
Secure Routing in Wireless Sensor Networks

Date post: 22-Dec-2015

This Paper
• One of the first to examine security on sensor networks
  • prior work focused on wired and ad hoc
• Not an algorithms or systems paper
• Describes
  • general attacks on routing
  • attacks on specific sensor systems
  • some countermeasures
• Also useful as survey of sensor routing protocols

Outline
• Context
• Routing attacks
• Protocol attacks
• What next?

Security for Sensor Nets
• A larger challenge in sensor nets
  • security not priority in protocol design
    • mainly optimize for power (CPU / transmissions)
  • E2E principle does not apply
    • routers need access to data for aggregation
    • many to one communication instead of end-to-end
• Result
  • Protocols easy to attack and cripple
  • Security needs to be built-in at protocol design

Context
• Large static sensor networks
  • large # (100’s, 1000’s) of low power nodes
  • fixed location for their entire lifetime
  • focused scenario: Berkeley Motes
    • 4 MHz CPU, 4 KB RAM (data), 40 Kbps max b/w
• Connectivity
  • base stations: powerful points of central control
  • sensors form multi-hop wireless network
  • periodic data stream aggregated to BS

Worrying about Power
• Power is #1 concern for sensors
  • small power reserves -> 1% duty cycle or less
  • radio uses power 10^3 more than sleep mode
• Other constraints
  • minimal CPU, RAM, radio power
  • cannot support: public-key, source routing or distance vector, anything that requires
• May not benefit from Moore’s law
  • strong pressure to use cheaper nodes
  • is this a temporary trend? will eventually benefit

Assumptions
• Network assumptions
  • radio is insecure
  • base stations are trustworthy
• Attackers
  • can control/turn nodes, collude
  • mote-class vs. laptop-class attackers
  • inside vs. outside attackers

Attacks on Sensor Routing
• Spoofed, altered, replayed routing info
  • result: routing loops, attract or repel network traffic, extend or shorten routes, partition network
• Selective forwarding
  • drop subset of packets w/o being detected
  • (enabled by) Sinkhole attack
    • provide or falsely advertise shorter routes
    • many to one model makes this easy

Routing Attacks II
• Sybil attack
  • one node, many (network) identities
• Wormholes
  • use out-of-band fast channel to route msgs faster than regular network
  • exploit out-of-order delivery (race conditions)
• HELLO flood
  • broadcast msg to all nodes (laptop-class)
  • disrupt topology construction
• Ack spoofing
  • replay link layer acks to misrepresent link quality between nodes

Understanding Routing Attacks
• Key weakness
  • insecure wireless channel (eavesdropping, replays)
  • unequal transmission power / link quality
• Selective forwarding
  • be a sinkhole (concentrate traffic into malicious node)
• Enablers (distort view of wireless network)
  • wormholes, HELLO flood (leverage transmission pwr)
  • acknowledgement/route spoofing (distort view of links)
  • sybil (appear as many nodes at once)

Protocol Attacks
• TinyOS beaconing
  • base station constructs depth first spanning tree with itself as root
• Attacks
  • w/o authentication: anyone can claim to be BS
  • wormhole -> sinkhole attack w/ laptop-class nodes
  • HELLO flood -> strand nodes out of range

Protocol Attacks II
• Directed diffusion
  • BS floods “interests” for named data
  • sensors send data on reverse interest path
  • paths “reinforced” to in/decrease data flow
• Attacks
  • flooding is more robust to sinkholes
  • once path established, can suppress or clone flows using path reinforcements
  • can modify in-flight data once it’s on path

Protocol Attacks III
• Geographic routing (GPSR, GEAR)
  • use coordinates to route towards destination
  • GEAR spreads out path to load-balance
  • attack: misrepresent location data for sinkhole attack
  • attack: use sybil to surround target node (sinkhole)
• Minimum cost forwarding
  • each node keeps local cost of reaching BS
  • broadcast out msg w/ budget, each hop subtracts cost. If budget exceeded, msg dropped
  • attack: advertise low cost path (can also use HELLO)

Protocol Attacks IV
• Rumor routing
  • send out agent carrying useful events on random walk through network w/ TTL
  • queries and data both sent out via agents
  • attack: mishandle agents & remove data
  • attack: send out tendrils with large TTLs advertising low cost

Protocol Attacks V
• Energy conserving topology maintenance
  • GAF: nodes placed into grid squares
    • occasionally wake to see if they’re needed, otherwise sleep
  • SPAN: “coordinators” keep connectivity
    • nodes occasionally wake to see if they should be upgraded to coordinator
• Attacks
  • spoof route/discovery msgs to lull nodes to sleep -> destroy connectivity

Understanding Protocol Attacks
• Inherent tradeoff: energy vs. security
  • optimizing route vs. susceptibility to attacks
• Attacks
  • all leading to sinkhole attack
  • manipulate cost function to represent self as optimal path
• Is resistance futile?
  • flooding -> useful, but high cost
  • random walks -> potentially high cost
  • key is randomization

Countermeasures
• Link layer security (shared key auth.)
  • costly, but can disable sybil attacks
  • useless against compromised nodes (insiders)
• Hello floods
  • verify bi-directionality, or authenticate identity of neighbors w/ separate protocol
• Use global knowledge
  • nodes are static, so learn global map
  • scalability: enough state to keep info?
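
Added example (not from the original slides or the paper): a small simulation of the bi-directionality check for HELLO floods during beacon-style tree construction. The five-node topology, the node names, the ranges and the rule that reception depends only on the sender's transmit range are all assumptions made for illustration.

```python
import math
from collections import deque

# Constructed topology: name -> (x, y, transmit_range). All values are illustrative.
NODES = {
    "BS": (0, 0, 12),
    "a": (10, 0, 12),
    "b": (20, 0, 12),
    "c": (30, 0, 12),
    "X": (60, 0, 100),  # laptop-class sender with a high-power radio
}

def can_hear(rx, tx):
    """True if a frame sent by tx reaches rx; depends only on tx's range."""
    (x1, y1, _), (x2, y2, tx_range) = NODES[rx], NODES[tx]
    return math.hypot(x1 - x2, y1 - y2) <= tx_range

def build_tree(verify_bidirectional, flooder="X"):
    """Beacon-style tree construction: a node adopts the first sender it accepts."""
    parent = {}
    queue = deque([flooder, "BS"])  # the flooder's HELLO arrives before the BS beacon
    while queue:
        sender = queue.popleft()
        for node in NODES:
            if node in ("BS", flooder) or node in parent:
                continue
            if not can_hear(node, sender):
                continue
            # Countermeasure: the node sends a challenge at its own power and
            # accepts the sender only if the sender could have received it.
            if verify_bidirectional and not can_hear(sender, node):
                continue
            parent[node] = sender
            queue.append(node)  # the node rebroadcasts the beacon
    return parent

def stranded(parent):
    """Nodes whose chosen parent is out of their own transmit range."""
    return sorted(n for n, p in parent.items() if not can_hear(p, n))

if __name__ == "__main__":
    for check in (False, True):
        tree = build_tree(check)
        print(f"verify={check}: parents={tree} stranded={stranded(tree)}")
```

The model covers reachability only; it does not authenticate the challenge reply, which is the separate link-layer measure listed on the slide.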

Intuition
• Tight tradeoff
  • energy conservation via optimized paths
  • optimization -> manipulation of cost factors
• Avoid
  • powerful nodes (they can’t be authenticated)
  • centralized functionality (same reason)
• What can we use?
  • randomization / probabilistic routing?

