LoRaWAN & Sub-GHz Attacks

LoRaWAN provides long-range low-bitrate communication for IoT — common in smart cities, asset tracking, and industrial telemetry. Outside LoRaWAN, the 433 / 868 / 915 MHz ISM bands host garage doors, doorbells, smart plugs, weather stations, and TPMS — most with weak or no crypto.

Quick Workflow

1. Identify the band + modulation (LoRa CSS vs. simple OOK/FSK)
2. Capture transmissions with appropriate hardware (HackRF / RTL-SDR / Flipper Zero)
3. For LoRaWAN: capture join + uplinks; analyze key derivation
4. For proprietary sub-GHz: demodulate, identify packet format, replay or craft

Hardware