Discovery privacy threats via device de-anonymization in LoRaWAN

LoRaWAN (Long Range WAN) is one of the well-known emerging technologies for the Internet of Things (IoT). Many IoT applications involve simple devices that transmit their data toward network gateways or access points that, in their turn, redirect data to application servers. While several security issues have been addressed in the LoRaWAN specification v1.1, there are still some aspects that may undermine privacy and security of the interconnected IoT devices. In this paper, we tackle a privacy aspect related to LoRaWAN device identity. The proposed approach, by monitoring the network traffic in LoRaWAN, is able to derive, in a probabilistic way, the unique identifier of the IoT device from the temporal address assigned by the network. In other words, the method identifies the relationship between the LoRaWAN DevAddress and the device manufacturer DevEUI. The proposed approach, named DEVIL (DEVice Identification and privacy Leakage), is based on temporal patterns arising in the packets transmissions. The paper presents also a detailed study of two real datasets: i) one derived by IoT devices interconnected to a prominent network operator in Italy; ii) one taken from the literature (the LoED dataset in Bhatia et al. (2020)). DEVIL is evaluated on the first dataset while the second is analyzed to support the hypothesis under the DEVIL operation. The results of our analysis, compared with other literature approaches, show how device identification through DEVIL can expose IoT devices to privacy leakage. Finally, the paper also provides some guidelines to mitigate the user re-identification threats.