Discovery privacy threats via device de-anonymization in LoRaWAN

LoRaWAN (Long Range WAN) is one of the well-known emerging technologies for the Internet of Things (IoT). Many IoT applications involve simple devices that transmit their data toward network gateways or access points that, in turn, redirect the data to application servers. While several security issues have been faced in the LoRaWAN v1.1 specification from the very beginning, there are still some aspects that may undermine the privacy and the security of the IoT devices. In this paper we tackle the privacy aspect in the LoRaWAN device identity. The proposed approach, by monitoring the traffic of a LoRaWAN Network, is able to derive, in a probabilistic way, the unique identifier of the device from the temporal address assigned from the network. In other words, the method identifies the relationship between the LoRaWAN DevAddress and the device manufacturer DevEUI. The proposed approach, named DEVIL (DEVice Identification and privacy Leakage), is based on temporal patterns arising in the packet transmissions by LoRaWAN devices, and it is evaluated on the dataset extracted from real applications scenario deployed in Italy by a network operator. The results of our analysis show how device identification, during the time, can expose users to privacy leakage.