LoRaWAN® Cybersecurity

LoRaWAN® Security

What you need to know for confident IoT deployments — how LoRaWAN protects your data, where the limits lie, and why implementation quality makes the difference.

AES-128: military-grade encryption · End-to-End: application encryption · NIST: certified algorithms

How LoRaWAN Protects Your Data

Security is built into the LoRaWAN specification by design — it is not an option or an additional layer. Here is how it works in practice.

A Dual Independent Encryption Layer
Diagram: Device → Gateway → Network Server → Application Server
🔑 NwkSKey
Network Session Key — covers integrity and authentication at network level. The network operator can access this layer.
🗝 AppSKey
Application Session Key — end-to-end encryption from device to Application Server (AES-128). No intermediate party can read this data.
LoRaWAN goes further than many cellular networks: on some 2G/3G networks, data is encrypted over the radio interface but travels in plaintext through the core network. With LoRaWAN, your business data remains completely unreadable to any intermediate party — including the gateway and the network server itself.
🔄 Integrity & Anti-Replay
  • Each frame carries an incremental counter (Frame Counter)
  • A MIC (Message Integrity Code) is calculated using AES-CMAC
  • Any duplicated or altered frame is automatically rejected
  • Full protection against replay attacks
🔐 AES-128 Encryption
  • NIST standard, approved for government and military use
  • CTR mode for application payload encryption
  • Same algorithm used in bank cards and passports
  • Reviewed by the global cryptographic community
🤝 Mutual Authentication
  • Each device holds a unique AppKey (128 bits)
  • OTAA verifies the identity of both device AND network
  • An unauthorized device cannot join the network
  • No single point of compromise possible
Security Architecture

OTAA — How Devices Join Securely

During the network join process, the device and the network mutually prove their identity using a shared secret key (AppKey). Two independent session keys are then derived for ongoing communications.

🔑 OTAA — Over-the-Air Activation

The OTAA procedure ensures that every device connecting to the network is genuinely authorized. Neither the gateway nor the network server can read application data — only the Application Server holds the AppSKey.

NwkSKey
Network Session Key — ensures integrity and authenticity of every frame at network level. Accessible by the network operator for routing and deduplication. Does not expose application data.
AppSKey
Application Session Key — encrypts application data end-to-end from device to Application Server using AES-128. Completely invisible to the network operator and any intermediate relay.
Key principle: The network operator only has access to the NwkSKey. Your business data remains completely unreadable to any intermediate party — including the gateway and the network server itself. Source: LoRa Alliance™
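As an added example (not code from the page or from the LoRa Alliance itself), the LoRaWAN 1.0.x session-key derivation that closes a successful OTAA join, together with the per-device DevNonce bookkeeping a Join Server needs so that a repeated DevNonce is refused. The names sessionKeys, nonceStore and acceptJoin and all sample values are this example's own assumptions; a real Join Server persists the nonce set rather than holding it in memory.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// sessionKeys is the LoRaWAN 1.0.x derivation at the end of a successful OTAA join:
// NwkSKey = AES(AppKey, 0x01|AppNonce|NetID|DevNonce|pad16), AppSKey uses prefix 0x02.
// AppNonce and NetID are the 3-byte Join Accept fields, DevNonce the device's 16-bit value (all LE).
func sessionKeys(appKey [16]byte, appNonce, netID [3]byte, devNonce uint16) (nwkSKey, appSKey [16]byte) {
	c, _ := aes.NewCipher(appKey[:]) // cannot fail: the key is exactly 16 bytes
	derive := func(prefix byte) (k [16]byte) {
		block := [16]byte{prefix} // remaining bytes stay zero (the pad16)
		copy(block[1:4], appNonce[:])
		copy(block[4:7], netID[:])
		binary.LittleEndian.PutUint16(block[7:9], devNonce)
		c.Encrypt(k[:], block[:])
		return k
	}
	return derive(0x01), derive(0x02)
}

// nonceStore remembers every DevNonce already accepted per DevEUI (hypothetical helper;
// a real Join Server persists this set so it survives restarts).
type nonceStore map[uint64]map[uint16]bool

// acceptJoin refuses a Join Request whose DevNonce this device has used before, and
// otherwise records the nonce and derives the session keys. ok is false on reuse.
func (s nonceStore) acceptJoin(devEUI uint64, appKey [16]byte, appNonce, netID [3]byte, devNonce uint16) (nwkSKey, appSKey [16]byte, ok bool) {
	if s[devEUI][devNonce] {
		return nwkSKey, appSKey, false // replayed or reused DevNonce: no keys derived
	}
	if s[devEUI] == nil {
		s[devEUI] = map[uint16]bool{}
	}
	s[devEUI][devNonce] = true
	nwkSKey, appSKey = sessionKeys(appKey, appNonce, netID, devNonce)
	return nwkSKey, appSKey, true
}

func main() {
	// Constructed sample values, not real keys: the first join succeeds, a repeat of the same DevNonce is refused.
	store, appKey := nonceStore{}, [16]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}
	for _, nonce := range []uint16{0x1234, 0x1234, 0x1235} {
		nwk, app, ok := store.acceptJoin(0x0102030405060708, appKey, [3]byte{0xaa, 0xbb, 0xcc}, [3]byte{0x13, 0, 0}, nonce)
		fmt.Printf("DevNonce %#04x accepted=%v NwkSKey=%x AppSKey=%x\n", nonce, ok, nwk, app)
	}
}
```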

LoRaWAN vs Wired Solution

Comparing radio and wired solely on the "security" dimension is an oversimplification. Here is an objective analysis of both approaches — with the real risks of each solution.

Criterion | 📡 LoRaWAN (radio) | 🔌 Wired Solution
Data Encryption | Native AES-128 end-to-end by design | ~ Variable — often proprietary or non-certified IoT standard
Device Authentication | Standardized mutual OTAA authentication | ~ Variable — often physical authentication only
Physical Interception | ! Radio broadcast — signal receivable at distance (but encrypted) | ! Physical access to the cable = data in plaintext (e.g. RS485)
Tamper Resistance | Data encrypted even if signal is captured | ! Gateway in an accessible location can be targeted
Attack Surface | Buried cables are difficult to cut discreetly | ~ Limited to physical network and direct access points
Key Updates | Re-keying via OTAA without physical intervention | ! Often requires on-site technician intervention
Compliance / Standards | LoRa Alliance® open and certifiable specification | ~ Depends on protocol (Modbus RTU: none natively)
(~ = variable, ! = risk to note)
⚠ Common misconception to debunk: "Wired is safer because it cannot be intercepted remotely." In reality, physical access to an unencrypted RS485 cable allows reading all data without any specialized tools. Security is a property of the protocol, not the medium.
Best Practices

Secure Deployment Checklist

LoRaWAN is secure by design — but like any technology, real-world security also depends on the quality of the implementation. Here are the criteria to verify before and during deployment.

  • Use OTAA — never ABP in production: Over-the-Air Activation ensures mutual authentication and unique session keys. ABP (Activation By Personalization) bypasses this critical security step.
  • Unique keys per device — never duplicate AppKeys: each device must have its own unique AppKey. Sharing keys between devices creates a single point of compromise for the entire fleet.
  • Store keys in a hardware Secure Element (SE): keys should be stored in tamper-resistant hardware, not in software or plain flash memory accessible from the application layer.
  • Preserve frame counters in non-volatile memory: frame counters must survive power cycles. A counter reset to zero allows replay attacks on the network.
  • Isolate network keys (NwkKey) from application keys (AppKey): separation of duties between the network and application layers ensures that a network operator cannot access business data.
  • Use LoRaWAN Certified™ laboratory-tested devices: certified devices have been validated for protocol compliance and security implementation correctness by the LoRa Alliance®.
  • Secure backend interfaces with HTTPS / VPN: the path from the Network Server to your application must also be secured — not just the radio link.
  • ⚠️ Avoid ABP configuration with a fixed counter reset to zero: if ABP must be used in a specific context, ensure the frame counter is never reset — otherwise the device becomes vulnerable to replay attacks.
  • ⚠️ Do not reuse nonces (one-time numbers) during Join: each Join Request must use a unique DevNonce. Reusing nonces can compromise the integrity of the session key derivation process.

Standards & Certifications

LoRaWAN's security framework is built on internationally recognized standards, making it suitable for regulated industries including healthcare, critical infrastructure, and industrial automation.

🔐 AES-128 (NIST FIPS-197)
Internationally standardized symmetric encryption algorithm, validated for government and critical industrial use. The same standard protects classified US government communications.
LoRaWAN Certified™
Certification program by the LoRa Alliance® guaranteeing device compliance with the LoRaWAN specification and the correctness of its security implementation — tested in accredited laboratories.
🏭 IEC 62443 (reference)
International standard for the security of industrial automation and control systems. LoRaWAN aligns with this framework for OT/IoT deployments in manufacturing and critical infrastructure environments.
🇪🇺 EU Cybersecurity Act
LoRaWAN deployments can be designed compliant-by-design with the EU Cybersecurity Act framework — particularly relevant for smart building and industrial IoT projects within the European Union.
In Summary — LoRaWAN is a secure and proven technology.
  • Security is native, not optional
  • Two independent AES-128 layers
  • Mandatory mutual authentication
  • True end-to-end encryption
  • Open, auditable, certifiable standard
  • Continuously updated by LoRa Alliance® against new threats
Security is not a property of the medium — it is a property of the protocol.
LoRaWAN protects your data, with or without a cable. Rigorous implementation makes the difference.
Your Partner

Why Choose VISE Smart Building?

Your trusted partner for secure, LoRaWAN®-powered Smart Building solutions in Europe — from device provisioning to full BMS integration.

🛡 Full end-to-end security design — from device provisioning to cloud application layer
🇪🇺 EU Cybersecurity Act aligned deployments — compliant by design for European projects
🏗 Specialists in Smart Building & industrial IoT applications across multiple sectors
📡 LoRaWAN® certified infrastructure: sensors, gateways, and network servers
🔑 Secure device provisioning and key management services for your entire device fleet
🔐 End-to-end AES-128 encryption with zero compromises on data confidentiality

Ready to secure your Smart Building?

Contact us for a consultation on LoRaWAN® security architecture for your building or industrial facility. Our team will design a deployment compliant with your operational and regulatory requirements.


Sources: LoRa Alliance® Security Whitepaper · LoRa Alliance® Technical Committee
