Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures

1
Secure Routing in Wireless Sensor Networks
Attacks and Countermeasures
  • Brian Kessler Justin Matos
  • Tufts University
  • EE-194HHW S-07

2
Introduction
  • We should all be familiar with the structure and
    use of wireless sensor networks by now
  • With most of the uses recently discussed,
    security is not a big issue, but with the
    potential uses of WSNs growing, we are forced to
    investigate the threats posed by those with
    malicious intent toward the network
  • In order to test the security, many forms of
    attack were tested and analyzed and
    countermeasures were discussed

3
The Need
  • In the environment of home, business, security
    and military use, a secure network is an absolute
    must in a WSN
  • The hardware technology of the resource-scarce
    devices will most likely not improve in the near
    future. This is because advances will only drive
    down the price of the current devices. This will
    lead many users to simply use more of the now
    cheaper devices

4
Quick Definitions
  • Base stations can also be referred to as sinks
  • An aggregation point is a node that collects
    information from surrounding nodes and combines
    the data into a single message
  • An adversary is an encompassing term for a
    compromised node or a malicious device

5
WSN vs Ad-hoc Network
  • WSNs and ad-hoc networks have numerous
    similarities, but there are also a few generally
    dismissible differences that lead to security
    holes
  • Both networks use a multi-hop network for
    routing, but the pattern in the WSN is more
    specialized
      • Many-to-one: multiple sensors send to one node
        or base station
      • One-to-many: a single node (usually the sink)
        floods control signals to multiple nodes
      • Local communication: neighbors communicate and
        coordinate with each other with multicast and
        unicast packets
  • Resources are more of a factor in WSNs, as most of
    the points must rely only on battery power and
    are left unattended, so there is no chance to recharge
  • In order to save energy and reduce traffic, WSNs
    incorporate much in-network processing,
    aggregation and duplicate elimination. This
    requires a larger amount of trust between the
    nodes, meaning little to no authentication and
    encryption

6
WSN vs Ad-hoc Network
  • Ad-hoc networks have many researched and
    implemented security types, but most are
    inapplicable due to the aforementioned reasons

7
Physical Security in WSN
  • Radio links are assumed to be insecure
  • Malicious machines can eavesdrop, inject bits and
    replay previous data into the data streams
  • The nodes are relatively cheap, allowing
    attackers to purchase and modify their own
  • The various node types are very similar, allowing
    one type to be modified to affect others
  • Nodes are cheaply made and not tamper resistant,
    and they are usually left unattended, allowing
    one or more of them to be captured and
    overwritten. This will allow them to coordinate
    and attack the main network

8
WSN Trust Requirements
  • Base stations are key in WSNs, so the nodes
    assume that they are trustworthy. This paper made
    the same assumption
  • Most routing protocols require nodes to assume
    that the base stations are legitimate and are
    behaving correctly
  • Aggregation points are regular nodes, and are
    assumed to not always be trustworthy

9
Classes of Threats
  • Device Capability
      • Mote-class attackers: these attacks involve
        similar or modified nodes to perform the
        malicious attacks. These devices are subject to
        the same constraints as the motes regarding
        battery life and range
      • Laptop-class attackers: more powerful devices,
        such as laptops, are used to attack the system.
        These attacks are more harmful as they are not
        constrained to the limitations of motes. Some
        advantages over mote-class attackers include
        greater battery life, increased range, better
        CPU, higher power transmitter, and a more
        sensitive antenna
  • Attacker Type
      • Outside attacker: this attack is external to the
        network, usually via a laptop
      • Inside attacker: this attack is initiated by an
        authorized node in the WSN that is compromised
        and malicious

10
General Attacks on Sensor Networks
  • Spoofed, altered, or replayed routing information
  • Selective forwarding
  • Sinkhole attacks
  • Sybil attacks
  • Wormholes
  • HELLO flood attacks
  • Acknowledgement spoofing
  • Many of these attacks work in tandem toward
    malevolent ends

11
Spoofed, Altered, or Replayed Routing Info
  • Targets routing information exchanged between
    nodes
  • May be able to:
      • Create routing loops
      • Attract or repel network traffic
      • Extend or shorten source routes
      • Generate false error messages
      • Partition the network

12
Selective Forwarding
  • Malicious nodes may refuse to forward certain
    messages and impede their propagation
  • An adversary that is selectively forwarding
    sends along only some of the packets received. If
    it stopped sending altogether, the surrounding
    nodes would just assume that the node had failed
    and would seek an alternate forwarding route
  • Adversaries attempt to include themselves in the
    actual path of the data flow

13
Sinkhole Attacks
  • Attempts to lure nearly all traffic from an area
    in the WSN to a certain malicious node. This
    creates a sinkhole with the adversary at the
    center
  • Sinkholes have many opportunities to tamper with
    the transmitted data and can also start other
    types of attacks
  • A sinkhole node will pretend to be a very
    high-quality transmission route to entice more
    nodes to send information through it
  • Laptop-class adversaries with powerful
    transmitters can provide a high quality route for
    data transmission by transmitting with enough
    power to reach the base station, so if the
    surrounding nodes attempt to verify the
    reliability or latency of the malicious node, it
    will appear as a very attractive route to send
    data through
  • Nodes will spread the news of the attractiveness
    of the adversary to their neighbors
  • The malicious node selectively suppresses or
    modifies packets originating from any node in
    its area

14
Selective Forwarding/Sinkhole
Enemy Area
15
The Sybil Attack
  • A single node presents multiple identities to
    other nodes in the network
  • Nodes think they are sensing multiple nodes, when
    in actuality they are just seeing the one
    malicious node posing as numerous nodes in the
    WSN
  • Poses a great threat to geographic routing
    protocols since the adversary node can claim to
    be in multiple positions

16
The Sybil Attack
17
Wormholes
  • A wormhole attack tunnels communication from one
    part of the network to another
  • This can be done to make two far off nodes
    believe that they are close to each other
  • Also, a wormhole can create an out-of-bounds
    path for only compromised nodes to communicate
    using a private frequency or modulation
  • A powerful wormhole could create a sinkhole by
    convincing nodes that they are closer to the base
    station than they truly are and then sending the
    data somewhere else

18
Wormhole
19
HELLO Flood Attack
  • Many protocols have nodes use HELLO packets to
    announce themselves to their neighbors in the
    network; these announcements are not authenticated
  • Nodes assume they are close to the sender when a
    HELLO is received, but a high-powered device
    could cause misinformation by, in theory,
    announcing a HELLO to the whole network
  • This could cause all other nodes to want to use
    this new route, leaving farther-away nodes
    talking to no one
  • This attack makes the network reorder itself and
    leaves it in a state of confusion
  • Works like a one-way wormhole

20
HELLO!
21
Acknowledgement Spoofing
  • By using false acknowledgements, a corrupted node
    can convince nodes that weak or dead links are
    strong or alive
  • This would cause a network full of dead-end hops

22
Specific Attacks on WSN Protocols
  • TinyOS Beacon
      • The base station periodically broadcasts an
        unauthenticated route update
      • A laptop or mote can pretend to be the base
        station and initiate this update
      • This causes all nodes to believe the adversary is
        the base station, whether it can reach it or not
      • The adversary can also choose not to pretend to
        be the base, and instead reorder the routing
        tables into loops and dead ends
      • TinyOS beacon is so simple that this attack
        leaves the network in a nearly irrecoverable state

23
Specific Attacks on WSN Protocols
  • Directed Diffusion
      • Uses a data-centric routing algorithm to draw
        information out of a WSN
      • Base stations flood interest for named data, and
        the nodes that comply simply reverse the path
        back to the sink
      • Paths are reinforced as more data is successfully
        sent along
      • An attacker can spoof negative reinforcements to
        weaken links
      • An adversary can replay a data interest from the
        base with itself as the base, thereby routing the
        traffic to itself
      • A compromised node can spoof positive
        reinforcements and data events to restructure the
        routes as it pleases, thereby controlling the
        flow

24
Specific Attacks on WSN Protocols
  • Geographic Routing
      • This routing is based on the location of the
        nodes in a grid
      • One method has packets trying a greedy direct
        route to their destination, and going around
        voids, regardless of energy
      • Another method weighs the next hop in terms of
        distance to destination and energy consumption
      • The Sybil attack is most effective here: by
        pretending to be multiple high-powered nodes, an
        adversary can maximize its chances of controlling
        the flow

25
Specific Attacks on WSN Protocols
  • Minimum Cost Forwarding
      • Creates a cost-based routing field with the base
        as 0
      • Nodes do not maintain explicit path information
        or unique identifiers
      • Extremely susceptible to a sinkhole
      • Using a HELLO attack, a powerful device can
        disable the whole network by advertising a cost 0
        route
  • Low-energy Adaptive Clustering Hierarchy
      • Organizes nodes into clusters, where a rotating
        cluster head receives, compresses and sends all
        data directly to the base
      • A powerful adversary could use a HELLO attack to
        be chosen as the cluster head for all nodes. If
        the protocol desires different heads each cycle,
        a Sybil attack can be used to maintain control
  • Rumor Routing
      • Uses probability to match queries with data
        events to form energy-efficient routes
      • A mote-class adversary could disrupt the creation
        of routes with a sinkhole that seems appealing to
        all nodes and then selectively forward data
  • Energy Conserving Topology Maintenance
      • Places many more nodes than needed and then
        adaptively decides which nodes need to be active
        to maintain the routes, allowing the others to
        sleep
      • With HELLO and Sybil attacks, compromised nodes
        could force all others to sleep by advertising as
        higher-ranking nodes

26
Countermeasures: Introduction to Keys
  • Symmetric (Private) Key Algorithms
      • The encryption key is trivially related to the
        decryption key, being either the same or a simple
        math function away
      • Much less strain on processor power than public
        keys (on the order of 100-1000x)
      • Requires both sides to know the shared secret key
      • Due to adversaries, the key must be changed
        often, requiring a reliable method of changing
        and updating the key on all devices with no
        errors
      • A device that holds plaintext data, whether of
        its choosing or not, and the corresponding
        encrypted data can attempt a crack
      • Offers no authentication (signing) since the keys
        are universal

27
Countermeasures: Introduction to Keys
  • Asymmetric (Public) Key Cryptography
      • Requires each user to have two keys, one public
        and one private
  • Public Key Encryption
      • Data is encrypted for a specific user with their
        public key, and can only be decoded with the
        private key
  • Digital Signatures
      • Data can be signed by using a private key. Others
        can authenticate the source because only the
        matching public key will decipher the information
  • Keys can be brute-force attacked and deciphered
      • In order to prevent this, a suitably long key can
        be chosen, making the computational time of the
        attack not worthwhile

28
Asymmetric Key Cryptography
29
Countermeasures: Private Keys and the WSN
  • Use of global encryption keys is a good defense
    against outsider attacks
  • The outsider adversary would be prevented from
    joining the topology, making attacks such as the
    Sybil and selective forwarding attacks impossible
  • However, attacks such as a HELLO flood and
    wormholes could still be implemented from the
    outside
  • This security is ineffectual against insider
    attacks

30
Countermeasures: Sybil Attack
  • Using a global key allows a compromised node to
    pretend to be any node
  • Identity verification using public keys would
    prevent a node from masquerading as anyone other
    than itself
  • Very taxing, if not impossible, for the simple
    node hardware to implement
  • Solution: the damage of a compromised node can be
    minimized by having a base station assign
    symmetric keys. Once this is done, a node can then
    use these keys to communicate with a limited
    number of neighbors

31
Countermeasures: HELLO flood
  • Using the type of security from the previous
    slide, the damage from a HELLO attack can be
    minimized
  • Because the bidirectional communication between
    nodes is limited to a certain number of
    neighbors, a HELLO attack could only affect those
    verified neighbors
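
Added example, not from the original slides: the base-station key assignment with a neighbor limit described on the Sybil and HELLO flood countermeasure slides, in Python. `BaseStation`, `proof`, `MAX_NEIGHBORS`, the nonce check and the node names are assumptions made for illustration, and delivery of the link key to both nodes is omitted.

```python
import hashlib, hmac, os

MAX_NEIGHBORS = 3  # assumed per-node limit; the slides do not give a number

def proof(node_key: bytes, claimed_id: str, peer: str, nonce: bytes) -> bytes:
    # A node proves an identity to the base with a MAC under that node's key.
    return hmac.new(node_key, f"{claimed_id}|{peer}|".encode() + nonce,
                    hashlib.sha256).digest()

class BaseStation:
    def __init__(self, node_keys: dict):
        self.node_keys = node_keys           # id -> key shared only with base
        self.neighbors = {n: set() for n in node_keys}
        self.seen = set()                    # nonces already used (anti-replay)

    def request_link(self, claimed_id, peer, nonce, tag):
        """Return a fresh pairwise key for (claimed_id, peer), or None."""
        key = self.node_keys.get(claimed_id)
        if key is None or peer not in self.node_keys or peer == claimed_id:
            return None
        if nonce in self.seen:
            return None                      # replayed request
        if not hmac.compare_digest(tag, proof(key, claimed_id, peer, nonce)):
            return None                      # claimed identity not proven
        a, b = self.neighbors[claimed_id], self.neighbors[peer]
        if peer not in a and (len(a) >= MAX_NEIGHBORS or len(b) >= MAX_NEIGHBORS):
            return None                      # neighbor quota exhausted
        self.seen.add(nonce)
        a.add(peer)
        b.add(claimed_id)
        # A deployment would send this key encrypted under each node's own
        # key; that transport step is left out here.
        return os.urandom(16)

def demo():
    keys = {f"n{i}": os.urandom(16) for i in range(10)}  # constructed network
    base = BaseStation(keys)

    def ask(holder, claimed, peer):
        # `holder` is the node whose key actually signs the request.
        nonce = os.urandom(8)
        tag = proof(keys[holder], claimed, peer, nonce)
        return base.request_link(claimed, peer, nonce, tag)

    sybil = ask("n7", "n9", "n1")                         # n7 claims to be n9
    flood = [ask("n7", "n7", f"n{i}") for i in range(7)]  # n7 asks for 7 links
    return sybil, sum(k is not None for k in flood)
```

The compromised node cannot speak for an identity whose key it lacks, and its own identity reaches at most `MAX_NEIGHBORS` peers however far its radio carries.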

32
Countermeasures: Wormhole and Sinkhole Attacks
  • These attacks are extremely difficult to prevent.
    Wormholes use out-of-bounds communication, and
    sinkholes use hard-to-verify advertisements to
    attract data.
  • Protocols based on geographic node location
    depend only on local interactions and therefore
    have a degree of defense. Traffic is routed
    naturally towards the base, making it
    difficult to pull the data off the path
  • There is no generic defense that can prevent these
    attacks. Any adversary can sniff information and
    retransmit it anywhere to cause problems for the
    network

33
Countermeasures: Leveraging Global Knowledge
  • When the network size is limited or the topology
    of the WSN is well-structured, global knowledge
    can be leveraged in security mechanisms
  • After initially deploying nodes, the information
    about location and neighboring nodes can be sent
    back to the base station. Drastic or suspicious
    changes to the network could indicate a malicious
    node, and action could be taken to limit its
    effect on the WSN
  • Eliminating the need for the nodes to advertise
    their location can be achieved by restricting the
    layout of the nodes and arranging them in a
    grid-like pattern
  • In the grid, nodes can derive their neighbors'
    locations from their own, and nodes can be
    addressed by location rather than by identifier

34
Countermeasures: Selective Forwarding
  • Multipath routing can be used to counter
    selective forwarding attacks
  • The use of multiple braided paths could give
    probabilistic protection against selective
    forwarding and use only localized information
  • If a node is allowed to choose the next packet
    hop probabilistically from a set of neighboring
    nodes it can reduce the chances of a malevolent
    node gaining total control of the data flow
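
Added example, not from the original slides: an exact calculation, in Python, of how much traffic a selectively forwarding node can suppress when next hops are fixed versus chosen probabilistically. The topology, the node names and the drop rates are constructed for illustration.

```python
from fractions import Fraction

# Constructed topology: for each node, its candidate next hops toward the sink.
NEXT_HOPS = {
    "S": ["B", "A", "C"],
    "A": ["D", "E"], "B": ["E", "D", "F"], "C": ["E", "F"],
    "D": ["sink"], "E": ["sink"], "F": ["sink"],
}

def single_path(node):
    # Deterministic routing: always the first-listed (preferred) next hop.
    return [(NEXT_HOPS[node][0], Fraction(1))]

def randomized(node):
    # Probabilistic routing: uniform choice over all candidate next hops.
    hops = NEXT_HOPS[node]
    return [(h, Fraction(1, len(hops))) for h in hops]

def delivery(node, drop, policy):
    """Exact probability that a packet at `node` reaches the sink.

    `drop` maps each malicious node to the fraction of packets it discards.
    """
    if node == "sink":
        return Fraction(1)
    forwarded = 1 - drop.get(node, Fraction(0))
    return forwarded * sum(p * delivery(nxt, drop, policy)
                           for nxt, p in policy(node))

def compare(drop):
    # (delivery ratio with a fixed path, delivery ratio with random next hops)
    return delivery("S", drop, single_path), delivery("S", drop, randomized)

if __name__ == "__main__":
    # E sits on the preferred path S -> B -> E -> sink and drops half the packets.
    print(compare({"E": Fraction(1, 2)}))
```

With node E on the preferred path, the fixed route loses exactly what E drops, while random next-hop choice bounds the loss by the probability of passing through E at all.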

35
Countermeasures: Authenticated Broadcast and Flooding
  • Nodes must be able to trust base stations, so
    harmful nodes must not be able to send spoofed
    broadcast or flooded messages from base stations
  • No node should be able to spoof messages from the
    base station, yet every node should be able to
    verify them
  • HELLO messages should be authenticated and
    impossible to spoof
  • Authenticated broadcasts could possibly use
    digital signatures or extra packet overhead
  • µTESLA is a protocol for efficient, authenticated
    broadcast and flooding
      • Uses symmetric key cryptography and requires
        minimal packet overhead
      • Achieves the necessary asymmetry using delayed
        key disclosure and one-way chains built from a
        publicly computable, cryptographically secure
        hash function
      • Requires loose time synchronization
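
Added example, not from the original slides or from the µTESLA authors: delayed key disclosure over a one-way hash chain, in Python, as seen by a receiving node. Intervals are integer counters, the chain key is used directly as the MAC key (a simplification made here), and `DELAY`, `Receiver`, `make_chain` and the sample messages are assumptions.

```python
import hashlib, hmac

DELAY = 2  # the key for interval i is disclosed DELAY intervals later

def H(x: bytes, times: int = 1) -> bytes:
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    return x

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(seed: bytes, n: int) -> list:
    # [K_0 .. K_n] with K_i = H(K_{i+1}); K_0 is the commitment nodes preload
    return [H(seed, n - i) for i in range(n + 1)]

class Receiver:
    def __init__(self, commitment: bytes, max_skew: int = 0):
        self.idx, self.key = 0, commitment  # newest authenticated chain key
        self.max_skew = max_skew            # bound on clock error (loose sync)
        self.buffer, self.accepted = [], []

    def on_packet(self, interval: int, msg: bytes, tag: bytes, now: int) -> bool:
        # Security condition: drop the packet if the sender may already have
        # disclosed the key for `interval`; anyone could then have forged it.
        if now + self.max_skew >= interval + DELAY:
            return False
        self.buffer.append((interval, msg, tag))
        return True

    def on_key(self, interval: int, key: bytes) -> bool:
        # Authenticate the key by hashing back to the last trusted chain key;
        # this also recovers from disclosures that were lost in transit.
        if interval <= self.idx:
            return False
        if not hmac.compare_digest(H(key, interval - self.idx), self.key):
            return False
        self.idx, self.key = interval, key
        pending, self.buffer = self.buffer, []
        for i, msg, tag in pending:
            if i > interval:
                self.buffer.append((i, msg, tag))  # key not disclosed yet
            elif hmac.compare_digest(tag, mac(H(key, interval - i), msg)):
                self.accepted.append(msg)
        return True

def demo():
    chain = make_chain(b"constructed-seed", 4)  # constructed sample chain
    rx = Receiver(chain[0])
    rx.on_packet(1, b"route update", mac(chain[1], b"route update"), now=1)
    late = rx.on_packet(1, b"forged", mac(chain[1], b"forged"), now=3)
    rx.on_key(1, chain[1])
    return rx.accepted, late
```

The forged packet in `demo` carries a valid MAC under a key that is already public, and the receiver rejects it on timing alone, which is why the scheme depends on loose time synchronization.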

36
Summary
  • There are many attacks that could be leveled
    against wireless sensor networks, to control
    data, reorder the routing or simply wreak havoc
  • Many of the best defenses use technology or
    processing power that defeats the purpose of
    cheap small nodes
  • Using small amounts of authentication can cheaply
    provide enough protection to deter a few of the
    attack types
  • The best defense is to know the goal of the
    devices beforehand, allowing the routing
    protocols and security to be designed in tandem

37
Works Cited
  • Chris Karlof et al., "Secure Routing in
    Wireless Sensor Networks: Attacks and
    Countermeasures," Elsevier Ad Hoc Networks 1,
    293-315, 2003.
  • www.wikipedia.org
  • Mengke Li, "Secure Routing Protocols in Wireless
    Sensor Networks," UNL, 2004.
