Long-Range: Detailed Tuning for Maximum Efficiency

WILD

In the hacker's world, not everything can be solved by hacking software. Sometimes you need hardware that operates far and wide, unnoticed. Long-Range isn't just a buzzword, but a whole class of technologies that allow data to be transmitted over kilometers, consume microwatts of power, and operate in areas where regular Wi-Fi would die after 100 meters.

I've combed through tons of documentation on LoRa, Yagi antennas, and other long-range technologies, configured gateways, lost packets, and found them again. Now I'll explain how to approach Long-Range from a hacker's perspective: how to deploy your own network, how to extract data from other people's devices, and how to avoid detection.

Part 1: What is Long-Range and Why is it Interesting?

Long-Range technologies (LoRa, LoRaWAN, Sigfox, and others) operate at frequencies below 1 GHz. They use a narrow bandwidth and special modulations to ensure the signal travels far and penetrates walls.

Advantages for a hacker:

Range. Open terrain—kilometers. Urban areas—hundreds of meters.
Low power consumption. Devices can operate for years on battery power.
Penetration. The signal passes through concrete, metal, and earth.
Inexpensive. LoRa modules cost pennies.

Applications:

Smart cities (light sensors, trash bins).
Agriculture (humidity and temperature sensors).
Industry (pipe and pump monitoring).
Security (opening and motion sensors).

For a hacker, these are all potential attack vectors.

Part 2: What we'll need for the experiments

2.1. Gateway: This is the data collection point. It typically connects to the internet via Ethernet or 3G and listens on the air for LoRa packets. The most popular ones are:

Dragino LG01 – inexpensive, single-channel.
RAK7249 – powerful, eight-channel, with PoE.
IMST iC880A – for building your own gateway on a Raspberry Pi.

2.2. LoRa Modules: For creating your own devices or intercepting others':

RAK811 – inexpensive and compact.
RFM95W – a classic, works with Arduino.
HopeRF RFM96 – for 433 MHz (in Russia).

2.3. Antennas: Without a proper antenna, the range will be negligible. For hacking purposes, directional antennas (Yagi) are often needed to "shoot" at a specific point.

2.4. Software

ChirpStack — a server for LoRaWAN.
The Things Network (TTN) — a public network.
Wireshark — for traffic analysis (once you have captured traffic to feed into it).
SDR (HackRF, RTL-SDR) — for signal hunting.

Part 3: Deploying Your Gateway and Server

First, you need to understand how the network works. Install your gateway and set up the server.

3.1. Building the Gateway on Raspberry Pi

Set up the Raspberry Pi (install the OS).
Connect the LoRa module via SPI (e.g., RAK2245).
Install the lora-gateway and packet-forwarder packages.

Edit the packet-forwarder config (global_conf.json) for your frequency. In Russia, 868 MHz frequencies are permitted for LoRaWAN.

3.2. Installing ChirpStack: ChirpStack is an open-source server for LoRaWAN. It can be installed on the same Raspberry Pi or a separate server.
```
sudo apt install mosquitto mosquitto-clients redis-server postgresql
# continue following the instructions on the chirpstack.io website
```

After installation, register the gateway and add devices.

3.3. Creating a Device (End Node): Use an Arduino + RFM95W or a ready-made module like the RAK811. Write firmware that sends the temperature once per minute.

In ChirpStack, create an application and add a device with DevEUI, AppEUI, and AppKey. Enable OTAA (Over-The-Air Activation)—this is the most secure mode.
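Before writing that once-per-minute firmware, it is worth knowing what each spreading factor costs in air time, because that is the knob that trades range against battery life and the regulatory duty cycle. The script below is an added example, not code from the post: it implements the Semtech SX127x air-time formula for a LoRaWAN uplink carrying a 2-byte temperature reading (15 bytes on the air with header, FPort and MIC) and flags the spreading factors at which a 60-second send interval breaks an assumed 1% duty-cycle limit. The 1% figure, the 8-symbol preamble, coding rate 4/5, explicit header and CRC are assumptions (LoRaWAN uplink defaults), not values from the post.

```python
import math

def lora_airtime_ms(sf, bw_hz, payload_len, preamble=8, cr=1, crc=True, implicit_header=False):
    """Semtech SX127x air-time formula. cr=1 means coding rate 4/5 (cr=4 would be 4/8)."""
    t_sym = (2 ** sf) / bw_hz * 1000.0          # symbol time in ms
    de = 1 if t_sym > 16.0 else 0                 # low data-rate optimisation (SF11/SF12 at 125 kHz)
    t_preamble = (preamble + 4.25) * t_sym
    num = 8 * payload_len - 4 * sf + 28 + 16 * int(crc) - 20 * int(implicit_header)
    n_payload = 8 + max(math.ceil(num / (4 * (sf - 2 * de))) * (cr + 4), 0)
    return t_preamble + n_payload * t_sym

def lorawan_phy_len(frm_len, fopts_len=0):
    # MHDR(1) + DevAddr(4) + FCtrl(1) + FCnt(2) + FOpts + FPort(1) + FRMPayload + MIC(4)
    return 1 + 7 + fopts_len + 1 + frm_len + 4

def min_interval_s(airtime_ms, duty_cycle):
    # smallest send interval that keeps one channel under the duty-cycle limit
    return airtime_ms / 1000.0 / duty_cycle

def plan(frm_len, interval_s, bw_hz=125_000, duty_cycle=0.01):
    """For each SF: air time of the full frame and whether interval_s respects duty_cycle."""
    rows = []
    for sf in range(7, 13):
        t = lora_airtime_ms(sf, bw_hz, lorawan_phy_len(frm_len))
        rows.append({"sf": sf, "airtime_ms": round(t, 3),
                     "min_interval_s": round(min_interval_s(t, duty_cycle), 2),
                     "ok": min_interval_s(t, duty_cycle) <= interval_s})
    return rows

if __name__ == "__main__":
    for row in plan(2, 60):  # 2-byte temperature reading once per minute (assumed node)
        print(row)
```

With these assumptions SF7 to SF10 fit a one-minute interval, while SF11 and SF12 would need roughly 66 s and 116 s between sends, so the longest-range setting is also the one most likely to break the duty cycle.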

Part 4: Hacking Scenarios with Long-Range

4.1. Sniffing LoRa Traffic: LoRa isn't like WiFi; packets aren't easy to catch because they can be on different frequencies and with different spreading factors. But you can try.

Option 1: Use an SDR (HackRF) with the gr-lora program. It decodes LoRa packets if you catch them on the air.
Option 2: Build your own sniffer based on the same RFM95W, programming it to scan channels.

Important: LoRaWAN packets are encrypted (AES-128). So without the keys, you'll only see junk. However, if the manufacturer hasn't enabled encryption (this happens in cheap sensors) or uses static keys that are known, then everything can be read.

4.2. Replay Attacks: If the device uses fixed keys and doesn't check packet counters, you can record a legitimate packet and resend it later. For example, a door sensor sends an "open" signal; you intercept it and can resend it at any time.

Security: LoRaWAN uses frame counters (FCnt), so a replayed frame is rejected because its counter is not higher than the last one the server accepted. However, older devices may not support this.
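To see concretely what 4.1 and 4.2 mean, here is an added example (not code from the post) of a LoRaWAN 1.0 unconfirmed uplink built with the session keys on the node side and checked on the server side: the payload is unreadable without AppSKey, and a recorded frame played back a second time fails the FCnt check even though its MIC is still valid. It assumes the `cryptography` package is installed; the DevAddr and keys are constructed sample values, and 16-bit counter rollover and FPort 0 MAC commands are left out.

```python
import struct
from cryptography.hazmat.primitives.cmac import CMAC
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def _keystream(app_skey, dev_addr, fcnt, nbytes):
    # FRMPayload encryption (LoRaWAN 1.0): AES-ECB(AppSKey) over A_i = 0x01|0000|Dir|DevAddr|FCnt32|00|i
    out = b""
    for i in range(1, (nbytes + 15) // 16 + 1):
        a_i = bytes([0x01, 0, 0, 0, 0, 0]) + struct.pack("<II", dev_addr, fcnt) + bytes([0, i])
        enc = Cipher(algorithms.AES(app_skey), modes.ECB()).encryptor()
        out += enc.update(a_i) + enc.finalize()
    return out[:nbytes]

def decrypt_frmpayload(app_skey, dev_addr, fcnt, frm):  # XOR: the same call also encrypts
    return bytes(x ^ k for x, k in zip(frm, _keystream(app_skey, dev_addr, fcnt, len(frm))))

def _mic(nwk_skey, dev_addr, fcnt, msg):
    # MIC = first 4 bytes of AES-CMAC(NwkSKey, B0 | MHDR | MACPayload), B0 = 0x49|0000|Dir|DevAddr|FCnt32|00|len
    b0 = bytes([0x49, 0, 0, 0, 0, 0]) + struct.pack("<II", dev_addr, fcnt) + bytes([0, len(msg)])
    c = CMAC(algorithms.AES(nwk_skey))
    c.update(b0 + msg)
    return c.finalize()[:4]

def build_uplink(nwk_skey, app_skey, dev_addr, fcnt, fport, payload):
    """End-node side: unconfirmed data-up PHYPayload = MHDR | FHDR | FPort | FRMPayload | MIC."""
    fhdr = struct.pack("<IBH", dev_addr, 0x00, fcnt & 0xFFFF)  # FCtrl 0x00: no ADR, no FOpts
    msg = b"\x40" + fhdr + bytes([fport]) + decrypt_frmpayload(app_skey, dev_addr, fcnt, payload)
    return msg + _mic(nwk_skey, dev_addr, fcnt, msg)

class NetworkServer:
    """Server side: authenticate (MIC), reject replays (FCnt must increase), only then decrypt."""
    def __init__(self, nwk_skey, app_skey, dev_addr):
        self.nwk_skey, self.app_skey, self.dev_addr = nwk_skey, app_skey, dev_addr
        self.last_fcnt = -1  # highest FCntUp accepted so far (16-bit rollover not handled here)

    def receive(self, phy):
        if len(phy) < 13 or phy[0] != 0x40:
            return ("reject: not an unconfirmed uplink", None)
        msg, mic = phy[:-4], phy[-4:]
        dev_addr, fctrl, fcnt16 = struct.unpack("<IBH", msg[1:8])
        if dev_addr != self.dev_addr:
            return ("ignore: other device", None)
        fcnt = (max(self.last_fcnt, 0) & 0xFFFF0000) | fcnt16  # only 16 bits travel on the air
        if _mic(self.nwk_skey, dev_addr, fcnt, msg) != mic:
            return ("reject: bad MIC", None)  # tampered, forged, or sent with the wrong NwkSKey
        if fcnt <= self.last_fcnt:
            return ("reject: replay (FCnt not increasing)", None)  # a recorded frame played back
        self.last_fcnt = fcnt
        body = msg[8 + (fctrl & 0x0F):]  # skip FOpts; FPort 0 (MAC commands) not handled
        return ("accepted", decrypt_frmpayload(self.app_skey, dev_addr, fcnt, body[1:]))
```

A device that resets its counter to zero on reboot (typical of the ABP setups mentioned as "older devices") is exactly the case where this check stops protecting it, which is why the server should reject counter resets rather than silently accept them.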

4.3. Jamming (signal suppression): If you need to jam a LoRa device, you can simply generate noise on the same frequency. A 1-watt transmitter at 868 MHz will disrupt the entire network within a few hundred meters.

But this is illegal, so don't do it.

4.4. Intercepting Data from Weather Stations and Sensors: Many household weather stations, leak detectors, and alarms operate on 433 MHz or 868 MHz without encryption. You can listen to them using RTL-SDR with the rtl_433 program. You'll see the temperature, humidity, and sensor ID.

Example: Your neighbor has a window sensor. You know when they leave—the window is open. You can plan a visit.

4.5. Creating a Fake Gateway: Place your gateway near the target devices. If they're configured for the public network (The Things Network), they can switch to your gateway if it provides a better signal. Then all the data will flow through you.

But this requires a dedicated server to simulate TTN.

4.6. OTAA Attack (Key Swapping): In OTAA, the device and server exchange keys upon connection. If it's possible to intercept this exchange (which occurs in the clear before the session is established), the keys can be deduced. This is difficult in practice, but theoretically possible.

Part 5: Hunting Tools

5.1. RTL-SDR (for $10): The cheapest way to eavesdrop. Can't transmit, but is suitable for LoRa reception (with software).

5.2. HackRF One: Can both transmit and receive. Priced at around $300, but offers more features. You can generate your own LoRa packets and send them.

5.3. LimeSDR / USRP: For those with plenty of money and time. Full duplex, wide bandwidth.

5.4. Ready-made LoRa modules: ESP32 + LoRa, Arduino + RFM95 — for creating your own devices.

5.5. Software

gr-lora — GNU Radio block for decoding LoRa.
LimeSDR LoRa — firmware for sending LoRa.
ChirpStack — your own server.
Wireshark — for packet analysis (if you have the keys).

Part 6: The pitfalls I've stepped on

Problem 1: I thought LoRa was like WiFi—you could just turn it on and use it. But it has a spreading factor, and the frequency fluctuates. Without proper configuration, you'll have no idea what you're getting.

Problem 2: I bought a 433 MHz module, but in Russia, those frequencies are occupied by radio-controlled toys and other junk. The interference is horrendous. 868 MHz is better.

Problem 3: I tried to receive a packet through the RTL-SDR, but it didn't fit within the bandwidth. I had to tweak the filters.

Problem 4: I forgot that LoRaWAN is encrypted. I intercepted a bunch of packets, but couldn't read them. Good thing I was just testing them on my own devices.

Problem 5: I built a Yagi antenna from scrap materials, calculated the results on paper, but in practice, it turned out I didn't have an SWR meter, and the antenna didn't work.

Part 7: Legality - Don't Get in Trouble

The 868 MHz band is permitted for unlicensed use in the Russian Federation, but with power restrictions (up to 25 mW for some modes). If you install an amplifier and jam the airwaves, that's already a violation.

Sniffing other people's data is covered by Article 138 of the Russian Criminal Code (violation of the privacy of correspondence). Even if the data is unencrypted, hacking into other people's sensors is prohibited.

What is legal:

· Listening to the airwaves in general (without decoding specific devices).
· Testing on your own equipment.
· Participating in CTFs and hackathons on IoT security.

What is prohibited:

· Decoding other people's packets.
· Sending your own commands to other people's devices.
· Jamming signals.

Summary

Long-Range is a vast field for research and hacker experiments. You can collect data from smart cities, find vulnerable IoT devices, and study protocols.