Title: Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
1 Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
- Chris Karlof, David Wagner (UC Berkeley)
- IEEE International Workshop on Sensor Network Protocols and Applications, May 2003
- Presentation by Yi-jui Wu
2 Outline
- Introduction
- Background
- Problem Statement
- Attacks on Sensor Network Routing
- Attacks on Specific Sensor Network Protocols
- Countermeasures
- Conclusions
3 Introduction
- The authors focus on routing security in WSN.
- Most of the major WSN routing protocols are insecure, and this is non-trivial to fix.
- Sensor network routing protocols must be designed with security in mind.
4 Introduction
- Five main contributions
- They propose threat models and security goals for secure routing in WSN.
- They introduce two novel classes of previously undocumented attacks against sensor networks: sinkhole and HELLO floods.
5 Introduction
- Five main contributions (cont.)
- They show, for the first time, how attacks against ad-hoc wireless networks and peer-to-peer networks can be adapted into powerful attacks against sensor networks.
- They present the first detailed security analysis of all the major routing protocols and energy conserving topology maintenance algorithms for sensor networks.
- They discuss countermeasures and design considerations for secure routing protocols in sensor networks.
6 Background
- Sensor network: a heterogeneous system combining tiny sensors and actuators.
- In this paper they assume that all nodes' locations are fixed for the duration of their lifetime.
- They target the TinyOS platform in their work.
7 Background
- We must discard many preconceptions about network security.
- Public-key cryptography is so expensive as to be unusable, and even fast symmetric-key ciphers must be used sparingly. (Thus some ad-hoc network security mechanisms based on key cryptography are unsuitable for sensor networks.)
- Security protocols cannot maintain much state.
- Communication bandwidth is extremely dear.
- Power is the scarcest resource of all.
8 Problem Statement - Network Assumptions
- The radio links are insecure.
- The adversary can deploy a few malicious nodes with similar hardware capabilities as the legitimate nodes.
- By purchasing them separately, or by turning a few legitimate nodes.
- Sensor nodes are not tamper resistant.
9 Problem Statement - Trust Requirements
- The base stations are trustworthy.
- Aggregation points may not necessarily be trustworthy.
10 Problem Statement - Threat Models
- Mote-class attacks vs. laptop-class attacks.
- Outsider attacks vs. insider attacks.
11 Problem Statement - Security Goals
- In the ideal world, a secure routing protocol should guarantee the integrity, authenticity, and availability of messages in the presence of adversaries.
- In the authors' view, protection against eavesdropping is not an explicit security goal of a secure routing algorithm.
- Secrecy is usually most relevant to application data.
- Prevent eavesdropping caused by misuse or abuse of the protocol itself.
12 Problem Statement - Security Goals
- Protection against the replay of data packets should not be a security goal of a secure routing protocol.
- Only the application can fully and accurately detect the replay of data packets.
13 Problem Statement - Security Goals
- In the presence of only outsider adversaries, it is conceivable to achieve these idealized goals.
- However, in the presence of compromised or insider attackers, especially those with laptop-class capabilities, it is most likely that some of these goals are not fully attainable.
- Graceful degradation.
14 Attacks on Sensor Network Routing
- Spoofed, altered, or replayed routing information (bogus routing information)
- Selective forwarding
- Sinkhole attacks
- Sybil attacks
- Wormholes
- HELLO flood attacks
- Acknowledgement spoofing
15 Attacks on WSN Routing - Bogus Routing
- Target the routing information exchanged between nodes.
- The attackers may be able to create routing loops, attract or repel network traffic, extend or shorten source routes, generate false error messages, partition the network, increase end-to-end latency, etc.
16 Attacks on WSN Routing - Selective forwarding
- In a selective forwarding attack, malicious nodes may refuse to forward certain messages and simply drop them.
- Black hole.
- Selectively forwards packets.
- Typically most effective when the attacker is explicitly included on the path of a data flow.
- Sinkhole attack and the Sybil attack are two mechanisms by which an adversary can efficiently include herself on the path of the targeted data flow.
17 Attacks on WSN Routing - Sinkhole attacks
[Figure: sinkhole]
18 Attacks on WSN Routing - Sinkhole attacks
- By making a compromised node look especially attractive to surrounding nodes.
- Spoof or replay an advertisement for an extremely high quality route to a base station.
- Laptop-class adversary.
- Wormhole attack.
- Sensor networks are particularly susceptible to sinkhole attacks.
- All packets share the same ultimate destination (the base station).
19 Attacks on WSN Routing - The Sybil Attack
[Figure: fake nodes and real node]
20 Attacks on WSN Routing - The Sybil Attack
- The Sybil attack can significantly reduce the effectiveness of fault-tolerant schemes (such as multi-path routing).
- Pose a significant threat to geographic routing protocols.
21 Attacks on WSN Routing - Wormholes
[Figure: wormhole; label: B.S.]
22 Attacks on WSN Routing - Wormholes
- Use private channels.
- An adversary situated close to a base station may be able to completely disrupt routing by creating a well-placed wormhole.
- Sinkhole.
- To convince two distant nodes that they are neighbors.
23 Attacks on WSN Routing - HELLO flood attack
24 Attacks on WSN Routing - HELLO flood attack
- A laptop-class attacker broadcasting routing or other information with large enough transmission power could convince every node in the network that the adversary is its neighbor.
- HELLO floods can be thought of as one-way, broadcast wormholes.
25 Attacks on WSN Routing - Acknowledgement Spoofing
- Several sensor network routing algorithms rely on link layer acknowledgements.
- To convince the sender that a weak link is strong or a dead or disabled node is alive.
26 Attacks on Specific Sensor Network Protocols
27 Attacks on Specific Sensor Network Protocols
[Table; labels: Selective forwarding, Bogus routing, HELLO floods, Wormholes, Sinkholes, Sybil]
28 Attacks on TinyOS beaconing Protocols
29 Attacks on TinyOS beaconing Protocols (bogus routing)
- Routing updates are not authenticated.
- Any node can claim to be a base station.
- Authenticated routing updates will prevent an attacker from claiming to be a base station.
30 Attacks on TinyOS beaconing Protocols (selective forwarding/blackhole/sinkhole)
31 Attacks on TinyOS beaconing Protocols (Wormholes/sinkhole attack)
32 Attacks on TinyOS beaconing Protocols (HELLO flood attack)
33 Attacks on Directed diffusion protocols
- Directed diffusion is a data-centric routing algorithm.
- Base station floods interests for named data.
- Set up gradients.
- Positive reinforcement.
- Nodes generate data events.
34 Attacks on Directed diffusion protocols
- Due to the robust nature of flooding, it may be difficult for an adversary to prevent interests from reaching targets.
- Once sources begin to generate data events, an adversary's attack may have one of four goals:
- Suppression (by spoofing negative reinforcements)
- Cloning (replay an interest with itself listed as a base station)
- Path influence (by spoofing positive or negative reinforcements)
- Selective forwarding and data tampering (by path influence)
35 Attacks on Directed diffusion protocols
- Wormhole attacks
- Node A is located next to a base station and node B is located close to where events are likely to be generated.
- Interests advertised by the base station are sent through the wormhole and rebroadcast by node B.
- Node A broadcasts negative reinforcements.
- Node B broadcasts positive reinforcements.
- Pushes data flows away from the base station.
- Result: a sinkhole centered at node B.
36 Attacks on Geographic routing
- Geographic and Energy Aware Routing (GEAR) and Greedy Perimeter Stateless Routing (GPSR) leverage nodes' positions and explicit geographic packet destinations to efficiently disseminate queries and route replies.
- In GPSR, packets along a single flow will always use the same nodes for routing of each packet.
- GEAR attempts to remedy this problem.
- Both protocols require location information.
37 Attacks on Geographic Routing Protocols
- Location information can be misrepresented.
- GEAR tries to distribute the responsibility of routing based on remaining energy.
38 Attacks on Minimum cost forwarding protocols
[Figure: example network with each node labelled by its cost; BS (cost 0)]
In essence, this is a distributed shortest-paths algorithm.
39 Attacks on Minimum cost forwarding protocols
- Extremely susceptible to sinkhole attacks.
- By simply advertising cost zero anywhere in the network.
- A laptop-class adversary can use a wormhole to help synchronize this attack.
- HELLO flood: a laptop-class adversary can advertise cost zero to every node in the network.
40 Attacks on LEACH - Low-Energy Adaptive Clustering Hierarchy
- LEACH assumes every node can directly reach a base station by transmitting with sufficiently high power.
- LEACH organizes nodes into clusters with one node from each cluster serving as a cluster-head.
- Set-up phase and steady-state phase.
41 Attacks on LEACH - Low-Energy Adaptive Clustering Hierarchy
- Nodes choose a cluster-head based on received signal strength, so an adversary using the HELLO flood attack can disable the entire network.
- Selective forwarding.
- Simple countermeasures (refusing to use the same cluster-head or randomized selection of a cluster-head) can easily be defeated by a Sybil attack.
42 Countermeasures - Outsider attacks and link layer security
- Link layer encryption and authentication using a globally shared key.
- Sybil attack is no longer relevant.
- The majority of selective forwarding and sinkhole attacks are not possible.
- Link layer acknowledgements can be authenticated.
- Little effect on wormhole and HELLO flood attacks.
- Can do nothing to prevent black holes.
- Ineffective in the presence of insider attacks.
43 Countermeasures - The Sybil attack
- Generating and verifying digital signatures is beyond the capabilities of sensor nodes.
- Verify identities of neighbors through unique symmetric keys with base station (Needham-Schroeder like protocol).
- A sends nonce Na to B (using Kb)
- B decrypts it to obtain Na, and then B returns (Na . Nb) to A (using Ka)
- When A receives this message, it concludes it is talking to B.
- Limit number of neighbors.
44 Countermeasures - HELLO flood attacks
- Verify the bidirectionality of a link before taking meaningful actions.
- Use the protocol on previous slides to verify identity.
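The neighbor check from slides 43 and 44, as an added example that is not part of the original slides or the paper: a node accepts a HELLO sender only after a challenge sent over its own radio is answered with proof of a pairwise key, and only while it is under a neighbor limit. Assumptions: the slide's encrypted nonce exchange is replaced here by an HMAC-SHA256 challenge-response (one direction only), pairwise keys are taken as already issued via the base station, and `Node`, `respond`, `on_hello` and `MAX_NEIGHBORS` are hypothetical names.

```python
import hashlib
import hmac
import os

MAX_NEIGHBORS = 3  # assumed cap on verified neighbours per node

def respond(key: bytes, nonce: bytes, node_id: str) -> bytes:
    """Prove knowledge of the pairwise key over a fresh nonce."""
    return hmac.new(key, nonce + node_id.encode(), hashlib.sha256).digest()

class Node:
    def __init__(self, node_id, pairwise_keys):
        self.node_id = node_id
        self.keys = pairwise_keys  # peer id -> key, assumed issued via the base station
        self.neighbors = set()

    def on_hello(self, claimed_id, send_challenge):
        """Decide whether a HELLO sender becomes a neighbour.

        send_challenge(nonce) models this node's own low-power radio: it
        returns the peer's reply, or None when the challenge never arrives.
        """
        if claimed_id in self.neighbors:
            return True
        if len(self.neighbors) >= MAX_NEIGHBORS:
            return False                  # neighbour limit reached
        key = self.keys.get(claimed_id)
        if key is None:
            return False                  # no key was issued for that identity
        nonce = os.urandom(16)
        reply = send_challenge(nonce)
        if reply is None:
            return False                  # one-way link: heard, but unreachable
        if not hmac.compare_digest(reply, respond(key, nonce, claimed_id)):
            return False                  # sender lacks the key for that identity
        self.neighbors.add(claimed_id)
        return True

def demo():
    """Constructed scenario: node A hears four HELLOs."""
    k_ab = os.urandom(16)
    a = Node("A", {"B": k_ab, "C": os.urandom(16)})
    return {
        "legit": a.on_hello("B", lambda n: respond(k_ab, n, "B")),
        "one_way": a.on_hello("C", lambda n: None),
        "forged": a.on_hello("C", lambda n: respond(os.urandom(16), n, "C")),
        "unknown": a.on_hello("X", lambda n: b""),
    }, sorted(a.neighbors)
```

Only B ends up in A's neighbor set: the high-power HELLO fails because A's challenge never gets an answer, and the claimed identities fail because the sender cannot produce the keyed response.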
45 Countermeasures - Wormhole and sinkhole attacks
- Very difficult to defend against.
- Wormholes use a private channel.
- Sinkholes: some information (such as remaining energy) is hard to verify.
- Combination: hop-count can be completely misrepresented through a wormhole.
- A technique for detecting wormhole attacks is presented in [1].
- Temporal leash: requires extremely tight time synchronization.
- Geographical leash: similar to geographic routing.
46 Countermeasures - Wormhole and sinkhole attacks
- Geographic routing protocols hold promise.
- The main problem is that location information advertised from neighboring nodes must be trusted.
- Restrict the structure of the topology. For example, nodes can be arranged in a grid with square, triangular, or hex shaped cells.
47 Countermeasures - Selective forwarding
- Selective forwarding is very difficult to defend against in some cases.
- Strategically located near the source or a BS.
- Multi-path routing and probabilistic routing.
48 Countermeasures - Notes
- Nodes near base stations are attractive to compromise.
- Clustering may reduce their significance.
- Randomly rotating set of virtual stations to create overlay network.
- Can leverage global knowledge
- Send localized info to base station
- Base station maps network topology
- Periodically updated
- Drastic / suspicious changes observed
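One way a base station could act on the "map the topology and watch for drastic changes" note above, as an added example that is not from the slides or the paper: compare two reported next-hop maps and flag nodes that suddenly carry many more flows, plus sources whose reported path never reaches the base station. The report format, the `min_jump` threshold and the two snapshots are constructed assumptions.

```python
def forwarding_load(next_hop, bs="BS"):
    """Count, for each forwarding node, how many sources route through it."""
    load = {}
    for src in next_hop:
        hop, seen = next_hop[src], {src}
        while hop != bs and hop in next_hop and hop not in seen:
            load[hop] = load.get(hop, 0) + 1
            seen.add(hop)
            hop = next_hop[hop]
    return load

def routing_loops(next_hop, bs="BS"):
    """Sources whose reported path never reaches the base station."""
    bad = []
    for src in next_hop:
        hop, seen = src, set()
        while hop != bs and hop in next_hop and hop not in seen:
            seen.add(hop)
            hop = next_hop[hop]
        if hop != bs:
            bad.append(src)
    return sorted(bad)

def suspicious_nodes(before, after, bs="BS", min_jump=3):
    """Nodes whose forwarding load grew by at least min_jump between snapshots."""
    old, new = forwarding_load(before, bs), forwarding_load(after, bs)
    return sorted(n for n, c in new.items() if c - old.get(n, 0) >= min_jump)

# Constructed snapshots: node -> reported next hop toward the base station.
BEFORE = {"n1": "BS", "n2": "BS", "n3": "n1", "n4": "n1",
          "n5": "n2", "n6": "n2", "n7": "n3", "n8": "n5"}
# In the later report n6 claims a direct route and its neighbours switch to it.
AFTER = {"n1": "BS", "n2": "BS", "n3": "n6", "n4": "n6",
         "n5": "n6", "n6": "BS", "n7": "n3", "n8": "n5"}

if __name__ == "__main__":
    print("flagged:", suspicious_nodes(BEFORE, AFTER))
    print("loops:", routing_loops(AFTER))
```

A flagged node is a lead for investigation rather than proof of a sinkhole, since the reports themselves may come from compromised nodes.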
49 Countermeasures - Notes
- Base station authentication: no node can spoof the BS, but every node can verify messages from the BS.
- SPINS: Security Protocols for Sensor Networks - µTESLA, SNEP
50 Conclusion
- Secure routing is a prerequisite to effective WSN.
- Traditional security solutions aren't applicable.
- Currently proposed routing protocols for WSN are insecure.
- Link layer encryption and authentication mechanisms may be a reasonable first approximation for defense against mote-class outsiders.
- Careful protocol design is needed as well.