Secure routing in wireless sensor network: attacks and countermeasures

Presenter: Haiou Xiang

Author: Chris Karlof, David Wagner

Appeared at the First IEEE International Workshop on Sensor Network Protocols and Applications, May 11, 2003

Contribution

• Propose threat models and security goals for secure routing in wireless sensor networks

• Introduce seven attack techniques, including two novel attacks, sinkhole and HELLO floods.

• Present the detailed security analysis of all major routing protocols.

• Discuss countermeasures and design considerations for security routing protocols

Background

• What is sensor network?

Outside Network

Base station

Sensor nodeEvent

Aggregation node

Background

• The properties of sensor network– Sensor Node:

• Lower-power, Lower-bandwidth, shorter-range• Multihop wireless network

– Aggregation node:• Eliminate the redundancy, saving energy

– Base station (Sink)• More powerful than sensor nodes

Background

• Security limitation: UC berkeley lab: Mica mote

– Limit Power• Power: Two AA batteries• Only two weeks at full power

– Limit memory and computational power• 4MHz 8-bit CPU, 4KB RAM, 512KB flash memor

y

Attacks on sensor network routing

Spoofed, altered, or replayed routing information

• Behavior:– Create routing loops, attract or repel network

traffic, extend or shorten source routes

• Goal:– Generate false error messages, partition the

network, increase end-to-end latency

Example

Selective forwarding

• Behavior:– Malicious nodes may refuse to forward

certain messages and simply drop them, ensuring that they are not propagated any further.

• Goal:– Attempt to include herself on the actual path

of the data flow

Example

Outside Network

Base station

Sensor nodeEvent

Aggregation node

Malicious node

Drop

Acknoledgement spoofing

• Behavior– Spoof link layer acknowledgments for

“overheard” packet addressed to neighboring nodes

• Goal– Convincing the sender that a weak link is

strong or that a dead or disabled node is alive

– Enable selecting forward attack

Example

Outside Network

Base station

Sensor nodeEvent

Aggregation node

Malicious node

Lost

bad node

Sinkhole attacks

• Behavior– Making a compromised node look especially

attractive to surrounding nodes

• Goal– Lure nearly all the traffic from a particular

area through a compromised node, create a metaphorical sinkhole with the adversary at the center

– Enable selecting forward attack

Example

Sinkhole attack

Wormholes

• Behavior– Tunnel messages received in one part of

network over a low-latency link and replays them in a different part

• Goal:– May be able to completely disrupt routing if

an adversary situated close to a base station– Enable sinkhole attack– Exploit routing race condition

Example

Sybil attack

• Behavior– A single node presents multiple identities to

other nodes in the network

• Goal:– Significantly reduce the effectiveness of fault-

tolerant schemes

Example

HELLO flood attack

• Behavior– A laptop-class attacker broadcasting routing

or other information with large enough transmission power could convince every node in the network that the adversary is its neighbor

• Goal– Enable wormhole attack by broadcasting

wormholes

Example

Summary of attack

Countermeasures

Outsider attacks and link layer security

• Solution:– Global share key: link layer encryption and

authentication

• Limitation: ineffective– Wormhole and HELLO flood attack– Insider attack or compromised node

Sybil attack

• Solution– Every node share a unique symmetric key with base

station– Two node establish a shared key and verify each

other’s identity– Base station limit the number of neighbors around a

node– When a node is compromised, it is restricted to

communicating only with its verified neighbors

• Limitation– Adversary can still use a wormhole to create an

artificial link between two nodes to convince them

HELLO flood attacks

• Solution:– Verify the bidirectionality of a link before takin

g meaningful action– Every node authenticate each of its neighbor

s with an identity verification protocol using a trusted base station

Wormhole and sinkhole attacks

• Solution– Design routing protocols which avoid routing

race conditions and make these attacks less meaningful

• Geographic routing protocols: construct a topology on demand using only localized interactions and information

Selective forwarding

• Solution:– Multipath routing: message routed over n pat

hs whose nodes are completely disjoint – Nodes dynamically choose a packet’s next h

op probabilistically from a set of possible candidates

• Limitation:– Completely disjoint paths is difficult to create

Countermeasure summary

Attacks Countermeasure

Outersiders,

Sybil,

HELLO floods,

ACKs spoofing

Link-layer encryption and authentication, multipath routing,

identity verification,

bidirectional link verification,

authenticated broadcast

Sinkhole attack

wormhole attack

Geographic routing protocols

Strength

• Demonstrate current routing protocols for wireless sensor networks are insecure

• Provide several countermeasures to against attacks: link layer encryption and authentication and so on

Questions?