Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures Chris Karlof and David Wagner

Key Contributions Secure routing issues in WSNs Show how they are different from ad hoc networks Introduce two new classes of attacks  Sinkhole attack  Hello flood attack Analyze security aspects of major routing protocols Discuss countermeasures & design considerations for secure routing in WSNs

WSNs vs. Ad Hoc Networks Multi-hop wireless communications Ad hoc nets: communication between two arbitrary nodes WSNs Specialized communication patterns  Many-to-one  One-to-many  Local communication More resource constrained More trust needed for in-network processing, aggregation, duplicate elimination

Assumptions Insecure radio links Malicious nodes can collude to attack the WSN Sensors are not tamper-resistant Adversary can access all key material, data & code Aggregation points may not be trustworthy Base station is trustworthy

Threat Models Device capability Mote class attacker Laptop class attacker: more energy, more powerful CPU, sensitive antenna, more radio power Attacker type Outside attacker: External to the network Inside attacker: Authorized node in the WSN is compromised or malicious

Security Goals Secure routing Support integrity, authenticity, availability of messages in presence of attack Data confidentiality

Potential Attacks Attacks on general WSN routing Attacks on specific WSN protocols

Attacks on General WSN Routing Protocols Spoof, alter, or replay routing info. Create loops, attack or repel network traffic, partition the network, attract or repel network traffic, etc. Message authentication can partly handle these issues Selective forwarding Malicious node selectively drops incoming packets

Sinkhole attack Specific to WSNs All packets are directed to base station A malicious node advertises a high quality link to the base station to attract a lot of packets Enable other attacks, e.g., selective forwarding or wormhole attack

Sybil attack A single node presents multiple ID’s to other nodes Affect geographic routing, distributed storage, multi-path routing, topology maintenance

Wormhole attack Two colluding nodes A node at one end of the wormhole advertises high quality link to the base station Another node at the other end receives the attracted packets

Hello flood attack Specific to WSNs In some protocols, nodes have to periodically broadcast “hello” to advertise themselves  Not authenticated! Laptop-class attacker can convince it’s a neighbor of distant nodes by sending high power hello messages

Acknowledge spoofing Adversary spoofs ACKs to convince the sender a weak/dead link support good link quality

Attacks on Specific Routing Protocols TinyOS beaconing Construct a BFS tree rooted at the base station Beacons are not authenticated Adversary can take over the whole WSN by broadcasting beacons

Directed diffusion Replay interest Selective forwarding & data tampering Inject false data

Geographic routing Adversary can provide false, possibly multiple, location info. Create routing loop GEAR considers energy in addition to location  Laptop-class attacker can exploit it

Countermeasures Shared key & link layer encryption Prevent outsider attacks, e.g., Sybil attacks, selective forwarding, ACK spoofing Cannot handle insider attacks  Wormhole, Hello flood, TinyOS beaconing Sybil attack Every node shares a unique secret key with the base station Create pairwise shared key for msg authentication Limit the number of neighbors for a node Hello flood attack Verify link bidirectionality Doesn’t work if adversary has very sensitive radio

Countermeasures Wormhole, sinkhole attack Cryptography may not help directly Good routing protocol design Geographic routing Location verification Use fixed topology, e.g., grid structure Selective forwarding Multi-path routing Route messages over disjoint or Braided paths Dynamically pick next hop from a set of candidates Measure the trustworthiness of neighbors

Countermeasures Authenticated broadcast uTESLA Base station floods blacklist Should be authenticated Adversaries must not be able to spoof

Towards Resilient Geographic Routing in WSNs Ke Liu, Nael Abu-Ghazaleh, KD Kang Computer Science Dept. State University of New York at Binghamton

Outline Background: Geographic Forwarding Security Threats and Threat Model Localization and Location Verification Secure Trust-based Multi-path Routing Conclusions

Geographic Forwarding Keep track of neighbors’ locations Forwarding set is set of neighbors closer to destination than self Pick next hop as a member of the forwarding set Greedy forwarding – pick closest to destination

Geographical Forwarding (2) Local interactions only – no local state maintained Can get stuck in voids; void traversal algorithm needed (e.g., perimeter routing) We don ’ t consider this aspect of operation

Threat Model/Assumptions Two types of nodes: Anchors:  Know their location (e.g., using GPS)  Act as reference points for localization  Sufficient density to enable localization  First assume they are trusted; later relax the assumption Sensor Nodes:  Can be compromised  Key pre-distribution to provide cryptographic keys Confidentiality, authentication, message integrity, can be supported if needed

Threat Models/Assumptions (2) GF is different from traditional topology based routing protocols We do not consider MAC/physical level attacks Orthogonal techniques apply there Sybil attack (node claiming multiple locations) are possible Blackhole, wormhole and selective forwarding attacks are possible

Location Verification First contribution of this paper Each node is responsible for reporting its location information Trusted to provide the correct information; no mechanism to verify using traditional localization approaches If nodes can falsify their location GF breaks down Sybil attacks, blackholes, and other attacks easily possible Location Verification: prevent nodes from lying about their location

Existing Solution (Sastry et al 2004) Echo Protocol: Location challenged by verifier Node responds instantly with ultrasonic pulse Speed of sound allows estimate of distance Includes a nonce sent by the verifier  Prevents early response to appear closer Argue that delaying response not possible because it moves node into another verifiers region Coarse-grained verification (within region) Requires ultrasound channel

Localization via Triangulation Lateration is the calculation of position information based on distance measurements from three known points (anchors) 2D position requires three distance measurements. Signal Strength, Time of Arrival, Time Difference of Arrival, etc.. used to estimate distance Triangulation measures angle of arrival d2 d3 d1

Proposed Solution – Anchors Localize Protocol 1. Node transmits localization packet 2. Anchors receive it concurrently; each anchor estimates distance to node 3. Anchors exchange estimates to calculate location Localization responsibility moved to trusted anchors Location passed to node with certificate or supplied by anchors Limitation: range based localization – range free localization requires extension d2 d3 d1

Possible Attacks (1) Nodes cheat by manipulating the localization transmission E.g., in signal power based ranging  transmit at higher power to appear closer;  or lower power to appear farther In TDOA  Send ultrasonic pulse before RF pulse to appear closer;  Send RF pulse before ultrasonic to appear further

Defense Key observation: node will appear closer to, or further, from all anchors concurrently Detectable when anchors exchange ranges Leads to Non-feasible location in all non-trivial anchor placements d2 d3 d1 d2-dx d3-dx d1-dx d2+dx d3+dx d1+dx

Possible Attacks (2) Directional antenna version of previous attack Use directional antenna to send different localization beacons to each anchor  Other anchors cannot hear the directional packet  Falsifying distance to each anchor separately can allow undetectable (consistent) forgery Two versions: Sequential: attacker sends the beacons sequentially to the different anchors Concurrent: attacker has multiple radios and can concurrently forge distances

Defense Sequential version can be defended by having anchors be loosely synchronized Can detect the different time stamps on the packets received by the different anchors Concurrent version challenging A sophisticated attacker with expensive H/W MAC level authentication? Moving anchors? Other sensors detecting inconsistency?

Compromising Anchors So far, assumed anchors are trusted If they are compromised they can assist nodes in falsifying their location Cause errors in the localization of legitimate nodes Correctly evaluating location under byzantine failure is a variant of byzantine quorum However, unlike classical byzantine quorum, consensus is on an indirect value (location) With n anchors in range, can localize correctly if  3+ceiling((n-3)/2) anchors are not compromised Can use threshold cryptography or similar approaches to ensure that a rogue anchor doesn ’ t bypass localization process

Possible Attacks Mobility attack: Localize and obtain a valid localization certificate Move to a new location and use the invalid (but certified) location to do mischief  Or send the certificate to a proxy node that can use it Defense: Have anchors in an area responsible for supplying certified location Place time bounds on location validity (energy- security tradeoff)

Secure Multi-path Routing

Forwarding Misbehavior Misbehaving nodes can mis-route or selectively forward packets Can have valid location estimates Since GF is completely localized, problem is difficult to detect A node has no idea where the packet should be sent beyond its current next hop

Proposed Solution Multi-path routing: Select next hop probabilistically among forwarding set  Probability proportional to trust (aka reputation) Trust estimate is adapted over time Based on observed behavior of the nodes How to detect misbehavior?

Detecting Misbehavior/Updating Trust Trust updated up or down depending on observed behavior of neighbors Rebroadcast check A sending node hears if the next hop forwards it again  Drop reputation if not Not fool proof  Can miss rebroadcast due to collision or fading  Next hop can pretend to forward the packet to a non-existing next hop neighbor (securely building 2-hop neighbor cliques can help here) Trust consensus Exchange trust estimates with neighbors among neighbors that are trustworthy

Summary Sybil, blackhole and wormhole attacks require location falsification in GF Prevented using location verification mechanism Forwarding misbehavior does not depend on location falsification Multi-path routing helps avoid bad paths even when misbehaving nodes are not known Building and tracking reputation helps ostracize misbehaving nodes

Conclusions Presented a verified localization algorithm for use in GF in WSNs Specific to range-based localization Outlined a number of attacks and their defense Derived limit for anchor byzantine quorum on location Presented a preliminary secure routing protocol Use probabilistically multi-path routing Track trust estimate to discover and avoid bad paths

Future/Ongoing Work Extend to range-free localization Extended to the case with compromised anchors Extend to void avoidance/face routing Virtual Coordinate routing Initialize node coordinates and use them as identifiers and for routing Similar to GF, but some unique and more difficult attacks Explore interaction with localization errors Evaluate trust-based multi-path routing on motes

Conclusion WSN security is challenging, relatively new area of research #Problems >> #Solutions Any ideas to address challenges?

Thank you – Any questions?