LoRaWAN and cybersecurity in plain terms: how data is encrypted and what to do to keep the network reliable

What exactly LoRaWAN protects and who can see the data

In LoRaWAN networks, protection is built directly into the communication rules. Two layers operate in tandem. The network layer ensures that a frame is not corrupted in transit via a MIC integrity check. The application layer encrypts the “contents” of the frame—the meter readings and telemetry—so that even the network operator cannot read them. This type of protection is called application layer security and is backed by AES-128 encryption and LoRaWAN encryption.

Recent protocol versions further separate roles and keys to reduce LoRaWAN vulnerabilities and strengthen LoRaWAN authentication privacy.

Devices are best attached using the OTAA join procedure, where session keys are generated automatically and can be rotated regularly, enabling secure key exchange. The ABP mode is convenient for laboratory tests, but is less suitable for real projects because keys are static.

Each frame carries a counter whose value only increases, providing replay attack prevention. To prevent a device from “forgetting” this counter after reboot, it is stored in non-volatile memory as part of rigorous device provisioning and device authentication IoT practices.

Gateways and the “cloud”: where configuration errors are most common

A gateway is the bridge between the radio channel and the IP segment. A secure configuration is the LoRa Basics™ Station with TLS and certificate-based authentication—core measures of gateway security. Gateways are usually isolated into a dedicated network, allowed only strictly defined outbound connections, and kept current with timely firmware updates.

To mitigate against possible IoT cybersecurity risks, the same strict approach applies in the cloud: LoRaWAN servers (network, join, and application) communicate only over TLS with mutual authentication, use role-based access control, and maintain event logs.

Typical threats

Eavesdropping on the radio does not reveal contents, as data is protected by end-to-end encryption LoRaWAN, and integrity is verified. Replaying a captured frame will also not work because of the counter. A cloned device is detected and blocked thanks to unique keys and the secure attachment procedure (OTAA).

Interference on the air is a real issue for any radio network. It is mitigated by overlapping coverage (several gateways “hearing” the same device) and by monitoring link quality, such as the share of lost packets and signal level, using intrusion detection IoT–style observability. At critical sites, a backup channel is added.

Risks in the cloud are reduced by traditional measures such as network segmentation, least-privilege access for users and services, multi-factor authentication, timely updates, external vulnerability assessments, and an incident recovery plan—all of which is essential for data confidentiality within IoT devices backends.

Personal data: why this matters

Meter readings reflect the behavior of people and organizations and are considered sensitive information in smart city carbon management–style reporting. Sound practice is to transmit only the necessary minimum, strictly limit access, define retention periods in advance, and use anonymization for open reports and public dashboards.

A brief configuration guide for cybersecurity

• Attach devices via OTAA, store keys in protected vaults, rotate session keys regularly, and keep frame counters in non-volatile memory.
• Build encrypted channels: TLS between gateways and the backend and between all backend components, with mutual authentication.
• Isolate gateways on the network, keep software updated, apply allow-lists for connections, and use the principle of least privilege.
• Introduce role-based access control, multi-factor authentication, action auditing, and immutable event logs.
• Continuously observe network health: fraction of successful transmissions, signal level, join anomalies, “silent” nodes, and counter resets.
• Formalize the lifecycle: checklist-based acceptance, device identifier inventory, signed firmware and secure over-the-air updates, regular audits, and recovery drills.

LoRaWAN provides a high level of security, including encryption, integrity control, and protection against replays—foundational elements of end-to-end encryption LoRaWAN. However, to make this ensemble a full-fledged “immune system,” it is important to attach devices correctly, manage keys with discipline, configure gateways and servers properly, and maintain continuous monitoring. 

Putting these safeguards in place will make it easier to demonstrate compliance, reduce costs, and ensure a stable service because data is protected, the network operates predictably, and users receive accurate bills—outcomes that are aligned with IoT sustainability projects, environmental monitoring systems, and data analytics best practices.