1
SECURE ROUTING IN WIRELESS SENSOR NETWORKS
Gayathri Venkataraman, Preeti Raghunath
2
AGENDA
Sensor Networks
Wireless Sensor Networks vs. Ad-Hoc Networks
Sensor Network Security Challenges
Attacks on Sensor Network Routing
Securing the Wireless Network
Summary
3
Sensor Networks
A sensor network is composed of a large number of sensor nodes that are densely deployed either inside the phenomenon or close to it. Each of these sensor nodes collects data and transmits it to the sink using special routing protocols. The sink may communicate with the task manager using the Internet or satellite [1].
Figure 1: Sensor nodes communication. Source: Retrieved August 22, 2003
4
What is a Sensor Network?
A heterogeneous system that combines tiny sensors and actuators with general-purpose computing elements. Sensor readings from multiple nodes can be processed by one or more aggregation points.
A sensor network may consist of several low-power and low-cost nodes. The nodes can be mobile but are more likely in a fixed location, deployed en masse to monitor and affect the environment. Aggregation points (also nodes themselves) collect sensor readings from surrounding nodes and forward a single message representing the aggregate of the values.
5
Base Station
Sensor networks have one or more points of centralized control called base stations. Base stations are either:
Gateway to another network
Data processing or storage center
Access point for human interface
6
Sensor Network Architecture
Figure legend: rectangular boxes are base stations; orange circles are aggregation points; red circles are sensor nodes.
7
Constraints of Wireless Sensor Networks
Sensor networks are resource-starved when it comes to:
Computational power
Memory
Bandwidth
Power
Memory is a resource that must be utilized carefully. Therefore security protocols cannot maintain much state. In addition, public-key cryptography is too expensive to be deployed on a wide scale in wireless networks.
8
Sensor Networks VS. Ad Hoc Networks
An ad-hoc network supports routing between any pair of nodes. Sensor networks have a specialized communication pattern:
Many to one: Multiple sensor nodes send sensor readings to a base station or aggregation point in the network.
One to many: A base station multicasts a query to several sensor nodes.
Local communication: Neighboring nodes communicate with each other. It can be broadcast or unicast.
9
Security challenges in Wireless Sensor networks (1 of 3)
Network Assumptions:
Radio links are not secure.
Attackers can deploy malicious nodes into the network.
Trust Requirements:
Base stations are trusted nodes.
Aggregation points may be trusted for certain protocols.
Sensor networks use radio communication, which is not secure. An adversary (or attacker) can deploy malicious nodes with the intent of eavesdropping or carrying out attacks.
Trust Requirements: Since base stations interface a sensor network to the outside world, compromise of a significant number of them can render the entire network useless.
10
Security challenges in Wireless Sensor networks (2 of 3)
Threat models:
Mote-class attackers: Sensor nodes are used for attacks. A sensor can eavesdrop only on nodes in its vicinity.
Laptop-class attackers: More sophisticated. Can eavesdrop on or jam the entire network.
Outsider attacks: The attacker has no special access to the sensor network.
Insider attacks: An authorized participant of the network has gone bad by running malicious code.
Mote-class attacks: The attacker has access to a few sensor nodes that have limited capabilities.
Laptop-class attacks: The attacker has access to more powerful devices such as a laptop and thus has an advantage over legitimate nodes in the network.
11
Security challenges in Wireless Sensor networks (3 of 3)
Security Goals: Protection against eavesdropping is responsibility of application layer not routing algorithms. However, eavesdropping caused by abuse of routing protocol is the responsibility of protocols. Graceful degradation of network in case of insider attack. In the presence of insider adversaries, it is not likely that security goals in above slide can be achieved. However, the network should be designed for “graceful degradation”. Graceful degradation means that network performance should not degrade faster than the ratio of compromised nodes to total nodes in the network.
12
Attacks on Sensor Networks (1 of 3)
Spoofing: Altering, spoofing or replaying routing information between nodes.
Selective forwarding: A malicious node does not forward any packets, or selectively forwards packets.
Selective forwarding: A malicious node behaves as a black hole. However, the malicious node runs the risk of neighboring nodes assuming that it has failed and hence seeking other routes. A more sophisticated attack selectively forwards packets.
13
Attacks on Sensor Networks (2 of 3)
Sinkhole attack: Here the attacker's goal is to lure all the traffic through a compromised node. Other nodes in the path have opportunities to tamper with application data.
Sybil attack: A single node presents multiple identities.
Wormholes: The attacker tunnels messages received in one part of the network over a low-latency link and replays them in a different part.
Sinkhole attack: Makes a compromised node look very attractive to surrounding nodes with respect to the algorithm. This attack can enable many other attacks.
Sybil attack: This attack can reduce the effectiveness of fault-tolerant schemes such as distributed storage, multi-path routing and topology maintenance, as the adversary can be in more than one place and can take different identities.
Wormhole: Two distant malicious nodes collude to understate the distance between them by relaying packets along a tunnel available only to the attacker. An attacker situated close to a base station can disrupt routing as a result.
14
Attacks on Sensor Networks (3 of 3)
HELLO flood attack: An attacker with enough transmission power convinces every node in the network that the attacker is its neighbor.
Acknowledgement spoofing: Link-layer acknowledgements are spoofed to convince a node that a weak link is strong and vice versa.
Hello flood: Nodes announce themselves by broadcasting "Hello" packets. A laptop-class attacker with large enough transmission power could convince every node in the network that the attacker is a neighbor.
Acknowledgement spoofing: A routing protocol may select the next hop in a path using link reliability. Artificially reinforcing a weak or dead link is a way to manipulate the scheme.
15
Attacks on Specific Routing Protocols
Gayathri Venkataraman
16
Special Routing Protocols! Why???
A typical mote has a 4 MHz processor, 128 KB of instruction memory, 4 KB of RAM for data, and 512 KB of flash memory. The whole device is powered by two AA batteries. Hence the requirement for special routing protocols that are:
Less computation
Less memory
Simple
No global identification like an IP address
17
Challenges For Security
The resource-starved nature of sensor networks poses a big challenge for security.
Public-key cryptography is so expensive.
With only 4 KB of RAM, memory must be used carefully.
18
Directed Diffusion Is a data centric routing
Base stations flood interests for named data Nodes able to satisfy the interest disseminate information along the reverse path of interest propagation. Interests are initially transmitted at a lower rate. Based nodes reinforce the path where there is more data. Failed node paths are negatively reinforced.
19
Directed Diffusion
Figure source: Retrieved August 27, 2003
The first picture (from the left) shows the sink transmitting an interest to all nodes and establishing gradients. A gradient is something like a path of data flow. The next picture shows that a node has found an event and has transmitted it to the sink. The next picture shows multiple nodes transmitting events to the sink.
20
Attacks on Directed Diffusion
Suppression: Suppress the flow of data by sending negative reinforcement.
Cloning: The attacker can replay an interest from a legitimate base station.
Path influence: The attacker can influence the path taken by a data flow by spoofing positive and negative reinforcements and bogus data events.
Selective forwarding and tampering: The attacker can insert himself into the path of the event flow and gain control of the event flow.
In path influence, an adversary can influence the path, and the following may result:
1. Data events generated by legitimate sources will be drawn to the attacker.
2. The attacker's node will be reinforced by nodes above because of its high data rate.
21
Attacks on Directed Diffusion
A laptop-class adversary can create a worm hole between node A, located near the base station, and node B, located near likely events. Interests are advertised through the worm hole and rebroadcast by node B. If node A sends negative reinforcements and the worm hole does not pass those messages, node B continues its positive reinforcement; no data then reaches the sink node, and eventually node B's power is lost.
22
Tiny-OS Beaconing
In this protocol base stations periodically broadcast a routing update. All stations receiving the update mark the base station as their parent. This algorithm proceeds recursively, with each node marking as its parent the first node from which it hears the update. All packets received or generated by a node are forwarded to its parent until they reach the base station. This is a breadth-first spanning tree rooted at the base station.
23
Attacks on Tiny-OS Beaconing
Routing updates are not authenticated.
An attacker can suppress, eavesdrop on, and modify packets through a worm hole/sink hole attack, as shown in the figure.
Authenticated routing can prevent attacks from a mote-class adversary, but a laptop-class attacker can create a worm hole between two nodes and participate in the network. Since it is laptop-class, it can transmit with more strength and can establish itself as the parent of all nodes.
Source: Retrieved on November 17, 2003
24
Attacks on Tiny-OS Beaconing
A laptop-class adversary can use a Hello flood attack to broadcast a routing update, and all nodes will consider the adversary their parent. Nodes that are not in actual range of the parent may then flood the packets to neighbors that also have the adversary as their parent.
Routing loops can be created. Suppose the adversary knows node A and node B are within radio range of each other. The adversary sends a routing update to B as if it came from A. B updates its parent to A and sends a routing update. Now A updates its parent to B.
25
Geographic Routing Two Kinds
Geographic and Energy Aware Routing (GEAR) uses the energy information and the location of neighboring nodes to forward packets.
Greedy Perimeter Stateless Routing (GPSR) uses only the proximity of neighbors to forward its messages. The energy consumption is uneven across the nodes.
26
Attacks on Geographic Routing
Regardless of the adversary's location, he might advertise himself as closest and place himself on the path of the data flow.
For GEAR, the adversary can advertise maximum energy to divert all packets to himself and can then mount a selective forwarding attack.
Routing loops are possible in GPSR routing, as shown in the figure.
Routing loops: Assume the maximum radio range is one unit. An adversary can forge a message that B is at (2,1) and send it to C. C now makes B its parent. Now suppose legitimate B(0,1) wants to send a message to B; then he forwards it to C, who again sends it back to B.
Source: Retrieved on November 17, 2003
27
Counter Measures Link Layer Security
Simple link layer encryption and authentication using a globally shared key. If a worm hole is established, encryption makes selective forwarding difficult, but can do nothing to prevent black hole selective forwarding. This worm hole is possible by replaying the message from one group of nodes to other group. Link layer security mechanisms cannot prevent any insider attack. Link Layer authentication can prevent an outsider attack like Sybil, Selective forwarding and Sink Hole attacks. But still this cannot avoid insider attacks, Hello flood, and worm hole attacks.
28
Counter Measures Sybil Attack
Every node shares a unique symmetric key with the base station.
Two nodes can use a Needham-Schroeder-like protocol to verify identity and establish a shared key.
The base station limits the number of nodes with which an insider can communicate. This limits the number of nodes an adversary can communicate with.
The compromised node is not prevented from communicating; however, this restricts the number of nodes the adversary can affect, because of the limit set by the base station on the number of verified neighbors.
29
Counter Measures Hello Flood Attacks
Verify the bi-directionality of the link before taking any action.
Measures against the Sybil attack, like limiting the number of verified neighbors of a node, will also prevent the Hello flood attack.
The bi-directional verification can be enforced by link-layer authentication.
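The bi-directionality check and neighbor cap described above, as an added Python simulation (not part of the original slides). The radio model, the ranges, the cap of 4, the shared key, and every name are assumptions made for illustration; it also assumes the distant sender's receiver is no more sensitive than a mote's.

```python
import hashlib
import hmac
import math
import os

MOTE_RANGE = 1.0      # assumed normal mote radio range (arbitrary units)
MAX_NEIGHBORS = 4     # assumed cap on verified neighbors per node

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Radio:
    """A transmitter at `pos`; `key` is its link-layer key (None = outsider)."""
    def __init__(self, name, pos, key, tx_range=MOTE_RANGE):
        self.name, self.pos, self.key, self.tx_range = name, pos, key, tx_range
        self.neighbors = set()

    def reaches(self, other) -> bool:
        # Simulated physics: can a frame sent by self be heard by other?
        return math.dist(self.pos, other.pos) <= self.tx_range

    def answer(self, nonce: bytes):
        return mac(self.key, self.name.encode(), nonce) if self.key else None

def handle_hello(receiver: Radio, sender: Radio) -> str:
    """Receiver's decision on a HELLO, taken before using sender as a next hop."""
    if not sender.reaches(receiver):
        return "not heard"
    if len(receiver.neighbors) >= MAX_NEIGHBORS:
        return "rejected: neighbor cap"
    nonce = os.urandom(8)                      # fresh challenge per HELLO
    if not receiver.reaches(sender):           # challenge goes out at mote power
        return "rejected: one-way link"
    reply = sender.answer(nonce)
    expected = mac(receiver.key, sender.name.encode(), nonce)
    if reply is None or not hmac.compare_digest(reply, expected):
        return "rejected: bad MAC"
    receiver.neighbors.add(sender.name)
    return "accepted"

def demo():
    k = b"constructed-network-key"             # constructed sample key
    node = Radio("n1", (0.0, 0.0), k)
    near = Radio("n2", (0.6, 0.0), k)                     # ordinary neighbor
    loud = Radio("x1", (30.0, 0.0), k, tx_range=100.0)    # far away, high power
    nokey = Radio("x2", (0.5, 0.0), None)                 # in range, no key
    return [handle_hello(node, s) for s in (near, loud, nokey)]
```

The high-power sender is heard but never sees the challenge, so it is dropped before any routing decision depends on it.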
30
Counter Measures Worm Hole and Sink Hole Attacks
Sink holes are difficult to defend against in protocols which use advertised information like energy information and hop count. Hop count can be verified; however, energy and TinyOS beaconing are difficult to defend.
The best solution is to design protocols where the above attacks are meaningless.
31
Counter Measures
Protocols that construct a topology initiated by the base station are susceptible to attacks.
Geographic protocols that construct the topology on demand using localized interactions, and not from base stations, are good solutions.
In geographic routing, since proximity is a factor, an artificial link to a sink hole is not possible because it may not fall within the normal radio range.
32
Counter Measures
Geographic routing is secure against worm hole, sink hole, and Sybil attacks, but the remaining problem is that the location advertisement must be trusted.
Probabilistic selection of the next hop from several advertisements can reduce the problem.
Restricting the structure of the topology can eliminate the problem by eliminating advertisements. For example, nodes can arrange themselves in a square, triangular, etc. pattern so that every node can derive its neighbors.
33
Counter Measures Selective Forwarding
Multi-path routing can be used to avoid this attack.
Routing messages over n paths whose nodes are completely disjoint is an effective solution. Creating this kind of path may be difficult.
Probabilistic selection of the next hop can add to security.
One example of multi-path routing is the braided path. Braided paths can have common nodes but not common links. This can provide probabilistic protection.
34
Counter Measures Authenticated Broadcast & flooding digital signatures
Symmetric-key cryptography
Delayed key disclosure and one-way key chains constructed with a publicly computable, cryptographically secure hash function
A replay attack is not possible because each key is used only once.
A base station is considered to be trustworthy. Broadcasts from the base station must be authenticated. The authentication methods are discussed above.
35
Limitations of Multi-Hop Routing
If nodes within one or two hops of the base station are compromised, the network will be completely down.
Protocols like LEACH, which forms clusters whose cluster heads communicate directly with the base station, may yield a secure solution.
LEACH is considered to be more secure because motes organize themselves into clusters and choose a cluster head to communicate directly with the base station. Also, since the cluster and cluster head are not the same every time, there is probabilistic protection.
36
Conclusion
Secure routing is vital to the acceptance and use of sensor networks.
Current protocols are insecure.
Careful protocol design is needed, as a sensor mote cannot do complex cryptographic computations.
37
References
[1] Ian F. Akyildiz, Weilian Su, Yogesh Subramaniam, and Erdal Cayirci (2002, August). A Survey on Sensor Networks. Retrieved August 26, 2003
[2] Chalermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin. Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks. /Estrin_mobicom00.pdf Retrieved August 20, 2003
[3] Chris Karlof, David Wagner. Secure Routing in Wireless Sensor Networks: Attacks and Counter Measures
38
Thank You!!!!! Questions???????????