Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures – C. Karlof and D. Wagner Dr. Xiuzhen Cheng Department of Computer Science The

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures – C. Karlof and D. Wagner

Dr. Xiuzhen ChengDepartment of Computer ScienceThe George Washington University

[email protected]://www.seas.gwu.edu/~cheng

04/12/2006 Xiuzhen (Susan) Cheng 2

Outline

Introduction Attacks on Sensor Network Routing Attacks on Specific Sensor Network

Protocols Countermeasures


Outline




Background Sensor Network : Heterogeneous system

consisting of tiny sensors and actuators having some computing elements

Base Station : Point of centralized control Gateway to another network, powerful data

processing unit, or point of human interface More processing capability, memory & power

Aggregation points : Node at which the messages are processed before sending to base station

POWER constrained environment


Sensor N/w vs. Ad-Hoc N/w Similarity : Support Multi-hop networking Differences :

Ad-hoc : Routing between any two nodes Sensor : Supports Specialized communication patterns

Many-to-One One-to-Many Local Communication

Sensor nodes more resource constrained than Ad-hoc nodes

Trust relationship among sensor nodes In-network processing, aggregation, duplication elimination

Larger Scalability


Problem Statement

Network Assumptions Insecure Radio links Malicious node collude to attack the system No tamper resistance on nodes Adversary can access all key material, data,

and code stored on the captured node Trust Requirements

Base stations are trustworthy Aggregation points not necessarily

trustworthy


Problem Statement

Threat Models : 2 types Based on device capability

Mote-class attacker access to few sensor nodes Laptop-class attacker Access to more powerful

devices. Have more battery power, better CPU, sensitive antenna, powerful radio Tx, etc

Based on attacker type / attacker location Outside attacks attacker external to the network Inside attacks Authorized node in the network is

malicious/compromised


Problem Statement Security Goals

Secure routing protocol should guarantee integrity, authenticity, availability of messages in presence of adversaries

Secrecy of application data is must


Outline




Attacks on Sensor Network Routing

Two types of attacks Manipulate user data directly Affect the underlying routing topology

Six categories of attacks


Spoofed, Altered, or Replayed Routing Information

Create routing loops Attract or repel network traffic Extend or shorten source routes Generate false error messages Partition the network Increase end-to-end delay Etc.


Selective Forwarding Blackhole: forward no message

Easier to be detected by neighbors Selectively forward traffic

Suppress traffic originates from some sources but reliably forward others

Hard to be detected Most effective when the attacker is the

routing path How to emulate selective forwarding when not in

the routing path? How to overcome this problem?


Sinkhole Attacks

Lure nearly all traffic from a particular area through a compromised node Making a compromised node look

especially attractive to surrounding nodes w.r.p.t. the routing algorithm By announcing a high-quality route By a notebook attacker Creates a large “sphere of influence”

Makes selective forwarding attack easier


The Sybil attack

A single node presents multiple identities to others Reduce the effectiveness of fault-tolerant

mechanisms Node-disjoint paths

High threat to geographic routing protocols An attacker “can be in more than one place

at once”


Wormholes Two colluding nodes understate their

distance from each other by relaying packets along an out-of-bound channel available only to the attackers

Can be used to create a sinkhole Can be used to exploit routing race

conditions Causing a node to receive certain routing

message while ignore others Can be combined with selective forwarding

and eavesdropping


Hello Flood Attack

Some protocols require that nodes broadcast ‘hello’ packets to advertise themselves

Laptop-class attacker can convince every node that it is their neighbor by transmitting at high power

Can be thought as a one-way, broadcast wormhole


Acknowledgement Spoofing

Some routing algorithms require explicit/implicit link layer ACKs

Adversary can spoof ACKs for control packets and try to convince the sender that a weak link is strong or a dead link is alive; causing packet losses


Outline


Protocols Conclusion and Future Research


TinyOS Beaconing Protocol Description It constructs a ‘Breadth first’

spanning tree rooted at the base station

Base station periodically broadcast route updates

Immediate nodes parent, base station; other nodes parent, from who they receive the first update

Packets travel through the paths along tree


TinyOS Beaconing Attacks Unauthenticated route updates Malicious

node acts as base station Authenticated route updates

Two colluding nodes (laptop-class attacker with one near the base station) form wormhole to direct all traffic through them

Laptop-class attacker use HELLO flood attack every node marks attacker as parent

Mote-class attacker can cause ‘Routing loops’ between two nodes


Directed Diffusion Protocol desc.

Data-centric routing algorithm Base station send the ‘named’ data which is

flooded as ‘interests’ throughout the network ‘Gradients’ are set up to ‘draw’ events (data

matching the interests) Base station positively reinforces high data rates

paths Attacks

Cloning i.e. Replay of interest by the adversary Path influence by reinforcing certain paths

passing through the adversary Selective forwarding and data tampering


Geographic Routing Two protocols:

GPSR (Greedy Perimeter Stateless Routing) GEAR (Geographic and Energy Aware Routing) GPSR is a greedy algorithm, routing packets to a

neighbor that is closest to the destination When greedy forwarding is impossible, GPSR routes

around the perimeter of the void GPSR utilizes only one route, leading to uneven energy

consumption GEAR takes both distance and residual energy as

routing metric Leverage nodes’ positions & explicit geographic packet

destinations to efficiently disseminate queries and route updates

Require exchange of location information


Geographic Routing Attacks Attack : Location information

misrepresented Adversary advertise wrong location info.

so as to place himself in the path Adversary forge location advertisements

creating routing loops In GEAR, energy is also considered

adversary advertise maximum energy (Laptop class attacker again !!)


Geographic Routing Attacks Sybil Attack Routing Loops


Minimum Cost Forwarding A distributed shortest-paths algorithm

Initially each node has cost infinity except the base station whose cost is 0

Beacon flooding from base station to update the cost CN = CM + LN,M

Attacks Is extremely susceptible to sinkhole attacks – an

attacker announces its cost of 0 at anywhere Hello-flood attack by a laptop-class attacker to

disable the whole network


LEACH: Low-Energy Adaptive Clustering Hierarchy

Nodes self-organize into clusters and cluster head can communicate with the base station directly Cluster head rule rotates; its election is

probabilistic-based (residual power and required cluster head percentage)

Cluster head aggregates readings from its cluster members

Node transmission within a cluster is TDMA based

Nodes select its cluster head based on RSSI


LEACH: Attacks

Since RSSI is used to select cluster head, a laptop-class attacker can disable the whole network with the HELLO flood attack

Selective forwarding attack Compromised cluster head


Outline




Countermeasures Outsider attacks vs. Insider attacks

The majority of outsider attacks can be prevented by Secret shared key & Link layer encryption.

Prevents Sybil attacks, Selective forwarding, Sinkhole Ineffective against Wormhole, Hello floods attacks.

Completely ineffective in the presence of insider attacks

Bogus routing information Create sinkholes Selectively forward packets Sybil attacks HELLO floods


Countermeasures Countermeasure to Insider Sybil attacks

Every node shares a unique symmetric key with the base station

A pair of neighbor nodes use the resulting key to implement an authenticated, encrypted link between them.

Base station limits the number of neighbors a node is allowed to have – prevent an insider attacker establishing shared keys with every node in the network.

Not perfect Malicious nodes can still communicating with its verified

neighbors Two or more colluding nodes may attack the network

more powerfully


Countermeasures Countermeasure to

HELLO flood attacks Verify the

bidirectionality of the link between two nodes

How about the adversary have highly sensitive receivers?


Countermeasures Countermeasure to Wormhole, SinkHole

attacks Geographical Routing protocols.

Problems: How to get the location information – attackers may disseminate spoofed location information

Solution: Restrict the structure of topology to eliminate the need for location information by the node. Use fixed topology like square, triangular or Hex Grid structure. However, it also restrict its application.

Suggestions: using multipath routing, and design effective evaluation methods to determine the quality of each routes.


Countermeasures Countermeasure to Selective forwarding

Multipath routing using completely disjoint paths or Braided paths

Allowing nodes dynamically choose a packet’s next hop from a set of possible candidates.

Not enough: add evaluation method to discriminate different routes


Countermeasures Authenticate Broadcast and flooding

Base station is trustworthy. Adversaries must not be able to spoof broadcast

or flooded messages from any base station. HELLO message from neighbor nodes should be

authenticated and impossible to spoof. Attention: authentication should be efficient

– public key cryptography and digital signatures is beyond the capabilities of sensor nodes.

Documents

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures – C. Karlof and D. Wagner Dr. Xiuzhen Cheng Department of Computer Science The