Title: Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
1 Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
- Brian Kessler, Justin Matos
- Tufts University
- EE-194HHW S-07
2 Introduction
- We should all be familiar with the structure and use of wireless sensor networks by now
- With most of the uses recently discussed, security is not a big issue, but with the potential uses of WSNs growing, we are forced to investigate the threats posed by those with malicious intent toward the network
- In order to test the security, many forms of attack were tested and analyzed and countermeasures were discussed
3 The Need
- In the environment of home, business, security and military use, a secure network is an absolute must in a WSN
- The hardware technology of the resource-scarce devices will most likely not improve in the near future. This is because advances will only drive down the price of the current devices. This will lead many users to simply use more of the now cheaper devices
4 Quick Definitions
- Base stations can also be referred to as sinks
- An aggregation point is a node that collects information from surrounding nodes and combines the data into a single message
- An adversary is an encompassing term for a compromised node or a malicious device
5 WSN vs Ad-hoc Network
- WSNs and Ad-hoc networks have numerous similarities, but there are also a few generally dismissible differences that lead to security holes
- Both networks use a multi-hop network for routing, but the pattern in the WSN is more specialized
  - Many-to-one: Multiple sensors send to one node or base station
  - One-to-many: A single node (usually the sink) floods control signals to multiple nodes
  - Local communication: Neighbors communicate and coordinate with each other with multicast and unicast packets
- Resources are more of a factor in WSNs, as most of the points must rely only on battery power and are left unattended, so there is no chance to recharge
- In order to save energy and reduce traffic, WSNs incorporate much in-network processing, aggregation and duplicate elimination. This requires a larger amount of trust between the nodes, meaning little to no authentication and encryption
6 WSN vs Ad-hoc Network
- Ad-hoc networks have many researched and
implemented security types, but most are
inapplicable due to the aforementioned reasons
7 Physical Security in WSN
- Radio links are assumed to be insecure
- Malicious machines can eavesdrop, inject bits and replay previous data into the data streams
- The nodes are relatively cheap, allowing attackers to purchase and modify their own
- The various node types are very similar, allowing one type to be modified to affect others
- Nodes are cheaply made and not tamper resistant. They are also usually left unattended, allowing one or more of them to be captured and overwritten. This will allow them to coordinate and attack the main network
8 WSN Trust Requirements
- Base stations are key in WSNs, so the nodes assume that they are trustworthy. This paper made the same assumption
- Most routing protocols require nodes to assume that the base stations are legitimate and are behaving correctly
- Aggregation points are regular nodes, and are assumed to not always be trustworthy
9 Classes of Threats
- Device Capability
  - Mote-class attackers: these attacks use similar or modified nodes to perform the malicious attacks. These devices are confined to the same constraints as the motes regarding battery life and range
  - Laptop-class attackers: more powerful devices, such as laptops, are used to attack the system. These attacks are more harmful as they are not constrained to the limitations of motes. Some advantages over mote-class attackers include greater battery life, increased range, better CPU, higher power transmitter, and a more sensitive antenna
- Attacker Type
  - Outside attacker: This attack is external to the network, usually via a laptop
  - Inside attacker: This attack is initiated by an authorized node in the WSN that is compromised and malicious
10 General Attacks on Sensor Networks
- Spoofed, altered, or replayed routing information
- Selective forwarding
- Sinkhole attacks
- Sybil attacks
- Wormholes
- HELLO flood attacks
- Acknowledgement spoofing
- Many of these attacks work in tandem toward malevolent ends
11 Spoofed, Altered, or Replayed Routing Info
- Targets routing information exchanged between nodes
- May be able to
  - Create routing loops
  - Attract or repel network traffic
  - Extend or shorten source routes
  - Generate false error messages
  - Partition the network
12 Selective Forwarding
- Malicious nodes may refuse to forward certain messages and impede their propagation
- An adversary that is selectively forwarding sends along only some of the packets received. If it stopped sending altogether, the surrounding nodes would just assume that the node had failed and would seek an alternate forwarding route
- Adversaries attempt to include themselves in the actual path of the data flow
13 Sinkhole Attacks
- Attempts to lure nearly all traffic from an area in the WSN to a certain malicious node. This creates a sinkhole with the adversary at the center
- Sinkholes have many opportunities to tamper with the transmitted data and can also start other types of attacks
- A sinkhole node will pretend to be a very high quality transmission route to entice more nodes to send information through it
- Laptop-class adversaries with powerful transmitters can provide a high quality route for data transmission by transmitting with enough power to reach the base station, so if the surrounding nodes attempt to verify the reliability or latency of the malicious node, it will appear as a very attractive route to send data through
- Nodes will spread the news of the attractiveness of the adversary to their neighbors
- Selectively suppresses or modifies packets originating from any node in the area of the malicious node
14 Selective Forwarding/Sinkhole
[Figure: selective forwarding/sinkhole diagram, labelled "Enemy Area"]
15 The Sybil Attack
- A single node presents multiple identities to other nodes in the network
- Nodes think they are sensing multiple nodes, when in actuality they are just seeing the one malicious node posing as numerous nodes in the WSN
- Poses a great threat to geographic routing protocols since the adversary node can claim to be in multiple positions
16 The Sybil Attack
17 Wormholes
- A wormhole attack tunnels communication from one part of the network to another
- This can be done to make two far off nodes believe that they are close to each other
- Also, a wormhole can create an out-of-band path for only compromised nodes to communicate using a private frequency or modulation
- A powerful wormhole could create a sinkhole by convincing nodes that they are closer to the base station than they truly are and then sending the data somewhere else
18 Wormhole
19 HELLO Flood Attack
- Many protocols use the HELLO packet to announce themselves to their neighbors in the network; these announcements are not authenticated
- Nodes assume they are close when a HELLO is received, but a high-powered device could cause misinformation by theoretically announcing a HELLO to the whole network
- This could cause all other nodes to want to use this new route, making nodes that are further away talk to no one
- This attack makes the network reorder itself and leaves it in a state of confusion
- Works like a one-way wormhole
20 HELLO!
21 Acknowledgement Spoofing
- By using false acknowledgements, a corrupted node can convince nodes that weak or dead links are strong or alive
- This would cause a network full of dead end hops
22 Specific Attacks on WSN Protocols
- TinyOS Beacon
  - The base station broadcasts an unauthenticated route update periodically
  - A laptop or mote can pretend to be the base station and initiate this update
  - This causes all nodes to believe the adversary is the base station, whether it can reach it or not
  - Alternatively, the adversary can choose not to pretend to be the base and instead reorder the routing tables into loops and dead ends
  - TinyOS beacon is so simple that this attack leaves the network in a nearly irrecoverable state
23 Specific Attacks on WSN Protocols
- Directed Diffusion
  - Uses a data-centric routing algorithm to draw information out of a WSN
  - Base stations flood interest for named data, and the nodes that comply simply reverse the path back to the sink
  - Paths are reinforced as more data is successfully sent along
  - An attacker can spoof negative reinforcements to weaken links
  - An adversary can replay a data interest from the base with itself as the base, thereby routing the traffic to itself
  - A compromised node can spoof positive reinforcements and data events to restructure the routes as it pleases, thereby controlling the flow
24 Specific Attacks on WSN Protocols
- Geographic Routing
  - This routing is based on the location of the nodes in a grid
  - One method has packets trying a greedy direct route to their destination, and going around voids, regardless of energy
  - Another method weighs the next hop in terms of distance to destination and energy consumption
  - The Sybil attack is most effective here: by pretending to be multiple high-powered nodes, an adversary can maximize its chances of controlling the flow
25 Specific Attacks on WSN Protocols
- Minimum Cost Forwarding
  - Creates a cost-based routing field with the base as 0
  - Nodes do not maintain explicit path information or unique identifiers
  - Extremely susceptible to a sinkhole
  - Using a HELLO attack, a powerful device can disable the whole network by advertising a cost 0 route
- Low-energy Adaptive Clustering Hierarchy
  - Organizes nodes into clusters, where a rotating cluster head receives, compresses and sends all data directly to the base
  - A powerful adversary could use a HELLO attack to be chosen as the cluster head for all nodes. If the protocol desires different heads each cycle, a Sybil attack can be used to maintain control
- Rumor Routing
  - Uses probability to match queries with data events to form energy-efficient routes
  - A mote-class adversary could disrupt the creation of routes with a sinkhole that seems appealing to all nodes and then selectively forward data
- Energy Conserving Topology Maintenance
  - Places many more nodes than needed and then adaptively decides which nodes need to be active to maintain the routes, allowing the others to sleep
  - With HELLO and Sybil attacks, compromised nodes could force all others to sleep by advertising as higher ranking nodes
26 Countermeasures: Introduction to Keys
- Symmetric (Private) Key Algorithms
  - The encryption key is trivially related to the decryption key, being either the same or a simple math function away
  - Much less strain on processor power than public keys (on the order of 100-1000x)
  - Requires both sides to know the shared secret key
  - Due to adversaries, the key must be changed often, requiring a reliable method of changing and updating the key on all devices with no errors
  - A device that holds plaintext data, whether of its own choosing or not, together with the corresponding encrypted data can attempt a crack
  - Offers no authentication (signing) since the keys are universal
27 Countermeasures: Introduction to Keys
- Asymmetric (Public) Key Cryptography
  - Requires each user to have two keys, one public and one private
- Public Key Encryption
  - Data is encrypted for a specific user with their public key, and can only be decoded with the private key
- Digital Signatures
  - Data can be signed by using a private key. Others can authenticate the source because only the matching public key will decipher the information
- Keys can be brute force attacked and deciphered
  - In order to prevent this, a suitably long key can be chosen, making the computational time of the attack not worthwhile
28 Asymmetric Key Cryptography
29 Countermeasures: Private Keys and the WSN
- Use of global encryption keys is a good defense against outsider attacks
- The outsider adversary would be prevented from joining the topology, making attacks such as the Sybil and selective forwarding attacks impossible
- However, attacks such as a HELLO flood and wormholes could still be implemented from the outside
- This security is ineffectual against insider attacks
30 Countermeasures: Sybil Attack
- Using a global key allows a compromised node to pretend to be any node
- Identity verification using public keys would prevent a node from masquerading as anyone other than itself
  - Very taxing, if not impossible, for the simple node hardware to implement
- Solution: the damage of a compromised node can be minimized by having a base station assign symmetric keys. Once this is done, nodes can then use these keys to communicate with a limited number of neighbors
31 Countermeasures: HELLO Flood
- Using the type of security from the previous slide, the damage from a HELLO attack can be minimized
- Because the bidirectional communication between nodes is limited to a certain number of neighbors, a HELLO attack could only affect those verified neighbors
32 Countermeasures: Wormhole and Sinkhole Attacks
- These attacks are extremely difficult to prevent. Wormholes use out-of-band communication, and sinkholes use hard-to-verify advertisements to attract data.
- Protocols based on geographic node location depend only on local interactions and therefore have a degree of defense. Traffic is routed naturally towards the base, making it difficult to pull the data off the path
- There is no generic defense that can prevent these attacks. Any adversary can sniff information and retransmit it anywhere to cause problems for the network
33 Countermeasures: Leveraging Global Knowledge
- When the network size is limited or the topology of the WSN is well-structured, global knowledge can be leveraged in security mechanisms
- After initially deploying nodes, the information about location and neighboring nodes can be sent back to the base station. Drastic or suspicious changes to the network could indicate a malicious node, and action could be taken to limit its effect on the WSN
- Eliminating the need for the nodes to advertise their location can be achieved by restricting the layout of the nodes and arranging them in a grid-like pattern
- In the grid, nodes can derive their neighbors' locations from their own, and nodes can be addressed by location rather than by identifier
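An added example, not part of the original slides: a base-station audit that compares reported neighbor sets against the deployment baseline and against what a grid layout allows. The 4-neighbor radio range, the 0.5 change threshold and all function names are assumptions made for illustration; the sample grid is constructed.

```python
from collections import Counter

def grid_neighbors(cell, width, height):
    """Cells a node at `cell` can legitimately hear (4-neighbourhood, assumed radio range)."""
    x, y = cell
    around = [(x - 1, y), (x + 1, y), (x, y - 1), (x, y + 1)]
    return {(a, b) for a, b in around if 0 <= a < width and 0 <= b < height}

def audit(baseline, report, width, height, max_change=0.5):
    """Compare reported neighbour sets with the deployment baseline and the grid."""
    findings = {}
    for cell, heard in report.items():
        reasons = []
        impossible = heard - grid_neighbors(cell, width, height)
        if impossible:  # link the layout cannot produce: wormhole or HELLO flood
            reasons.append(("non-adjacent", sorted(impossible)))
        before = baseline.get(cell, set())
        union = before | heard
        change = 1 - len(before & heard) / len(union) if union else 0.0
        if change > max_change:  # Jaccard distance from the baseline
            reasons.append(("drastic-change", round(change, 2)))
        if reasons:
            findings[cell] = reasons
    return findings

def widely_heard(report, limit=4):
    """Locations claimed as a neighbour by more nodes than a grid cell can have."""
    counts = Counter(n for heard in report.values() for n in heard)
    return sorted(c for c, k in counts.items() if k > limit)

def demo():
    # Constructed sample: 3x3 grid, baseline taken right after deployment.
    cells = [(x, y) for x in range(3) for y in range(3)]
    baseline = {c: grid_neighbors(c, 3, 3) for c in cells}
    report = {c: set(n) for c, n in baseline.items()}
    report[(0, 0)].add((2, 2))   # two far corners suddenly hear each other
    report[(2, 2)].add((0, 0))
    for c in cells:              # every node now hears location (1, 0)
        if c != (1, 0):
            report[c].add((1, 0))
    return audit(baseline, report, 3, 3), widely_heard(report)
```

In the constructed report, the corner-to-corner link is flagged as non-adjacent and location (1, 0) is the only one heard by more nodes than a grid cell has neighbors.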
34 Countermeasures: Selective Forwarding
- Multipath routing can be used to counter selective forwarding attacks
- The use of multiple braided paths could give probabilistic protection against selective forwarding and use only localized information
- If a node is allowed to choose the next packet hop probabilistically from a set of neighboring nodes, it can reduce the chances of a malevolent node gaining total control of the data flow
35 Countermeasures: Authenticated Broadcast and Flooding
- Nodes must be able to trust base stations, so harmful nodes must not be able to send spoofed broadcast or flooded messages from base stations
- No node should be able to spoof messages from the base station, yet every node should be able to verify them
- HELLO messages should be authenticated and impossible to spoof
- Authenticated broadcasts could possibly use digital signatures or extra packet overhead
- µTESLA is a protocol for efficient, authenticated broadcast and flooding
  - Uses symmetric key cryptography and requires minimal packet overhead
  - Achieves necessary asymmetry using delayed key disclosure and one-way chains built from a publicly computable, cryptographically secure hash function
  - Requires loose time synchronization
36 Summary
- There are many attacks that could be levied against wireless sensor networks, to control data, reorder the routing or simply wreak havoc
- Many of the best defenses use technology or processing power that defeats the purpose of cheap small nodes
- Using small amounts of authentication can cheaply provide enough protection to deter a few of the attack types
- The best defense is to know the goal of the devices beforehand, allowing the routing protocols and security to be designed in tandem
37 Works Cited
- Chris Karlof et al., Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, Elsevier Ad Hoc Networks 1, 293-315, 2003.
- www.wikipedia.org
- Mengke Li, Secure Routing Protocols in Wireless Sensor Networks, UNL 2004