LoRaWAN is a widely adopted low-power wide-area networking (LPWAN) protocol designed for scalable IoT communications. Much existing research on covert channels in LoRa systems focuses on physical-layer modulation, but higher layers present overlooked vectors for stealthy data embedding. We introduce a novel covert communication channel exploiting unused bits in the MAC header (MHDR) of LoRaWAN downlink packets. By modifying the LoRaWAN network server's message construction logic, covert bits can be injected into Reserved for Future Use (RFU) fields of downlink packets without altering physical-layer transmission. We maintain full compatibility with LoRaWAN's encryption and integrity-checking mechanisms, including the Message Integrity Code (MIC), by inserting covert bits before MIC generation. Experimental validation on a private LoRaWAN testbed confirms that the covert channel delivers the bits per downlink packet with no practical measurable impact on packet delivery, power consumption, or protocol compliance. Security analysis shows detection is improbable under standard LoRaWAN gateway, network server, or passive RF sniffer monitoring models. The proposed method enables low-bandwidth, stealthy communication for benign or adversarial purposes, highlighting the need for holistic security audits that extend beyond the PHY layer in LPWAN protocols. To this end, we also present several countermeasures to mitigate this issue.
