What starting position does this attack require?

The first step is Operational decisions based on false data (T1486) — a impact primitive. Assumed environment: target uses LoRaWAN for distributed sensors (water level, gas, temperature).

What is the final impact of this kill-chain?

The final step lands on Sniff LoRaWAN traffic (cheap SDR / Heltec) (T1040), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

LoRaWAN replay → spoof environmental sensor

Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames — feed false readings into the upstream IoT platform.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Impact

Operational decisions based on false data

T1486 · Data Encrypted for Impact

Impact

Inject false readings

T1486 · Data Encrypted for Impact

Discovery

Identify target device frames

T1083 · File and Directory Discovery

Impact

Replay frames with reset FCnt

OT-LORAWAN-REPLAY · LoRaWAN Replay / FCnt Reset

Credential Access

Sniff LoRaWAN traffic (cheap SDR / Heltec)

T1040 · Network Sniffing

§ Context

Assumed environment: target uses LoRaWAN for distributed sensors (water level, gas, temperature). Devices use Class A and reset FCnt on reboot (common for cheap industrial sensors).

§ Steps

01
Operational decisions based on false dataImpact
T1486— Data Encrypted for Impact
02
Inject false readingsImpact
T1486— Data Encrypted for Impact
03
Identify target device framesDiscovery
T1083— File and Directory Discovery
04
Replay frames with reset FCntImpact
OT-LORAWAN-REPLAY— LoRaWAN Replay / FCnt Reset
05
Sniff LoRaWAN traffic (cheap SDR / Heltec)Credential Access
T1040— Network Sniffing

§ References

§ Frequently asked

What is the "LoRaWAN replay → spoof environmental sensor" attack path?: Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames — feed false readings into the upstream IoT platform. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Operational decisions based on false data (T1486) — a impact primitive. Assumed environment: target uses LoRaWAN for distributed sensors (water level, gas, temperature).
What is the final impact of this kill-chain?: The final step lands on Sniff LoRaWAN traffic (cheap SDR / Heltec) (T1040), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

LoRaWAN replay → spoof environmental sensor

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

BACnet HVAC → disrupt building operations

Reachable Modbus PLC → direct register override