Jamming of LoRa PHY and Countermeasure

Ningning Hou, Xianjin Xia, Yuanqing Zheng


The Hong Kong Polytechnic University, Hong Kong, China
ningning.hou@connect.polyu.hk, {xianjin.xia, yqzheng}@polyu.edu.hk

Abstract—LoRaWAN forms a one-hop star topology where LoRa nodes send data via one-hop up-link transmission to a LoRa gateway. If the LoRa gateway can be jammed by attackers, the LoRa gateway may not be able to receive any data from any nodes in the network. Our empirical study shows that although the LoRa physical layer (PHY) is robust and resilient by design, it is still vulnerable to synchronized jamming chirps. Potential protection solutions (e.g., collision recovery, parallel decoding) may fail to extract LoRa packets if an attacker transmits synchronized jamming chirps at high power. To protect the LoRa PHY from such attacks, we propose a new protection method that can separate LoRa chirps from jamming chirps by leveraging their difference in the received signal strength in the power domain. We note that the new protection solution is orthogonal to existing solutions which leverage the chirp misalignment in the time domain or the frequency disparity in the frequency domain. We conduct experiments with COTS LoRa nodes and software defined radios. The results show that synchronized jamming chirps at high power can jam all previous solutions, while our protection solution can effectively protect LoRa gateways from the jamming attacks.

I. INTRODUCTION

Low-power wide-area networks such as LoRaWAN are emerging technologies that enable long-range low-power wireless communication for battery-powered sensor nodes [1]–[4]. A LoRa node is expected to transmit LoRa packets with a communication range of up to 10 km using AA batteries for ten years and enables innovative applications [5]–[7] (e.g., smart electricity metering, smart homes, supply chain, and health care).

LoRa adopts chirp spread spectrum (CSS) modulation in the physical layer (PHY), which is known to be resilient and robust to interference and noise. Benefiting from the long communication range, LoRaWAN forms a one-hop star topology, where a large number of LoRa nodes can send packets via one-hop up-link transmissions to a LoRa gateway, which greatly simplifies the network protocol design and facilitates data collection. In such a star topology, however, if a LoRa gateway is jammed by malicious attackers, the LoRa gateway may not be able to receive LoRa packets from any nodes in the network, leading to a single point of failure. Neighbor gateways could help receive the packets in this case, but those gateways can also be under jamming attacks.

We note that wireless jamming has been extensively studied in the literature [8] and LoRa jamming has also been attracting attention in both academia and industry recently. Some previous works [9]–[11] have demonstrated that it is indeed possible to jam LoRa nodes to some extent by emitting various jamming signals, while other measurement studies [1], [12], [13] show that LoRa nodes are inherently resilient and robust to interference and can even support parallel transmissions by resolving collisions. To better understand LoRa demodulation under jamming attacks, we conduct experiments with COTS LoRa nodes and software defined radios. Our empirical study indicates that jamming attacks (e.g., random interference and jamming chirps) may not necessarily affect packet receptions at LoRa gateways, meaning that LoRa by design is resilient to a certain type of jamming attacks and intentional interference.

By conducting deep analysis, however, we notice that if the jamming chirps are well-aligned with LoRa chirps, LoRa gateways cannot extract the LoRa chirps from jamming chirps any more. As such, a malicious attacker can send synchronized chirps at high power to jam LoRa chirps, which leads to dramatic performance degradation of LoRa communication. We note that existing collision recovery solutions (e.g., FTrack [12], mLoRa [14]) cannot resolve collisions caused by synchronized jamming chirps, since the LoRa chirps and the jamming chirps are aligned and thus cannot be separated in the time domain. Frequency domain collision recovery solutions (e.g., Choir [13]) cannot help either since attackers can send the jamming chirps at the same frequency as the LoRa chirps.

To further enhance the LoRa PHY against synchronized jamming chirps, we propose a new protection method that separates LoRa chirps from jamming chirps by leveraging their difference in signal strength. We note that the new protection method is orthogonal to existing solutions which leverage timing information (e.g., chirp boundary misalignment) or frequency information (e.g., frequency disparity). As such, our protection method can be integrated with existing collision recovery solutions and complement each other.

We implement our protection method and conduct experiments with COTS LoRa nodes as well as software defined radios. The experiment results show that well-synchronized jamming chirps at high transmission power can jam all previous solutions with very high success rates, while our protection method can effectively protect LoRa gateways from all known LoRa jamming attacks including synchronized jamming chirps.

The key contributions of this paper can be summarized as follows.

• We investigate the vulnerability of the current LoRaWAN physical layer under jamming attacks. We expose the risk of LoRa gateways under the attack of synchronized jamming chirps, which could lead to a single point of failure in LoRaWAN.
• We propose a new collision recovery method as a countermeasure against the attack of synchronized jamming chirps by leveraging the difference in signal strength of jamming chirps and LoRa chirps.
• We conduct comprehensive experiments with COTS LoRa nodes as well as software defined radios under various experiment settings. The experiment results demonstrate the effectiveness of our protection method against jamming attacks.

II. BACKGROUND AND SYSTEM MODEL

A. LoRa PHY: Chirp Spread Spectrum

LoRa adopts Chirp Spread Spectrum (CSS) modulation in the physical layer. In CSS, a chirp signal sweeps through
and wraps around a predefined bandwidth with the instant frequency increasing (up-chirp) or decreasing (down-chirp) linearly at a constant rate over time. LoRa uses different initial frequencies of chirps to modulate symbols. An up-chirp with the initial frequency of $f_0 = -BW/2$ is named the base chirp. LoRa uses $N$ different initial frequencies to represent $SF = \log_2 N$ bits. Such a procedure can be represented as follows.

$$S(t, f_{sym}) = e^{j2\pi(\frac{k}{2}t + f_0)t} \cdot e^{j2\pi f_{sym} t} = C(t) \cdot e^{j2\pi f_{sym} t} \quad (1)$$

where $f_{sym}$ denotes the initial frequency of the up-chirp (i.e., the encoded symbol). $C(t) = e^{j2\pi(\frac{k}{2}t + f_0)t}$ represents the raw chirp signal (termed base chirp); $f_0$ and $k$ denote the initial frequency and increasing rate of the chirp, respectively.

Fig. 1. LoRa packet structure. [Figure: PHY samples of a packet, labelled preamble, sync word, SFD, PHY header and payload.]

B. LoRa Packet Structure

Fig. 1 shows the PHY samples of a LoRa packet collected with software defined radios (SDR). A LoRa packet starts with several identical up-chirps as preamble and 2 sync word symbols followed by a 2.25-chirp start frame delimiter (SFD) as illustrated in the figure. In explicit header mode, the physical header and payload follow the SFD in a LoRa packet. LoRa packets can have a varied number of preamble chirps (e.g., >4 up-chirps), but the sync word and SFD are mandatory. On receiving incoming LoRa signals, a LoRa receiver first detects the preamble and then detects the SFD to determine the starting point of the physical header and payload.

Fig. 2. Locking process at LoRa receiver. [Figure: PHY samples → detect preamble (base chirps?) → pre-lock → SFD? → lock on symbol edge → decode payload; "No" loops back to detection.]

C. LoRa Packet Detection and Demodulation

The LoRa packet reception process involves several key steps as illustrated in Fig. 2. First, the LoRa receiver detects the arrivals of LoRa packets by detecting the preamble consisting of more than 4 up-chirps. The preamble detection can be performed by correlating the received PHY samples with an up-chirp generated locally at the LoRa receiver [15]. More than 4 consecutive spikes in the correlation results indicate the arrival of one LoRa packet. One may also detect the preamble by tracking the continuity of frequency after multiplying the incoming PHY samples with down-chirps [12]. After successful preamble detection indicating the arrival of a LoRa packet, the LoRa receiver needs to accurately detect the SFD so as to determine the chirp boundaries of the PHY header and payload. To this end, the LoRa receiver multiplies the incoming PHY samples with an up-chirp and monitors continuous frequency for 2.25 chirp durations to determine the chirp boundary of the first chirp in the PHY header and payload. After successfully locking on the chirp boundaries, the LoRa receiver can demodulate the chirps and decode incoming packets.

To demodulate a received chirp within a demodulation window, the LoRa receiver first multiplies the received signal with the conjugate of the base chirp denoted as $C^{-1}(t)$ and performs a Fast Fourier Transform (FFT) on the multiplication results. After that, the LoRa receiver searches for the spike in the FFT bins (which indicates the initial frequency) and thereby demodulates the symbol. The demodulation process is as follows

$$S(t, f_{sym}) \cdot C^{-1}(t) = e^{j2\pi f_{sym} t} \quad (2)$$

The FFT of $e^{j2\pi f_{sym} t}$ produces one spike in the FFT bins, indicating the initial frequency $f_{sym}$ [12].

Fig. 3. Attack model. [Figure: a LoRa node transmitting to a gateway, with a jammer overhearing the node's packets.]

D. System Model and Assumptions

Fig. 3 illustrates the jamming model, which consists of a LoRa node (which sends LoRa packets), a LoRa gateway (which receives LoRa packets), and a malicious jammer (which aims to jam the LoRa communication).

We assume that the LoRa gateway is equipped with a software defined radio (SDR) to measure physical layer samples for collision recovery. We note that the LoRa gateway can use a low-cost receive-only SDR (e.g., RTL-SDR dongle) since it only needs to receive rather than transmit radio signals. For the downlink from the LoRa gateway to the LoRa node, the gateway can use COTS LoRa modules for transmission.

We assume that the jammer is equipped with a software defined radio (e.g., USRP N210) for sniffing incoming LoRa packets and generating jamming radio signals accordingly. The jamming radio can be random Gaussian noise or LoRa signals. In LoRaWAN, LoRa nodes typically adopt a low duty cycle mode (e.g., 1% duty cycle). As such, if a jammer constantly emits jamming signals at high transmission power, the jammer can be easily detected and located. Therefore, we consider a jammer that adopts reactive jamming, where the jammer stays quiet when the channel is idle and starts emitting jamming signals when it detects on-going LoRa communication, to selectively jam the LoRa communication. The objective of the jammer is to jam the communication between LoRa nodes and a LoRa gateway. We assume that the jammer aims to jam a specific gateway rather than all gateways in a network.

On the other hand, we want to design and implement a countermeasure to protect the communication by enhancing the LoRa gateway against the jammer. Ideally, the countermeasure should not require any modification to the LoRa node, to support the large number of already deployed COTS LoRa nodes.

III. EMPIRICAL STUDY OF LORA JAMMING

LoRa jamming has been attracting wide attention due to the potential risk of single point failure under jamming attacks. Previous works [9]–[11] have demonstrated that it is indeed possible to jam LoRa nodes to some extent by emitting various jamming signals, while other measurement studies [1], [12], [13] show that LoRa nodes are inherently resilient and robust to interference and can even support parallel transmissions by resolving collisions. In the following, we conduct an empirical study to evaluate the impact of a variety of prior jamming attacks on LoRa communication.
A. Prior Jamming Attacks and Empirical Study

1) Jamming LoRa with Gaussian Noise: Gaussian noise has been commonly used to jam wireless communication systems. In the following, we test if LoRa communication can be jammed using Gaussian noise and evaluate the impact of Gaussian noise on LoRa communication. To this end, we use a software defined radio to emit Gaussian noise in the same frequency band as the LoRa communication. We vary the transmission power of the Gaussian noise jammer and measure the packet reception rate (PRR) under different Signal-to-Interference-plus-Noise Ratio (SINR). In the experiment, we keep the transmission power of the LoRa node unchanged and both the LoRa node and the LoRa gateway remain static.

Fig. 4. Jamming with Gaussian noise. (a) Packet Reception Rate of LoRa node under different SINR. (b) Spectrum of LoRa base chirps under Gaussian noise attack. (c) FFT after dechirp operation of chirp in red box in (b). [Axes: (a) SINR (dB), −8 to 2, vs. Packet Reception Rate, 0 to 1; (c) FFT bin #, 1 to 256, vs. |FFT|; legend: LoRa signal, Jamming noise.]

As shown in Fig. 4(a), we can observe that the LoRa node can achieve almost 100% PRR even when SINR is −2 dB and it can still achieve almost 80% PRR when SINR decreases to −4 dB. Intuitively, 0 dB means that the signal strength of the LoRa node is comparable with the interference and noise, while a negative SINR means that the received LoRa signal at the gateway is even weaker than the interference and noise. The reason why LoRa can still receive packets even with negative SINR is that LoRa adopts CSS modulation, which is inherently robust to interference and noise. Fig. 4(b) plots the spectrum of LoRa chirps (preamble part) under the Gaussian noise attack. In Fig. 4(b), we see that the LoRa chirps are totally submerged by the Gaussian noise. Fortunately, if we apply the demodulation operation (i.e., multiplying with a down-chirp and FFT), we can still see a spike in the FFT bins corresponding to the correct initial frequency, as shown in Fig. 4(c). That is because after the de-chirp operation, the power of Gaussian noise will still be distributed over all FFT bins, while the LoRa chirp will concentrate into the one FFT bin corresponding to the initial frequency of the up-chirp.

As a matter of fact, the LoRa node can adopt a more conservative parameter setting (e.g., spreading factor, bandwidth) to further enhance its robustness against interference and noise. If the jammer emits Gaussian noise at higher transmission power, it may cause performance degradation, but the jammer can be detected due to the high transmission power, which is restricted by regulation. This experiment demonstrates that, unlike other wireless technologies, LoRa PHY is inherently robust to Gaussian noise to some extent in practice.

2) Jamming LoRa with Chirps: Recent work [9] proposes to jam LoRa nodes with LoRa packets and cause collisions to legitimate LoRa communication. The prior work sets the maximum transmission power of the jammer, while a legitimate LoRa node may transmit at a lower transmission power to reduce power consumption. We evaluate the impact of jamming chirps on LoRa chirps in the collisions. The jamming LoRa packet has the same packet structure as the legitimate LoRa packet, as illustrated in Fig. 1. In this experiment, both the legitimate transmitter and the jammer are configured to use the same SF and bandwidth. We note that if they adopt different parameter settings, legitimate packets can be received by gateways, as LoRa gateways support parallel transmissions of LoRa packets with different parameter settings [1]. After setting the same parameters (e.g., spreading factor, bandwidth, central frequency), we vary the transmission power of the jammer and evaluate the impact of jamming chirps under different SINR.

As we described in Section II-C, the LoRa demodulation process involves several key steps including preamble detection, frame alignment, and chirp demodulation in demodulation windows. As such, we consider the following four scenarios where jamming chirps collide with different parts of LoRa packets: 1) collision with the first four base chirps; 2) collision with the last four base chirps; 3) collision with the sync word and SFD; and 4) collision with the PHY header and payload. Fig. 5 shows the experiment results, from which we have the following key observations.

Fig. 5. Jamming packets collide with different parts of LoRa packets under different SINRs: (a) Packet Reception Rate of legitimate packets and (b) Packet Reception Rate of jamming packets. [Axes: SINR (dB), −10 to 10, vs. PRR, 0 to 1; legend: Loc1 #1-4, Loc2 #5-8, Sync&SFD, Hdr&PayL.]

First, to jam a LoRa signal with a COTS LoRa node, the power of jamming packets needs to be orders of magnitude higher than that of legitimate LoRa packets (e.g., SINR ≤ −3 dB). If the received signal strength is comparable with the jamming signal (e.g., SINR ≥ 0 dB), the legitimate packets can still be received correctly with high PRR (e.g., ≥ 96.5%).

Second, the LoRa receiver is not likely to receive the late-coming jamming packets. That is because the LoRa receiver is more likely to detect and lock on the preamble and SFD of the legitimate packets that arrive earlier than the jamming packets. Yet, we do observe the capture effect where jamming packets colliding at the first four base chirps of a legitimate packet with strong signal strength are selected and demodulated (e.g., SINR ≤ −3 dB).

Third, the impact of collision at the PHY header and payload seems weaker than the collision at the preamble. Referring to Fig. 6, let us see how the collision at the PHY header and payload part would influence the demodulation of legitimate chirps in demodulation windows. Suppose the legitimate chirp
① collides with jamming chirps (② and ③) as illustrated in the figure. In the demodulation of the PHY header and payload, a LoRa receiver multiplies the PHY samples in the demodulation window with a down-chirp, and performs the FFT on the multiplication result. Due to the collision of jamming chirps in the demodulation window, the FFT operation will generate three spikes as illustrated in the figure. Because the jamming chirps are misaligned with the legitimate chirp, the power of the jamming chirps will be divided into two demodulation windows and their corresponding spikes would be lower than that of the legitimate one. As such, we see that LoRa nodes can tolerate collisions at the PHY header and payload with jamming chirps of comparable or even slightly stronger signal strength. However, if the jamming chirps and the legitimate chirps are well aligned (e.g., < 10% misalignment), the spikes of jamming chirps within the demodulation windows could become higher than those of legitimate chirps. In this case, the legitimate nodes will be jammed, since the LoRa receiver demodulates the jamming chirps but not the legitimate chirps.

Fig. 6. Demodulation example: Chirps misaligned with the demodulation window will have part of their power split out. [Figure: legitimate chirp ① and jamming chirps ② and ③ in a demodulation window, then dechirp; |FFT| vs. Freq for a larger and a smaller misalignment, with spikes ② ① ③ very close in the latter.]

B. Prior Collision Recovery Methods as Countermeasures

We can draw strength from the recent advances in LoRa collision recovery and parallel transmissions to protect LoRa communication against jamming attacks. For example, recent works show that some LoRa collisions can be resolved by separating the LoRa chirps of different LoRa nodes in the time domain [12], [13], [16]–[18] and in the frequency domain [13]. For example, LoRa collision recovery schemes (e.g., FTrack [12], mLoRa [14]) can resolve the collisions of multiple LoRa nodes as long as their chirp boundaries are misaligned in the time domain. FTrack [12] detects the continuity of chirps within a demodulation window to recover collisions. Referring to Fig. 6, we see the frequency of the legitimate chirp continuously increases while the frequency of the jamming chirps is not continuous within the demodulation window due to the chirp boundary misalignment. If the jamming chirps and legitimate chirps are well-aligned in the time domain, the FFT spikes of jamming chirps and legitimate chirps will be very close to each other. In this case, if the jamming chirps are slightly stronger than legitimate chirps, those collision recovery schemes cannot resolve the collisions.

Frequency domain collision recovery schemes (e.g., Choir [13]) separate LoRa collisions by leveraging the frequency differences of colliding nodes due to their hardware imperfection. For example, Choir [13] notices that the fractional parts of the initial frequencies of different LoRa nodes are unique, which can be used as physical layer fingerprints. As such, Choir can group different chirps according to fractional parts and thereby separate colliding LoRa chirps. If the frequency of jamming chirps is synchronized with the legitimate chirps (e.g., emitting jamming chirps with the same fractional part of initial frequency), those collision recovery schemes cannot separate the legitimate chirps from jamming chirps.

In summary, prior collision recovery methods cannot separate legitimate LoRa chirps from jamming chirps if the jamming chirps are aligned with the legitimate chirps in the time domain and the frequency domain. In this case, if the power of a jamming chirp is higher than that of a legitimate chirp, LoRa receivers will demodulate jamming chirps within demodulation windows rather than legitimate chirps.

IV. DEFEATING PRIOR COUNTERMEASURES WITH SYNCHRONIZED JAMMING CHIRPS

As we described in Section III-B, in order to attack a legitimate LoRa node, an attacker needs to emit jamming chirps that satisfy the following three conditions. Otherwise, prior countermeasures can protect the legitimate LoRa node by separating legitimate chirps from jamming chirps.

A. Necessary Conditions of Jamming against Prior Countermeasures

C-1: Jamming chirps should be well-aligned with legitimate LoRa chirps in the time domain. Prior collision recovery and parallel decoding methods (e.g., FTrack [12], mLoRa [14]) separate LoRa collisions in the time domain. As such, if jamming chirps are not aligned with legitimate chirps, the jamming chirps can be separated in the time domain.

C-2: Jamming chirps should mimic legitimate LoRa chirps in the frequency domain (e.g., central frequency). Frequency domain collision recovery schemes (e.g., Choir [13]) separate LoRa collisions by leveraging the frequency differences of colliding nodes. To jam a LoRa node protected by the frequency domain collision recovery schemes, a jammer needs to synchronize the jamming chirps in the frequency domain with the LoRa node.

C-3: Jamming chirps should have a higher power than legitimate LoRa chirps at a LoRa receiver. If the power of a jamming chirp is weaker than that of a legitimate chirp, the LoRa receiver can correctly detect the initial frequency of the legitimate chirp.

We note that C-2 (i.e., the frequency condition) and C-3 (i.e., the power condition) are relatively easy to satisfy. For example, a jammer can measure the frequency of a legitimate preamble and extract the fractional part of the frequency. After that, the jammer can emit jamming chirps with the same fractional part, which can defeat the frequency domain collision recovery scheme (e.g., Choir [13]). To increase the power of jamming chirps at the receiver, a jammer can increase the transmission power and get closer to the LoRa receiver.

However, C-1 (i.e., the timing condition) can be a bit challenging to satisfy because of the signal processing delay caused by software defined radios, the different communication distances between the LoRa node and the LoRa receiver, etc. As such, jamming chirps may not be well-aligned with legitimate chirps in the time domain. In this case, the power of jamming chirps will be divided into two adjacent demodulation windows. Moreover, the time domain collision recovery schemes can separate the legitimate chirps from the misaligned jamming chirps.

B. Jamming with Synchronized Chirps

We illustrate the basic jamming workflow as shown in Fig. 7. A LoRa jammer hears LoRa packets over the air. Upon detecting a valid LoRa preamble, it will attempt to lock on
the packet by extracting synchronization information. After that, it can identify and interpret the packet header like a normal receiver. If the packet is transmitted by a targeted node, the jammer will emit synchronized chirps to jam the legitimate packet. Specifically, to launch effective jamming with well-synchronized chirps, the jammer needs to take all time/frequency offsets (i.e., jamming conditions) into account and carefully compensate them before sending jamming chirps in real time. We present the key steps to generate synchronized chirp jamming in the following.

Fig. 7. The general workflow of LoRa jammer. [Figure: RX antenna → detect PHY samples → extract sync. information → decode packet header → jamming? → emit jamming chirps via TX antenna; otherwise "NOT jamming" or "DONE jamming".]

1) Accounting for propagation delay: Basically, the emitted jamming chirps are required to closely align with the chirps of a legitimate packet when received at a gateway. The communication distance between jammer and gateway and the corresponding propagation delay affect the arrival time of jamming chirps at the gateway. We notice that as LoRa typically adopts narrow bandwidths (i.e., ≤ 500 kHz), the sampling interval of a LoRa receiver is relatively large (e.g., > 2 μs). Signals arriving within 2 μs (which corresponds to a communication distance of 600 m) are aligned to the same PHY sample. In practice, the jammer can emit jamming chirps within 600 m of the gateway to mitigate the influence of propagation delay.

2) Compensating carrier frequency offset (CFO): When the jammer hears the preamble of a legitimate packet, it detects chirp boundaries from the preamble and aligns jamming chirps to legitimate chirps. Intuitively, the jammer can detect chirp edges by correlating the received preamble, which is composed of successive base chirps, with a locally generated base chirp. However, the detected edges may not correspond to the correct chirp edges due to the carrier frequency offset between the legitimate node and the jammer. As a result, the frequency offset translates into a corresponding time offset for chirp signals [12], [16]. To be specific, let $\Delta f_{cfo}$ denote the CFO. The received preamble chirps can be represented as

$$R_{pre}(t) = h \cdot e^{-j\Delta f_{cfo} t} \cdot C(t) \quad (3)$$

where $C(t)$ denotes the base up-chirp of the preamble transmitted by the legitimate node, and $h$ is the channel between the node and the jammer. If we directly correlate $R_{pre}(t)$ with a local base chirp $C(t)$, the detected chirp edge would be $\Delta t = \frac{2^{SF}}{BW^2}\Delta f_{cfo}$ away from the real edge, as illustrated in Fig. 8(a). According to our measurements, this edge offset $\Delta t$ can be as large as ten samples in practice. As such, a jammer must compensate the timing offset caused by CFO and align jamming chirps to the correct edges.

Fig. 8. CFO affects edge detection: (a) Detected edge vs. real edge of base up-chirp in preamble. (b) Extracted SFD down-chirp with edge offset Δt. [Figure: frequency over bandwidth BW vs. time, with the edge offset Δt marked in both panels.]

Firstly, a jammer needs to estimate the CFO from the received signal. We exploit the SFD that comes after the preamble (see Fig. 1) for CFO estimation. In particular, a received SFD chirp can be represented as:

$$R_{sfd}(t) = h \cdot e^{-j\Delta f_{cfo} t} \cdot C^{-1}(t) \quad (4)$$

By multiplying Eq. (3) with Eq. (4), we obtain

$$R_{pre}(t) \cdot R_{sfd}(t) = h^2 \cdot e^{-j2\Delta f_{cfo} t} \quad (5)$$

We perform an FFT (Fast Fourier Transform) on Eq. (5) and the resulting FFT peak indicates the value of $\Delta f_{cfo}$. We use $\Delta f_{cfo}$ to compute the corresponding chirp edge offset $\Delta t = \frac{2^{SF}}{BW^2}\Delta f_{cfo}$, which is finally used to infer the correct chirp edge from the detected edges.

As we may detect incorrect chirp boundaries from the received preamble due to CFO, one may wonder how to extract the correct preamble chirp and SFD chirp for CFO estimation. As a matter of fact, we can first perform correlation detection on the received preamble to coarsely detect the boundary of chirps with a time offset, as illustrated by the red dashed lines in Fig. 8. We use the coarsely detected timing to identify SFD chirps. We note that the extracted preamble base-chirp and SFD down-chirp have the same offset (i.e., $\Delta t$) with respect to their real edge timing, as illustrated in Fig. 8. As a result, the extracted chirps in Eq. (5) for CFO estimation are actually $R_{pre}(t - \Delta t)$ and $R_{sfd}(t - \Delta t)$, rather than the ideal $R_{pre}(t)$ and $R_{sfd}(t)$. As the edge time offset ($\Delta t$) translates into a frequency offset $\Delta f_{edge}$ for the up-chirp and an opposite frequency offset $-\Delta f_{edge}$ for the down-chirp, we have $R_{pre}(t - \Delta t) \cdot R_{sfd}(t - \Delta t) = R_{pre}(t) \cdot R_{sfd}(t)$. In summary, the above CFO estimation method (i.e., Eq. (5)) still holds with the time offset in preamble and SFD detection.

3) Compensating hardware and software delay: The jammer also needs to process the received signal and react in real time. It imposes a strict constraint on the processing latency (termed jamming delay). We use a software defined radio (i.e., USRP N210) as hardware and use the open-source GNU Radio (GR) as software to perform jamming on-line. In particular, we list the main contributors of jamming delay as follows.

• Data transfer: The delay of data transfers between different components, e.g., from the USRP Rx buffer to data processing blocks as well as from blocks to the USRP Tx when emitting jamming chirps.
• Scheduling: The latency of OS (i.e., operating system) and GR scheduling.
• Signal processing: The latency of signal processing including preamble detection, packet decoding, synchronization of jamming chirps, etc.

We note that as signal processing is generally performed on PCs with powerful CPUs, the processing latency is relatively short (e.g., tens of μs on our Intel i5 PC). In comparison, the air time of a LoRa packet is 2 ∼ 3 orders of magnitude longer. For instance, the transmission time of a typical LoRa chirp with SF = 8, BW = 250 kHz is about 1 ms (i.e., 100× longer than signal processing). Theoretically, this would leave a sufficient amount of time for a jammer to finish signal processing and generate jamming chirps in real time.

On the other hand, we empirically observed that the GR scheduling and data transfers exhibit time uncertainty in practice. The latency varies randomly from 100 μs to 10,000 μs in our measurements. We configure the GR scheduler with the Single-Thread-Scheduler mode (i.e., STS) to reduce the processing latency and time variation. We also configure
150
'HPRG:LQ 'HPRGXODWLRQUHVXOW
-DPPLQJFKLUS
100
3RZHU

|FFT|
50 /HJLWLPDWHFKLUS

0
))7ELQ 1 64 128 192 256
(a) (b) FFT bin#

(a) (b)
3RZHU
Fig. 10. Jamming power is higher than the power of legitimate packet:
(a)Received signal power of jamming chirp vs. legitimate chirp. (b)FFT
magnitude of demodulated jamming chirp vs. legitimate chirp.
))7ELQ
(c) (d) with the window, as illustrated in Fig. 9(c) and (d). As such, a
Fig. 9. Jamming without synchronization: (a-b) Non-identical jamming
chirps and demodulation result vs. (c-d) Identical jamming chirps and the jammer can emit the same consecutive chirps to defeat existing
demodulation result. When consecutive jamming chirps are identical, the countermeasures without synchronizing to legitimate chirps.
samples from adjacent chirps form a complete chirp in the demodulation However, COTS LoRa radio interleaves the payload data
window which well-aligns with legitimate chirp. to avoid successive identical symbols in the PHY layer.
While we can observe two consecutive chirps with the same
the buffer size of inter-block data transfer to fit the size of initial frequency in practice, we seldom observe more than
LoRa chirps. As a result, the end-to-end jamming latency three identical symbols appearing successively in the payload
becomes rather stable (e.g., 500 μs in our setting), which can of packets transmitted by COTS LoRa nodes. As such, a
be measured and compensated before sending jamming chirps. jammer can emit two consecutive chirps with the same initial
In order to align a jamming chirp with a legitimate chirp, the frequency as jamming chirps.
jammer needs to infer which sample is currently transmitting We note that the consecutive chirp pattern still differs from
in the air (i.e., the front wave of legitimate packet). To this the random chirp pattern of a normal packet payload. Existing
end, the jammer continuously receives samples of legitimate time domain collision recovery schemes can be adapted to
packet using USRP, which buffers the received samples and discern a consecutive jamming attack by detecting chirp’s
reports them when the buffer is full. In practice, the number consecutive patterns. As a result, the consecutive jamming
of reported samples in every buffer and the corresponding approach may not be as effective as the synchronized jamming
timestamp can vary due to the uncertainly in GR scheduling. approach against existing countermeasures. Note that there
To address this problem, the jammer can estimate the current can be other variations of jamming methods. For example,
transmitting sample in the air with the latest received buffer a jammer can transmit consecutive SFD chirps to interfere the
size and its timestamp. By further counting in the processing locking process at a receiver. Similar to identical consecutive
latency, the jammer can determine the time compensation for chirps, this method can be easily detected though.
precise alignment of jamming chirps with legitimate chirps.
V. C OUNTERMEASURE
C. Jamming with identical Consecutive Chirps In the previous section, we reveal that current LoRaWAN
The synchronized jamming approach satisfies all conditions suffers the risk of synchronized jamming attacks. In this sec-
listed in Section IV-A. A jammer can properly choose jamming tion, we present a new countermeasure to protect LoRaWAN
chirps to mimic the payload of a legitimate packet, and employ against synchronized jamming attacks.
synchronized jamming to defeat the existing collision recovery Recall from the jamming conditions in Section IV-A (i.e.,
strategies. However, the synchronized jamming approach re- C-3), in order to successfully jam a LoRa packet, it requires
quires careful calibration and strict timing requirement to align the power of a jamming chirp to be higher than the power of
jamming chirps with legitimate chirps. In the following, we a legitimate chirp in a demodulation window, as illustrated
demonstrate that it is possible to jam in a lightweight manner in Fig. 10(a). Essentially, we can expect a discrepancy of
without strict synchronization (e.g., delay compensation). FFT magnitude between the jamming chirp and the legitimate
If we perform jamming without synchronization, the emitted chirp after demodulation, as shown in Fig. 10(b). This mo-
jamming chirps are likely to misalign with chirps of legitimate tivates us to differentiate a legitimate chirp from a jamming
packet. Suppose a gateway uses a time domain collision chirp by checking their received signal strength in power do-
recovery scheme to protect legitimate packets from jamming main, which complement the conventional collision recovery
attacks. Let us consider a demodulation window that is aligned schemes examining time and frequency domain.
with a legitimate chirp but not jamming chirps. As illustrated The received signal strength (i.e., RSS) of LoRa packet can
in Fig. 9(a), since the demodulation window spans across be affected by many factors (e.g., transmit power, communi-
two adjacent jamming chirps, jamming signals within this cation distance, receiver gain, etc.), but most of those factors
demodulation window would experience a sudden change in are generally invariant during the transmission of a packet. For
frequency at chirp boundary. As a result, after demodulation, instance, the transmit power of a LoRa node can be adapted
there will be two FFT spikes at different FFT bins (Fig. 9(b)). for each packet transmission, but will remain the same during
However, if the two adjacent jamming chirps are the same, the packet transmission. Besides, in our target scenarios, LoRa
their frequency would experience no sudden change at the nodes generally remain stationary or move at a low speed.
jamming chirp boundary (see Fig. 9(c)). As a result, both More importantly, since the LoRa PHY (i.e., CSS) does not
the jamming chirp and the legitimate chirp exhibit frequency modulate the amplitude of LoRa chirps, the power level of
continuity within the demodulation window, meaning that the LoRa chirps from the same packet would remain pretty stable
power of consecutive jamming chirps will concentrate in the and share high similarity. In addition, as a selective jammer
demodulation window, as if one jamming chirp is well-aligned starts jamming after interpreting the header of a legitimate
P
packet, it leaves the packet preamble intact. As such, a receiver
(i.e., gateway) can measure the RSS from the preamble of a -DPPHU
/HJLWLPDWH7[

legitimate packet and use the measured RSS to help extract *DWHZD\

legitimate chirps from jamming chirps.

P
Finally, we present a RSS-based LoRa decoder as a coun-
termeasure to the synchronized jamming attack. The decoding
process generally works as follows. A receiver first detects
the preamble of LoRa packet. In addition to extracting symbol
timing (i.e., chirp edges) from preamble as in a standard LoRa (a) Indoor experiment map.
9
decoder, we also measure the RSS of preamble chirps. We
then employ the same method of a standard decoder to locate Jammer

100m
Legitimate Tx
and demodulate symbol chirps in the payload. In each de-

205m
Gateway

modulation window, we can obtain the interleaved FFT results


of demodulated legitimate and jamming chirps, as shown in
Fig. 10(b). Different from a standard decoder that selects the
highest FFT peak as demodulation result, we pick the FFT
peak with a magnitude that can best match the RSS measured
from preamble as the demodulation result of legitimate chirp. 210m
We iteratively apply this method to demodulate all legitimate
chirps and feed demodulated symbols into a standard decoder
to produce the payload data of legitimate packet. (b) Outdoor experiment map.
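The RSS-matched peak selection described above, as an added simulation example (pure Python; this is not the authors' MATLAB implementation): it builds a constructed packet with SF = 8 at one sample per chip, adds a synchronized jamming chirp of higher amplitude to each payload window, and compares the standard highest-peak decoder with a decoder that picks the FFT peak whose magnitude is closest to the RSS measured from the preamble. The amplitudes, the candidate floor and the matching tolerance are assumptions of this example, not values from the paper; the decoder also reports the close-RSS case, where power alone cannot separate the two chirps, instead of guessing.

```python
"""RSS-matched LoRa symbol decoder: constructed simulation, not the paper's code."""
import cmath
import math
import random

SF = 8
N = 1 << SF  # samples per chirp: one sample per chip, i.e. sampling rate = BW

# Twiddle table for the O(N^2) DFT below (kept dependency-free on purpose).
_TWIDDLE = [cmath.exp(-2j * math.pi * m / N) for m in range(N)]


def chirp(symbol, amplitude):
    """One LoRa symbol: the base up-chirp cyclically shifted by `symbol` chips.
    The amplitude is constant over the chirp (CSS carries no amplitude modulation)."""
    return [amplitude * cmath.exp(2j * math.pi * (n * n / (2.0 * N) + symbol * n / N))
            for n in range(N)]


def dechirp_magnitudes(window):
    """Multiply the window by the conjugate base up-chirp and return |DFT| per bin.
    A chirp of symbol s and amplitude A aligned to the window gives a peak A*N at bin s."""
    base = chirp(0, 1.0)
    y = [w * b.conjugate() for w, b in zip(window, base)]
    return [abs(sum(y[n] * _TWIDDLE[(k * n) % N] for n in range(N))) for k in range(N)]


def decode_standard(mags):
    """Standard LoRa demodulation: the highest FFT peak wins."""
    return max(range(N), key=mags.__getitem__)


def preamble_rss(preamble_windows):
    """Reference RSS: mean peak magnitude over the (unjammed) preamble chirps."""
    peaks = [max(dechirp_magnitudes(w)) for w in preamble_windows]
    return sum(peaks) / len(peaks)


def decode_rss_matched(mags, ref, tol=0.15, floor=0.2):
    """Pick the FFT peak whose magnitude best matches the preamble RSS `ref`.
    Candidates are bins at or above `floor` * max (the rest is treated as noise).
    Returns None when a second candidate also lies within `tol` * ref of the
    reference: the jammer's RSS is then too close to separate by power alone.
    `tol` and `floor` are assumed values for this example."""
    strongest = max(mags)
    candidates = [k for k in range(N) if mags[k] >= floor * strongest]
    candidates.sort(key=lambda k: abs(mags[k] - ref))
    if len(candidates) > 1 and abs(mags[candidates[1]] - ref) <= tol * ref:
        return None
    return candidates[0]


def simulate(legit_symbols, jam_symbols, legit_amp=1.0, jam_amp=3.0,
             noise=0.02, n_preamble=4, seed=7):
    """Run both decoders over a constructed packet.
    Returns (standard_decoded, rss_matched_decoded) symbol lists."""
    rng = random.Random(seed)

    def noisy(samples):
        return [s + complex(rng.gauss(0, noise), rng.gauss(0, noise)) for s in samples]

    # Preamble: legitimate base up-chirps only (a selective jammer has not started yet).
    preamble = [noisy(chirp(0, legit_amp)) for _ in range(n_preamble)]
    ref = preamble_rss(preamble)

    standard, matched = [], []
    for s_l, s_j in zip(legit_symbols, jam_symbols):
        # Synchronized jamming: the jamming chirp is aligned with the legitimate chirp,
        # so both appear as clean peaks in the same demodulation window.
        window = noisy([a + b for a, b in zip(chirp(s_l, legit_amp), chirp(s_j, jam_amp))])
        mags = dechirp_magnitudes(window)
        standard.append(decode_standard(mags))
        matched.append(decode_rss_matched(mags, ref))
    return standard, matched


if __name__ == "__main__":
    std, rss = simulate([17, 200, 5], [42, 42, 99])
    print("standard decoder   :", std)  # follows the stronger jamming chirps
    print("RSS-matched decoder:", rss)  # recovers the legitimate symbols
    print("jammer at ~same RSS:", simulate([17], [42], jam_amp=1.02)[1])  # [None]
```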
We note that if the RSS of the jamming chirps and the RSS of the legitimate chirps are very close, our RSS-based protection method alone cannot separate the legitimate chirps from the jamming chirps. In practice, it can be very challenging for a jammer to tune the transmission power of its jamming chirps so that they are received by a LoRa gateway at an RSS similar to that of the legitimate chirps. Note that there is no feedback to the jammer from either the legitimate LoRa node or the LoRa gateway. Besides, in case of transmission failure because of a jamming attack, a LoRa node would retransmit at a different transmission power. Since our RSS-based protection method is orthogonal to the existing collision recovery methods which leverage time and frequency domain information, those existing methods can be used in parallel to enhance the protection method.

[Fig. 11: Experiment layout. (a) Indoor experiment map. (b) Outdoor experiment map.]

VI. IMPLEMENTATION AND EVALUATION

A. Implementation and Setup

We implement the jamming attack and the corresponding countermeasure in the real world. We conduct experiments and evaluation in both indoor and outdoor environments. Specifically, as shown in Fig. 11, the indoor test bed spans 14 × 6 m² and is a typical office room with rich multipath. The outdoor test bed spans 210 × 100 m² and is an urban outdoor environment with many skyscrapers. We use a COTS LoRa node (i.e., a LoRa shield, which consists of HopeRF's RFM96W transceiver module embedded with the Semtech SX1276 chip) as the legitimate transmitter and put it at different places (blue dots in Fig. 11(a) and Fig. 11(b)). A low-cost receive-only RTL-SDR dongle (i.e., yellow dot) is used as the LoRa gateway to record the PHY samples. We implement the jamming process on a USRP N210 to work as a jammer (i.e., red dot). For performance evaluation, we develop the standard LoRa demodulator and our own countermeasure in MATLAB to process the PHY samples received by the RTL-SDR dongle. All devices work in the 915 MHz band. If not specified, we configure the spreading factor, code rate, and bandwidth of the LoRa chirp signal to 8, 4/8, and 250 kHz, respectively.

To evaluate the impact of the jamming attack and the effectiveness of our countermeasure, we implement the following two schemes: 1) Victim: Legitimate LoRa communication (using standard LoRa demodulation) under jamming attack, which is used to evaluate the impact of the jamming attack; and 2) Protege: The victim protected by our countermeasure against jamming, which is used to demonstrate the effectiveness of our countermeasure.

We use the following metrics to evaluate the performance. 1) PRR: Packet Reception Rate (PRR) is the ratio of correctly received packets over the transmitted legitimate packets. 2) SER: Symbol Error Rate (SER) is the ratio of incorrectly demodulated symbols; and 3) Throughput: It quantifies the successfully received bits per unit time. We also compare our countermeasure with FTrack [12] and Choir [13] against the jamming attack.

B. Basic Performance

1) Impact of Jamming Attack: In this experiment, the legitimate transmitter sends LoRa packets every 2 seconds. The payload length of each packet is set to 30 with the lowest transmission power (5 dBm) in the indoor environment. We keep the three players (i.e., in Fig. 11(a)) static and vary the transmission power of the jammer from 5 dBm to 30 dBm. In each scenario, we conduct over 120 measurements.

Fig. 12 shows the victim's PRR and throughput under jamming with different transmission power. We observe that when the jamming power is relatively small (5 ∼ 10 dBm), the PRR of Victim is almost 100%, meaning that the jamming attack has no impact on the LoRa communication due to its low jamming power. With a further increase of jamming power (15 dBm), the victim's PRR begins to decrease rapidly. When the jamming power is 20 dBm or higher, the PRR decreases and almost all packets are jammed by the attacker. Accordingly, the throughput of the victim drops drastically when the jamming power is 20 ∼ 30 dBm. This result reveals that LoRa communication is vulnerable to a synchronized jamming attack with a relatively high transmission power and that the performance of LoRa communication can be substantially affected.

[Fig. 12: Jammer performance with different transmission power (x-axis: transmit power of jammer, dBm). Victim's (a) PRR and (b) Throughput (bit/s).]

2) Performance of Countermeasure: In this experiment, we evaluate the performance of the countermeasure. We use the same setting as in subsection VI-B1. Fig. 13 presents the results. The average PRR and throughput of protege are higher than 70% across all transmission powers of the jammer. In comparison with Fig. 12, the overall PRR and throughput of protege are much higher than those of victim, especially when the jamming power is higher than 15 dBm. The throughput of protege is 20× higher than that of victim when the jamming power is 25 dBm, and 23× when the jamming power is 30 dBm. This is because when the transmission power is higher than 15 dBm, the SINR at the receiver is low (−10 ∼ −5 dB). In this case, the power of the legitimate chirps is weaker than that of the jamming chirps, leading to incorrect demodulation results for victim. In contrast, our countermeasure can leverage the difference in received signal strength and separate the legitimate chirps from the jamming chirps. The experiment results indicate that our countermeasure can protect the LoRa gateway against such synchronized jamming attacks.

[Fig. 13: Countermeasure performance with different transmission power (x-axis: transmit power of jammer, dBm). Protege's (a) PRR and (b) Throughput (bit/s).]

3) Comparison with Existing Countermeasures: In the following, we compare victim and protege with two typical collision recovery and parallel decoding methods, i.e., FTrack and Choir. We compare these four methods in low (−10 ∼ −5 dB), medium (−5 ∼ 5 dB), and high (5 ∼ 10 dB) SINR scenarios. Each scenario includes over 120 measurements. We plot the SER and throughput in Fig. 14. We observe that victim, Choir and protege have lower SER as the SINR becomes higher. However, FTrack has over 72% SER in all scenarios. This is because FTrack distinguishes colliding chirps by using the frequency tracks caused by the time misalignment of two chirps. However, the jammer in this paper synchronizes jamming chirps with legitimate chirps, making it hard for a collision recovery method which uses timing information to separate them. Since Choir disentangles colliding chirps by leveraging the disparity in the frequency domain, higher signal strength benefits its performance. We can also see that protege has the best performance in terms of SER and throughput in all SINR scenarios. Specifically, in the low SINR scenario, our countermeasure (i.e., protege) only has 26% SER while FTrack and Choir have SERs of 96.38% and 98.7% respectively, even higher than that of victim (77%) using standard LoRa demodulation. In the high SINR scenario, Choir and FTrack still have very high SER and low throughput, while protege and victim have almost 0 SER and 100% throughput. This experiment demonstrates that our RSS-assisted countermeasure outperforms all existing countermeasures.

[Fig. 14: Performance comparison of Victim, Choir, FTrack, and Protege under different SINRs (low, medium, high): (a) Symbol Error Rate (SER) and (b) Throughput (bit/s).]

C. Impact of LoRa Configuration

In this subsection, we examine the impact of the LoRa packet configuration on the performance of the jamming attack and our countermeasure strategy. We adopt the same experiment settings as in Section VI-B. Due to the page limit, we only present the results for high jamming power (≥ 20 dBm).

We first study the impact of the LoRa spreading factor (SF). In this experiment, we fix the bandwidth to 250 kHz and vary SF from 7 to 11. We compare the PHY layer symbol error rates of the standard demodulation method (i.e., victim) and our countermeasure strategy (i.e., protege) in Fig. 15(a). As expected, the SER of victim stays at a high level (e.g., > 90%) for all SFs due to the high jamming power. In contrast, protege can decode legitimate packets with SER lower than 10% when SF = 7 ∼ 9. We observe that the SER of protege increases dramatically to higher than 60% as SF increases to 10 and 11. This is because the frequency gap between LoRa symbols becomes narrower as SF increases. As such, a larger SF will generally make the demodulation more vulnerable to jamming attacks.

We next evaluate the SERs of victim and protege for various bandwidths (BW) of the LoRa packet. We set SF = 8 and change BW from 125 kHz to 500 kHz in the experiment. In Fig. 15(b), we see that, compared to the high SERs of the standard demodulation method (i.e., victim), our countermeasure strategy can correctly demodulate legitimate chirps with SER < 20% when BW ≥ 250 kHz. This is because a wider bandwidth corresponds to a larger frequency gap between LoRa symbols. As such, a wider bandwidth will generally make the demodulation more robust to jamming attacks.

[Fig. 15: Impact of (a) SF (7 to 11) and (b) BW (125k, 250k, 500k) on Symbol Error Rate (SER) of Victim and Protege.]
[Fig. 16: Impact of (a) Distance between Tx and Jammer (m) and (b) Distance between Rx and Jammer (m) on SER of Victim and Protege.]

D. Impact of Jamming Distance

We perform testbed experiments in an outdoor environment as shown in Fig. 11(b). Unless otherwise specified, we adopt the default LoRa packet configuration of SF = 8, BW = 250 kHz. In the first experiment, we place the jammer at a fixed distance (15 m) from the gateway and keep them static. We place the legitimate LoRa node at different locations to evaluate the effective jamming range. The transmit power of the jammer is fixed to 20 dBm. We configure the legitimate node with the maximum transmit power (i.e., 23 dBm) and change the node locations with distances of 15 ∼ 160 m to the gateway. We present the SER results of the standard demodulation method (i.e., victim) and our countermeasure strategy (i.e., protege) in Fig. 16(a). We observe that both victim and protege can correctly demodulate legitimate packets when the node is within 45 m of the gateway because of the high SINR of the packets (i.e., higher signal power than jamming power). When the distance is between 60 ∼ 120 m, the SER of victim increases dramatically to ≥ 80%, because the signal power of the legitimate packets falls below the jammer power. Protected by our countermeasure, protege can still correctly demodulate packets when the distance is between 60 ∼ 120 m. When the distance further increases to 160 m, the received signal strength of the legitimate packets becomes too weak, leading to almost 100% SER for both strategies.

In the second experiment, we keep the gateway and the legitimate node at fixed locations and move the jammer to evaluate the jamming performance at different distances. The legitimate node transmits with the maximum power (i.e., 23 dBm). The distance between the legitimate node and the gateway is 20 m. We configure the jammer with a TX power gain of 80 dB. In Fig. 16(b), we find that the SER of the standard demodulation method (i.e., victim) decreases with jamming distance, because the power of the jamming chirps becomes weaker as the distance increases. The SERs of protege are higher than 30% when the jamming distance is ≤ 25 m, because of the comparable signal power of jamming chirps and legitimate chirps. When the distance is ≥ 30 m, both victim and protege can correctly demodulate the symbols since the power of the jamming chirps becomes too weak in this range. In summary, when a jammer is very close to the gateway, the victim's performance will be dramatically affected by the jammer. With our countermeasure, protege can still demodulate some of the symbols correctly. Note that the LoRa PHY adopts an error correction code to correct symbol errors in practice.

VII. RELATED WORK

A variety of LPWAN technologies such as SigFox [19], NB-IoT [20], LTE-M [21] and LoRa [22] have been proposed to support wide area network connections for IoT devices. Prior efforts [1], [23]–[27] are devoted to the measurement study and performance analysis of LoRa, such as packet air-time [28], [29], power consumption [1], [30], coverage [31], [32], PHY security [33], etc. Based on these measurements, many strategies [4], [34]–[40] have been proposed to optimize LoRa communications and applications.

Wireless jamming has been extensively studied in the literature [41]–[43]. Recent works study the impact of jammers on LoRaWAN and propose countermeasures. LoRaTS [44] studies attack-aware data timestamping in LoRaWAN, which can protect LoRaWAN against frame delay attacks. Aras et al. [45] identify a few security vulnerabilities of LoRa including encryption key extraction, jamming attacks, and replay attacks. Aras et al. [9] use commodity LoRa nodes as jammers to selectively jam LoRa packets. Previous collision recovery and parallel decoding schemes can help mitigate the impact of those jammers. Unlike those works, we study the impact of synchronized jamming chirps and propose a countermeasure to protect against such new jamming attacks.

Collision recovery and parallel demodulation schemes can be used to resolve collisions between LoRa chirps and jamming signals and thereby protect LoRa communication under jamming attacks. Choir [13] differentiates LoRa chirps by examining the frequency differences between different LoRa nodes. Choir groups different chirps according to different frequencies and separates colliding LoRa chirps. Other works leverage the misalignment of colliding packets in the time domain to separate colliding chirps. FTrack [12] detects the continuity of chirps within a demodulation window to recover collisions. mLoRa [14] derives the time offset between colliding packets based on preamble detection results and obtains collision-free PHY samples. CoLoRa [17] groups LoRa chirps to their corresponding LoRa nodes by examining the power level of the same frequency in different demodulation windows. NScale [16] amplifies the time offsets between colliding packets with non-stationary signal scaling. Those previous works mainly resolve collisions by leveraging time domain and frequency domain information. Our protection mechanism complements and enhances the previous works. We extract legitimate chirps from jamming chirps by examining their corresponding received power in demodulation windows.

VIII. CONCLUSION

In this paper, we reveal the vulnerability of the LoRa PHY under the attack of synchronized jamming chirps. The insight of the jamming attack is that a well-synchronized jamming chirp cannot be separated from a legitimate LoRa chirp in the time domain. As a result, most existing protection methods cannot protect the LoRa PHY against such synchronized jamming chirps. To enhance the LoRa PHY, we propose a novel countermeasure, which leverages the difference between the received signal strength of legitimate chirps and jamming chirps in the power domain. The protection method can complement and enhance existing collision recovery schemes which leverage the chirp misalignment in the time domain or the frequency disparity in the frequency domain.

ACKNOWLEDGEMENT

This work is supported by the National Natural Science Foundation of China under grant 61702437 and Hong Kong GRF under grant PolyU 152165/19E. Yuanqing Zheng is the corresponding author.
REFERENCES

[1] J. C. Liando, A. Gamage, A. W. Tengourtius, and M. Li, "Known and unknown facts of LoRa: Experiences from a large-scale measurement study," ACM Trans. Sen. Netw., vol. 15, no. 2, Feb. 2019.
[2] J. P. S. Sundaram, W. Du, and Z. Zhao, "A survey on LoRa networking: Research problems, current solutions and open issues," IEEE Communications Surveys & Tutorials, vol. 22, no. 1, 2019.
[3] W. Gao, W. Du, Z. Zhao, G. Min, and M. Singhal, "Towards energy-fairness in LoRa networks," in IEEE ICDCS'19, 2019.
[4] X. Xia, Y. Zheng, and T. Gu, "LiteNap: Downclocking LoRa reception," in IEEE INFOCOM'20, 2020.
[5] Semtech LoRa applications. [Online]. Available: https://www.semtech.com/lora/lora-applications
[6] F. Zhang, Z. Chang, K. Niu, J. Xiong, B. Jin, Q. Lv, and D. Zhang, "Exploring LoRa for long-range through-wall sensing," Proc. ACM Interact. Mob. Wearable Ubiquitous Technol., vol. 4, no. 2, Jun. 2020. [Online]. Available: https://doi.org/10.1145/3397326
[7] L. Chen, J. Xiong, X. Chen, S. I. Lee, K. Chen, D. Han, D. Fang, Z. Tang, and Z. Wang, "WideSee: Towards wide-area contactless wireless sensing," in Proceedings of the 17th Conference on Embedded Networked Sensor Systems, ser. SenSys '19, 2019, pp. 258–270.
[8] A. Mpitziopoulos, D. Gavalas, C. Konstantopoulos, and G. Pantziou, "A survey on jamming attacks and countermeasures in WSNs," IEEE Communications Surveys & Tutorials, vol. 11, no. 4, pp. 42–56, 2009.
[9] E. Aras, N. Small, G. S. Ramachandran, S. Delbruel, W. Joosen, and D. Hughes, "Selective jamming of LoRaWAN using commodity hardware," in Proceedings of the 14th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services, 2017, pp. 363–372.
[10] A. Rahmadhani and F. Kuipers, "When LoRaWAN frames collide," in Proceedings of the 12th International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization, 2018, pp. 89–97.
[11] K. Mikhaylov, R. Fujdiak, A. Pouttu, V. Miroslav, L. Malina, and P. Mlynek, "Energy attack in LoRaWAN: experimental validation," in Proceedings of the 14th International Conference on Availability, Reliability and Security, 2019, pp. 1–6.
[12] X. Xia, Y. Zheng, and T. Gu, "FTrack: Parallel decoding for LoRa transmissions," in Proceedings of the 17th Conference on Embedded Networked Sensor Systems, 2019, pp. 192–204.
[13] R. Eletreby, D. Zhang, S. Kumar, and O. Yağan, "Empowering low-power wide area networks in urban settings," in Proceedings of the Conference of the ACM Special Interest Group on Data Communication, 2017, pp. 309–321.
[14] X. Wang, L. Kong, L. He, and G. Chen, "mLoRa: A multi-packet reception protocol in LoRa networks," in 2019 IEEE 27th International Conference on Network Protocols (ICNP). IEEE, 2019, pp. 1–11.
[15] Y. Peng, L. Shangguan, Y. Hu, Y. Qian, X. Lin, X. Chen, D. Fang, and K. Jamieson, "PLoRa: Passive long-range data networks from ambient LoRa transmissions," in ACM SIGCOMM'18, 2018.
[16] S. Tong, J. Wang, and Y. Liu, "Combating packet collisions using non-stationary signal scaling in LPWANs," in ACM MobiSys'20, 2020.
[17] S. Tong, Z. Xu, and J. Wang, "CoLoRa: Enable multi-packet reception in LoRa," in IEEE INFOCOM'20, 2020.
[18] Z. Wang, L. Kong, K. Xu, L. He, K. Wu, and G. Chen, "Online concurrent transmissions at LoRa gateway," in IEEE INFOCOM'20, 2020.
[19] SigFox. (2019, Jan.) Sigfox overview. [Online]. Available: https://www.sigfox.com/en/sigfox-iot-technology-overview
[20] R. Ratasuk, B. Vejlgaard, N. Mangalvedhe, and A. Ghosh, "NB-IoT system for M2M communication," in Proceedings of IEEE Wireless Communications and Networking Conference, ser. (WCNC 2016), Apr 2016, pp. 1–5.
[21] M. Lauridsen, I. Z. Kovacs, P. Mogensen, M. Sorensen, and S. Holst, "Coverage and capacity analysis of LTE-M and NB-IoT in a rural area," in Proceedings of IEEE 84th Vehicular Technology Conference, ser. (VTC-Fall 2016), Sep 2016, pp. 1–5.
[22] L. Alliance. (2019, Jan.) LoRaWAN for developer. [Online]. Available: https://lora-alliance.org/lorawan-for-developers
[23] A. Rahmadhani and F. Kuipers, "When LoRaWAN frames collide," in Proceedings of the 12th International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization (WiNTECH'18). New York, USA: ACM, Nov 2018, pp. 89–97.
[24] F. Adelantado, X. Vilajosana, P. Tuset-Peiro, B. Martinez, J. Melia-Segui, and T. Watteyne, "Understanding the limits of LoRaWAN," IEEE Communications Magazine, vol. 55, no. 9, pp. 34–40, Sep. 2017.
[25] D. Bankov, E. Khorov, and A. Lyakhov, "On the limits of LoRaWAN channel access," in Proceedings of the 2016 International Conference on Engineering and Telecommunication (EnT), Nov 2016, pp. 10–14.
[26] M. C. Bor, U. Roedig, T. Voigt, and J. M. Alonso, "Do LoRa low-power wide-area networks scale?" in Proceedings of the 19th ACM International Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems (MSWiM'16), Nov 2016, pp. 59–67.
[27] J. Haxhibeqiri, F. V. den Abeele, I. Moerman, and J. Hoebeke, "LoRa scalability: A simulation model based on interference measurements," Sensors, vol. 17, no. 6, p. 1193, Mar 2017.
[28] U. Noreen, A. Bounceur, and L. Clavier, "A study of LoRa low power and wide area network technology," in Proceedings of the 2017 International Conference on Advanced Technologies for Signal and Image Processing (ATSIP), Oct 2017, pp. 1–6.
[29] A. Lavric and V. Popa, "A LoRaWAN: Long range wide area networks study," in Proceedings of the 2017 International Conference on Electromechanical and Power Systems (SIELMEN), Oct 2017, pp. 417–420.
[30] T. Bouguera, J.-F. Diouris, J.-J. Chaillout, R. Jaouadi, and G. Andrieux, "Energy consumption model for sensor nodes based on LoRa and LoRaWAN," Sensors, vol. 18, no. 7, p. 2104, Jul 2018.
[31] J. Petajajarvi, K. Mikhaylov, A. Roivainen, T. Hanninen, and M. Pettissalo, "On the coverage of LPWANs: range evaluation and channel attenuation model for LoRa technology," in Proceedings of the 2015 14th International Conference on ITS Telecommunications (ITST), Dec 2015, pp. 55–59.
[32] J. Petäjäjärvi, K. Mikhaylov, M. Pettissalo, J. Janhunen, and J. Iinatti, "Performance of a low-power wide-area network based on LoRa technology: Doppler robustness, scalability, and coverage," International Journal of Distributed Sensor Networks, vol. 13, no. 3, pp. 1–16, Mar 2017.
[33] N. Hou and Y. Zheng, "CloakLoRa: A covert channel over LoRa PHY," in The 28th IEEE International Conference on Network Protocols (ICNP'20), 2020.
[34] A. Dongare, R. Narayanan, A. Gadre, A. Luong, A. Balanuta, S. Kumar, B. Iannucci, and A. Rowe, "Charm: Exploiting geographical diversity through coherent combining in low-power wide-area networks," in Proceedings of the ACM/IEEE IPSN'18, 2018, pp. 60–71.
[35] A. Gadre, R. Narayanan, A. Luong, A. Rowe, B. Iannucci, and S. Kumar, "Frequency configuration for low-power wide-area networks in a heartbeat," in Proceedings of the USENIX NSDI'20, 2020, pp. 339–352.
[36] A. Gadre, F. Yi, A. Rowe, B. Iannucci, and S. Kumar, "Quick (and dirty) aggregate queries on low-power WANs," in 2020 19th ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN), 2020, pp. 277–288.
[37] A. Balanuta, N. Pereira, S. Kumar, and A. Rowe, "A cloud-optimized link layer for low-power wide-area networks," in Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services, ser. MobiSys '20. New York, NY, USA: Association for Computing Machinery, 2020, pp. 247–259.
[38] A. Gamage, J. C. Liando, C. Gu, R. Tan, and M. Li, "LMAC: Efficient carrier-sense multiple access for LoRa," in The 26th Annual International Conference on Mobile Computing and Networking (MobiCom'20), 2020.
[39] M. Hessar, A. Najafi, and S. Gollakota, "NetScatter: Enabling large-scale backscatter networks," in 16th USENIX Symposium on Networked Systems Design and Implementation (NSDI 19), 2019, pp. 271–284.
[40] R. Nandakumar, V. Iyer, and S. Gollakota, "3D localization for sub-centimeter sized devices," in Proceedings of the 16th ACM Conference on Embedded Networked Sensor Systems, 2018, pp. 108–119.
[41] W. Xu, W. Trappe, Y. Zhang, and T. Wood, "The feasibility of launching and detecting jamming attacks in wireless networks," in Proceedings of the 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing, 2005, pp. 46–57.
[42] Y. Zou, J. Zhu, X. Wang, and L. Hanzo, "A survey on wireless security: Technical challenges, recent advances, and future trends," Proceedings of the IEEE, vol. 104, no. 9, pp. 1727–1765, 2016.
[43] Y. Liu, H.-H. Chen, and L. Wang, "Physical layer security for next generation wireless networks: Theories, technologies, and challenges," IEEE Communications Surveys and Tutorials, vol. 19, no. 1, pp. 347–376, 2017.
[44] C. Gu, L. Jiang, R. Tan, M. Li, and J. Huang, "Attack-aware data timestamping in low-power synchronization-free LoRaWAN," in IEEE ICDCS'20, 2020.
[45] E. Aras, G. S. Ramachandran, P. Lawrence, and D. Hughes, "Exploring the security vulnerabilities of LoRa," in CYBCONF'17, 2017.