SECURE ROUTING IN WIRELESS SENSOR NETWORKS Gayathri Venkataraman Preeti Raghunath

AGENDA Sensor Networks Wireless Sensor Networks vs. Ad- Hoc Networks Sensor Network Security Challenges Attacks on Sensor Network routing Securing the Wireless Network Summary

Sensor Networks A sensor network is composed of a large number of sensor nodes that are densely deployed either inside the phenomenon or close it . Each of these sensor nodes collect data and transmit to the sink using special routing protocols. The sink may communicate to the task manager using Internet or satellite [1]. Figure 1 Sensor nodes communication Source : http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf Retrieved August 22, 2003

What is a Sensor Network? Heterogeneous system that combines tiny sensors and actuators with general purpose computing elements. Sensor readings from multiple nodes can be processed by one or more aggregation points Sensor network may consists of of several low-power and low-cost nodes. The nodes can be mobile but more likely in a fixed location, deployed en masse to monitor and affect the environment. Aggregation points ( also nodes themselves) collect sensor readings from surrounding nodes and forwards an single message representing the aggregate of the values..

Base Station Sensor Networks have one or more points of centralized control called Base Stations. Base stations are either: Gateway to another network Data processing or storage center Access point for human interface.

Sensor Network Architecture Base Stations Rectangular Boxes: Base Stations Orange Circles: Aggregation points Red Circles: Sensor Nodes Aggregation points Sensor Nodes

Constraints of Wireless Sensor Networks Sensor Networks are resource-starved when it comes to: Computational power Memory Bandwidth Power Memory is a resource that must be utilized carefully. There fore security protocols cannot maintain much state. In addition, public-key cryptography is too expensive to be deployed on a wide scale in wireless networks.

Sensor Networks VS. Ad Hoc Networks Ad-Hoc Network supports routing between any pairs of nodes. Sensor Networks have a specialized communication pattern: Many to One One to Many Local Communication Many to One: Multiple sensor nodes send sensor readings to a base station or aggregation point in the network. One to many: Base station multicasts a query to several sensor nodes Local communication: Neighboring nodes communicate with each other. It can be broadcast or Unicast.

Security challenges in Wireless Sensor networks (1 of 3) Network Assumptions: Radio links are not secure Attackers can deploy malicious nodes into the network. Trust Requirements: Base Stations are trusted nodes Aggregation points maybe trusted for certain protocols Sensor networks use radio communication which are not secure. Adversary ( or attacker) can deploy malicious nodes with the intent of eavesdropping or carrying out attacks. Trust Requirements: Since Base stations interface a sensor network to the outside world, compromise of a significant number of them can render the entire network useless.

Security challenges in Wireless Sensor networks (2 of 3) Threat models: Mote-Class attackers: Sensor nodes are used for attacks. Sensor can eavesdrop only nodes in its vicinity. Laptop-Class attackers: More sophisticated. Can eavesdrop or jam entire network. Outsider attacks: Attacker has no special access to the sensor network. Insider attacks: An authorized participant of the network has gone bad by running malicious code. Mote-Class attacks: Attacker has access to few sensor nodes, that have limited capabilities. Laptop- Class attack: Has access to more powerful devices such as a laptop and thus have an advantage over legitimate nodes in the network.

Security challenges in Wireless Sensor networks (3 of 3) Security Goals: Protection against eavesdropping is responsibility of application layer not routing algorithms. However, eavesdropping caused by abuse of routing protocol is the responsibility of protocols. Graceful degradation of network in case of insider attack. In the presence of insider adversaries, it is not likely that security goals in above slide can be achieved. However, the network should be designed for “graceful degradation”. Graceful degradation means that network performance should not degrade faster than the ratio of compromised nodes to total nodes in the network.

Attacks on Sensor Networks (1 of 3) Spoofing: Altering, spoofing or replaying routing information between nodes. Selective Forwarding: Malicious nodes does not forward any packets or selectively forwards packets. Selective Forwarding: A malicious node behaves as a black hole. However, the malicious node runs the risk of Neighboring nodes assuming that the malicious node has failed and hence seek other routes. A more sophisticated attack selectively forwards packets.

Attacks on Sensor Networks (2 of 3) Sinkhole attack: Here the attacker’s goal is to lure all the traffic through a compromised node Other nodes in the path have opportunities to tamper with application data Sybil attack: A single node presents multiple identities. Wormholes: Attacker tunnels messages received in one part of the network over a low-latency kink and replays them in a different part. Sinkhole attack: Makes a compromised node look very attractive to surrounding nodes with respect to the algorithm.This attack can enable many other attacks. Sybil attack: This attack can reduce effectiveness of fault-tolerant schemes such as, distributed storage, multi-path routing and topology maintenance as the adversary can be in more than one place and can take different identities. Wormhole: Two distant malicious nodes collude to understate distance between them by relaying packets along an tunnel available only to the attacker. An attacker situated close to a base station can disrupt routing as a result.

Attacks on Sensor Networks (3 of 3) HELLO Flood attack: An attacker with enough transmission power convinces every node in the network that the attacker is the neighbor. Acknowledgement spoofing: Link layer acknowledgements are spoofed to convince a weak link is strong and vice-versa. Hello Flood: Nodes announce themselves by broadcasting “Hello” packets. A laptop-class attacker with large enough transmission power could convince every node in the network that the attacker is a neighbor. Acknowledgement spoofing: Routing protocol may select the next hop in a path using link reliability. Artificially reinforcing weak or dead link is a way to manipulate the scheme.

Attacks on Specific Routing Protocols Gayathri Venkataraman

Special Routing Protocols! Why??? A typical mote has 4MHz processor, 128 KB of instruction memory, 4 KB of RAM data, and 512 KB of flash memory. The whole device is powered by two AA batteries. So the requirement of special routing protocols with Less computation Less memory Simple No global identification like IP address

Challenges For Security Resource starved nature of sensor networks poses a big challenge for security Public-key Cryptography is so expensive With only 4KB of RAM memory must be used carefully

Directed Diffusion Is a data centric routing Base stations flood interests for named data Nodes able to satisfy the interest disseminate information along the reverse path of interest propagation. Interests are initially transmitted at a lower rate. Based nodes reinforce the path where there is more data. Failed node paths are negatively reinforced.

Directed Diffusion http://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking/Estrin_mobicom00.pdf  Retrieved August 27, 2003 The first picture (see from left) says that sink is transmitting interest to all nodes and has established gradient. A gradient is something like paths of data flow. The next picture shows that a node has found an event and has transmitted to the sink. The next picture shows multiple nodes transmitting events to the sink.

Attacks on Directed Diffusion Suppression Suppress the flow of data by sending negative reinforcement Cloning Attacker can replay an interest from legitimate base station Path Influence Attacker can influence the path taken by a data flow by spoofing positive and negative reinforcements and bogus data events. Selective forwarding and Tampering Attacker can insert himself into the path of events flow and gain Control of the event flow. In the path influence an adversary can influence the path and the following actions may result. 1. Data events generated by legitimate sources will be drawn to the attacker. 2. The attacker’s node will be reinforced by nodes above because of its high data rate.

Attacks on Directed Diffusion A Laptop class adversary can create worm hole between node A located near base station and node B located near likely events. Interests are advertised through worm hole and rebroadcast by node B. If node A sends negative reinforcements and worm hole does not pass those messages then node B continues its positive reinforcement then no data reaches the sink node and eventually node B’s power is lost.

Tiny-OS Beaconing In this protocol base stations periodically broadcast routing update. All station receiving the update marks the base station as its parent. This algorithm happens recursively with each node marking its parent as the first node from which it hears the update. All packets received or generated by a node is forwarded to its parent until it reaches the base station. This is a breadth first spanning tree rooted to the base station

Attacks on Tiny-OS Beaconing Routing updates are not authenticated Attacker can suppress, eaves-drop, and modify packets through a worm hole/ sink hole attack as shown in the figure Authenticated routing can prevent attacks from a mote class adversary, but a lap-top class attacker can create a worm hole between two nodes and participates in the network. Since it is a lap top class it can transmit with more strength and can form itself as parent for all nodes. Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdf Retrieved on November 17, 2003

Attacks on Tiny-OS Beaconing A lap top class adversary can use Hello flood attack to broadcast a routing update and all nodes will consider the adversary as its parent. So the nodes which are not in the actual range of the parent may flood the packets to neighbors which also has the adversary as its parent Routing Loops can be created. Suppose adversary knows node A and node B are within radio range of each other. Adversary sends a routing update to B as if it came from A. B updates its parent as A, and sends routing update. Now A updates its parent as B.

Geographic Routing Two Kinds Geographic and Energy aware routing (GEAR) uses the energy information and the location of neighboring nodes to forward the packets Greedy Perimeter Stateless Routing (GPSR) used only the proximity of neighbors to forward its messages. The energy consumption is uneven within the nodes.

Attacks on Geographic Routing Regardless of adversary’s location he might advertise to be closest and place himself on the path of data flow. For GEAR the adversary can advertise to have maximum energy to divert all the packets to himself and can now mount a selective forwarding attack Routing Loops is possible in GPSR routing as shown in figure Routing Loops Assume the maximum radio range is one unit. An adversary can forge a message that B is at (2,1) and sends it to C. C now makes B as its parent. Now suppose legitimate B(0,1) wants to send a message to B then he forwards to C who again sends it back to B. Source: http://webs.cs.berkeley.edu/retreat-1-03/slides/sensor-route-security.pdf Retrieved on November 17, 2003

Counter Measures Link Layer Security Simple link layer encryption and authentication using a globally shared key. If a worm hole is established, encryption makes selective forwarding difficult, but can do nothing to prevent black hole selective forwarding. This worm hole is possible by replaying the message from one group of nodes to other group. Link layer security mechanisms cannot prevent any insider attack. Link Layer authentication can prevent an outsider attack like Sybil, Selective forwarding and Sink Hole attacks. But still this cannot avoid insider attacks, Hello flood, and worm hole attacks.

Counter Measures Sybil Attack Every node shares a unique symmetric key with base station Two nodes can use Needham-Schroeder like protocol to verify identity and establish a shared key. Base station limits the number of nodes an insider can have communication. This limits the number of nodes an adversary can communicate. In this the compromised node is not restricted from communication, however this restrict the number of nodes the adversary can affect. This is because of the limit set by the base station on the number of verified neighbors

Counter Measures Hello Flood Attacks Verify the bi-directionality of the link before taking any action Measures against Sybil Attack like limiting the number of verified neighbors to a node will also prevent Hello Flood Attack The bi-directional verification can be enforced by link layer authentication.

Counter Measures Worm Hole and Sink Hole Attacks Sink holes are difficult to defend in protocols which use advertised information like energy information and hop count. Hop count can be verified, however energy and TinyOs beaconing is difficult to defend. Best solution is to design protocols where above attacks are meaningless

Counter Measures Protocols that construct topology initiated by base station are susceptible to attacks Geographic protocols that construct topology on demand using localized interactions and not from base stations are good solutions. In geographic routing since proximity is a factor artificial link to sink hole is not possible because they may not fall in the normal radio range.

Counter Measures Geographic routing is secure against worm hole, sink hole, and Sybil attacks, but the remaining problem is that the location advertisement must be trusted. Probabilistic selection of next hop from several advertisement can reduce the problem Restricting the structure of the topology can eliminate the problem by eliminating advertisement. For example nodes can arrange itself in square, triangular, etc., So that every node can derive its neighbors

Counter Measures Selective Forwarding Multi-path routing can be used to avoid this attacks. Messages routed over n paths whose nodes are completely disjoint is an effective solution Creating this kind of path may be difficult . Probabilistic selection of next hop can add to security. One example of Multi-path is braided path. They can have common nodes but not common links. This can provide probabilistic protection

Counter Measures Authenticated Broadcast & flooding digital signatures symmetric-key cryptography delayed key disclosure and one –way key chains constructed with publicly computable cryptographically secure hash function Replay attack is not possible key is used only once. A base station is considered to be trustworthy. Broadcasts from base station must be authenticated. The authentication methods are discussed above.

Limitations of Multi-Hop Routing If nodes within one or two hops near the base station are compromised then the network will be completely down Protocols like leach which forms clusters and where cluster heads communicate directly with base station may yield a secure solution. LEACH is considered to be more secure because motes organize themselves to clusters and they choose a cluster head to communicate directly with base station. Also since the cluster and cluster head is not the same every time there is a probabilistic protection

Conclusion Secure routing is vital to the acceptance and use of sensor networks. Current protocols are insecure Careful protocol design is needed as a sensor mote cannot do complex cryptographic computations

References [1 ]Ian F. Akyildiz, Weilian Su, Yogesh Subramaniam, and Erdal Cayirci (2002, August). A Survey on Sensor Networks. http://www.cdt.luth.se/babylon/snc/References/Akyildiz2002_SurveySensorNets_01024422.pdf Retrieved August 26, 2003 [2]Charlermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin. Directed Diffusion:A Scalable and Robust Communication Paradigm for Sensor Networks http://www2.parc.com/spl/members/zhao/stanfordcs428/readings/Networking /Estrin_mobicom00.pdf Retrieved August 20, 2003 [3] Chris Karlof, David Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Counter Measures

Thank You!!!!! Questions???????????