SECURE ROUTING IN WIRELESS SENSOR NETWORKS

1

• SECURE ROUTING IN WIRELESS SENSOR NETWORKS
• Gayathri Venkataraman
• Preeti Raghunath

2
AGENDA

• Sensor Networks
• Wireless Sensor Networks vs. Ad- Hoc Networks
• Sensor Network Security Challenges
• Attacks on Sensor Network routing
• Securing the Wireless Network
• Summary

3
Sensor Networks

• A sensor network is composed of a large
  number of sensor nodes that are densely deployed
  either inside the phenomenon or close it . Each
  of these sensor nodes collect data and transmit
  to the sink using special routing protocols. The
  sink may communicate to the task manager using
  Internet or satellite 1.

Figure 1 Sensor nodes communication Source
http//www.cdt.luth.se/babylon/snc/References/Akyi
ldiz2002_SurveySensorNets_01024422.pdf
Retrieved August 22, 2003
4
What is a Sensor Network?

• Heterogeneous system that combines tiny sensors
  and actuators with general purpose computing
  elements.
• Sensor readings from multiple nodes can be
  processed by one or more aggregation points

5
Base Station

• Sensor Networks have one or more points of
  centralized control called Base Stations.
• Base stations are either
• Gateway to another network
• Data processing or storage center
• Access point for human interface.

6
Sensor Network Architecture
Base Stations
Aggregation points
Sensor Nodes
7
Constraints of Wireless Sensor Networks

• Sensor Networks are resource-starved when it
  comes to
• Computational power
• Memory
• Bandwidth
• Power

8
Sensor Networks VS. Ad Hoc Networks

• Ad-Hoc Network supports routing between any pairs
  of nodes.
• Sensor Networks have a specialized communication
  pattern
• Many to One
• One to Many
• Local Communication

9
Security challenges in Wireless Sensor networks
(1 of 3)

• Network Assumptions
• Radio links are not secure
• Attackers can deploy malicious nodes into the
  network.
• Trust Requirements
• Base Stations are trusted nodes
• Aggregation points maybe trusted for certain
  protocols

10
Security challenges in Wireless Sensor networks
(2 of 3)

• Threat models
• Mote-Class attackers Sensor nodes are used for
  attacks. Sensor can eavesdrop only nodes in its
  vicinity.
• Laptop-Class attackers More sophisticated. Can
  eavesdrop or jam entire network.
• Outsider attacks Attacker has no special access
  to the sensor network.
• Insider attacks An authorized participant of the
  network has gone bad by running malicious code.

11
Security challenges in Wireless Sensor networks
(3 of 3)

• Security Goals
• Protection against eavesdropping is
  responsibility of application layer not routing
  algorithms.
• However, eavesdropping caused by abuse of routing
  protocol is the responsibility of protocols.
• Graceful degradation of network in case of
  insider attack.

12
Attacks on Sensor Networks (1 of 3)

• Spoofing Altering, spoofing or replaying routing
  information between nodes.
• Selective Forwarding Malicious nodes does not
  forward any packets or selectively forwards
  packets.

13
Attacks on Sensor Networks (2 of 3)

• Sinkhole attack
• Here the attackers goal is to lure all the
  traffic through a compromised node
• Other nodes in the path have opportunities to
  tamper with application data
• Sybil attack
• A single node presents multiple identities.
• Wormholes
• Attacker tunnels messages received in one part of
  the network over a low-latency kink and replays
  them in a different part.

14
Attacks on Sensor Networks (3 of 3)

• HELLO Flood attack An attacker with enough
  transmission power convinces every node in the
  network that the attacker is the neighbor.
• Acknowledgement spoofing
• Link layer acknowledgements are spoofed to
  convince a weak link is strong and vice-versa.

15
Attacks on Specific Routing Protocols Gayathri
Venkataraman
16
Special Routing Protocols! Why???
A typical mote has 4MHz processor, 128 KB of
instruction memory, 4 KB of RAM data, and 512 KB
of flash memory. The whole device is powered by
two AA batteries. So the requirement of special
routing protocols with Less computation Less
memory Simple No global identification like IP
address
17
Challenges For Security
Resource starved nature of sensor networks poses
a big challenge for security Public-key
Cryptography is so expensive With only 4KB of
RAM memory must be used carefully
18
Directed Diffusion

• Is a data centric routing
• Base stations flood interests for named data
• Nodes able to satisfy the interest disseminate
  information along
• the reverse path of interest propagation.
• Interests are initially transmitted at a lower
  rate.
• Based nodes reinforce the path where there is
  more data.
• Failed node paths are negatively reinforced.

19
Directed Diffusion
http//www2.parc.com/spl/members/zhao/stanfordcs42
8/readings/Networking/Estrin_mobicom00.pdf 
Retrieved August 27, 2003
20
Attacks on Directed Diffusion

• Suppression
• Suppress the flow of data by sending negative
  reinforcement
• Cloning
• Attacker can replay an interest from legitimate
  base station
• Path Influence
• Attacker can influence the path taken by a data
  flow by spoofing
• positive and negative reinforcements and bogus
  data events.
• Selective forwarding and Tampering
• Attacker can insert himself into the path of
  events flow and gain
• Control of the event flow.

21
Attacks on Directed Diffusion

• A Laptop class adversary can create worm hole
  between node A located near base station and node
  B located near likely events.
• Interests are advertised through worm hole and
  rebroadcast by
• node B.
• If node A sends negative reinforcements and worm
  hole does not pass those messages then node B
  continues its positive reinforcement then no data
  reaches the sink node and eventually node Bs
  power is lost.

22
Tiny-OS Beaconing

• In this protocol base stations periodically
  broadcast routing update.
• All station receiving the update marks the base
  station as its parent.
• This algorithm happens recursively with each node
  marking its parent as the first node from which
  it hears the update.
• All packets received or generated by a node is
  forwarded to its parent until it reaches the base
  station.
• This is a breadth first spanning tree rooted to
  the base station

23
Attacks on Tiny-OS Beaconing
Routing updates are not authenticated Attacker
can suppress, eaves-drop, and modify packets
through a worm hole/ sink hole attack as shown in
the figure
Source http//webs.cs.berkeley.edu/retreat-1-03/s
lides/sensor-route-security.pdf Retrieved on
November 17, 2003
24
Attacks on Tiny-OS Beaconing

• A lap top class adversary can use Hello flood
  attack to broadcast a routing update and all
  nodes will consider the adversary as its parent.
• So the nodes which are not in the actual range of
  the parent may flood the packets to neighbors
  which also has the adversary as its parent
• Routing Loops can be created. Suppose adversary
  knows node A and node B are within radio range of
  each other. Adversary sends a routing update to B
  as if it came from A. B updates its parent as A,
  and sends routing update. Now A updates its
  parent as B.

25
Geographic Routing

• Two Kinds
• Geographic and Energy aware routing (GEAR) uses
  the energy information and the location of
  neighboring nodes to forward the packets
• Greedy Perimeter Stateless Routing (GPSR) used
  only the proximity of neighbors to forward its
  messages. The energy consumption is uneven within
  the nodes.

26
Attacks on Geographic Routing

• Regardless of adversarys location he might
  advertise to be closest and place himself on the
  path of data flow.
• For GEAR the adversary can advertise to have
  maximum energy to divert all the packets to
  himself and can now mount a selective forwarding
  attack
• Routing Loops is possible in GPSR routing as
  shown in figure

Source http//webs.cs.berkeley.edu/retreat-1-03/s
lides/sensor-route-security.pdf Retrieved on
November 17, 2003
27
Counter Measures

• Link Layer Security
• Simple link layer encryption and authentication
  using a globally shared key.
• If a worm hole is established, encryption makes
  selective forwarding difficult, but can do
  nothing to prevent black hole selective
  forwarding. This worm hole is possible by
  replaying the message from one group of nodes to
  other group.
• Link layer security mechanisms cannot prevent any
  insider attack.

28
Counter Measures

• Sybil Attack
• Every node shares a unique symmetric key with
  base station
• Two nodes can use Needham-Schroeder like protocol
  to verify
• identity and establish a shared key.
• Base station limits the number of nodes an
  insider can have
• communication.
• This limits the number of nodes an adversary can
  communicate.

29
Counter Measures

• Hello Flood Attacks
• Verify the bi-directionality of the link before
  taking any action
• Measures against Sybil Attack like limiting the
  number of
• verified neighbors to a node will also prevent
  Hello Flood Attack

30
Counter Measures

• Worm Hole and Sink Hole Attacks
• Sink holes are difficult to defend in protocols
  which use advertised information like energy
  information and hop count. Hop count can be
  verified, however energy and TinyOs beaconing is
  difficult to defend.
• Best solution is to design protocols where above
  attacks are meaningless

31
Counter Measures

• Protocols that construct topology initiated by
  base station are susceptible to attacks
• Geographic protocols that construct topology on
  demand using localized interactions and not from
  base stations are good solutions.
• In geographic routing since proximity is a factor
  artificial link to sink hole is not possible
  because they may not fall in the normal radio
  range.

32
Counter Measures

• Geographic routing is secure against worm hole,
  sink hole, and Sybil attacks, but the remaining
  problem is that the location advertisement must
  be trusted.
• Probabilistic selection of next hop from several
  advertisement can reduce the problem
• Restricting the structure of the topology can
  eliminate the problem by eliminating
  advertisement. For example nodes can arrange
  itself in square, triangular, etc., So that every
  node can derive its neighbors

33
Counter Measures

• Selective Forwarding
• Multi-path routing can be used to avoid this
  attacks.
• Messages routed over n paths whose nodes are
  completely disjoint is an effective solution
• Creating this kind of path may be difficult .
• Probabilistic selection of next hop can add to
  security.

34
Counter Measures

• Authenticated Broadcast flooding
• digital signatures
• symmetric-key cryptography
• delayed key disclosure and one way key chains
  constructed with publicly computable
  cryptographically secure hash function
• Replay attack is not possible key is used only
  once.

35
Limitations of Multi-Hop Routing

• If nodes within one or two hops near the base
  station are
• compromised then the network will be completely
  down
• Protocols like leach which forms clusters and
  where cluster heads communicate directly with
  base station may yield a secure solution.

36
Conclusion

• Secure routing is vital to the acceptance and use
  of sensor networks.
• Current protocols are insecure
• Careful protocol design is needed as a sensor
  mote cannot do complex cryptographic computations

37
References
1 Ian F. Akyildiz, Weilian Su, Yogesh
Subramaniam, and Erdal Cayirci (2002, August). A
Survey on Sensor Networks. http//www.cdt.luth.se/
babylon/snc/References/Akyildiz2002_SurveySensorNe
ts_01024422.pdf Retrieved August 26,
2003 2Charlermek Intanagonwiwat, Ramesh
Govindan, and Deborah Estrin. Directed
DiffusionA Scalable and Robust Communication
Paradigm for Sensor
Networks http//www2.parc.com/spl/members/zhao/sta
nfordcs428/readings/Networking /Estrin_mobicom00.p
df Retrieved August 20, 2003 3 Chris Karlof,
David Wagner, Secure Routing in Wireless Sensor
Networks Attacks and Counter Measures
38
Thank You!!!!! Questions???????????