Wireless Security in the Real World: Using Physical Properties to Mitigate Wormhole Attacks SIGNET Seminar University of Delaware 15 September 2004 David Evans (work with Lingxuan Hu) University of Virginia Computer Science



Computing is Entering Real World

Desktop PC: Protected Box; Narrow Interface; 1 Machine per User-Admin

Sensor Network: Unprotected Nodes; Wide Interface; Thousands of Nodes per Admin


…this Changes Security

Desktop PC: Access Control; Perimeters; Authenticity

Sensor Network: Resource Consumption; Integrity, Survivability; Resilience


Challenges in Sensor Networks

• Vulnerable communication channels

• Physically vulnerable devices

• Limited energy

• No (or little) established infrastructure

• Depend on other nodes to accomplish anything


New Opportunities

• Embedded in an environment
– Physical properties of the environment constrain reality (space)
– Inertia: it takes time for things to change

• Quantity
– Many redundancies


This Talk

• Two protocols for sensor networks:

– Secure neighbor discovery protocol that uses space and quantity.

– Localization protocol that uses space, time and quantity.

L. Hu and D. Evans. Using Directional Antennas to Prevent Wormhole Attacks. NDSS 2004.

L. Hu and D. Evans. Localization for Mobile Sensor Networks. MobiCom 2004.


Wormhole Attacks


Wormhole Attack

[Diagram: network nodes labelled S, D, A, B and C, with wormhole endpoints X and Y]

Attacker needs transceivers at two locations in the network, connected by a low latency link

Attacker replays (selectively) packets heard at one location at the other location

Pirate image by Donald Synstelien


Beacon Routing

[Diagram: nodes labelled 0, 1, 2, 3 and 4]

Nodes select parents based on minimum hops to base station


Wormhole vs. Beacon Routing

[Diagram: two groups of nodes labelled 0, 1 and 2, joined by wormhole endpoints X and Y]

Wormhole attack disrupts network without needing to break any cryptography!

[Karlof and Wagner, 2003] [Hu, Perrig, Johnson 2003]


Wormhole Impact

[Figure: Fraction of Routes to Base Station Disrupted (0 to 1) vs. Position of Endpoint (x,x) (0 to 500); series: Base Station at Corner, Base Station at Center]

A randomly placed wormhole disrupts ~5% of links

A single wormhole can disrupt 40% of links (center)


Previous Solution: Use Arrival Time

• “Leashes” constrain distance packet can travel

• Geographical leashes: nodes know their location
– Sender includes its location and send time in packet
– Receiver checks distance to sender

• Temporal leashes: tightly synchronized clocks
– Sender sets expiration time when sending packet

• Drawback: requires clock synchronization or accurate localization

Yih-Chun Hu, Perrig and Johnson. INFOCOM 2003


Our Approach

• Use directional information
– Directional antennas can identify direction of sender

• Exploit simple physical properties of space

• Cooperate with neighbors (in different locations) to validate legitimacy of other nodes

• No clock synchronization or location information required


Directional Antennas

Model based on [Choudhury and Vaidya, 2002]

General benefits: power saving, fewer collisions

[Diagram: antenna with six zones numbered 1 to 6, North marked]

Aligned to magnetic North, so zone 1 always faces East

[Diagrams: Omnidirectional Transmission; Directional Transmission from Zone 4]


Assumptions

• Legitimate nodes can establish secure node-node links (all critical messages are authenticated)

• Network is fairly dense

• Nodes are stationary

• Most links are bidirectional (unidirectional links cannot be established)

• Transmissions are perfect wedges (relaxed later)

• Nodes are aligned perfectly (relaxed later)


Protocol Idea

• Wormhole attack depends on a node that is not nearby convincing another node it is

• Verify neighbors are really neighbors
– Directional consistency

• Only accept messages from verified neighbors


Directional Neighbor Discovery

1. A → Region: HELLO | IDA
Sent by all antenna elements (sweeping)

2. B → A: IDB | EKBA (IDA | R | zone (B, A))
Sent by zone (B, A) element, R is nonce

3. A → B: R
Checks zone is opposite, sent by zone (A, B)

zone (B, A) = 4 is the antenna zone in which B hears A

[Diagram: nodes A and B, antenna zones numbered 1 to 6]


Detecting False Neighbors

[Diagram: nodes A and B, wormhole endpoints X and Y, antenna zones numbered 1 to 6]

zone (B, A[Y]) = 1

zone (A, B [X]) = 1

False Neighbor: zone (A, B) should be opposite zone (B, A)


Not Detecting False Neighbors

[Diagram: nodes A and B, wormhole endpoints X and Y, antenna zones numbered 1 to 6]

zone (B, A[Y]) = 4

zone (A, B [X]) = 1

Undetected False Neighbor: zone (A, B) = opposite of zone (B, A)

Directional neighbor discovery prevents 1/6 of false direct links…but doesn’t prevent disruption


Observation: Cooperate!

• Wormhole can only trick nodes in particular locations

• Verify neighbors using other nodes

• Based on the direction from which you hear the verifier node, and it hears the announcer, can distinguish legitimate neighbor


Verifier Region

[Diagram: nodes A and B and verifier V, antenna zones numbered 1 to 6]

zone (B, A) = 4
zone (V, A) = 3
zone (B, V) = 5

A verifier must satisfy these two properties:

1. Be heard by B in a different zone: zone (B, A) ≠ zone (B, V); otherwise V could be through wormhole

2. B and V hear A in different zones: zone (B, A) ≠ zone (V, A); otherwise A could have tricked V too

(one more constraint will be explained soon)


Verified Neighbor Discovery

[Diagram: nodes A and B and verifier V]

1. A → Region: Announcement, done through sequential sweeping
2. B → A: Include nonce and zone information in the message
3. A → B: Check zone information and send back the nonce
(Steps 1 to 3: same as before)
4. B → Region: Request for verifier to validate A
   INQUIRY | IDB | IDA | zone (B, A)
5. V → B: If V is a valid verifier, sends confirmation
   IDV | EKBV (IDA | zone (V, B))
6. B → A: Accept A as its neighbor and notify A


Verifier Analysis

[Diagram: nodes A and B and verifier V, wormhole endpoints X and Y, Region 1 and Region 2, antenna zones numbered 1 to 6]

Wormhole cannot trick a valid verifier:
zone (V, A [Y]) = 5
zone (A, V [X]) = 1
Not opposites: verification fails


Connectivity

[Figure: map of the network, x (meters) vs. y (meters), each 0 to 500; legend: Established all links; Established some links (but not all); Disconnected]

Verified Protocol, Density = 3 (Directional Density = 9.7)


Worawannotai Attack

[Diagram: nodes A, B and V, attacker X, Region 1 and Region 2, antenna zones]

V hears A and B directly

A and B hear V directly

But, A and B hear each other only through repeated X


Preventing Attack

1. zone (B, A) ≠ zone (B, V)
2. zone (B, A) ≠ zone (V, A)
3. zone (B, V) cannot be both adjacent to zone (B, A) and adjacent to zone (V, A)
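The opposite-zone check from directional neighbor discovery and the verifier constraints listed above, put together as an added Python example (not code from the talk or from the authors' papers). The clockwise zone numbering with zone 1 centred on East, the radio range, the wormhole replay model and every coordinate are assumptions constructed for illustration.

```python
import math

R = 30.0  # radio range in metres (constructed value)

def zone_of(listener, source):
    """Antenna zone (1-6) in which `listener` hears a signal arriving from `source`.

    Assumption: six 60-degree zones, zone 1 centred on East, numbered clockwise.
    """
    dx, dy = source[0] - listener[0], source[1] - listener[1]
    clockwise_from_east = -math.degrees(math.atan2(dy, dx)) % 360
    return int(((clockwise_from_east + 30) % 360) // 60) + 1

def opposite(zone):
    return (zone + 2) % 6 + 1  # 1<->4, 2<->5, 3<->6

def adjacent(z1, z2):
    return (z1 - z2) % 6 in (1, 5)

def hears(listener, source, wormhole=None):
    """Zone in which `listener` hears `source`, or None if nothing is heard.

    wormhole=(X, Y): packets heard near one endpoint are replayed at the other,
    so they arrive from the direction of the replaying endpoint.
    """
    if math.dist(listener, source) <= R:
        return zone_of(listener, source)
    if wormhole:
        for near_src, near_lst in (wormhole, wormhole[::-1]):
            if math.dist(source, near_src) <= R and math.dist(listener, near_lst) <= R:
                return zone_of(listener, near_lst)
    return None

def simple_link(a, b, wormhole=None):
    """Directional neighbor discovery: zone (A, B) must be opposite zone (B, A)."""
    z_ab, z_ba = hears(a, b, wormhole), hears(b, a, wormhole)
    return z_ab is not None and z_ba is not None and z_ab == opposite(z_ba)

def valid_verifier(z_ba, z_bv, z_va, strict=False):
    """Constraints 1 and 2 from the slides; strict=True adds constraint 3."""
    if z_ba == z_bv or z_ba == z_va:
        return False
    if strict and adjacent(z_bv, z_ba) and adjacent(z_bv, z_va):
        return False
    return True

def verified_link(a, b, candidates, wormhole=None, strict=False):
    """B accepts A only if some V, a directional neighbor of both, is a valid verifier."""
    if not simple_link(a, b, wormhole):
        return False
    z_ba = hears(b, a, wormhole)
    return any(
        simple_link(v, a, wormhole) and simple_link(v, b, wormhole)
        and valid_verifier(z_ba, hears(b, v, wormhole), hears(v, a, wormhole), strict)
        for v in candidates
    )

# Constructed layouts (metres). The first reproduces the zone values on the
# "Verifier Region" slide; the second puts A and B about 210 m apart, joined
# only by a wormhole with endpoints X = (10, 0) and Y = (200, 0).
A, B_NEAR, V_NEAR = (0, 0), (20, 0), (10, 15)
WORMHOLE = ((10, 0), (200, 0))
B_FAR, V1, V2 = (210, 0), (220, -20), (215, 2)

if __name__ == "__main__":
    print("legitimate link verified:", verified_link(A, B_NEAR, [V_NEAR]))
    print("wormhole passes two-party check:", simple_link(A, B_FAR, WORMHOLE))
    print("wormhole passes verified check:",
          verified_link(A, B_FAR, [V1, V2], WORMHOLE))
```

In the wormhole layout, V1 hears A in zone 5 while A hears V1 in zone 1, so V1 never becomes A's neighbor; V2 hears A in zone 4, the same zone as B, so constraint 2 rejects it.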


Cost Analysis

• Communication Overhead
– Minimal
– Establishing link keys typically requires announcement, challenge and response
– Adds messages for inquiry, verification and acceptance

• Connectivity
– How many legitimate links are lost because they cannot be verified?


Lose Some Legitimate Links

[Figure, two panels (Network Density = 10; Network Density = 3): Link Discovery Probability (0 to 1) vs. Node Distance (r) (0 to 1); series: Verified Protocol; Strict Protocol (Preventing Worawannotai Attack)]


…but small effect on connectivity and routing

[Figure: Average Path Length (0 to 10) vs. Omnidirectional Node Density (4 to 20); series: Strict Protocol; Trust All; Verified Protocol]

Network density = 10

Verified protocol: 0.5% links are lost, no nodes disconnected

Strict protocol: 40% links are lost, 0.03% nodes disconnected


Dealing with Error

[Figure, two panels (Network Density = 10; Network Density = 3): Ratio (0 to 1) vs. Maximum Directional Error Degree (0 to 60); series: Lost Links, Strict Protocol; Lost Links, Verified Protocol; Disconnected Nodes, Strict Protocol; Disconnected Nodes, Verified Protocol]

Even with no control over antenna alignment, few nodes are disconnected


Vulnerabilities

• Attacker with multiple wormhole endpoints
– Can create packets coming from different directions to appear neighborly

• Magnet Attacks
– Protocol depends on compass alignment of nodes

• Antenna, orientation inaccuracies
– Real transmissions are not perfect wedges


Moral

• An attacker with few resources and no crypto keys can substantially disrupt a network with a wormhole attack

• Mr. Rogers was right: “Be a good neighbor”
– If you know your neighbors, can detect wormhole
– Need to cooperate with your neighbors to know who your legitimate neighbors are


Roadmap

• Use directional information to defeat wormhole attacks
– Simple properties of space
– Cooperation of nodes

• But…most sensor nodes don’t have directional antennas
– Rest of the talk: Location Determination


Location Determination

• Important for many sensor network applications

• Approaches:
– Nodes can determine their locations directly (GPS)
  • Too expensive for many applications
– Nodes determine their locations indirectly by using information received from a few seed nodes that know their locations


Localization Error and Routing

[Figure: GPSR Routing, Delivery Ratio (0% to 100%) vs. Density (Neighbors) (6 to 20); series: No Error, 0.2R, 0.4R, 0.6R, 0.8R, 1R]

Slide from Qing Cao. Details in Qing Cao and Tarek Abdelzaher, A Scalable Logical Coordinates Framework for Routing in Wireless Sensor Networks. RTSS 2004

Karp and Kung. MobiCom 2000


Our Approach: Monte Carlo Localization

• Take advantage of mobility:
– Moving makes things harder…but provides more information
– Properties of time and space limit possible locations; cooperation from neighbors

• Adapts an approach from robotics localization

Frank Dellaert, Dieter Fox, Wolfram Burgard and Sebastian Thrun. Monte Carlo Localization for Mobile Robots. ICRA 1999.


Scenarios

NASA Mars Tumbleweed
Image by Jeff Antol

Nodes moving, seeds stationary

Nodes and seeds moving

Nodes stationary, seeds moving


MCL: Initialization

Initialization: Node has no knowledge of its location.

L0 = { set of N random locations in the deployment area }

Node’s actual position


MCL Step: Predict

Node’s actual position

Predict: Node guesses new possible locations based on previous possible locations and maximum velocity, vmax

Filter

Filter: Remove samples that are inconsistent with observations

Seed node: knows and transmits location

[Diagram label: r]


Prediction

$$p(l_t \mid l_{t-1}) = \begin{cases} c & \text{if } d(l_t, l_{t-1}) < v_{max} \\ 0 & \text{if } d(l_t, l_{t-1}) \ge v_{max} \end{cases}$$

Assumes node is equally likely to move in any direction with any speed between 0 and vmax.


Filtering

[Diagrams: Direct Seed and Indirect Seed, each showing a seed s]

Direct Seed: If you hear a seed, must (likely) be within distance r of the seed’s location

Indirect Seed: If you don’t hear a seed, but one of your neighbors hears it, must be within distance (r, 2r] of that seed’s location.


Resampling

Use prediction distribution to create enough sample points that are consistent with the observations.


Recap: Algorithm

Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }

Iteration Step: Compute new possible location set Lt based on Lt-1, the possible location set from the previous time step, and the new observations.
Lt = { }
while (size (Lt) < N) do
    R = { l | l is selected from the prediction distribution }
    Rfiltered = { l | l where l ∈ R and filtering condition is met }
    Lt = choose (Lt ∪ Rfiltered, N)
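One way to implement the predict and filter loop above, as an added Python example that is not the authors' implementation. The function names, the draw budget that ends the loop when the observations cannot all be satisfied, the recovery rule in `simulate`, the grid of stationary seeds and all numeric values are assumptions made for illustration.

```python
import math
import random

def init_samples(n, size, rng):
    """L0: n random locations in a size x size deployment area."""
    return [(rng.uniform(0, size), rng.uniform(0, size)) for _ in range(n)]

def predict(prev, v_max, rng):
    """Draw from p(l_t | l_t-1): uniform over the disc of radius v_max around prev."""
    radius = v_max * math.sqrt(rng.random())
    angle = rng.uniform(0, 2 * math.pi)
    return (prev[0] + radius * math.cos(angle), prev[1] + radius * math.sin(angle))

def consistent(loc, direct, indirect, r):
    """Filtering condition: within r of each direct seed, in (r, 2r] of each indirect seed."""
    return (all(math.dist(loc, s) <= r for s in direct)
            and all(r < math.dist(loc, s) <= 2 * r for s in indirect))

def mcl_step(prev, direct, indirect, r, v_max, n, rng, max_draws=5000):
    """One iteration: predict from the previous samples and keep what passes the filter.

    Returns fewer than n samples (possibly none) when the draw budget runs out,
    which is what happens if the announcements heard contradict each other.
    """
    current = []
    for _ in range(max_draws):
        if len(current) >= n:
            break
        candidate = predict(rng.choice(prev), v_max, rng)
        if consistent(candidate, direct, indirect, r):
            current.append(candidate)
    return current

def estimate(samples):
    """Location estimate: mean of the sample set."""
    return (sum(x for x, _ in samples) / len(samples),
            sum(y for _, y in samples) / len(samples))

def simulate(steps=30, n=50, r=50.0, v_max=10.0, size=200.0, seed=1):
    """Track one mobile node among stationary grid seeds; returns the error per step in units of r."""
    rng = random.Random(seed)
    seeds = [(x, y) for x in range(0, int(size) + 1, 50)
             for y in range(0, int(size) + 1, 50)]
    node = (0.37 * size, 0.61 * size)
    samples = init_samples(n, size, rng)
    errors = []
    for _ in range(steps):
        nx, ny = predict(node, v_max, rng)  # true motion, unknown to the node
        node = (min(max(nx, 0.0), size), min(max(ny, 0.0), size))
        direct = [s for s in seeds if math.dist(node, s) <= r]
        # Idealisation: every seed in (r, 2r] is assumed to be reported by a neighbor.
        indirect = [s for s in seeds if r < math.dist(node, s) <= 2 * r]
        new = mcl_step(samples, direct, indirect, r, v_max, n, rng)
        if not new:  # added recovery rule: restart from L0 and keep what passes the filter
            new = [loc for loc in init_samples(50 * n, size, rng)
                   if consistent(loc, direct, indirect, r)]
        samples = new[:n] or samples
        errors.append(math.dist(estimate(samples), node) / r)
    return errors

if __name__ == "__main__":
    errs = simulate()
    print("error (r) at steps 1, 10, 30:", [round(errs[i], 2) for i in (0, 9, 29)])
```

Passing two direct seeds that are more than 2r apart to `mcl_step` returns an empty list, since no location can satisfy both announcements.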


Parameters

• Affect accuracy and convergence time:
– Speed of nodes and seeds
– Density of nodes and seeds

• Tradeoff memory and accuracy:
– Number of samples maintained

• Movement:
– Control should help; interdependence hurts


Convergence

Node density nd = 10, seed density sd = 1

The localization error converges in first 10-20 steps

[Figure: Estimate Error (r) (0 to 2) vs. Time (steps) (0 to 50); series: vmax=.2 r, smax=0; vmax=r, smax=0; vmax=r, smax=r]


Speed Helps and Hurts

Increasing speed increases location uncertainty, but provides more observations.

[Figure: Estimate Error (r) (0 to 1) vs. vmax (r distances per time unit) (0.1 to 2); series: sd=1, smin=0, smax=vmax; sd=1, smax=smin=r; sd=2, smax=vmax; sd=2, smax=smin=r]

Node density nd = 10


[Figure: Estimate Error (r) (0 to 3) vs. Seed Density (0.1 to 4); series: MCL, Centroid, Amorphous]

nd = 10, vmax = smax=.2r

Better accuracy than other localization algorithms

Centroid: Bulusu, Heidemann and Estrin. IEEE Personal Communications Magazine. Oct 2000.

Amorphous: Nagpal, Shrobe and Bachrach. IPSN 2003.


Samples Maintained

[Figure: Estimate Error (r) (0 to 1.2) vs. Sample Size (N) (1 to 1000); series: sd=1, vmax=smax=.2r; sd=1, vmax=smax=r; sd=2, vmax=smax=.2r; sd=2, vmax=smax=r]

nd = 10

Good accuracy is achieved with only 20 samples (~100 bytes)


Radio Irregularity

nd = 10, sd = 1, vmax = smax=.2r

Insensitive to irregular radio pattern

[Figure: Estimate Error (r) (0 to 2) vs. Degree of Irregularity (r varies ±dr) (0 to 0.5); series: MCL, Centroid, Amorphous]


Motion

nd=10, vmax=smax=r

[Figure, two panels titled “Stream and Currents” and “Random Waypoint vs. Area Scan”. One panel: Estimate Error (r) (0 to 6) vs. Maximum Group Motion Speed (r units per time step) (0 to 6); series: sd =.3; sd =1; sd =2. Other panel: Estimate Error (r) (0 to 4) vs. Time (0 to 200); series: Random, vmax=smax=.2r; Area Scan; Random, vmax=0, smax=.2r; Scan]

Adversely affected by consistent group motion

Controlled motion of seeds improves accuracy


Recap

• MCL:
– Maintain set of samples representing possible locations
– Filter out impossible locations based on observations from direct and indirect seeds

• Achieves accurate localization cheaply

• But…what about security?

Caveat: this is the speculative part of the talk!


Attacks on Localization

• Interfere with seed locations
– Overload GPS signal

• Inject bogus seed announcements
– Need to authenticate announcements

• Replay attacks (including wormhole)
– Ranging information
– Physical challenges


MCL Advantages

• Filtering
– Bogus seeds filter out possible locations

• Direct
– Does not require long range seed-node communication

• Mobile
– Nodes expect to hear announcements from different seeds over time

• Historical
– Current sample set reflects history of previous observations


Prevent Bogus Announcements

• Pairwise authentication: assumes nodes preloaded with pairwise keys for each seed

1. S → region: IDS (Broadcast identity)
2. N → S: EKNS (RN) | IDN (Send nonce challenge)
3. S → N: EKNS (RN | LS) (Respond with location)

Nonce prevents standard replays, but not wormhole attacks


“Expensive” Defense

• Distance Bounding
– Light travels 1 ft per nanosecond (2-4 cycles on modern PC!)
– Need special hardware to instantly respond to received bits

• Use distance bounding to perform secure multilateration

• Prove node encounters

Brands and Chaum, EUROCRYPT 1993

Capkun and Hubaux, 2004

Capkun, Buttyan and Hubaux, 2003


“Cheap” Defense: Multiple Location Speculation

• As long as one legitimate seed announcement is received, worst an attacker can do is filter out all possible locations: denial of service attack

• Maintain multiple possible locations instead of giving up when observations are inconsistent

• Current work:
– Can we design routing protocols that work well with multiple locations?


Conclusion

• Computing is moving into the real world:
– Rich interfaces to environment
– No perimeters

• Simple properties of physical world are useful:
– Directional consistency can prevent wormhole attacks
– Space and time can be used to achieve accurate localization cheaply


Thanks!

Students: Lingxuan Hu, Chalermpong Worawannotai, Nathaneal Paul, Jinlin Yang, Joel Winstead

Funding: NSF ITR, NSF CAREER, DARPA SRS

For more information and paper links: http://www.cs.virginia.edu/physicrypt