Secure Routing in Sensor Networks: Attacks and

Countermeasures

First IEEE International Workshop on Sensor Network Protocols and Applications

5/11/2003

Chris Karlof and David WagnerUniversity of California at Berkeley

Security in sensor networks

Security is critical Military apps Building monitoring Burglar alarms Emergency response

Yet security is hard Wireless links are inherently

insecure Resource constraints Lossy, low bandwidth

communication Lack of physical security

Our contributions

Threat models and security goals New attacks against sensor network routing

protocols Detailed security analysis of 15 routing protocols

Countermeasure suggestions

Base stations and sensor nodes Low overhead protocols Specialized traffic patterns In-network processing These differences necessitate

new secure routing protocols

Routing in sensor networks

base station

sensor node

Secure routing goals and threat models

Security goals: Confidentiality: messages are secret Integrity: messages are not tampered with Availability

In-network processing makes end-to-end security hard

Link layer security still possible Need to consider compromised nodes

(insiders) and resourceful attackers

Attacks

TinyOS Beaconing

Attack: Bogus routing information

Bogus routing information can cause havoc

Example: spoof routing beacons and claim to be base station

Lessons:

• Authenticate routing info

• Trust but verify

Attack: HELLO floods Assumption: the sender of a

received packet is within normal radio range

False! A powerful transmitter could reach the entire network

Can be launched by insiders and outsiders

Lesson: Verify the bidirectionality of links

Attack: Wormholes Tunnel packets

received in one part of the network and replay them in a different part

Can be launched by insiders and outsiders

Lesson: Avoid routing race conditions

Attack: Sybil attack

An adversary may present multiple identities to other nodes

Lesson: Verify identities

A

B

Protocols analyzed

Protocol Relevant attacksTinyOS beaconing Bogus routing information, selective forwarding, sinkholes,

Sybil, wormholes, HELLO floods

Directed diffusion and multipath variant

Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods

Geographic routing (GPSR,GEAR)

Bogus routing information, selective forwarding, Sybil

Minimum cost forwarding Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods

Clustering based protocols (LEACH,TEEN,PEGASIS)

Selective forwarding, HELLO floods

Rumor routing Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes

Energy conserving topology maintenance

Bogus routing information, Sybil, HELLO floods

All insecure

Countermeasures

We have countermeasure suggestions and design considerations

See paper for details

Conclusions

End-to-end security is limited in sensor networks

Link layer security is importantIt is not enoughDesign time security

Questions?

Extra Slides

Countermeasures

Access control with link layer crypto Globally shared key outsiders Per link keys insiders Authenticated broadcast and flooding

Verify neighbors’ identities Prevents Sybil attack

Verify bidirectionality of links Prevents HELLO floods

Multipath and probabilistic routing Limits effects of selective forwarding

Countermeasures (cont.)

Wormholes are difficult to defend against Can be launched by insiders and outsiders Defenses exist for outsiders, but are not cheap Best solution avoid routing race conditions Geographic routing protocols hold promise

Nodes near base stations are attractive to compromise Overlays

Why is this a problem?

Wireless security has been spotty WEP/802.11b GSM

Secure routing mechanisms for ad-hoc wireless networks are not necessarily applicable Too much functionality any-to-any routing Not enough functionality sensor nets are often

app. specific Too much overhead public key cryptography

Wormhole attacks A wormhole is created when

an adversary tunnels packets received in one part of the network and replays them in a different part.

Exploits routing race conditions

Enables other attacks Can be launched by insiders

and outsiders