Title: Secure Routing in Sensor Networks: Attacks and Countermeasures
1Secure Routing in Sensor Networks Attacks and
Countermeasures
Chris Karlof and David Wagner University of
California at Berkeley
- First IEEE International Workshop on Sensor
Network Protocols and Applications - 5/11/2003
2Security in sensor networks
- Security is critical
- Military apps
- Building monitoring
- Burglar alarms
- Emergency response
- Yet security is hard
- Wireless links are inherently insecure
- Resource constraints
- Lossy, low bandwidth communication
- Lack of physical security
3Our contributions
- Threat models and security goals
- New attacks against sensor network routing
protocols - Detailed security analysis of 15 routing
protocols - Countermeasure suggestions
4Routing in sensor networks
- Base stations and sensor nodes
- Low overhead protocols
- Specialized traffic patterns
- In-network processing
- These differences necessitate new secure routing
protocols
5Secure routing goals and threat models
- Security goals
- Confidentiality messages are secret
- Integrity messages are not tampered with
- Availability
- In-network processing makes end-to-end security
hard - Link layer security still possible
- Need to consider compromised nodes (insiders) and
resourceful attackers
6Attacks
7TinyOS Beaconing
8Attack Bogus routing information
- Bogus routing information can cause havoc
- Example spoof routing beacons and claim to be
base station
- Lessons
- Authenticate routing info
- Trust but verify
9Attack HELLO floods
- Assumption the sender of a received packet is
within normal radio range - False! A powerful transmitter could reach the
entire network - Can be launched by insiders and outsiders
Lesson Verify the bidirectionality of links
10Attack Wormholes
- Tunnel packets received in one part of the
network and replay them in a different part - Can be launched by insiders and outsiders
Lesson Avoid routing race conditions
11Attack Sybil attack
B
- An adversary may present multiple identities to
other nodes
A
Lesson Verify identities
12Protocols analyzed
Protocol Relevant attacks
TinyOS beaconing Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
Directed diffusion and multipath variant Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
Geographic routing (GPSR,GEAR) Bogus routing information, selective forwarding, Sybil
Minimum cost forwarding Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods
Clustering based protocols (LEACH,TEEN,PEGASIS) Selective forwarding, HELLO floods
Rumor routing Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes
Energy conserving topology maintenance Bogus routing information, Sybil, HELLO floods
All insecure
13Countermeasures
- We have countermeasure suggestions and design
considerations - See paper for details
14Conclusions
- End-to-end security is limited in sensor networks
- Link layer security is important
- It is not enough
- Design time security
15Questions?
16Extra Slides
17Countermeasures
- Access control with link layer crypto
- Globally shared key ? outsiders
- Per link keys ? insiders
- Authenticated broadcast and flooding
- Verify neighbors identities
- Prevents Sybil attack
- Verify bidirectionality of links
- Prevents HELLO floods
- Multipath and probabilistic routing
- Limits effects of selective forwarding
18Countermeasures (cont.)
- Wormholes are difficult to defend against
- Can be launched by insiders and outsiders
- Defenses exist for outsiders, but are not cheap
- Best solution ? avoid routing race conditions
- Geographic routing protocols hold promise
- Nodes near base stations are attractive to
compromise - Overlays
19Why is this a problem?
- Wireless security has been spotty
- WEP/802.11b
- GSM
- Secure routing mechanisms for ad-hoc wireless
networks are not necessarily applicable - Too much functionality ? any-to-any routing
- Not enough functionality ? sensor nets are often
app. specific - Too much overhead ? public key cryptography
20Wormhole attacks
- A wormhole is created when an adversary tunnels
packets received in one part of the network and
replays them in a different part. - Exploits routing race conditions
- Enables other attacks
- Can be launched by insiders and outsiders
21(No Transcript)
22(No Transcript)
23(No Transcript)
24(No Transcript)