1. Secure Routing in wireless sensor networks: attacks and countermeasures
Chris Karlof and David Wagner
University of California at Berkeley
1st IEEE International Workshop on Sensor Network Protocols and Applications, 2003
발표: 장준혁, 최준철

2. Contents Introduction: wireless sensor network Problem statement
Attacks on sensor network routing
Attacks on specific sensor network protocols
Countermeasures
Conclusion

3. Wireless Sensor Network(WSN)
Applications
Fire monitoring, protecting wild animals, military purpose
Deployment
Sensing
Network construction
Data aggregation
Restricted resources
Environments(assumptions)
Base station
Global information
Transmission range
Mobility
Sink
Node
Sensor Field
Resource constraints Sensor Node

4. Sensor Node <Mica mote> <Power consumption> Component Spec
Processor
4 MHz 8-bit CPU OS
TinyOS
RAM
4 KB
Storage
512 KB flash memory
Radio
916 MHz, 40Kbps
Range of a few dozen meters
Power supply
AA battery
Sensors
Optional
<Mica mote>
CPU
Consumption
Active
5.5 mA
Sleep
100 배 이상 적음
Radio
Consumption
Receiving
4.8 mA
Transmit
12 mA
Sleep
5 uA
<Power consumption>

5. Sensor Network Routing
Power consumption dominates network lifetime
Mostly, sensor nodes are not repaired or reused
2 weeks ~ a few years
How many messages are used?
= How long does the network alive?
 Sensor routing protocols
Flooding, proactive(DSDV), reactive(AODV), clustering(LEACH)
The routing protocols are not designed for security and traditional methods are hard to use
This paper suggests
Threat models and security goals
Countermeasures
Design consideration

6. WSN vs. Ad-hoc Wireless Networks
DIP2010F
WSN vs. Ad-hoc Wireless Networks
Similarity
Support Multi-hop networking
Differences
Sensor : Supports Specialized communication patterns
Many-to-One
One-to-Many
Local Communication
Sensor nodes more resource constrained than Ad-hoc nodes
Public key cryptography not feasible
Higher level of trust relationship among sensor nodes
In-network processing, aggregation, duplication elimination
Duty cycle

7. Problem Statement Trust Requirements Threat Models
DIP2010F
Problem Statement
Trust Requirements
Insecure Radio links
Base station(trusted), nodes(untrusted)
None tamper resistant
Adversary can access all key, data, code
Threat Models
Based on device capability
Mote-class attacker / Laptop-class attacker
Based on attacker type/location
Outside attacks / Inside attacks

8. Security Goal Responsibility Outsider adversaries Insider adversaries
DIP2010F
Security Goal
Responsibility
Link layer: Integrity, authenticity, and confidentiality
Routing protocol: Availability
Application: replay attack
Outsider adversaries
Conceivable to achieve these goals
Insider adversaries
These goals are not fully attainable -> Graceful degradation

9. Attack Model Spoofed, altered, or replayed routing information
DIP2010F
Attack Model
Spoofed, altered, or replayed routing information
Selective forwarding
Sinkhole attacks**
Sybil attacks
Wormholes attacks
HELLO flood attacks**
Acknowledgement spoofing
Attacker wants to:
Steal information through the data flows
Break the functionality of the sensor network

10. Attack Model Spoofed, altered or replayed routing information
DIP2010F
Attack Model
Spoofed, altered or replayed routing information
May be used for loop construction, attracting or repelling traffic, extend or shorten source route
Selective forwarding
A malicious node behaves like a black hole
Refuse to forward certain messengers, selective forwarding packets or simply drop them
Sinkhole attacks
Attacker creates metaphorical sinkhole
by advertising for example high quality
route to a base station
Almost all traffic is directed to the fake sinkhole B A1 A3 A2 A4

11. Attack Model The Sybil Attack Wormholes
DIP2010F
Attack Model
The Sybil Attack
Forging of multiple identities - having a set of faulty entities represented through a larger set of identities.
Significant threat to location aware routing protocols
An adversary node can be in more than one place at once
Wormholes
Tunneling of messages over alternative low-latency links,
e.g. confuse the routing protocol, create sinkholes. etc.
그림: 애드 혹(Ad Hoc) 네트워크에서의 위치정보 기반의 웜홀(Wormhole) 탐지 기법, 이규호 외, 정보과학회, 2006

12. Attack Model HELLO flood attack Acknowledgement spoofing
DIP2010F
Attack Model
HELLO flood attack
An attacker sends or replays a routing protocol’s HELLO packets with more energy
Acknowledgement spoofing
Spoof link layer acknowledgement to trick other nodes to believe that a link or node is either dead or alive

13. Attacks on specific protocols
DIP2010F
Attacks on specific protocols
TinyOS beaconing
Directed Diffusion
Geographic routing

14. Attacks on specific protocols
DIP2010F
Attacks on specific protocols
TinyOS beaconing
Base station broadcast Route update(beacon) periodically, Nodes received the update and mark the base station as parent and broadcast it
Breadth First Spanning Tree rooted at a base station
Routing updates are not authenticated

15. Attacks on TinyOS protocols
DIP2010F
Attacks on TinyOS protocols
Spoofing a routing update
Bogus and replayed routing information (such like “I am station”) send by an adversary can easily pollute the entire network
Routing loops can easily be created by mote-class adversaries

16. Attacks on TinyOS protocols
DIP2010F
Attacks on TinyOS protocols
Wormhole / Sinkhole attack
Two colluding powerful laptop-class nodes, one near the base station and one near the targeted area
The first node forwards routing updates through worm hole
The second node create sinkhole by rebroadcasting the routing update in the targeted area

17. Attacks on TinyOS protocols
DIP2010F
Attacks on TinyOS protocols
HELLO flood attack
Broadcast a routing update loud enough to reach the entire network by using a powerful transmitter
Every node marks the adversary as its parent
Most nodes will be likely out of normal radio range

18. Attacks on TinyOS protocols
DIP2010F
Attacks on TinyOS protocols
HELLO flood attack
Broadcast a routing update loud enough to reach the entire network by using a powerful transmitter
Every node marks the adversary as its parent
Most nodes will be likely out of normal radio range

19. Attacks on specific protocols
DIP2010F
Attacks on specific protocols
Directed diffusion
A data-centric routing algorithm for drawing information out of a sensor network

20. Attacks on Directed diffusion protocols
DIP2010F
Attacks on Directed diffusion protocols
Suppression
Cloning
Path influence
Selective forwarding and data tempering

21. Attacks on specific protocols
DIP2010F
Attacks on specific protocols
Geographic Routing
GPSR (Greedy Perimeter Stateless Routing)
Greedy forwarding routing each packet to the neighbor closest to the destination
GEAR (Geographic and Energy Aware Routing)
GEAR weighs the choice of the next hop by both remaining energy and distance from the target

22. Attacks on Geographic Routing protocols
DIP2010F
Attacks on Geographic Routing protocols
Sybil Attack
Surrounding each target using non-existent nodes by using Sybil attack. Adversary maximizes chances for placing herself on the path of data flow
Forge location advertisements
Advertise her location in a way to place herself on the path of a known flow
Forge other node’s location to create routing loops

23. Countermeasures Authentication and encryption
DIP2010F
Countermeasures
Authentication and encryption
Prevents the majority of outsider attacks
False routing information, selective forwarding, sinkhole attacks, sybil attacks, ACK spoofing
Can’t prevent to tunnel or amplify legitimate message
Wormhole attacks, HELLO flood atacks
Can’t prevent insider attacks

24. Countermeasures Insider attacks
DIP2010F
Countermeasures
Insider attacks
Using a globally shared key allows an insider to masquerade as any node
Verifing identities might be done using Public key cryptography, but this is beyond the capabilities of sensor nodes
Share a unique symmetric key with a trusted base station
Two nodes verify each other by using some protocol and establish a shared key
Using that key, pair of noes can implement authenticated and encrypted link between them
Base station reasonably limit the number of neighbors

25. Countermeasures Wormhole and Sinkhole attacks
DIP2010F
Countermeasures
Wormhole and Sinkhole attacks
These are very difficult to defend since detecting and verifying is extremely difficult
Difficult to retrofit existing protocols with defenses against these attack
Best solution is to carefully design routing protocols
Geographic routing protocol
Resistant to wormhole and sinkhole attacks
Do not construct topology with initiation. Construct on demand
Difficult to create a sinkhole and easy to detect wormhole

26. Countermeasures Selective Forwarding
DIP2010F
Countermeasures
Selective Forwarding
Multipath routing can be used to counter these types of selective forwarding attacks
Messages routed over n paths whose nodes are completely disjoint are completely protected against selective forwarding attacks involving at most n compromised nodes
Allowing nodes to dynamically choose a packet’s next hop probabilistically from a set of possible candidates

27. DIP2010F
Conclusion
Currently proposed routing protocols for sensor networks are insecure
Link layer encryption and authentication, multipath
routing, identity verification, bidirectional link
verification and authenticated broadcast is important
Cryptography is not enough for insiders and laptopclass
adversaries, careful protocol design is needed as
well