Secure Routing in Wireless Sensor Networks

This Paper  One of the first to examine security on sensor networks prior work focused on wired and adhoc prior work focused on wired and adhoc  Not an algorithms or systems paper  Describes general attacks on routing general attacks on routing attacks on specific sensor systems attacks on specific sensor systems some countermeasures some countermeasures  Also useful as survey of sensor routing protocols

Outline  Context  Routing attacks  Protocol attacks  What next?

Security for Sensor Nets  A larger challenge in sensor nets security not priority in protocol design security not priority in protocol design mainly optimize for power (CPU / transmissions)mainly optimize for power (CPU / transmissions) E2E principle does not apply E2E principle does not apply routers need access to data for aggregationrouters need access to data for aggregation many to one communication instead of end-to-endmany to one communication instead of end-to-end  Result Protocols easy to attack and cripple Protocols easy to attack and cripple Security needs to be built-in at protocol design Security needs to be built-in at protocol design

Context  Large static sensor networks large # (100’s, 1000’s) of low power nodes large # (100’s, 1000’s) of low power nodes fixed location for their entire lifetime fixed location for their entire lifetime focused scenario: Berkeley Motes focused scenario: Berkeley Motes 4Mhz CPU, 4KB RAM (data), 40Kbps max b/w4Mhz CPU, 4KB RAM (data), 40Kbps max b/w  Connectivity base stations: powerful pts of central control base stations: powerful pts of central control sensors form multi-hop wireless network sensors form multi-hop wireless network periodic data stream aggregated to BS periodic data stream aggregated to BS

Worrying about Power  Power is #1 concern for sensors small power reserves  1% duty cycle or less small power reserves  1% duty cycle or less radio uses power 10 3 more than sleep mode radio uses power 10 3 more than sleep mode  Other constraints minimal CPU, RAM, radio power minimal CPU, RAM, radio power cannot support: public-key, source routing or distance vector, anything that requires cannot support: public-key, source routing or distance vector, anything that requires  May not benefit from Moore’s law strong pressure to use cheaper nodes strong pressure to use cheaper nodes is this a temporary trend? will eventually benefit is this a temporary trend? will eventually benefit

Assumptions  Network assumptions radio is insecure radio is insecure base stations are trust-worthy base stations are trust-worthy  Attackers can control/turn nodes, collude can control/turn nodes, collude mote-class vs. laptop-class attackers mote-class vs. laptop-class attackers inside vs. outside attackers inside vs. outside attackers

Outline  Context  Routing attacks  Protocol attacks  What next?

Attacks on Sensor Routing  Spoofed, altered, replayed routing info result: routing loops, attract or repel network traffic, extend or shorten routes, partition network result: routing loops, attract or repel network traffic, extend or shorten routes, partition network  Selective forwarding drop subset of packets w/o being detected drop subset of packets w/o being detected (enabled by) Sinkhole attack (enabled by) Sinkhole attack provide or falsely advertise shorter routesprovide or falsely advertise shorter routes many to one model makes this easymany to one model makes this easy

Routing Attacks II  Sybil attack one node, many (network) identities one node, many (network) identities  Wormholes use out-of-band fast channel to route msgs faster than regular network use out-of-band fast channel to route msgs faster than regular network exploit out-of-order delivery (race conditions) exploit out-of-order delivery (race conditions)  hello flood broadcast msg to all nodes (laptop-class) broadcast msg to all nodes (laptop-class) disrupt topology construction disrupt topology construction  Ack spoofing replay link layer acks to misrepresent link quality between nodes replay link layer acks to misrepresent link quality between nodes

Understanding Routing Attacks  Key weakness insecure wireless channel (eavesdropping, replays) insecure wireless channel (eavesdropping, replays) unequal transmission power / link quality unequal transmission power / link quality  Selective forwarding be a sinkhole (concentrate traffic into malicious node) be a sinkhole (concentrate traffic into malicious node)  Enablers (distort view of wireless network) wormholes, HELLO flood (leverage transmission pwr) wormholes, HELLO flood (leverage transmission pwr) acknowledgement/route spoofing (distort view of links) acknowledgement/route spoofing (distort view of links) sybil (appear as many nodes at once) sybil (appear as many nodes at once)

Outline  Context  Routing attacks  Protocol attacks  What next?

Protocols Attacks  TinyOS beaconing base station constructs depth first spanning tree with itself as root base station constructs depth first spanning tree with itself as root  Attacks w/o authentication: anyone can claim 2b BS w/o authentication: anyone can claim 2b BS wormhole  sinkhole attack w/ laptop-class nodes wormhole  sinkhole attack w/ laptop-class nodes HELLO flood  strand nodes out of range HELLO flood  strand nodes out of range

Protocol Attacks II  Directed diffusion BS flood “interests” for named data BS flood “interests” for named data sensors send data on reverse interest path sensors send data on reverse interest path paths “reinforced” to in/decrease data flow paths “reinforced” to in/decrease data flow  Attacks flooding is more robust to sinkholes flooding is more robust to sinkholes once path established, can suppress or clone flows using path reinforcements once path established, can suppress or clone flows using path reinforcements can modify in-flight data once it’s on path can modify in-flight data once it’s on path

Protocol Attacks III  Geographic routing (GPSR, GEAR) use coordinates to route towards destination use coordinates to route towards destination GEAR spreads out path to load-balance GEAR spreads out path to load-balance attack: misrepresent location data for sinkhole attack attack: misrepresent location data for sinkhole attack attack: use sybil to surround target node (sinkhole) attack: use sybil to surround target node (sinkhole)  Minimum cost forwarding each node keeps local cost of reaching BS each node keeps local cost of reaching BS broadcast out msg w/ budget, each hop subtracts cost. If budget exceeded, msg dropped broadcast out msg w/ budget, each hop subtracts cost. If budget exceeded, msg dropped attack: advertise low cost path (can also use HELLO) attack: advertise low cost path (can also use HELLO)

Protocol Attacks IV  Rumor routing send out agent carrying useful events on random walk through network w/ TTL send out agent carrying useful events on random walk through network w/ TTL queries and data both sent out via agents queries and data both sent out via agents attack: mishandle agents & remove data attack: mishandle agents & remove data attack: send out tendrils with large TTLs advertising low cost attack: send out tendrils with large TTLs advertising low cost

Protocol Attacks V  Energy conserving topology maintenance GAF: nodes placed into grid squares GAF: nodes placed into grid squares occasionally wake to see if they’re needed, otherwise sleepoccasionally wake to see if they’re needed, otherwise sleep SPAN: “coordinators” keep connectivity SPAN: “coordinators” keep connectivity nodes occasionally wake to see if they should be upgraded to coordinatornodes occasionally wake to see if they should be upgraded to coordinator  Attacks spoof route/discovery msgs to lull nodes to sleep  destroy connectivity spoof route/discovery msgs to lull nodes to sleep  destroy connectivity

Understanding Protocol Attacks  Inherent tradeoff: energy vs. security optimizing route vs. susceptibility to attacks optimizing route vs. susceptibility to attacks  Attacks all leading to sinkhole attack all leading to sinkhole attack manipulate cost function to represent self as optimal path manipulate cost function to represent self as optimal path  Is resistance futile? flooding  useful, but high cost flooding  useful, but high cost random walks  potentially high cost random walks  potentially high cost key is randomization key is randomization

Outline  Context  Routing attacks  Protocol attacks  What next?

Countermeasures  Link layer security (shared key auth.) costly, but can disable sybil attacks costly, but can disable sybil attacks useless against compromised nodes (insiders) useless against compromised nodes (insiders)  Hello floods verify bi-directionality, or authenticate identity of neighbors w/ separate protocol verify bi-directionality, or authenticate identity of neighbors w/ separate protocol  Use global knowledge nodes are static, so learn global map nodes are static, so learn global map scalability: enough state to keep info? scalability: enough state to keep info?

Intuition  Tight tradeoff energy conservation via optimized paths energy conservation via optimized paths optimization  manipulation of cost factors optimization  manipulation of cost factors  Avoid powerful nodes (they can’t be authenticated) powerful nodes (they can’t be authenticated) centralized functionality (same reason) centralized functionality (same reason)  What can we use? randomization / probabilistic routing? randomization / probabilistic routing?