1. Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures – C. Karlof and D. Wagner Dr. Xiuzhen Cheng Department of Computer Science The George Washington University cheng@gwu.edu http://www.seas.gwu.edu/~cheng

2. 04/12/2006Xiuzhen (Susan) Cheng2 Outline  Introduction  Attacks on Sensor Network Routing  Attacks on Specific Sensor Network Protocols  Countermeasures

3. 04/12/2006Xiuzhen (Susan) Cheng3 Outline  Introduction  Attacks on Sensor Network Routing  Attacks on Specific Sensor Network Protocols  Countermeasures

4. 04/12/2006Xiuzhen (Susan) Cheng4 Background  Sensor Network : Heterogeneous system consisting of tiny sensors and actuators having some computing elements  Base Station : Point of centralized control Gateway to another network, powerful data processing unit, or point of human interface More processing capability, memory & power  Aggregation points : Node at which the messages are processed before sending to base station  POWER constrained environment

5. 04/12/2006Xiuzhen (Susan) Cheng5 Sensor N/w vs. Ad-Hoc N/w  Similarity : Support Multi-hop networking  Differences : Ad-hoc : Routing between any two nodes Sensor : Supports Specialized communication patterns  Many-to-One  One-to-Many  Local Communication Sensor nodes more resource constrained than Ad-hoc nodes Trust relationship among sensor nodes  In-network processing, aggregation, duplication elimination Larger Scalability

6. 04/12/2006Xiuzhen (Susan) Cheng6 Problem Statement  Network Assumptions Insecure Radio links Malicious node collude to attack the system No tamper resistance on nodes Adversary can access all key material, data, and code stored on the captured node  Trust Requirements Base stations are trustworthy Aggregation points not necessarily trustworthy

7. 04/12/2006Xiuzhen (Susan) Cheng7 Problem Statement  Threat Models : 2 types  Based on device capability Mote-class attacker  access to few sensor nodes Laptop-class attacker  Access to more powerful devices. Have more battery power, better CPU, sensitive antenna, powerful radio Tx, etc  Based on attacker type / attacker location Outside attacks  attacker external to the network Inside attacks  Authorized node in the network is malicious/compromised

8. 04/12/2006Xiuzhen (Susan) Cheng8 Problem Statement  Security Goals Secure routing protocol should guarantee integrity, authenticity, availability of messages in presence of adversaries Secrecy of application data is must

9. 04/12/2006Xiuzhen (Susan) Cheng9 Outline  Introduction  Attacks on Sensor Network Routing  Attacks on Specific Sensor Network Protocols  Countermeasures

10. 04/12/2006Xiuzhen (Susan) Cheng10 Attacks on Sensor Network Routing  Two types of attacks Manipulate user data directly Affect the underlying routing topology  Six categories of attacks

11. 04/12/2006Xiuzhen (Susan) Cheng11 Spoofed, Altered, or Replayed Routing Information  Create routing loops  Attract or repel network traffic  Extend or shorten source routes  Generate false error messages  Partition the network  Increase end-to-end delay  Etc.

12. 04/12/2006Xiuzhen (Susan) Cheng12 Selective Forwarding  Blackhole: forward no message Easier to be detected by neighbors  Selectively forward traffic Suppress traffic originates from some sources but reliably forward others Hard to be detected  Most effective when the attacker is the routing path How to emulate selective forwarding when not in the routing path? How to overcome this problem?

13. 04/12/2006Xiuzhen (Susan) Cheng13 Sinkhole Attacks  Lure nearly all traffic from a particular area through a compromised node Making a compromised node look especially attractive to surrounding nodes w.r.p.t. the routing algorithm  By announcing a high-quality route  By a notebook attacker  Creates a large “sphere of influence” Makes selective forwarding attack easier

14. 04/12/2006Xiuzhen (Susan) Cheng14 The Sybil attack  A single node presents multiple identities to others Reduce the effectiveness of fault-tolerant mechanisms  Node-disjoint paths High threat to geographic routing protocols  An attacker “can be in more than one place at once”

15. 04/12/2006Xiuzhen (Susan) Cheng15 Wormholes  Two colluding nodes understate their distance from each other by relaying packets along an out-of-bound channel available only to the attackers  Can be used to create a sinkhole  Can be used to exploit routing race conditions Causing a node to receive certain routing message while ignore others  Can be combined with selective forwarding and eavesdropping

16. 04/12/2006Xiuzhen (Susan) Cheng16 Hello Flood Attack  Some protocols require that nodes broadcast ‘ hello ’ packets to advertise themselves  Laptop-class attacker can convince every node that it is their neighbor by transmitting at high power  Can be thought as a one-way, broadcast wormhole

17. 04/12/2006Xiuzhen (Susan) Cheng17 Acknowledgement Spoofing  Some routing algorithms require explicit/implicit link layer ACKs  Adversary can spoof ACKs for control packets and try to convince the sender that a weak link is strong or a dead link is alive; causing packet losses

18. 04/12/2006Xiuzhen (Susan) Cheng18 Outline  Introduction  Attacks on Sensor Network Routing  Attacks on Specific Sensor Network Protocols  Conclusion and Future Research

19. 04/12/2006Xiuzhen (Susan) Cheng19 TinyOS Beaconing Protocol Description  It constructs a ‘ Breadth first ’ spanning tree rooted at the base station  Base station periodically broadcast route updates  Immediate nodes  parent, base station; other nodes  parent, from who they receive the first update  Packets travel through the paths along tree

20. 04/12/2006Xiuzhen (Susan) Cheng20 TinyOS Beaconing Attacks  Unauthenticated route updates  Malicious node acts as base station  Authenticated route updates  Two colluding nodes (laptop-class attacker with one near the base station) form wormhole to direct all traffic through them Laptop-class attacker use HELLO flood attack  every node marks attacker as parent Mote-class attacker can cause ‘ Routing loops ’ between two nodes

21. 04/12/2006Xiuzhen (Susan) Cheng21 Directed Diffusion  Protocol desc.  Data-centric routing algorithm Base station send the ‘ named ’ data which is flooded as ‘ interests ’ throughout the network ‘ Gradients ’ are set up to ‘ draw ’ events (data matching the interests) Base station positively reinforces high data rates paths  Attacks  Cloning i.e. Replay of interest by the adversary Path influence by reinforcing certain paths passing through the adversary Selective forwarding and data tampering

22. 04/12/2006Xiuzhen (Susan) Cheng22 Geographic Routing  Two protocols : GPSR (Greedy Perimeter Stateless Routing) GEAR (Geographic and Energy Aware Routing) GPSR is a greedy algorithm, routing packets to a neighbor that is closest to the destination When greedy forwarding is impossible, GPSR routes around the perimeter of the void GPSR utilizes only one route, leading to uneven energy consumption GEAR takes both distance and residual energy as routing metric  Leverage nodes ’ positions & explicit geographic packet destinations to efficiently disseminate queries and route updates  Require exchange of location information

23. 04/12/2006Xiuzhen (Susan) Cheng23 Geographic Routing Attacks  Attack : Location information misrepresented  Adversary advertise wrong location info. so as to place himself in the path Adversary forge location advertisements creating routing loops In GEAR, energy is also considered  adversary advertise maximum energy (Laptop class attacker again !!)

24. 04/12/2006Xiuzhen (Susan) Cheng24 Geographic Routing Attacks  Sybil Attack  Routing Loops

25. 04/12/2006Xiuzhen (Susan) Cheng25 Minimum Cost Forwarding  A distributed shortest-paths algorithm Initially each node has cost infinity except the base station whose cost is 0 Beacon flooding from base station to update the cost  C N = C M + L N,M  Attacks Is extremely susceptible to sinkhole attacks – an attacker announces its cost of 0 at anywhere Hello-flood attack by a laptop-class attacker to disable the whole network

26. 04/12/2006Xiuzhen (Susan) Cheng26 LEACH: Low-Energy Adaptive Clustering Hierarchy  Nodes self-organize into clusters and cluster head can communicate with the base station directly Cluster head rule rotates; its election is probabilistic-based (residual power and required cluster head percentage) Cluster head aggregates readings from its cluster members Node transmission within a cluster is TDMA based Nodes select its cluster head based on RSSI

27. 04/12/2006Xiuzhen (Susan) Cheng27 LEACH: Attacks  Since RSSI is used to select cluster head, a laptop-class attacker can disable the whole network with the HELLO flood attack  Selective forwarding attack Compromised cluster head

28. 04/12/2006Xiuzhen (Susan) Cheng28 Outline  Introduction  Attacks on Sensor Network Routing  Attacks on Specific Sensor Network Protocols  Countermeasures

29. 04/12/2006Xiuzhen (Susan) Cheng29 Countermeasures  Outsider attacks vs. Insider attacks The majority of outsider attacks can be prevented by Secret shared key & Link layer encryption.  Prevents Sybil attacks, Selective forwarding, Sinkhole  Ineffective against Wormhole, Hello floods attacks. Completely ineffective in the presence of insider attacks  Bogus routing information  Create sinkholes  Selectively forward packets  Sybil attacks  HELLO floods

30. 04/12/2006Xiuzhen (Susan) Cheng30 Countermeasures  Countermeasure to Insider Sybil attacks Every node shares a unique symmetric key with the base station A pair of neighbor nodes use the resulting key to implement an authenticated, encrypted link between them. Base station limits the number of neighbors a node is allowed to have – prevent an insider attacker establishing shared keys with every node in the network.  Not perfect Malicious nodes can still communicating with its verified neighbors Two or more colluding nodes may attack the network more powerfully

31. 04/12/2006Xiuzhen (Susan) Cheng31 Countermeasures  Countermeasure to HELLO flood attacks Verify the bidirectionality of the link between two nodes  How about the adversary have highly sensitive receivers?

32. 04/12/2006Xiuzhen (Susan) Cheng32 Countermeasures  Countermeasure to Wormhole, SinkHole attacks Geographical Routing protocols.  Problems: How to get the location information – attackers may disseminate spoofed location information  Solution: Restrict the structure of topology to eliminate the need for location information by the node. Use fixed topology like square, triangular or Hex Grid structure. However, it also restrict its application. Suggestions: using multipath routing, and design effective evaluation methods to determine the quality of each routes.

33. 04/12/2006Xiuzhen (Susan) Cheng33 Countermeasures  Countermeasure to Selective forwarding Multipath routing using completely disjoint paths or Braided paths Allowing nodes dynamically choose a packet ’ s next hop from a set of possible candidates.  Not enough: add evaluation method to discriminate different routes

34. 04/12/2006Xiuzhen (Susan) Cheng34 Countermeasures  Authenticate Broadcast and flooding Base station is trustworthy. Adversaries must not be able to spoof broadcast or flooded messages from any base station. HELLO message from neighbor nodes should be authenticated and impossible to spoof.  Attention: authentication should be efficient – public key cryptography and digital signatures is beyond the capabilities of sensor nodes.