1

Secure Routing in Wireless Sensor Networks : Attacks and Countermeasures

Authors: Chris Karlof and David Wagner

Presenter: Ivanka Todorova

2

Outline

Introduction and Contributions Background Sensor vs. ad-hoc wireless networks Problem Statement Attacks on sensor network routing Attacks on specific sensor network protocols Countermeasures Conclusions

3

Introduction and Contributions Threat models and security goals for routing in WSNs

Two new attacks Sinkhole attacks HELLO floods

How to adapt attacks against ad-hoc wireless networks into powerful attacks against WSNs

Practical attacks against routing protocols and topology maintenance algorithms for WSNs

Countermeasures and design considerations for secure routing protocols in WSNs

4

Background WSNs consist of hundreds or thousands of

low-power, low-cost nodes having a CPU, power source, radio, and other sensing elements

Have one or more points of centralized control called base stations or sinks

Sensor readings from multiple nodes processed at aggregation points

Power is the scarcest resource

5

Background

A representative sensor network architecture

Picture from [7]

6

WSNs vs. Ad-hoc WNs

WSNs Communication method -

multihop networking One or more points of

centralized control such as base stations

Routing - specialized communication pattern

Resource-starved nature Trust relationships between

nodes assumed Public key cryptography not

feasible

AD-hoc WNs Communication method

- multihop networking There is no fixed

infrastructure such as base stations

Routing - any pair of nodes

Limited resources Trust relationships

between nodes not assumed

Public key cryptography possible

7

Problem Statement Network assumptions

Insecure radio links Malicious nodes may collude to attack the

network Sensor nodes not temper resistant Physical and MAC layers vulnerable to direct

attacks Trust Requirements

Base stations are trustworthy Aggregation points not necessarily trustworthy

8

Problem Statement cont’d Two types of threat models Based on type of attacking devices

Mote-class attackers Laptop-class attackers

Based on attacker location Outsider attacks Insider attacks

Security goals Confidentiality, integrity, authenticity, and

availability of all messages

9

Attacks on sensor network routing Spoofed, altered, or replayed routing

information Selective forwarding Sinkhole attacks

Adversary’s goal is to lure traffic through a compromised node

Work by making the compromised node look attractive

Makes selective forwarding trivial

10

Attacks on sensor network routing cont’d

Sybil Attack“One can have, some claim, as many electronic personas as one has time and energy to create.”

Judith S. Donath [1]

Picture from [2]

11

Attacks on sensor network routing cont’d

WormholeAn adversary tunnels packets received in one part of the network over a low-latency link and replays them in a different part of the network

Picture from http://library/thinkquest.org/27930/wormhole.htm

12

Attacks on sensor network routing cont’d HELLO flood attack

Many protocols require that nodes broadcast HELLO packets to announce themselves to their neighbors

Laptop-class attacker can convince all nodes that it is their neighbor by transmitting at high power

Acknowledgement spoofing

13

Attacks on specific sensor network protocols TinyOS beaconing

Description Attacks

Can authenticated routing updates solve the problem?

Picture from [7]

14

Attacks on specific sensor network protocols cont’d

Combined wormhole/sinkhole attack

Picture from [7]

15

Attacks on specific sensor network protocols cont’d

What if a laptop-class adversary uses a HELLO flood attack?

What about mote-class adversaries? Routing loops

Picture from [7]

16

Attacks on specific sensor network protocols cont’d

Directed diffusion

•AttacksAttacks – Suppression, Cloning, Path influence, Selective – Suppression, Cloning, Path influence, Selective forwarding and data tamperingforwarding and data tampering

Interest propagation Initial gradients set up Data delivery along reinforced path

Pictures from [6]

17

Attacks on specific sensor network protocols cont’d

Geographic routing Two protocols

GPSR (Greedy Perimeter Stateless Routing) GEAR (Geographic and Energy Aware Routing)

Description Greedy forwarding routing each packet to the neighbor

closest to the destination GEAR weighs the choice of the next hop by both remaining

energy and distance from the target

18

Attacks on specific sensor network protocols cont’d Geographic routing

Greedy forwarding example: y is x’s closest neighbor to D

Greedy forwarding failure: x is a local maximum inits geographic proximity to D; w and y are farther from D.

Pictures from [14]

19

Attacks on specific sensor network protocols cont’d

Geographic routing

Node x’s void with respect to destination D.

Picture from [14]

20

Attacks on specific sensor network protocols cont’d

Geographic routing Attacks

Sybil attack

Picture from [7]

21

Attacks on specific sensor network protocols cont’d

Attacks cont’d Creating routing loops in GPSR

Picture from 7

22

Attacks on specific sensor network protocols cont’d Minimum cost forwarding

Description

Attacks Sinkhole attack HELLO flood attack can disable the entire network

MN

CM+LN, M

CN

CM

23

Attacks on specific sensor network protocols cont’d LEACH: low-energy adaptive clustering

hierarchy Description

Nodes organized into clusters with one node serving as a cluster-head

Cluster-heads aggregate data for transmission to a base station

Attacks HELLO flood attack Countermeasures defeated by a Sybil attack

24

Attacks on specific sensor network protocols cont’d

Energy conserving topology maintenance Geographic Adaptive Fidelity

(GAF)State transitions

Node redundancy

Virtual grid

Pictures from [5]

25

Countermeasures Shared key and link layer encryption

Prevent outsider attacks - Sybil attacks, selective forwarding, ACK spoofing

Cannot handle insider attacks - Wormhole, HELLO flood, TinyOS beaconing attacks In case of a wormhole encryption may make selective

forwarding more difficult but cannot prevent blackholes

Sybil and HELLO flood attacks A globally shared key allows an insider to masquerade

as any node A pair of nodes can use a Needham-Schroeder

protocol to establish a shared key Limit the number of neighbors for a node Verify the bidirectionality of the link for a HELLO flood

attack

26

Countermeasures Amended Needham Schroeder Symmetric Key

Author(s): Roger Needham and Michael Schroeder  (1987) Distribution of a shared symmetric key by a trusted server

and mutual authentication. Symmetric key cryptography with server.

27

Countermeasures Wormhole and sinkhole attacks

Protocols that construct a topology initiated by a base station are the most vulnerable

Good routing protocol design may be the solution – geographic routing protocols

Geographic routing attacks Use fixed topology to eliminate the need for location

information Selective forwarding

Multipath routing Braided paths Allowing nodes to dynamically choose a packet’s next hop

probabilistically from a set of possible candidates

28

Countermeasures

Braided path

Picture from [10]

29

Countermeasures Authenticated broadcast and flooding

μTESLA protocol to prevent replay of broadcast messages issued by the base station Replay is prevented because messages authenticated

with previously disclosed keys are ignored Flood the information about the malicious nodes

in the network

30

Conclusions

End-to-end security mechanisms between a sensor node and a base station unlikely to guarantee integrity, authenticity, and confidentiality of messages

Link layer security not enough to protect against insider attacks

The routing protocol itself must be secure

31

Conclusions Protection against the replay of data packets should

not be a security goal of a routing protocol Sinkhole attacks and wormholes are a significant

challenge Wormholes are hard to detect because they use private,

out-of-band channel invisible to the underlying network Sinkholes are difficult to defend against because they

leverage hard to verify information such as remaining energy

Protocols that construct topology initiated by a base station are most vulnerable

Geographic routing protocols are resistant Crucial to design routing protocols in which these

attacks are meaningless

32

Conclusions Geographic routing relatively secure against

wormhole, sinkhole, and Sybil attacks Traffic naturally routed toward the physical location of a

base station

The main remaining problem is that location information must be trusted

Restricting the structure of the topology eliminates the need for nodes to advertise their locations

If nodes are arranged in a grid every node can easily derive its neighbors’ locations

33

Conclusions

Clustering protocols like LEACH may yield the most secure solutions against node compromise and insider attacks

Virtual base stations can be used to create an overlay network

34

Future Work

How the feature of autonomic computing can be applied to WSNs to improve security [11,12]

Self-healing in WSNs [13]

35

References1. J. S. Donath, “Identity and Deception in the Virtual Community”, Communities

in Cyberspace, Routledge, 1998.2. J.R. Douceur, The Sybil attack, in: 1st International Workshop on Peer-to-

Peer Systems (IPTPS 02), 2002.3. L. Zhou, Z. Haas, Securing ad hoc networks, IEEE Network Magazine 13 (6)

(1999) 24–30.4. F. Stajano, R.J. Anderson, The resurrecting duckling: security issues for ad-

hoc wireless networks, in: Seventh International Security Protocols Workshop, 1999, pp. 172–194.

5. Y. Xu, J. Heidemann, D. Estrin, Geography-informed energy conservation for ad hoc routing, in: Proceedings of the Seventh Annual ACM/IEEE International Conference on Mobile Computing and Networking, 2001.

6. C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: a scalable and robust communication paradigm for sensor networks, in: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networks (Mobi-COM 00), 2000.

7. C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," in IEEE SPNA, 2002

36

References8. F. Ye, A. Chen, S. Lu, L. Zhang, A scalable solution to minimum cost forwarding

in large sensor networks, in: Tenth International Conference on Computer Communications and Networks, 2001, pp. 304–309.

9. W.R. Heinzelman, A. Chandrakasan, H. Balakrishnan, Energy-efficient communication protocol for wireless microsensor networks, in: 33rd Annual Hawaii International Conference on System Sciences, 2000, pp. 3005–3014.

10. Deepak Ganesan, Ramesh Govindan, Scott Shenker, Deborah Estrin, Highly-resilient, energy-efficient multipath routing in wireless sensor networks, in: Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing, 2001, pp. 251-254.

11. http://s3lab.cs.okstate.edu/projects/CIP-WSN/12. http://www.cse.msu.edu/~mckinley/920/Spring-2006/920-reading-final.html13. Tatiana Bokareva, Nirupama Bulusu, Sanjay Jha, SASHA: Toward a Self-

Healing Hybrid Sensor Network Architecture. Retrieved from http://web.cecs.pdx.edu/~nbulusu/papers/emnets.pdf on March 2, 2008.

14. Brad Karp, H.T. Kung, GPSR: Greedy Perimeter Stateless Routing for WirelessNetworks, Retrieved March 4, 2008 from http://www.eecs.harvard.edu/~htk/publication/2000-mobi-karp-kung.pdf