 | 9.5 |
| Framework with jamming attack | 15 | 17.5 | 19 |

The constant jamming attack has a PER equivalent to zero throughout the experiments. This is because the constant attack continuously occupies the target channel. 4 seconds after the start of the attack, the two legitimate nodes on the network lose connection with the access point because no beacon can be exchanged to maintain a connection. As a result, no packets are transmitted and the PER is zero. At the end of the attack, the PER for the reactive attack is around 9.5% and that of the jamming attack based on our framework is around 20%. The difference arises because, when the victim transmits a short packet, the reactive attack cannot corrupt that packet. Indeed, the reactive attack is only effective if it satisfies the following formula:

$$t_{tr} < t_{dt} + t_{jam}, \tag{4.1}$$

where $t_{tr}$ corresponds to the entire time of the transmission of the legitimate frame. Moreover, the logic of this type of attack implies that the attacker must be in a listening state in order to detect the victim frame; this corresponds to the detection time, i.e., $t_{dt}$. Once the frame has been spotted, the attacker switches to transmission mode to inject a dummy frame in order to create a collision, i.e., the attack phase $t_{jam}$. Consequently, if the transmission time is smaller than the reaction and attack time, the packet is not corrupted. As $t_{tr}$ depends on the size of the packet, when the latter is small, the attacker is more likely to occupy the channel than to corrupt it. However, our framework predicts the transmission phase, so our attacker manages to be more in phase with a transmission than the reactive attack.

In terms of efficiency against energy consumed, the constant attack has a negligible rate of 0. The AEE metric for the reactive jamming attack equals 0.14 against 0.51 for the generic jamming attack with our framework. Consequently, the jamming attack coupled with our framework is 3.64 times more efficient if we compare the energy spent and the impacts obtained.
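The PER definition and the constant-jamming observation above translate into a receiver-side check. The following monitor is an added example, not code from the chapter: it computes PER per time window and flags windows with too few received frames as link loss, because a link that delivers nothing reports a PER of zero. The log format, thresholds and traces are constructed assumptions.

```python
"""Windowed Packet Error Rate (PER) monitor for a receiver-side frame log."""
from typing import List, NamedTuple, Optional, Tuple

# One log entry: (arrival time in seconds, True if the frame arrived with errors).
Event = Tuple[float, bool]


class Window(NamedTuple):
    start_s: float
    received: int
    errored: int
    per: Optional[float]   # None when nothing arrived: PER is undefined, not 0
    verdict: str           # "ok", "elevated-per" or "link-loss"


def overall_per(events: List[Event]) -> float:
    """Whole-trace PER as defined in the text: errored frames / received frames."""
    received = len(events)
    errored = sum(1 for _, bad in events if bad)
    return errored / received if received else 0.0


def analyse(events: List[Event], duration_s: float, window_s: float,
            expected_per_window: int, per_alert: float = 0.05,
            min_delivery: float = 0.5) -> List[Window]:
    """Split the log into fixed windows and classify each one.

    per_alert and min_delivery are illustrative thresholds (assumptions);
    tune them against a baseline recorded on the monitored link.
    """
    n_windows = int(duration_s // window_s)
    counts = [[0, 0] for _ in range(n_windows)]
    for ts, bad in events:
        idx = int(ts // window_s)
        if 0 <= idx < n_windows:
            counts[idx][0] += 1
            counts[idx][1] += int(bad)

    result = []
    for i, (received, errored) in enumerate(counts):
        per = errored / received if received else None
        delivery = received / expected_per_window
        if delivery < min_delivery:
            # Too few frames arrived: the PER of the survivors says nothing.
            verdict = "link-loss"
        elif per is not None and per >= per_alert:
            verdict = "elevated-per"
        else:
            verdict = "ok"
        result.append(Window(i * window_s, received, errored, per, verdict))
    return result


def constructed_trace(duration_s: float, period_s: float,
                      corrupt_every: int = 0,
                      stop_after: Optional[float] = None) -> List[Event]:
    """Build a synthetic log (constructed data): one frame every period_s seconds.

    corrupt_every=N marks every Nth frame as errored; stop_after=T drops every
    frame from T seconds on, as when the sender has lost its association.
    """
    events = []
    for k in range(int(duration_s / period_s)):
        ts = k * period_s
        if stop_after is not None and ts >= stop_after:
            break
        bad = corrupt_every > 0 and (k + 1) % corrupt_every == 0
        events.append((ts, bad))
    return events


if __name__ == "__main__":
    scenarios = {
        "baseline": constructed_trace(150, 1.0),
        "every 5th frame corrupted": constructed_trace(150, 1.0, corrupt_every=5),
        "sender silent after 4 s": constructed_trace(150, 1.0, stop_after=4),
    }
    for name, events in scenarios.items():
        print(f"{name}: whole-trace PER = {overall_per(events):.1%}")
        for w in analyse(events, 150, 50, expected_per_window=50):
            per = "n/a" if w.per is None else f"{w.per:.1%}"
            print(f"  t={w.start_s:>5.0f}s rx={w.received:>3} PER={per:>6} -> {w.verdict}")
```

In the third trace the whole-trace PER stays at zero while every window is reported as link loss, which is why frame delivery has to be tracked alongside PER.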

4.5.4 Detailed Assessment of Energy Consumption

The main purpose of this framework is to save as much of the attacker’s energy as possible. In the literature, a new attack area is emerging, i.e. the green attack. Indeed, the question of security is not new, and designing attacks is essential for discovering new threats. However, designing attacks that consume a lot of energy may be unrealistic in most cases. This is why studies on “green attacks” are starting to appear [2, 31]. As most of this work focuses on creating low-energy jamming attacks, we compare this work with our framework paired with a jamming attack.


Fig. 4.5 Energy budgets for different type of jamming strategies

In Fig. 4.5, we report the number of successful attacks as a function of the energy budget for different jamming strategies. The LearnJam attack was created in [32]; its purpose is to alternate between two phases, i.e., (1) the learning phase and (2) the attacking phase. During the learning phase, the jammer keeps listening to the communication between two nodes and records the time instances of incoming pulses. Then, with this information and the available energy budget, the attacker calculates its active period (attack phase) by solving an optimization problem. Thus, the attacker can alternate its mode of operation (i.e., sleeping or listening) according to the calculated active period. The point of view adopted in [2] is the optimization of the parameters of a jamming attack, such as the optimal listening rate required and the optimal transmission power. The authors decompose this optimization problem into three sub-problems and obtain the joint global solution by using the outcomes of the latter.

As shown in Fig. 4.5, a jamming attack coupled with our framework achieves more successful attacks than the other strategies for the same energy budget. Indeed, an attacker with 200 J of energy can successfully jam a network 3200 times with the LearnJam jammer, 3076 times with the Join Method and 3636 times with our method. The number of successful attacks is linear in the energy budget for our framework. For the LearnJam attack, however, the higher the energy budget, the more listening time is allocated to the attacker. During this period the attacker does not jam the channel, so it loses efficiency and can sometimes be in listening mode unnecessarily.


Table 4.6 Battery life for an IEEE 802.11 sensor device, for different attacks

| Type of attack | Number of packets/day | Battery capacity [J] | Expected device life time [Years] | Number of re-transmission/day | Extra power consumption [J] | Real device life time [Years] |
|---|---|---|---|---|---|---|
| Reactive jamming | 204 | 133,200 (10,000 mAh) | 4 | 26 | 11.375 | 3.62 |
| Jamming + framework | 204 | 133,200 (10,000 mAh) | 4 | 48 | 21 | 3.31 |

The second goal of this framework is to perform attacks belonging to the EDA category. We evaluate the effect of a jamming attack coupled to our framework, taking the battery life of our victim into account as a parameter. We suppose that the sensor has the same behavior as the transmitter of the test-bed, hence it sends 204 packets per day. The device has an energy budget of 133,200 J, which corresponds to 4 years of life time. For computational reasons, our legitimate nodes also have a Realtek RTL8187L device, so the energy consumption for each state is the same as for the attacker. In this situation, the constant attack is not considered because it is easily detected with a basic defense system. Indeed, as mentioned above, the victim nodes lose communication with each other, so the alert is immediate.

In Table 4.6, we report the victim’s energy consumption under different types of jamming attacks. A reactive jamming attack leads to an average of 26 re-transmissions per day and our framework to 48. Consequently, the life-time of the victim is reduced to 0.38 years with a reactive jamming attack and 0.69 years with our framework.

4.6 Discussion

In this chapter, we introduced energy-saving approaches, which are widely proposed in IoT/LPWAN and can lead to new threats, since the specific state of a node can be effectively exploited for creating efficient attacks. In more detail, we considered a security framework, proposed and demonstrated for WiFi systems, with two types of attack, and proved that this attack can “predict” the moment of the attack and thereby increase the offender’s performance. Moreover, the employment of this framework considerably reduces the energy expenditure of the attacker. This factor is not negligible, especially in IoT networks, where the attacker can also be an IoT device.

It has been shown how the framework works with a classical passive attack, i.e., an eavesdropping attack. Consuming little energy to obtain maximum information can be useful when the attack relies on this information to carry out a more elaborate attack (such as an attack based on ML algorithms). In the case of defense, this model can also be useful to obtain datasets for detection methods based on large amounts of data.

Second, we considered the framework on an active attack, i.e., a jamming attack. We have shown its efficiency, 20% against 9.5% for the reactive attack in terms of corrupted packets. Also, for the same duration of time, the jamming attack performed with our framework consumes 12.85 J less than the reactive attack. We tested our framework with a jamming attack, but it can be coupled with the majority of attacks belonging to the EDA group. Indeed, the effectiveness of most attacks, such as replay or injection attacks, is based on an interaction between the attacker and the victim. In the case of the replay attack, the transmitter must be in transmission mode at the same time as the receiver is in reception mode. It is then possible to slightly adapt the framework to optimize the transmission time of the attack so that the latter is carried out in the same slot as when the receiver is listening. Finally, the exploited flaw is based on the duty-cycle method; therefore all IoT/LPWAN communication protocols using this paradigm are vulnerable to it, and the framework can easily be adapted to protocols that use a simplified duty-cycle.

4.7 Conclusions

In this chapter, we focused on the energy constraints of IoT/LPWAN systems as a potential source of vulnerability when energy is addressed in the communication protocols. In particular, we have presented a framework capable of modeling the interaction between an attacker and its victim in the context of WiFi networks, showing that, owing to the intrinsic nature of the framework itself, it can be easily adapted to other technologies. Simultaneously, this framework employs the different operating modes provided by the power saving mechanism to reduce the power consumption of the attacker.

Overview

In this chapter, we have combined the framework with eavesdropping and jamming attacks and demonstrated the impacts of the latter in a real testbed. We prove that the duty-cycle mechanism designed to reduce the energy consumption of the LPWAN network can be seen as a threat and causes the opposite effect. Indeed, with this type of attack the life time of a node can be reduced to 17.25%.


References

1. Adefemi Alimi, K.O., et al.: A survey on the security of low power wide area networks: threats, challenges, and potential solutions. Sensors (Basel, Switzerland) 20 (2020). https://doi.org/10.3390/s20205800
2. Ahuja, B., Mishra, D., Bose, R.: Optimal green hybrid attacks in secure IoT. IEEE Wirel. Commun. Lett. 9(4), 457–460 (2020). https://doi.org/10.1109/LWC.2019.2958910
3. Andres-Maldonado, P., Ameigeiras, P., Prados-Garzon, J., Navarro-Ortiz, J., Lopez-Soler, J.M.: Narrowband IoT data transmission procedures for massive machine-type communications. IEEE Netw. 31(6), 8–15 (2017). https://doi.org/10.1109/MNET.2017.1700081
4. Barrachina-Muñoz, S., Bellalta, B., Adame, T., Bel, A.: Multi-hop communication in the uplink for LPWANS. Comput. Netw. 123, 153–168 (2017). https://doi.org/10.1016/j.comnet.2017.05.020. https://www.sciencedirect.com/science/article/pii/S1389128617302207
5. Barrachina-Muñoz, S., Adame, T., Bel, A., Bellalta, B.: Towards energy efficient LPWANS through learning-based multi-hop routing. In: 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), pp. 644–649 (2019). https://doi.org/10.1109/WF-IoT.2019.8767193
6. Basu, D., Gu, T., Mohapatra, P.: Security issues of low power wide area networks in the context of LoRa networks. ArXiv abs/2006.16554 (2020)
7. Bernard, A., Dridi, A., Marot, M., Afifi, H., Balakrichenan, S.: Embedding ML algorithms onto LPWAN sensors for compressed communications. In: 2021 IEEE 32nd Annual International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), pp. 1539–1545 (2021). https://doi.org/10.1109/PIMRC50174.2021.9569714
8. Bhuiyan, M.N., Rahman, M.M., Billah, M.M., Saha, D.: Internet of things (IoT): A review of its enabling technologies in healthcare applications, standards protocols, security, and market opportunities. IEEE Internet Things J. 8(13), 10474–10498 (2021). https://doi.org/10.1109/JIOT.2021.3062630
9. Bout, E., Loscri, V., Gallais, A.: Harpagon: an energy management framework for attacks in IoT networks. IEEE Internet Things J., 1 (2022). https://doi.org/10.1109/JIOT.2022.3172849
10. Cao, X., Shila, D.M., Cheng, Y., Yang, Z., Zhou, Y., Chen, J.: Ghost-in-zigbee: Energy depletion attack on zigbee-based wireless networks. IEEE Internet Things J. 3(5), 816–829 (2016). https://doi.org/10.1109/JIOT.2016.2516102
11. Communications, A.: Single-chip 2x2 MIMO MAC/BB/Radio with PCI express interface for 802.11n 2.4 and 5 GHz WLANS. https://datasheetspdf.com/datasheet/AR9280.html
12. Correia, L.H.A., Macedo, D.F., Silva, D.A.C., dos Santos, A.L., Loureiro, A.A.F., Nogueira, J.M.S.: Transmission power control in MAC protocols for wireless sensor networks. In: Proceedings of the 8th ACM International Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems, MSWiM ’05, pp. 282–289. Association for Computing Machinery, New York, NY (2005). https://doi.org/10.1145/1089444.1089494
13. Feeney, L., Nilsson, M.: Investigating the energy consumption of a wireless network interface in an ad hoc networking environment. In: Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213), vol. 3, pp. 1548–1557 (2001). https://doi.org/10.1109/INFCOM.2001.916651
14. Galluccio, L., Morabito, G., Palazzo, S.: Analytical evaluation of a tradeoff between energy efficiency and responsiveness of neighbor discovery in self-organizing ad hoc networks. IEEE J. Sel. Areas Commun. 22(7), 1167–1182 (2004). https://doi.org/10.1109/JSAC.2004.829336
15. Hernandez, D.M., Peralta, G., Manero, L., Gomez, R., Bilbao, J., Zubia, C.: Energy and coverage study of LPWAN schemes for industry 4.0. In: 2017 IEEE International Workshop of Electronics, Control, Measurement, Signals and their Application to Mechatronics (ECMSM), pp. 1–6 (2017). https://doi.org/10.1109/ECMSM.2017.7945893
16. Huang, C.Y., Lin, C.W., Cheng, R.G., Yang, S.J., Sheu, S.T.: Experimental evaluation of jamming threat in LoRaWAN. In: 2019 IEEE 89th Vehicular Technology Conference (VTC2019-Spring), pp. 1–6 (2019). https://doi.org/10.1109/VTCSpring.2019.8746374
17. Kartakis, S., Choudhary, B.D., Gluhak, A.D., Lambrinos, L., McCann, J.A.: Demystifying Low-power Wide-area Communications for City IoT Applications. Association for Computing Machinery, New York, NY (2016). https://doi.org/10.1145/2980159.2980162
18. López, N., Azurdia-Meza, C., Valencia, C., Montejo-Sánchez, S.: On the performance of 6loWPAN using TSCH/Orchestra mode against a jamming attack. In: 2019 IEEE CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON), pp. 1–5 (2019). https://doi.org/10.1109/CHILECON47746.2019.8988035
19. Loscri, V.: An analytical evaluation of a tradeoff between power efficiency and scheduling updating responsiveness in a TDMA paradigm. In: The Fourth International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness & Workshops, QSHINE ’07. Association for Computing Machinery, New York, NY (2007). https://doi.org/10.1145/1577222.1577269
20. Morin, A., Maman, M., Guizzetti, R., Duda, A.: Comparison of the device lifetime in wireless networks for the Internet of Things. IEEE Access 5, 7097–7114 (2017). https://doi.org/10.1109/ACCESS.2017.2688279
21. Nguyen, V.L., Lin, P.C., Hwang, R.H.: Energy depletion attacks in low power wireless networks. IEEE Access 7, 51915–51932 (2019). https://doi.org/10.1109/ACCESS.2019.2911424
22. Odelberg, T.J., Im, J., Wentzloff, D.D.: A 2.1mW -109dBm NB-IoT wake-up receiver. In: 2021 IEEE Radio Frequency Integrated Circuits Symposium (RFIC), pp. 235–238 (2021). https://doi.org/10.1109/RFIC51843.2021.9490494
23. Perković, T., Rudeš, H., Damjanović, S., Nakić, A.: Low-cost implementation of reactive jammer on LoRaWAN network. Electronics 10(7) (2021). https://doi.org/10.3390/electronics10070864. https://www.mdpi.com/2079-9292/10/7/864
24. Pu, C., Lim, S., Jung, B., Chae, J.: Eyes: mitigating forwarding misbehavior in energy harvesting motivated networks. Comput. Commun. 124, 17–30 (2018). https://doi.org/10.1016/j.comcom.2018.04.007. https://www.sciencedirect.com/science/article/pii/S0140366416306661
25. Raza, U., Kulkarni, P., Sooriyabandara, M.: Low power wide area networks: an overview. IEEE Commun. Surv. Tutorials 19(2), 855–873 (2017). https://doi.org/10.1109/COMST.2017.2652320
26. Sandoval, R.M., Garcia-Sanchez, A.J., Garcia-Haro, J., Chen, T.M.: Optimal policy derivation for transmission duty-cycle constrained LPWAN. IEEE Internet Things J. 5(4), 3114–3125 (2018). https://doi.org/10.1109/JIOT.2018.2833289
27. Seo, J.B., Jung, B.C., Jin, H.: Modeling and online adaptation of ALOHA for low-power wide-area networks (LPWANS). IEEE Internet Things J. 8(20), 15608–15619 (2021). https://doi.org/10.1109/JIOT.2021.3073237
28. Torres, N., Pinto, P., Lopes, S.: Security vulnerabilities in LPWANS: an attack vector analysis for the iot ecosystem. Appl. Sci. 11 (2021). https://doi.org/10.3390/app11073176
29. Verma, A., Ranga, V.: Mitigation of DIS flooding attacks in RPL-based 6LoWPAN networks. Trans. Emerg. Telecommun. Technol. 31(2), e3802 (2020). https://doi.org/10.1002/ett.3802. https://onlinelibrary.wiley.com/doi/abs/10.1002/ett.3802. E3802 ett.3802
30. Yakin, N., Zhitkov, M., Chernikov, A., Pepelyaev, P.: Security threats and service degradation detection in LoRaWAN networks. In: 2021 Ural Symposium on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT), pp. 0455–0458 (2021). https://doi.org/10.1109/USBEREIT51232.2021.9455123
31. Yang, Z., Cheng, P., Chen, J.: LearJam: an energy-efficient learning-based jamming attack against low-duty-cycle networks. In: 2014 IEEE 11th International Conference on Mobile Ad Hoc and Sensor Systems, pp. 354–362 (2014). https://doi.org/10.1109/MASS.2014.17
32. Yang, X., Karampatzakis, E., Doerr, C., Kuipers, F.: Security vulnerabilities in LoRaWAN. In: 2018 IEEE/ACM Third International Conference on Internet-of-Things Design and Implementation (IoTDI), pp. 129–140 (2018). https://doi.org/10.1109/IoTDI.2018.00022
33. Zaraket, C., Papageorgas, P., Aillerie, M., Agavanakis, K., Salame, C.: Cyber security vulnerabilities of smart metering based on LPWAN wireless communication technologies. In: Paper Presented at TMREES20, Technologies and Materials for Renewable Energy, Environment and Sustainability, Jun 2020, Athens, Greece (2020)
34. Zikria, Y.B., Kim, S.W., Hahm, O., Afzal, M.K., Aalsalem, M.Y.: Internet of things (IoT) operating systems management: opportunities, challenges, and solution. Sensors 19(8) (2019). https://doi.org/10.3390/s19081793. https://www.mdpi.com/1424-8220/19/8/1793

Part III

Cyber Security Aspects and Applications of LPWANs

Chapter 5

Analysis of LPWAN: Cyber-Security Vulnerabilities and Privacy Issues in LoRaWAN, Sigfox, and NB-IoT

Junaid Qadir, José Eduardo Urrea Cabus, Ismail Butun, Robert Lagerström, Paolo Gastaldo, and Daniele D. Caviglia

J. Qadir · P. Gastaldo · D. D. Caviglia
Department of Electrical, Electronic and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, Genoa, Italy

J. E. U. Cabus · I. Butun · R. Lagerström
Division of Network and Systems Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023. I. Butun, I. F. Akyildiz (eds.), Low-Power Wide-Area Networks: Opportunities, Challenges, Risks and Threats, https://doi.org/10.1007/978-3-031-32935-7_5

5.1 Introduction

The development of communication technologies, which led to the formulation of concepts like the Internet of Things (IoT) and the Internet of Everything (IoE), has substantially contributed to the establishment of upgraded living standards for humanity and the environments in which they live [2, 31]. Moreover, IoT technology is also helping to improve people’s living standards in a wide range of ways, including but not restricted to day-to-day smart applications for everyday life, health care, and security, among other things [2, 27, 31, 68]. In the IoT ecosystem, a wide variety of communication systems and connectivity standards have been implemented [20–22, 33–35]. The restricted communication range of popular short-range protocols, such as IEEE 802.15.1 and IEEE 802.15.4, has been widely publicised as a severe restriction. This is especially true considering that many critical industrial IoT applications require substantial communication range [2, 27, 31, 58]. On the other hand, cellular networks, which allow a higher degree of connectivity across a variety of platforms, have been widely deployed in a variety of capacities as alternatives [57, 58]. However, key limitations include both the expense and the complexity [2, 27, 31, 58].

Communication technologies that are considered to be conventional, such as cellular and wireless fidelity (WiFi), are of the utmost importance in day-to-day activities. However, in certain cases, it is vital to avoid using such technologies because they are not appropriate [31, 33, 57]. For instance, the implementation of cellular communication technology is notoriously expensive and far beyond the scope of what is feasible for amateur use [21, 32, 58]. Additionally, it uses up a large portion of the energy provided by the devices with which it interacts in order to function. On the other hand, in order to use Wi-Fi, a user must be in an area that is covered by the network’s signal. As such, there has been a significant decline in the usage of Wi-Fi technology in applications that require support across longer distances [19, 57].

Low-power wide area network, more commonly referred to as LPWAN, is yet another communication technology that has lately come to the forefront as a potentially viable alternative to the IoT connectivity standards that are now in existence. Additionally, it is becoming one of the most disruptive technologies of the modern era by attracting the focus and an incredible amount of attention from researchers and engineers working in the industry [2, 51, 58, 59, 68].

In the realm of IoT technologies, LPWAN networks are among the networks that are growing at the fastest rate. They are quickly becoming the most widely implemented communication standards due to their many advantageous characteristics, which include but are not limited to efficient long-distance communication and lower power demand [51]. In addition, they have the capability to support a variety of end devices, low energy consumption (battery lifespan), the ability to adapt to licensed and unlicensed spectrum, and the majority of the standards make use of a simplified star network topology [2, 32, 58]. Each LPWAN standard has its own set of particular operational characteristics, which enables it to be used in a diverse variety of occupational and operational conditions. For instance, LPWAN technology’s seamless packet interchange has a variety of potential applications, including smart homes and cities; smart metering; livestock; and agricultural monitoring [20, 21]. LPWAN is also useful for several applications, including the tracking of assets, surveillance, detection, and monitoring of patients’ health [58].

A variety of networking methods have been categorised under the umbrella name LPWAN. Moreover, current research suggests that Long-Range Wide Area Network (LoRaWAN) [66], Narrow-Band IoT (NB-IoT) [45], and Sigfox [37] are the top three (by number of deployed units) LPWAN solutions available in the market. It should be emphasised that the cost requirements for establishing such technology are relatively minimal, and that there is no additional effort required other than the deployment of the node, gateway, network, and application server, as depicted in Fig. 5.1.

Fig. 5.1 Application examples and network architecture of LPWAN based on LoRaWAN

In addition to the usual deployment of IoT networks on the ground, the LoRaWAN technology is also able to support satellite links. With this approach, end devices in IoT installations can communicate directly with satellites, simplifying networking architecture, particularly in territories with very poor networking infrastructure. The first examples of this kind of service recently appeared on the market (footnotes 1, 2 and 3) [72].

1 www.upcity.com/experts/lorawan-and-satellites-making-iot-truly-global/
2 https://www.lonestartracking.com/lorawan-satellite-gateway/
3 https://satsearch.co/suppliers/cshark

LoRaWAN and Sigfox have gained popularity in the market as they operate on an unlicensed spectrum named the Industrial, Scientific, and Medical (ISM) band [45]. Unlike these two competitors, NB-IoT makes use of licensed spectrum, like mobile technologies (2–5G), as it is a cellular-IoT standard. As a result of the widespread availability of the hardware required to implement such technologies on the market, numerous nations have expressed their approval of the usage of these technologies. In spite of the numerous benefits they offer, LPWAN technologies continue to be challenging to use due to the fact that enthusiasm might result in cyber-security vulnerabilities [18, 22, 27, 35]. Overcoming the cybersecurity vulnerabilities and privacy concerns inherent in such technologies is a necessary step in achieving widespread adoption in the IoT domain [6, 21, 35].

Many privacy and security concerns have prevented widespread adoption of LPWAN technologies, despite their many benefits. Because of the diversity, rapid spread, and accessibility of the devices that make up an LPWAN, the network’s susceptibility to attack has grown exponentially [35, 68]. It is possible that one of the primary reasons for the security flaws and exploitable threats posed by LPWANs is the fact that, the majority of the time, simple protocols are used for bootstrapping, encryption, and data protection. This is because LPWANs are designed to have low cost and low energy demand tags. Several cyberattacks and intrusive threats, such as replay attacks, eavesdropping, denial of service (DoS) attacks, and others, have been substantial obstacles in the way of the successful adoption of LPWAN [2, 18, 20]. Consequently, there is an immediate requirement for the presentation of efficient and effective security solutions capable of identifying and mitigating LPWAN attacks and vulnerabilities.

This chapter presents a comprehensive overview of the latest studies that highlight the security features of LPWANs, with a particular emphasis on analysing the important cybersecurity architectural framework and technical elements of LPWAN. Furthermore, it aims to introduce the most recent IoT-related technologies and their distinctive properties. In addition, it will briefly touch on the cybersecurity risks and privacy concerns associated with LPWAN technology, as well as their countermeasures. In conclusion, it will give a comprehensive comparison of all these technologies, which may aid in discovering their concealed assets. Highlighting the comparison is of utmost importance for researchers selecting the best LPWAN candidate for the desired application.

5.2 Comparison of LPWAN Technologies In most cases, LPWAN is utilised for long-range coverage in situations where other technologies have been shown to be ineffective, as well as for power consumption reduction solutions. It provides a data rate that ranges from 250 bps to 50 kbps per channel [71]. Despite the many positive advantages they offer and the promising development that is anticipated for them, LPWANs continue to confront substantial security issues in the implementation and integration of current standards, continuous security efforts, etc., which call for further research into LPWANs. At the moment, the primary focus of the majority of security measures and research is on cryptographic algorithms and issues pertaining to key management. Despite the progress that has been made, technical challenges such as intrusions continue to be a problem for networks. As a result, new security risks appear on a daily basis. As a consequence of this, it is absolutely necessary to put in place security measures that can promptly identify compromised devices and then remove those devices from use. In response to the growing concerns surrounding the security vulnerabilities of LPWAN and the IoT, a number of survey studies have offered extensive descriptions of the issues presented by LPWAN as well as mitigating strategies. In this part, we take a look at some of the most recent researches that have been published in the field. The technology known as LPWAN is rapidly gaining ground as one of the most well-known and widely implemented connectivity standards for the IoT. As a consequence of this, the authors of [2] present a number of different security approaches that have been proposed in recent research and compare the benefits and drawbacks of these approaches to the methods that are currently utilised to counteract serious threats to LPWAN security and privacy. Moreover, LPWAN technologies face a significant obstacle in the form of security and privacy flaws. 
This is due to the fact that unauthorised users can compromise an entire network

5 Analysis of LPWAN: Cyber-Security Vulnerabilities and Privacy Issues in. . .


by taking advantage of vulnerabilities in the numerous layers and infrastructures that are involved in these networks. If a cyberattack succeeds in compromising a system, it could have serious implications for people’s physical security and their ability to connect with other people. In [71], the authors look at the communication needs, discuss the AMI’s framework design, and analyse the security flaws of various short-range wireless solutions, with a special focus on LoRa/LoRaWAN technologies. They demonstrate how the integration of these technologies will impact smart meters, and examine the encryption algorithm, key exchange process, and authentication system used by each existing protocol by discussing the security flaws, difficulties, and threats. Additionally, in [67], the authors reviewed the most pertinent state-of-the-art works on this subject, analysed the threat vectors concerning generic IoT applications, and described the evolution of the significant security issues of LPWANs. According to the findings of the systematic review, LoRaWAN and NB-IoT are the LPWAN technologies that have been studied and used more extensively than others.

Research on LPWAN-related work led to the identification and presentation of pertinent vulnerabilities, threats, attack types, and potential defences. The goal of this research was to identify methods to defend against, lessen, or even completely eliminate these security flaws. Six attack vectors were also found, and they were connected to the security vulnerabilities that the state-of-the-art review addressed. Moreover, the authors of [63] look into how IoT and 5G’s convergence will create innovative solutions for the implementation of improved sensing, controlling, and interactive systems as well as the creation of novel technologies and services across a range of industries.

There are significant concerns regarding specific security issues that must be resolved in order to successfully integrate LPWAN systems within 5G architectures, due to the communication and control limitations of both IoT devices and the most cutting-edge IoT transmission technologies, LPWAN. They also examine the key security aspects of LPWANs, with a particular emphasis on network access, and compare them to the standards and practices for 5G security. The author of [17] discussed potential cyberattacks and the security flaw in the LoRaWAN network’s cyber defence. Furthermore, they offer a comprehensive evaluation and analysis of the research that suggests countermeasures for the integration of 5G-LPWAN. Their analysis shows that there are significant efforts being made by academia, business, and Standards Developing Organizations (SDOs) to bring the IoT and 5G worlds together as desired. Additionally, they explain how to locate these dangers and risks using their free and open-source software. Several Proof-of-Concept (PoC) attacks against LoRaWAN (packet forging), Sigfox (replay with DoS), and NB-IoT (attack using malicious UE) were described


J. Qadir et al.

in [22], which confirm the possibility of vulnerabilities in both commercial-off-the-shelf (COTS) hardware and software. LPWAN technologies offer diverse and emerging features, so choosing the right one for a specific task is quite challenging. This section eases that choice by comparing in depth the architecture and technical characteristics of LoRaWAN, Sigfox, and NB-IoT, respectively.

5.2.1 LoRaWAN

LoRaWAN, recently introduced by the LoRa Alliance, is a communication protocol. According to data from the LoRa Alliance, the number of countries with active LoRaWAN deployments has grown to 142, and there are 121 network operators in 58 countries [17]. There were no cellular LPWAN alternatives for IoT initiatives, and cellular innovations were either costly to adopt or did not fit specific use-cases; hence LoRaWAN evolved as one of the key, most prominent non-cellular LPWAN alternative approaches [10]. As a new technology, LoRaWAN already has a wide variety of significant deployments in progress and use-cases that have been implemented successfully all over the world [10, 17]. Moreover, the LoRaWAN architecture is made up of end devices, a gateway, a network server, and an application server. Together, these components allow devices to communicate with the gateway directly over the LoRa physical layer (wireless) and LoRaWAN, while the gateway communicates with the network server over either the TCP/IP or UDP/IP protocol, according to how it is used. A “down-link” is the flow of data from the server to the devices, and an “up-link” is the flow of data the other way around [70]. Working as a MAC layer on top of the physical layer (LoRa), it finds a variety of applications with extremely low power consumption. LoRaWAN provides good quality of service and securely exchanges data between end device and gateway.

Architecture

The LoRaWAN network consists of many end devices, several gateways, network servers (serving, forwarding, and homing), a join server, and an application server, as illustrated in Fig. 5.2. Different types of sensors could be installed on the end devices depending on the application. When the end devices detect a packet, they broadcast it to the gateways. Up-link transmission refers to the broadcasting of packets from end devices to gateways. Down-link refers to the process of receiving packets from the gateway on end devices.
Gateways are capable of receiving packets from all end devices within a network’s range. Each gateway operates as a relay that transmits to the network server all messages received from the end devices. The network server, often known as the brain of LoRaWAN, is in charge of all end device and gateway functions. End devices and gateways communicate via radio frequency, whereas gateways and network servers use Transmission Control Protocol/Internet Protocol, also known as TCP/IP. Unlike conventional wireless networks, LoRaWAN makes use of a star topology that significantly increases network capacity, reduces complexity, and consumes less energy from the battery.

Fig. 5.2 Architectural view of a typical LoRaWAN network (figure labels: End-Devices with temperature, humidity and smoke sensors; Gateways; Network Server; Join Server; Application Server; links: LoRa RF, TCP/IP SSL)

Technical Analysis

The chirp spread spectrum (CSS) modulation technology is used in LoRaWAN communication, which enables the network to communicate across great distances (up to 20 km). The spreading factor (SF) is what makes long-distance communication possible: the higher the SF, the greater the communication range, but at the expense of increased energy consumption and lower data throughput. LoRa operates on licence-free bands; therefore the duty cycle for communication is limited to 1% in Europe. The maximum payload size is 243 bytes, with transmission rates ranging from 300 bytes per second to 50 kbps depending on bandwidth and SF. LoRaWAN technology provides an adaptive data rate (ADR) scheme between gateway and end devices. The ADR scheme improves the network lifetime by selecting robust channels during packet advancement from the end device to the gateway.

LoRaWAN devices are divided into three categories: class A, class B, and class C. All end devices support class A, often known as the default class. End devices use an ALOHA-style protocol, with two down-link windows available at the same time as one up-link transmission. This technique allows an end device that requires bi-directional communication to do so. Class A operation is considered the lowest power-consuming method, in which the end device is able to enter sleep mode after defining its application. Down-link communication from the server is only required when the end device sends an up-link transmission. Class B allows more receiving windows at scheduled times in addition to the initiated windows of class A. Class B devices receive a periodic beacon in order to synchronize with the gateway. The programmable latency (up to 128 s) suits different applications, with trade-offs in power consumption. The additional power consumption in class B is still acceptable for applications that depend on batteries.
Class C devices offer the lowest latency at the price of high energy consumption. Devices operating in class C keep their receiving windows open continuously. Therefore, the network server can communicate with end devices with no latency, as their receiving windows are always open. Due to the high power consumption in this class (up to ∼50 mW), the devices are suggested to operate on continuous power instead of batteries in different applications [66].
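The trade-off described above between spreading factor, throughput and the 1% duty cycle can be made concrete with the LoRa time-on-air formula. The following is an added example, not code from the chapter: the formula is the one published in the Semtech SX1276 datasheet, and the 20-byte frame, 125 kHz bandwidth, 4/5 coding rate and 8-symbol preamble are assumed sample values.

```python
import math


def lora_time_on_air(phy_len, sf, bw_hz=125_000, cr=1, preamble=8,
                     explicit_header=True, crc=True):
    """Airtime in seconds of one LoRa frame carrying phy_len bytes.

    Time-on-air formula from the Semtech SX1276 datasheet (an outside
    reference, not part of this chapter).
    cr is the coding-rate index: 1 -> 4/5 ... 4 -> 4/8.
    """
    if not 7 <= sf <= 12:
        raise ValueError("spreading factor must be in 7..12")
    if not 1 <= cr <= 4:
        raise ValueError("coding-rate index must be in 1..4")
    if not 0 <= phy_len <= 255:
        raise ValueError("LoRa PHY payload is limited to 255 bytes")
    t_sym = (2 ** sf) / bw_hz            # duration of one chirp (symbol)
    de = 1 if t_sym > 0.016 else 0       # low-data-rate optimisation above 16 ms
    ih = 0 if explicit_header else 1     # 1 means implicit (no) header
    bits = 8 * phy_len - 4 * sf + 28 + 16 * int(crc) - 20 * ih
    payload_syms = 8 + max(math.ceil(bits / (4 * (sf - 2 * de))) * (cr + 4), 0)
    return (preamble + 4.25 + payload_syms) * t_sym


def frames_per_hour(toa_s, duty_cycle=0.01):
    """Whole frames that fit into one hour's transmit allowance."""
    return math.floor(3600 * duty_cycle / toa_s)


def min_off_time(toa_s, duty_cycle=0.01):
    """Silence required after one frame to stay within the duty cycle."""
    return toa_s * (1 / duty_cycle - 1)


def sf_budget(phy_len, duty_cycle=0.01):
    """Rows of (SF, airtime s, effective bit/s, frames/hour) for SF7..SF12."""
    rows = []
    for sf in range(7, 13):
        toa = lora_time_on_air(phy_len, sf)
        rows.append((sf, toa, 8 * phy_len / toa,
                     frames_per_hour(toa, duty_cycle)))
    return rows


if __name__ == "__main__":
    SAMPLE_LEN = 20  # constructed sample: a 20-byte frame
    for sf, toa, bps, per_hour in sf_budget(SAMPLE_LEN):
        print(f"SF{sf:<2} airtime {toa * 1000:8.1f} ms  "
              f"{bps:7.0f} bit/s  {per_hour:4d} frames/h  "
              f"off-time {min_off_time(toa):6.1f} s")
```

For the 20-byte sample, moving from SF7 to SF12 stretches the airtime from about 57 ms to about 1.3 s, so the 1% allowance drops from 636 frames per hour to 27.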


5.2.2 Sigfox

Because it is such an important subject for research, the concept of the IoT is one that is constantly evolving. This development is made possible by the willingness to give common, low-tech objects around us connectivity capabilities. Sigfox was established in France in 2009 as a company with the intention of developing a global network dedicated solely to IoT technology. Nowadays, it is one of the most well-known LPWAN communication technologies and security protocols available [24, 26, 38, 50]. Regarding the IoT notion, which has recently evolved into a defining aspect of the business models of network operators, Sigfox employs a novel approach. Sigfox networks already serve 1.3 billion people across 72 countries [25]. Applications that only require a limited amount of data transfer can make use of this technology, which is based on UNB (Ultra Narrow-Band) technology. Additionally, Sigfox deploys its own base stations in numerous countries using unlicensed sub-GHz ISM frequencies (e.g., 868 MHz in Europe, 915 MHz in North America, and 922–923 MHz in Japan and South Korea) [25, 50]. For base stations utilising BPSK modulation, the transmission rate is approximately 100 bps (e.g., 100 Hz bandwidth) and 600 bps (e.g., 600 Hz bandwidth) for the ETSI and FCC regions, respectively [38]. Due to increasing interest from businesses, academia, and organisations that establish standards, Sigfox has emerged as one of the primary LPWAN technologies. By using ultra narrow-bands in the sub-GHz spectrum, Sigfox utilises the frequency band efficiently and has very low noise levels, resulting in very low power requirements, great receiver sensitivity, and affordable modulation schemes [24, 26, 38, 50]. Additionally, Sigfox was developed to provide bidirectional communication after initially supporting only up-link transmission. Today, Sigfox connects millions of devices and has a global reach.

Architecture

The Sigfox network architecture is quite similar to the LoRaWAN network architecture. The network is made of four different types of key components, i.e. objects, base stations, cloud, and application server, as illustrated in Fig. 5.3. The objects make use of radio frequency (RF) while forwarding the packets to the base stations. The base stations are transparent and responsible for receiving the packets from the objects and forwarding them to the cloud, and vice versa. Base stations talk with the cloud using a secure IP connection. The MQTT protocol is used by the Sigfox cloud to communicate with the application server. Similar to LoRaWAN, the objects in the Sigfox network are deployed in a star topology where each object is physically connected to the central node, such as the base station. The star topology significantly improves the network’s lifetime, as the objects that participate in the network communicate directly with the base station instead of with other objects. This mechanism ensures low energy consumption of the deployed objects.

Technical Analysis

Sigfox base stations are deployed and operate in various countries using unlicensed sub-GHz ISM bands (i.e. 868 MHz in the EU region, 433 MHz in Asia, and 915 MHz in America). In this technology, the end devices transmit the packets using differential binary phase shift keying (D-BPSK) modulation technique


Fig. 5.3 Network architecture of Sigfox

within a 100 Hz ultra narrow-band. Employing an ultra narrow-band in the sub-GHz ISM band means that the end objects consume very little power while forwarding packets to the base station. The ultra narrow-band also provides higher receiver sensitivity, with a maximum allowed data rate of about 100 bps. The maximum volume of data an object can send over the Sigfox network is 12 bytes. Sigfox was designed to deliver just up-link messages at first, but it was later updated to send bidirectional messages. The down-link message is received when the up-link transmission takes place. The maximum payload size for down-link is 8 bytes. The number of up-link messages per day is limited to 140, whereas the number of down-link messages per day is limited to four. As mentioned above, Sigfox operates on unlicensed bands; therefore the duty cycle restriction is set to 1% in EU regions. The end objects in the Sigfox network can last up to 10 years with no disruption in power. It has covered over 6 million square kilometers across 75 countries, according to the Sigfox story. Furthermore, the number of IoT devices registered with Sigfox has surpassed 19 million, with 76.2 million messages delivered every day.

5.2.3 NB-IoT

There are currently a rising number of real-world IoT applications in a wide variety of business sectors. Because each prospective application has its own unique set of requirements and concerns, it is necessary to make use of a variety of different technologies. These newly emerging markets and technological advancements are the primary focus of LPWAN technology. LPWAN refers to a collection of several technologies that work together to make long-distance communication less expensive and more efficient. Applications of IoT that require transmitting only small amounts of data across a considerable distance can make excellent use of this technology. A new IoT technology called Narrow-band IoT (NB-IoT) was developed by the 3rd Generation Partnership Project (3GPP) as part of Release 13 and was first commercialized in 2016. It can be considered a new air interface


even though it is a part of the LTE standard. Many LTE functions, such as handover, measures to assess the spectral efficiency, available bandwidth, and dual connectivity, are removed in favour of simplicity in order to lower device prices and improve energy use [65]. NB-IoT is a radio technology that enables communication for a wide range of cellular devices and services. It focuses particularly on indoor coverage with high-density connectivity while keeping power consumption and cost in view. In [60], the authors provided an initial framework for NB-IoT and discussed its intended use cases as well as an analysis of battery performance, sensitivity, efficiency, and range. To avoid interference with current LTE networks, NB-IoT is anticipated to use a design based on those networks’ capabilities. However, NB-IoT is a brand new narrow-band IoT system developed by expanding upon LTE’s already established capabilities. It can operate independently as a dedicated carrier, in-band inside the occupied bandwidth of a wide-band LTE carrier, or in the guard band of an existing LTE carrier, giving it a lot of flexibility in deployment [3]. Moreover, the authors in [48] conducted an empirical investigation of the limits of the NB-IoT system, analysing key aspects from the perspective of the end user, including energy usage, dependability, and latency. When compared to other LPWAN benchmark technologies like LoRa, the authors concluded that its energy efficiency is on par with or even higher than theirs, and it also has the additional advantage of guaranteed delivery.

Architecture

NB-IoT technology resulted from exploiting the radio spectrum in pre-existing cellular infrastructure. Cellular or long-term evolution (LTE) technologies, for example, were modified to develop NB-IoT technology by removing the full-duplex capability and channel quality measurement. Modifications like these were made to lower the cost of devices and extend the battery life.
The network architecture of NB-IoT is illustrated in Fig. 5.4 and consists of the end user, base station, core network, cloud platform, and industry centre. NB-IoT is considered a pioneering network because of its versatile connectivity. It can be expanded to any location where a cellular network is accessible. This diverse expansion has made NB-IoT an ideal candidate for IoT development.

Fig. 5.4 Network architecture of NB-IoT


Technical Analysis

NB-IoT, as the name implies, is a variant of IoT that uses a narrow band of frequencies. It has been designed to operate on a narrow spectrum such as 180 kHz or 200 kHz. NB-IoT employs orthogonal frequency-division multiple access (OFDMA) for down-link communication and a single-carrier FDMA (SC-FDMA) scheme for up-link transmission. It has a maximum up-link packet transmission rate of 250 kbps and a down-link packet transfer rate of 20 kbps with an average latency of 1.6–10 s. NB-IoT provides three different operation modes: stand-alone operation, guard-band operation and in-band operation. Stand-alone operation is specified for the use of a single or multiple pre-existing GSM service. Guard-band operation takes advantage of unused resource blocks, whereas in-band operation makes use of carrier resources in the LTE system. NB-IoT provides a good quality of service (QoS) and supports over 100K devices.

5.2.4 Summarized Comparison of LPWAN Technologies

Numerous research works on the IoT and LPWAN have been published in various academic journals. Nonetheless, relatively little research has been done on the evaluation of LPWAN security and the defences against attacks. The vast majority of the published work on LPWAN security focused primarily on analysing the dangers and weaknesses posed by LPWAN technologies, with relatively little emphasis placed on the development of potential countermeasures to those dangers. The LoRaWAN communication protocol provides an adaptive data rate, which means the end nodes use a high data rate when located close to a gateway; the Sigfox and NB-IoT technologies do not provide this feature. The comparison of all these technologies is given in Table 5.1. Moreover, a selection of these features is represented graphically (see footnote 4) in Fig. 5.5 for comparison on technical aspects, and in Fig. 5.6 for comparison on security aspects. According to the security comparison in Table 5.1 and Fig. 5.6, one can observe the following:

• NB-IoT and LoRaWAN technologies have high-level security implementations when compared to Sigfox,
• The Sigfox communication technology has an optional authentication and encryption system (meaning that the choice is left to the user), hence confidentiality, and therefore the overall security of the network, is optional.

Footnote 4: The scale used for interpreting Figs. 5.5 and 5.6 is defined as follows: a scale of 3 indicates a high capability, a scale of 2 a medium capability, and a scale of 1 a low capability.

Table 5.1 Comparison of LPWAN technologies

Feature/LPWAN technology | LoRaWAN | Sigfox
Adaptive data rate | Yes | No
Battery lifetime - 2000 mAh | 120 months | 120 months
Coexistence | Yes | No
Data Rate | 300–50K bps | 100–600 bps
Frequency | 868/915/433 MHz ISM | 862/928 MHz ISM
Additional gateway requirement | Yes | Yes
Scalability (per cell)^a | 50K | 50K
Interference immunity | Very high | Low
Link Budget | 154 dB | 154 dB
Licensed^b | No | No
Max. msgs/day (down-/up-link) | 696/10 | 140/4
Maximum output power | 20 dBm | 20 dBm
Modulation | CSS | BPSK
Mobility/localization | Yes | Limited mobility
Power efficiency | Very high | Very high
Packet payload length | 243 Bytes | 12/8 Bytes
Rx bandwidth | 125–500 kHz | 100 Hz
Standardization | LoRa-Alliance | Sigfox and ETSI
Time latency^c | 2–10 s | 1–30 s

Security aspects/technology Data confidentiality Authentication and encryption Security Integrity Protection Availability^h

NB-IoT

No