Some Security Challenges for Mesh Networks - PowerPoint PPT Presentation
1
Some Security Challenges for Mesh Networks
  • Jean-Pierre Hubaux
  • EPFL
  • Switzerland
  • Joint work with Imad Aad, Naouel Ben Salem,
    Levente Buttyan, Srdjan Capkun, Markus Jakobsson,
    and Maxim Raya
  • Funded by the MICS/Terminodes project,
    www.mics.org

2
Some Security Challenges for Mesh Networks: Outline
  • Preventing greedy behavior at the MAC layer
  • Secure positioning
  • Cooperation between nodes

3
1. Preventing greedy behavior at the MAC layer
(Figure labels: Cheater, Well-behaved node, Well-behaved node)
4
IEEE 802.11 MAC: brief reminder
5
Misbehavior techniques: NAV
6
Misbehavior techniques: DIFS
7
Misbehavior techniques: Frame scrambling
8
Misbehavior techniques: Backoff
9
Solution 1
  • Detection and handling of MAC layer misbehavior
    in wireless networks (Kyasanur and Vaidya, DSN
    2003)
  • Idea: the receiver assigns backoff values to the
    sender
  • Detection: compares expected and observed
    backoffs
  • Correction: assigns a penalty to the cheater

10
Solution 2
  • DOMINO (Raya, Hubaux, and Aad, MobiSys 2004)
  • Idea: monitor the traffic and detect deviations
    by comparing average values of observed users
  • Detection tests: number of retransmissions,
    backoff, ...
  • Features
    • Full standard compliance
    • Needs to be implemented only at the Access Point
    • Applicable to all CSMA/CA-based protocols
    • Simple and efficient
    • The operator decides the amount of evidence
      required before taking action (e.g. in order to
      prevent false positives)
  • http://domino.epfl.ch
  • Game-theoretic study: M. Cagalj, S. Ganeriwal, I.
    Aad and J.-P. Hubaux, "On Cheating in CSMA/CA
    Networks", Technical report No. IC/2004/27,
    February 2004

11
Components of DOMINO
  Cheating method            Detection test
  Oversized NAV              Comparison of the declared and actual NAV values
  Transmission before DIFS   Comparison of the idle time after the last ACK with DIFS
  Frame scrambling           Number of retransmissions
  Backoff manipulation       Maximum backoff (the maximum should be close to CWmin - 1)
                             Actual backoff
                             Consecutive backoff
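Three of the tests in the table above, as an added Python example (not the slides' or the DOMINO project's code): an access point scores each station window by window and acts only once the operator's evidence threshold is reached. The CWmin value, the tolerance factor, the threshold and the observations are assumptions.

```python
from statistics import mean

CW_MIN = 31          # assumption: 802.11b minimum contention window, in slots
ALPHA = 0.9          # assumption: tolerance factor applied to nominal values
EVIDENCE_NEEDED = 3  # assumption: failed windows the operator requires before acting

def oversized_nav_test(declared_nav_us, actual_exchange_us):
    """NAV test: the duration a station declares must not exceed the
    measured length of the exchange it reserves the medium for."""
    return declared_nav_us <= actual_exchange_us / ALPHA

def max_backoff_test(backoffs):
    """Maximum backoff test: over a window the largest backoff a
    station draws should be close to CWmin - 1."""
    return max(backoffs) >= ALPHA * (CW_MIN - 1)

def actual_backoff_test(backoffs):
    """Actual backoff test: the average backoff should not fall well
    below the nominal average (CWmin - 1) / 2 of a uniform draw."""
    return mean(backoffs) >= ALPHA * (CW_MIN - 1) / 2

def score_station(windows):
    """windows: per monitoring window, (declared NAV in us, measured
    exchange length in us, observed backoffs in slots). Returns the
    number of failed windows and whether the evidence threshold is met."""
    failed = 0
    for nav, actual, backoffs in windows:
        if not (oversized_nav_test(nav, actual) and max_backoff_test(backoffs)
                and actual_backoff_test(backoffs)):
            failed += 1
    return failed, failed >= EVIDENCE_NEEDED

# Constructed observations, four windows per station; 1300 us stands for
# one data frame plus SIFS plus ACK.
NORMAL_BACKOFFS = [3, 27, 14, 30, 8, 21]
WELL_BEHAVED = [(1300, 1300, NORMAL_BACKOFFS)] * 4
BACKOFF_CHEATER = [(1300, 1300, [0, 2, 1, 3, 0, 2])] * 4   # caps its backoff
NAV_CHEATER = [(4000, 1300, NORMAL_BACKOFFS)] * 4          # declares an oversized NAV

if __name__ == "__main__":
    for name, w in [("well-behaved", WELL_BEHAVED), ("backoff cheater", BACKOFF_CHEATER),
                    ("NAV cheater", NAV_CHEATER)]:
        print(name, score_station(w))
```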
12
DOMINO performance (ns-2 simulation)
Setting: uplink UDP traffic, 7 well-behaved
stations, 1 cheating station; each point
corresponds to 100 simulations of 10 s each,
95% confidence intervals
13
2. Secure positioning
  • Being able to securely verify positions of
    devices can enable
    • Location-based access control
    • Detection of displacement of valuables
    • Detection of stealing
    • Monitoring and enforcement of policies (e.g.,
      traffic monitoring)
    • Location-based charging
  • In multi-hop networks
    • Secure routing
    • Secure positioning
    • Secure data harvesting (sensor networks)

14
Distance measurement by Time of Flight (ToF)
- Based on the speed of light (RF, Ir)
  (Figure: A sends at ts, B receives at tr; d_AB^m is the measured distance)
  A and B are synchronized (ToF):
    d_AB^m = (tr - ts) * c
  A and B are NOT synchronized (round-trip ToF):
    d_AB^m = (tr - ts - tprocB) * c / 2
- Based on the speed of sound (Ultrasound)
  (Figure: A sends an RF and a US signal at ts; B receives them at tr(RF) and tr(US))
    d_AB^m = (tr(RF) - tr(US)) * s
15
Attacks on RF and US ToF-based techniques
- Dishonest device: cheats on the time of sending
  (ts) or the time of reception (tr)
- Malicious attacker M: 2 steps
  1. Overhear and jam
     (A sends at ts, B receives at tr; A and B are assumed to be synchronised)
     d_AB^m = (tr - ts) * c
  2. Replay with a delay Δt
     (M re-sends A's signal at ts + Δt; B receives it at tr + Δt)
     d_AB^m = (tr + Δt - ts) * c
     => d_AB^m > d_AB
16
Summary of possible attacks on distance measurement
  Technique                        Dishonest nodes                      Malicious attackers
  RSS (Received Signal Strength)   Distance enlargement and reduction   Distance enlargement and reduction
  Ultrasound Time of Flight        Distance enlargement and reduction   Distance enlargement and reduction
  Radio Time of Flight             Distance enlargement and reduction   Distance enlargement only
17
Secure positioning
  • Goals
    • preventing a dishonest node from cheating about
      its own position
    • preventing a malicious attacker from spoofing
      the position of an honest node
  • Our proposal: Verifiable Multilateration

18
Distance Bounding (RF)
  • Introduced in 1993 by Brands and Chaum to
    prevent the Mafia fraud attack

(Figure: BS sends a nonce N_BS to A at ts and receives A's reply at tr)
d_real <= d_b = (tr - ts) * c / 2   (d_b: distance bound)
19
Distance bounding characteristics
  • RF distance bounding
    • nanosecond precision required, 1 ns ≈ 30 cm
    • UWB enables clock precision up to 2 ns and 1 m
      positioning indoor and outdoor (up to 2 km) with
      RF ToF
  • US distance bounding
    • millisecond precision required, 1 ms ≈ 35 cm
    • distance bounding can be enabled with 802.11 and
      US

  Technique              Dishonest nodes                      Malicious attackers
  RSS                    Distance enlargement and reduction   Distance enlargement and reduction
  US ToF                 Distance enlargement and reduction   Distance enlargement and reduction
  RF ToF                 Distance enlargement and reduction   Distance enlargement only
  RF Distance Bounding   Distance enlargement only            Distance enlargement only
  US Distance Bounding   Distance enlargement only            Distance enlargement and reduction
20
Verifiable Multilateration (Trilateration)
(Figure: verification triangle formed by BS1, BS2 and BS3 in the x-y plane; node A at (x,y) inside it; each BS performs distance bounding to A)
21
Verifiable Multilateration (properties 1/2)
- a node located within the triangle cannot prove
to be at another position within the triangle
except at its true position.
- a node located outside the triangle formed by
the verifiers cannot prove to be at any position
within the triangle
- a malicious attacker cannot spoof the position
of a node such that it seems that the node is at
a position different from its real position
within the triangle
- a malicious attacker cannot spoof the position
of a node such that it seems that it is located
at a position within the triangle, if the node is
outside the triangle
22
Verifiable Multilateration (properties 2/2)
- a node can show (by distance enlargement) that
it is positioned outside the triangle
- an attacker can always show that the node is
positioned outside the triangle
The same holds in 3-D, with a triangular pyramid
instead of a triangle
  • Srdjan Capkun and Jean-Pierre Hubaux, "Securing
    position and distance verification in wireless
    networks", Technical report EPFL/IC/2004-43,
    May 2004
  • Srdjan Capkun and Jean-Pierre Hubaux, "Secure
    Positioning in Sensor Networks", Technical
    report EPFL/IC/2004-44, May 2004

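The acceptance check behind these properties, as an added Python example (not code from the slides or the cited reports): the three verifiers' distance bounds are trilaterated, and the position is accepted only if it lies inside the verification triangle and the bounds are mutually consistent, so a node or attacker that can only enlarge a distance produces an inconsistency rather than a chosen position. The 2-D setting, verifier coordinates, tolerance DELTA and node positions are assumptions.

```python
import math

DELTA = 2.0  # assumption: tolerated distance-bound error, in metres

def estimate_position(bs, d):
    """Trilateration from three verifiers bs = [(x, y)] * 3 and bounds d.
    Subtracting the circle equations pairwise gives a 2x2 linear system."""
    (x1, y1), (x2, y2), (x3, y3) = bs
    a1, b1 = 2 * (x1 - x2), 2 * (y1 - y2)
    c1 = d[1] ** 2 - d[0] ** 2 - x2 ** 2 + x1 ** 2 - y2 ** 2 + y1 ** 2
    a2, b2 = 2 * (x1 - x3), 2 * (y1 - y3)
    c2 = d[2] ** 2 - d[0] ** 2 - x3 ** 2 + x1 ** 2 - y3 ** 2 + y1 ** 2
    det = a1 * b2 - a2 * b1  # zero only if the verifiers are collinear
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det

def inside_triangle(p, bs):
    """Sign test: p is inside if it lies on the same side of all three edges."""
    def side(a, b, c):
        return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    s = [side(bs[i], bs[(i + 1) % 3], p) for i in range(3)]
    return all(v >= 0 for v in s) or all(v <= 0 for v in s)

def verify_position(bs, d, delta=DELTA):
    """Accept only if the estimate lies inside the verification triangle
    and every distance bound agrees with it within delta. An inflated
    bound (enlargement is all distance bounding allows) makes the three
    bounds inconsistent instead of moving the estimate where the node wants."""
    p = estimate_position(bs, d)
    if not inside_triangle(p, bs):
        return False, p, "estimate outside verification triangle"
    for v, bound in zip(bs, d):
        if abs(math.dist(p, v) - bound) > delta:
            return False, p, "distance bounds inconsistent"
    return True, p, "position verified"

# Constructed scenario: verifiers at the corners of a 100 m wide triangle.
VERIFIERS = [(0.0, 0.0), (100.0, 0.0), (50.0, 90.0)]

def bounds_for(node):
    """Distance bounds an honest node at `node` would produce."""
    return [math.dist(node, v) for v in VERIFIERS]

HONEST = bounds_for((40.0, 30.0))     # honest node inside the triangle
ENLARGED = [70.0] + HONEST[1:]        # same node inflating its bound to BS1
OUTSIDE = bounds_for((150.0, 20.0))   # honest node outside the triangle

if __name__ == "__main__":
    for name, d in [("honest", HONEST), ("enlarged", ENLARGED), ("outside", OUTSIDE)]:
        print(name, verify_position(VERIFIERS, d))
```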
23
3. Cooperation between nodes
  • Multi-hop mesh networks represent a new and
    promising paradigm, but

Why would intermediate nodes bother to relay
packets for the benefit of other nodes?
  • No incentive => the network does not work
    • V. Srinivasan, P. Nuggehalli, C. Chiasserini, and
      R. Rao, Infocom 2003
    • M. Felegyhazi, L. Buttyan, and J. P. Hubaux, PWC
      2003
  • Autonomous multi-hop networks

R. Mahajan, M. Rodrig, D. Wetherall, and J.
Zahorjan, "Encouraging Cooperation in Multi-Hop
Wireless Networks", Technical Report
CSE-04-06-01, Univ. of Washington, June 2004
24
Incentive techniques: other scenarios
  • Multi-hop networks with sporadic access to the
    backbone

S. Zhong, Y. R. Yang, and J. Chen, "Sprite: A
Simple, Cheat-Proof, Credit-Based System for
Mobile Ad Hoc Networks", INFOCOM 2003
  • Multi-hop networks with permanent access to the
    backbone

(Figure: multi-hop network attached to a backbone)
  • Systematic payment: N. Ben Salem, L. Buttyán,
    J.-P. Hubaux and M. Jakobsson, "A Charging and
    Rewarding Scheme for Packet Forwarding in
    Multi-hop Cellular Networks", MobiHoc 2003
  • Solution based on lottery tickets: M. Jakobsson,
    J.-P. Hubaux and L. Buttyan, "A Micro-Payment
    Scheme Encouraging Collaboration in
    Multi-Hop Cellular Networks", Financial Crypto
    2003

25
Conclusion
  • Mesh networks must be secured prior to any
    commercial deployment
  • A number of research results from the security of
    wireless (ad hoc) networks can be used or
    adapted, notably
    • To prevent greedy behavior
    • To secure positioning
    • To stimulate cooperation between nodes
  • There are more challenges, in particular
    • Preventing denial of service attacks
    • Stimulation of the network deployment