Using Directional Antennas to Prevent Wormhole Attacks

Lingxuan Hu, David Evans

Jason BuckinghamCSCI 7143: Secure Sensor NetworksNovember 2, 2004

Wormhole Attacks

Wireless links are inherently vulnerable to eavesdropping and message injection…

So, the attacker controls two powerful nodes that are located several hops away from each other

Because they are powerful, the two nodes can actually communicate directly

The attacker forwards packets through a high quality out-of-band link and replays them on the other end

Wormhole Attacks (cont.)

Causes routing problems, and enables DOS attacks to be set up

Has impact on nodes beyond just X and Y’s neighbors

ROUTE REQUEST messages to set up best route from A to B

Wormhole Attacks in Sensor Networks

In sensor networks, most communication is directed from nodes to a base station

An intelligent attacker can use this information to create a devastating wormhole attack.

Directional Antennas - Benefits Allow transmissions in a particular direction; thus a

higher degree of the spatial medium can be used at once (theoretically fewer collisions when transmitting)

Transmission range is usually longer and thus more energy efficient (fewer hops needed)

Steered versus Switched Antennas: Steered antennas provide a high degree of accuracy but are too

expensive Switched antennas allow one of several fixed directional

antennas to be selected using a switch. They are less precise but much cheaper.

Directional information can be used to limit wormhole attacks!

Antenna Model

Each node has an antenna with N zones Each zone has a conical radiation pattern, spanning an

angle of 2π/N radians When idle, a node listens in omni mode When a message is received, it determines which zone

it received the message in, and uses that zone to communicate with the sender

Zone 1 always faces east (achieved by magnetic needle)

Assumptions & Notation

All non-wormhole links are bidirectional Secure links are available between each pair of nodes A, B, C Legitimate Nodes X, Y Wormhole Endpoints zone & ^zone (if zone=1, then ^zone=4) Zone(A, B) indicates the zone in which node A hears

node B neighbors(A, zone) indicates all nodes within one hop of

node A in direction zone

Directional Neighbor Discovery Protocol A node that initiates the protocol is called

the announcer Observation:

relies on all nodes having the same zone orientation

Directional Neighbor Discovery Protocol (cont) A->Region HELLO | IDA

The announcer A broadcasts a HELLO message by sequentially sweeping through each antenna in the antenna array

N->A IDN | EKNA (IDA | R | zone (N, A)) All nodes that hear A’s HELLO reply with information including

what zone they heard A’s message in A->N R

A decrypts the message and verifies the ID field, and verifies that it heard the reply from the opposite zone that N heard A. If correct, A adds N to its neighbor set and sends the decrypted challenge nonce back to N. Upon receiving the correct nonce, N adds A to its neighbor list as well.

Consequences A node only listens to messages from established neighbors Problems: Attacker can mislead A &

C to believing they are neighbors

On average, 1/6 of links between the two regions will be accepted through the wormhole

Establishing a single wormhole link may be enough!

Verified Neighbor Discovery Protocol A valid verifier V for the link A <-> B must satisfy

two properties zone(B,A) ≠ zone (B,V) This ensure that A & V are in

different locations (they cannot be coming through a single wormhole)

zone(B,A) ≠ zone (V,A) Node B and V hear node A from different directions. A wormhole can only deceive nodes in one direction.

These properties basically mean that A, B, and V cannot be in a line

Verified Neighbor Discovery Protocol (cont) Same first three steps as before N -> Region INQUIRY | IDN | IDA | zone(N,A)

All neighbor nodes that heard the initial HELLO message broadcast an inquiry in all directions except the received direction and its opposite.

V->N IDV | EKNV (IDA | zone (V,N)) Nodes that receive the inquiry and satisfy verifier properties

respond with an encrypted message N must receive at least one verifier response to continue.

If it does, it accepts A as a neighbor and then sends N->A IDN | EKAN (IDA | ACCEPT)

After receiving acceptance message, announcer A adds N to its neighbor set

Example – verifiers for A<->B C cannot act as a verifier since

zone(B,A) = zone(C,A)

Node D can act as a verifier: (zone(B,A) = 4) ≠ (zone(B,D) = 5) (zone(D,A) = 3) ≠ (zone(B,A) = 4)

Wormhole cannot convince D and A to accept each other as neighbors because:

(zone(D,A) = 3) ≠ (^zone(A,D) = 1)

Problems! What’s wrong with the previous protocol??

Susceptible to the Worawonnatai attack!

Worawannotai Attack

Only succeeds if the victim nodes are unable to communicate directly, but are close enough to have a verifier that can hear both nodes

This means A and B must be more than r distance apart, but less than 2r cos(π / 6) = r sqrt(3)

New Verifier Requirements

zone(B,A) ≠ zone (B,V) zone(B,A) ≠ zone (V,A) zone(B,V) cannot be both adjacent to

zone(B,A) and adjacent to zone(V,A) The shaded areas cannot contain any

verifiers if A and B are further than r distance apart

Discussion

These protocols are only effective if an adversary has only two endpoints. If he has as many endpoints as there are zones, he can surround one node with N endpoints and establish a wormhole attack.

Protocol overhead is minimal. Normal link discover requires node announcement, challenge, and response. This protocol only adds messages for inquiry, verification, and acceptance.

Magnet attacks? They discuss magnets as a possible, but impractical, way of getting around the protocol.

Analysis

What if legitimate nodes cannot find a verifier?Loss of a valid linkNodes near the edge of the network are

especially vulnerable to this problemThe probability of this happening is inversely

proportional to the density of the network

Analysis (cont)

Using the Verified Neighbor Discovery Protocol, with an average of 3 omni directional neighbors and 9.72 neighbors within unidirectional transmission range, 14% of links are lost and 1.3% of nodes become completely isolated.

Under the Strict Neighbor Discovery Protocol, 58% of links are lost and 5.3% of nodes are completely disconnected.

Figure 10 above shows the impact of distance between two nodes on their likelihood of establishing a link.

Figure 11 below shows the impact of the protocols on network routing (average path length)

Directional Errors

Caused by small differences in node orientation, antenna alignment and gain, and transmission irregularities.

A node lying near the boundary of two adjacent zones may wind up in the wrong zone and thus this link would be lost.

Potential Attack: Magnets?

Conclusion

Directional antennas are less expensive than many localization mechanisms that also offer resistance to wormhole attacks

Communication overhead is minimal Minimal loss of network connectivity