1. 1 Secure Routing in Wireless Sensor Networks : Attacks and Countermeasures Authors: Chris Karlof and David Wagner Presenter: Ivanka Todorova

2. 2 Outline Introduction and Contributions Background Sensor vs. ad-hoc wireless networks Problem Statement Attacks on sensor network routing Attacks on specific sensor network protocols Countermeasures Conclusions

3. 3 Introduction and Contributions Threat models and security goals for routing in WSNs Two new attacks  Sinkhole attacks  HELLO floods How to adapt attacks against ad-hoc wireless networks into powerful attacks against WSNs Practical attacks against routing protocols and topology maintenance algorithms for WSNs Countermeasures and design considerations for secure routing protocols in WSNs

4. 4 Background WSNs consist of hundreds or thousands of low-power, low-cost nodes having a CPU, power source, radio, and other sensing elements Have one or more points of centralized control called base stations or sinks Sensor readings from multiple nodes processed at aggregation points Power is the scarcest resource

5. 5 Background A representative sensor network architecture Picture from [7]

6. 6 WSNs vs. Ad-hoc WNs WSNs Communication method - multihop networking One or more points of centralized control such as base stations Routing - specialized communication pattern Resource-starved nature Trust relationships between nodes assumed Public key cryptography not feasible AD-hoc WNs Communication method - multihop networking There is no fixed infrastructure such as base stations Routing - any pair of nodes Limited resources Trust relationships between nodes not assumed Public key cryptography possible

7. 7 Problem Statement Network assumptions  Insecure radio links  Malicious nodes may collude to attack the network  Sensor nodes not temper resistant  Physical and MAC layers vulnerable to direct attacks Trust Requirements  Base stations are trustworthy  Aggregation points not necessarily trustworthy

8. 8 Problem Statement cont’d Two types of threat models Based on type of attacking devices  Mote-class attackers  Laptop-class attackers Based on attacker location  Outsider attacks  Insider attacks Security goals  Confidentiality, integrity, authenticity, and availability of all messages

9. 9 Attacks on sensor network routing Spoofed, altered, or replayed routing information Selective forwarding Sinkhole attacks  Adversary’s goal is to lure traffic through a compromised node  Work by making the compromised node look attractive  Makes selective forwarding trivial

10. 10 Attacks on sensor network routing cont’d Sybil Attack “One can have, some claim, as many electronic personas as one has time and energy to create.” Judith S. Donath [1] Picture from [2]

11. 11 Attacks on sensor network routing cont’d Wormhole An adversary tunnels packets received in one part of the network over a low-latency link and replays them in a different part of the network Picture from http://library/thinkquest.org/27930/wormhole.htm

12. 12 Attacks on sensor network routing cont’d HELLO flood attack  Many protocols require that nodes broadcast HELLO packets to announce themselves to their neighbors  Laptop-class attacker can convince all nodes that it is their neighbor by transmitting at high power Acknowledgement spoofing

13. 13 Attacks on specific sensor network protocols TinyOS beaconing  Description  Attacks Can authenticated routing updates solve the problem? Picture from [7]

14. 14 Attacks on specific sensor network protocols cont’d Combined wormhole/sinkhole attack Picture from [7]

15. 15 Attacks on specific sensor network protocols cont’d What if a laptop-class adversary uses a HELLO flood attack? What about mote-class adversaries?  Routing loops Picture from [7]

16. 16 Attacks on specific sensor network protocols cont’d Directed diffusion Attacks – Suppression, Cloning, Path influence, Selective forwarding and data tamperingAttacks – Suppression, Cloning, Path influence, Selective forwarding and data tampering Interest propagation Initial gradients set upData delivery along reinforced path Pictures from [6]

17. 17 Attacks on specific sensor network protocols cont’d Geographic routing  Two protocols GPSR (Greedy Perimeter Stateless Routing) GEAR (Geographic and Energy Aware Routing)  Description Greedy forwarding routing each packet to the neighbor closest to the destination GEAR weighs the choice of the next hop by both remaining energy and distance from the target

18. 18 Attacks on specific sensor network protocols cont’d Geographic routing Greedy forwarding example: y is x’s closest neighbor to D Greedy forwarding failure: x is a local maximum in its geographic proximity to D; w and y are farther from D. Pictures from [14]

19. 19 Attacks on specific sensor network protocols cont’d Geographic routing Node x’s void with respect to destination D. Picture from [14]

20. 20 Attacks on specific sensor network protocols cont’d Geographic routing  Attacks Sybil attack Picture from [7]

21. 21 Attacks on specific sensor network protocols cont’d  Attacks cont’d Creating routing loops in GPSR Picture from 7

22. 22 Attacks on specific sensor network protocols cont’d Minimum cost forwarding  Description  Attacks Sinkhole attack HELLO flood attack can disable the entire network MN C M +L N, M CNCN CMCM

23. 23 Attacks on specific sensor network protocols cont’d LEACH: low-energy adaptive clustering hierarchy  Description Nodes organized into clusters with one node serving as a cluster-head Cluster-heads aggregate data for transmission to a base station  Attacks HELLO flood attack Countermeasures defeated by a Sybil attack

24. 24 Attacks on specific sensor network protocols cont’d Energy conserving topology maintenance  Geographic Adaptive Fidelity (GAF) State transitions Node redundancy Virtual grid Pictures from [5]

25. 25 Countermeasures Shared key and link layer encryption  Prevent outsider attacks - Sybil attacks, selective forwarding, ACK spoofing  Cannot handle insider attacks - Wormhole, HELLO flood, TinyOS beaconing attacks In case of a wormhole encryption may make selective forwarding more difficult but cannot prevent blackholes Sybil and HELLO flood attacks  A globally shared key allows an insider to masquerade as any node  A pair of nodes can use a Needham-Schroeder protocol to establish a shared key  Limit the number of neighbors for a node  Verify the bidirectionality of the link for a HELLO flood attack

26. 26 Countermeasures Amended Needham Schroeder Symmetric Key  Author(s): Roger Needham and Michael Schroeder (1987)  Distribution of a shared symmetric key by a trusted server and mutual authentication. Symmetric key cryptography with server.

27. 27 Countermeasures Wormhole and sinkhole attacks  Protocols that construct a topology initiated by a base station are the most vulnerable  Good routing protocol design may be the solution – geographic routing protocols Geographic routing attacks  Use fixed topology to eliminate the need for location information Selective forwarding  Multipath routing  Braided paths  Allowing nodes to dynamically choose a packet’s next hop probabilistically from a set of possible candidates

28. 28 Countermeasures Braided path Picture from [10]

29. 29 Countermeasures Authenticated broadcast and flooding  μTESLA protocol to prevent replay of broadcast messages issued by the base station Replay is prevented because messages authenticated with previously disclosed keys are ignored  Flood the information about the malicious nodes in the network

30. 30 Conclusions End-to-end security mechanisms between a sensor node and a base station unlikely to guarantee integrity, authenticity, and confidentiality of messages Link layer security not enough to protect against insider attacks The routing protocol itself must be secure

31. 31 Conclusions Protection against the replay of data packets should not be a security goal of a routing protocol Sinkhole attacks and wormholes are a significant challenge  Wormholes are hard to detect because they use private, out-of-band channel invisible to the underlying network  Sinkholes are difficult to defend against because they leverage hard to verify information such as remaining energy  Protocols that construct topology initiated by a base station are most vulnerable  Geographic routing protocols are resistant Crucial to design routing protocols in which these attacks are meaningless

32. 32 Conclusions Geographic routing relatively secure against wormhole, sinkhole, and Sybil attacks Traffic naturally routed toward the physical location of a base station The main remaining problem is that location information must be trusted Restricting the structure of the topology eliminates the need for nodes to advertise their locations If nodes are arranged in a grid every node can easily derive its neighbors’ locations

33. 33 Conclusions Clustering protocols like LEACH may yield the most secure solutions against node compromise and insider attacks Virtual base stations can be used to create an overlay network

34. 34 Future Work How the feature of autonomic computing can be applied to WSNs to improve security [11,12] Self-healing in WSNs [13]

35. 35 References 1. J. S. Donath, “Identity and Deception in the Virtual Community”, Communities in Cyberspace, Routledge, 1998. 2. J.R. Douceur, The Sybil attack, in: 1st International Workshop on Peer-to- Peer Systems (IPTPS 02), 2002. 3. L. Zhou, Z. Haas, Securing ad hoc networks, IEEE Network Magazine 13 (6) (1999) 24–30. 4. F. Stajano, R.J. Anderson, The resurrecting duckling: security issues for ad- hoc wireless networks, in: Seventh International Security Protocols Workshop, 1999, pp. 172–194. 5. Y. Xu, J. Heidemann, D. Estrin, Geography-informed energy conservation for ad hoc routing, in: Proceedings of the Seventh Annual ACM/IEEE International Conference on Mobile Computing and Networking, 2001. 6. C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: a scalable and robust communication paradigm for sensor networks, in: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networks (Mobi-COM 00), 2000. 7. C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," in IEEE SPNA, 2002

36. 36 References 8. F. Ye, A. Chen, S. Lu, L. Zhang, A scalable solution to minimum cost forwarding in large sensor networks, in: Tenth International Conference on Computer Communications and Networks, 2001, pp. 304–309. 9. W.R. Heinzelman, A. Chandrakasan, H. Balakrishnan, Energy-efficient communication protocol for wireless microsensor networks, in: 33rd Annual Hawaii International Conference on System Sciences, 2000, pp. 3005–3014. 10. Deepak Ganesan, Ramesh Govindan, Scott Shenker, Deborah Estrin, Highly- resilient, energy-efficient multipath routing in wireless sensor networks, in: Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing, 2001, pp. 251-254. 11. http://s3lab.cs.okstate.edu/projects/CIP-WSN/ http://s3lab.cs.okstate.edu/projects/CIP-WSN/ 12. http://www.cse.msu.edu/~mckinley/920/Spring-2006/920-reading-final.html http://www.cse.msu.edu/~mckinley/920/Spring-2006/920-reading-final.html 13. Tatiana Bokareva, Nirupama Bulusu, Sanjay Jha, SASHA: Toward a Self- Healing Hybrid Sensor Network Architecture. Retrieved from http://web.cecs.pdx.edu/~nbulusu/papers/emnets.pdf on March 2, 2008. http://web.cecs.pdx.edu/~nbulusu/papers/emnets.pdf 14. Brad Karp, H.T. Kung, GPSR: Greedy Perimeter Stateless Routing for WirelessNetworks, Retrieved March 4, 2008 from http://www.eecs.harvard.edu/~htk/publication/2000-mobi-karp-kung.pdf http://www.eecs.harvard.edu/~htk/publication/2000-mobi-karp-kung.pdf