Introduction to Sensor Networks Rabie A. Ramadan, PhD Cairo University 4.


Security in WSN

Security Requirements
- Availability
- Data Confidentiality
- Data Integrity
- Non-repudiation
- Authorization and Key Management

Security Solution Constraints
- Lightweight
- Decentralized
- Reactive
- Fault-tolerant

Challenges in WSNs (constraint -> implication)
- Sensor node hardware, resource constraints -> Algos must be energy- and storage-efficient
- Nodes operate unattended -> Adversary can compromise any node
- Nodes not tamper-resistant -> Adversary can compromise any node’s keys
- No fixed infrastructure -> Cannot assume any special-function node in vicinity
- No pre-config’ed topology -> Nodes don’t know neighbours in advance
- Communicate in an open medium -> Communications are world-readable and world-writeable by default

Security design principles
- Favour computation over communication
  - Communication 1000 times more energy-consuming than computation
- Favour resilience (tolerance) over absolute security

WSN Security Research Fields
- Routing security
- Data forwarding security
- Link layer security
- Key management

Security issues in WSN
- The discussed applications require communication in WSN to be highly secure
- Main security threats in WSN are:
  - Radio links are insecure: eavesdropping / injecting faulty information is possible
  - Sensor nodes are not tamper resistant: if a node is compromised, the attacker obtains all security information
- Attacker types:
  - Mote-class: attacker has access to some number of nodes with similar characteristics / laptop-class: attacker has access to more powerful devices
  - Outside (discussed above) / inside: attacker compromised some number of nodes in the network

Attacks on WSN
Main types of attacks on WSN are:
- Spoofed, altered, or replayed routing information
- Selective forwarding
- Sinkhole attack
- Sybil attack
- Wormholes
- HELLO flood attacks
- Acknowledgment spoofing

False routing information
- Injecting fake routing control packets into the network; examples: attract / repel traffic, generate false error messages
- Consequences: routing loops, increased latency, decreased lifetime of the network, low reliability
- Example: captured node attracts traffic by advertising shortest path to sink, high battery power, etc.

Selective forwarding
- Multi-hop paradigm is prevalent in WSN
- It is assumed that nodes faithfully forward received messages
- Compromised node might refuse to forward packets; however, neighbors might start using another route
- More dangerous: compromised node forwards selected packets

Sinkhole and Sybil attacks
- Sinkhole attack:
  - Idea: attacker creates a metaphorical sinkhole by advertising, for example, a high-quality route to a base station
  - Laptop-class attacker can actually provide this kind of route, connecting all nodes to the real sink, and then selectively drop packets
  - Almost all traffic is directed to the fake sinkhole
  - WSN are highly susceptible to this kind of attack because of the communication pattern: most of the traffic is directed towards the sink – single point of failure
- Sybil attack:
  - Idea: a single node pretends to be present in different parts of the network
  - Mostly affects geographical routing protocols

Wormholes
- Idea: tunnel packets received on one part of the network to another
- Well-placed wormhole can completely disorder routing
- Wormholes may convince distant nodes that they are close to the sink. This may lead to a sinkhole if the node on the other end advertises a high-quality route to the sink

Wormholes (cont.)
- Wormholes can exploit routing race conditions, which happen when a node takes routing decisions based on the first route advertisement
- Even encryption cannot prevent this attack
- Wormholes may be used in conjunction with the Sybil attack

HELLO flood attack
- Many WSN routing protocols require nodes to broadcast HELLO packets after deployment, which is a sort of neighbor discovery based on the radio range of the node
- Laptop-class attacker can broadcast a HELLO message to nodes and then advertise a high-quality route to the sink

Acknowledgment spoofing
- Some routing protocols use link layer acknowledgments
- Attacker may spoof acks
- Goals: convince that a weak link is strong or that a dead node is alive
- Consequently a weak link may be selected for routing; packets sent through that link may be lost or corrupted

Overview of Countermeasures
- Link layer encryption prevents the majority of attacks: bogus routing information, Sybil attacks, acknowledgment spoofing, etc.
- This makes the development of an appropriate key management architecture a task of great importance
- Wormhole attacks, HELLO flood attacks and some others are still possible: attacker can tunnel legitimate packets to the other part of the network or broadcast a large number of HELLO packets
- Multi-path routing and bidirectional link verification can also be used to prevent particular types of attacks like selective forwarding and HELLO flood

Part One Secure data aggregation

Phase 1: Query dissemination
Sample query:
    SELECT AVERAGE(temperature) FROM sensors WHERE floor = 6 EPOCH DURATION 30s

Phase 2: Data aggregation
Types of aggregation: (1) basic aggregation, (2) data compression, (3) parameter estimation

Phase 3: Result verification (optional)
“Did you really report this?”

Security goals of data aggregation
- Robustness: Byzantine corruption of data would not make the aggregation result totally meaningless
- Confidentiality: To ensure that other than the sink and the sources, no intermediate node should have knowledge of the raw data or the aggregation result
[Figure: sources, intermediate nodes and sink. Robustness panel: “perform averaging”, “So the average is 251.5… Oh wait a minute”. Confidentiality panel: “What the hell am I aggregating?”, “What the hell am I forwarding?”]

Voting
- Resource-intensive, only good for mission-critical, small-scale networks
[Figure: nodes, some labelled malicious, answer Yes or No to “is mean = 61.4 reasonable?”; outcome: “Alright, 61.4 is not reasonable!”]

Interactive proof algo
- By [Przydatek et al. 2003], algo for proving probabilistically a given figure is indeed the median of the samples
- Example for the sake of intuition:
  1. Prover must have the samples sorted first
  2. Prover tells the verifier median is 3.5 and the no. of samples is 6
  3. Verifier asks for the 3rd sample, prover tells the 3rd sample is 3 < 3.5, verifier is happy but still suspicious
  4. Verifier asks for the 4th sample, prover tells the 4th sample is 4 > 3.5, verifier is happy but still suspicious
  5. Verifier asks for the 1st and 6th sample, prover tells 1st is 1 3.5, verifier says: “Alright, I’ve sampled enough, median should be 3.5 at high probability”.
- Relies on the trustworthiness of the samples, but how do we make sure?
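
An added example, not part of the original slides: a Python sketch of the spot-check walked through above, probing the two middle ranks plus some random ranks. The name verify_median, the sample values and the three prover behaviours are constructed for illustration; the last case shows why the slide's closing question matters, since replies invented to fit the claim pass every probe unless something binds the prover to the real samples.

```python
import random

def verify_median(answer, n, claim, extra_probes, rng):
    """Spot-check a claimed median of n samples.

    answer(rank) is the prover's reply for a 1-based rank in its sorted list.
    Lower-half ranks must hold values <= claim, upper-half ranks values
    >= claim, and replies must be non-decreasing in rank.
    """
    half = n // 2
    ranks = {max(half, 1), min(half + 1, n)}       # the two middle ranks
    pool = [r for r in range(1, n + 1) if r not in ranks]
    ranks.update(rng.sample(pool, min(extra_probes, len(pool))))
    previous = None
    for rank in sorted(ranks):
        value = answer(rank)
        if previous is not None and value < previous:
            return False                           # replies are not sorted
        if rank <= half and value > claim:
            return False                           # lower half above the median
        if rank > half and value < claim:
            return False                           # upper half below the median
        if n % 2 and rank == half + 1 and value != claim:
            return False                           # odd n: middle sample is the median
        previous = value
    return True

# Constructed data: the slide gives n = 6, median 3.5, 1st = 1, 3rd = 3, 4th = 4;
# the values 2, 5 and 6 are filled in here for the example only.
SORTED = [1, 2, 3, 4, 5, 6]
# Constructed cheat: true median is 7.5, only the two middle slots fit 3.5.
MISORDERED = [7, 8, 3, 4, 9, 10]

def honest(rank):
    return SORTED[rank - 1]

def misordered(rank):
    return MISORDERED[rank - 1]

def fabricated(rank):
    """Replies invented to fit the claim, unrelated to any real sample."""
    return 1 if rank <= 3 else 6

if __name__ == "__main__":
    rng = random.Random(0)
    print(verify_median(honest, 6, 3.5, 2, rng))      # honest claim
    print(verify_median(honest, 6, 5.0, 2, rng))      # wrong claim, honest replies
    print(verify_median(misordered, 6, 3.5, 0, rng))  # middle ranks only
    print(verify_median(misordered, 6, 3.5, 4, rng))  # every rank probed
    print(verify_median(fabricated, 6, 3.5, 4, rng))  # nothing binds the replies
```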

Key Management Techniques Eng. Ahmed Ezz

Location verification – SeRLoc (Secure Range-independent localization)

What is location verification?
- Different assumptions from general localization
- What if some malicious nodes lie about their location?
- Sample attack scenario:
  - Claim to be very close to the sink
  - Attract many packets
  - Drop some or all of them
- Very easy DoS attack, especially for geographic routing protocols

Secure Location Services
- Secure Verification of Location Claims [Sastry et al. WISE 2002].
- Location Privacy: Privacy-aware Location Sensor Networks [Gruteser et al. USENIX 2003].
- Secure Localization: Ensure robust location estimation even in the presence of adversaries.
  - SeRLoc: [Lazos and Poovendran, WISE 2004].
  - S-GPS: [Kuhn 2004].
  - SPINE: [Capkun & Hubeaux, Infocom 2005].

SeRLoc: SEcure Range-independent LOCalization
SeRLoc features:
- No ranging hardware required.
- Decentralized implementation, scalable.
- Robust against attacks - lightweight security.

Two-tier network architecture
- Locators: randomly deployed, known location and orientation, directional antennas; locator range R, beamwidth θ
- Sensors: randomly deployed, unknown location, omnidirectional antennas; sensor range r
[Figure: locators at (X1, Y1) … (X5, Y5) and sensors, with ranges R and r and beamwidth θ marked]

The Idea of SeRLoc
- Each locator L_i transmits information that defines the sector S_i covered by each transmission.
- Sensor defines the region of intersection (ROI) from all locators it hears.
[Figure: locators L1, L3, L4, sensor s, origin (0, 0) and the ROI]
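
An added example, not part of the original slides: a Python sketch of how a sensor could compute the ROI on a grid from the sector information in the beacons it hears. The beacon tuple layout, the locator positions and the use of the ROI centroid as the location estimate are assumptions made here; the slide only defines the ROI.

```python
import math

def in_sector(point, beacon):
    """True if point lies inside the sector described by one locator beacon.

    beacon = ((x, y), start_deg, end_deg, R): locator position, the two
    boundary bearings of the antenna sector (counter-clockwise) and range R.
    """
    (lx, ly), start_deg, end_deg, radius = beacon
    dx, dy = point[0] - lx, point[1] - ly
    if math.hypot(dx, dy) > radius:
        return False
    bearing = math.degrees(math.atan2(dy, dx)) % 360
    return (bearing - start_deg) % 360 <= (end_deg - start_deg) % 360

def region_of_intersection(beacons, area, step=0.5):
    """Grid points of the deployment area covered by every heard sector."""
    xmin, ymin, xmax, ymax = area
    nx, ny = int((xmax - xmin) / step), int((ymax - ymin) / step)
    grid = ((xmin + i * step, ymin + j * step)
            for i in range(nx + 1) for j in range(ny + 1))
    return [p for p in grid if all(in_sector(p, b) for b in beacons)]

def estimate_location(beacons, area, step=0.5):
    """Centroid of the ROI, or None when the heard sectors do not overlap."""
    roi = region_of_intersection(beacons, area, step)
    if not roi:
        return None          # inconsistent beacons: no common region
    return (sum(x for x, _ in roi) / len(roi),
            sum(y for _, y in roi) / len(roi))

# Constructed scenario: three locators with 90-degree beams and R = 20 m,
# all heard by a sensor whose true (unknown to it) position is (10, 10).
AREA = (0.0, 0.0, 20.0, 25.0)
SENSOR = (10.0, 10.0)
BEACONS = [
    ((0.0, 0.0), 0, 90, 20.0),
    ((20.0, 0.0), 90, 180, 20.0),
    ((10.0, 25.0), 225, 315, 20.0),
]

if __name__ == "__main__":
    print(len(region_of_intersection(BEACONS[:1], AREA)))  # one beacon: large ROI
    print(len(region_of_intersection(BEACONS, AREA)))      # three beacons: smaller ROI
    print(estimate_location(BEACONS, AREA))
```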

How SeRLoc works
- Node i claims its location is (x, y)
- Node i needs to send (x, y) in a location verification request message to a nearby verifier
- A verifier can be a normal sensor node
- The verifier sends a random nonce to node i and starts the clock
- Node i has to immediately return the challenge through both radio and ultrasonic channels
- The verifier measures the time node i takes to return the challenge and takes the difference between the radio and ultrasonic signal propagation
- Based on this observation, it verifies the claimed location

Weakness of SeRLoc
- Requires extra hardware, i.e., ultrasonic channel
- Innocent victims may respond late due to backlog
- Not location verification but range verification
[Figure: verifier, M’s real location, M’s claimed location and the sink; “Oops... Verifier cannot tell the difference! Big trouble...”]
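
An added example, not part of the original slides: a Python model of the nonce challenge with radio and ultrasonic replies described above, and of the "range verification, not location verification" weakness. Coordinates, the 0.5 m tolerance, the speed constants and all function names are assumptions constructed for illustration.

```python
import math
import secrets

SPEED_RF = 299_792_458.0    # radio propagation, m/s
SPEED_US = 343.0            # ultrasound in air at about 20 C, m/s

def arrival_gap(verifier, position):
    """Gap (s) between the radio and ultrasonic replies of a node at position."""
    d = math.dist(verifier, position)
    return d / SPEED_US - d / SPEED_RF

def measured_range(gap):
    """Range (m) the verifier infers from the gap between the two arrivals."""
    return gap * SPEED_RF * SPEED_US / (SPEED_RF - SPEED_US)

def verify_claim(verifier, claimed, nonce, echoed, gap, tolerance=0.5):
    """Accept if the nonce is echoed and the measured range fits the claim."""
    if not secrets.compare_digest(nonce, echoed):
        return False                     # stale or forged reply
    return abs(measured_range(gap) - math.dist(verifier, claimed)) <= tolerance

# Constructed scenario matching the slide's picture.
VERIFIER = (0.0, 0.0)
NODE_M = (30.0, 40.0)        # M's real location, 50 m from the verifier
NEAR_SINK = (-50.0, 0.0)     # M's claimed location next to the sink, also 50 m away
TOO_CLOSE = (5.0, 0.0)       # a claim at a different range

def run_scenario():
    nonce = secrets.token_bytes(8)
    gap = arrival_gap(VERIFIER, NODE_M)  # what the verifier's clock observes
    return {
        "range_m": measured_range(gap),
        "honest": verify_claim(VERIFIER, NODE_M, nonce, nonce, gap),
        "wrong_range": verify_claim(VERIFIER, TOO_CLOSE, nonce, nonce, gap),
        # Same distance, different place: the single verifier cannot tell.
        "same_range": verify_claim(VERIFIER, NEAR_SINK, nonce, nonce, gap),
        "bad_nonce": verify_claim(VERIFIER, NODE_M, nonce, b"\x00" * 8 + b"x", gap),
    }

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```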

Possible Research Issues
- Most localization work is mathematical and evaluated via (high level) simulations
  - More realistic work is needed
- Indoor localization is harder
  - Look at the CodeBlue project at Harvard
- Location verification
  - Can’t trust sensors
- Secure localization
  - Can’t trust anchors