Secure Routing in Wireless Sensor Networks

1
Secure Routing in Wireless Sensor Networks
2
This Paper

• One of the first to examine security on sensor
  networks
• prior work focused on wired and adhoc
• Not an algorithms or systems paper
• Describes
• general attacks on routing
• attacks on specific sensor systems
• some countermeasures
• Also useful as survey of sensor routing protocols

3
Outline

• Context
• Routing attacks
• Protocol attacks
• What next?

4
Security for Sensor Nets

• A larger challenge in sensor nets
• security not priority in protocol design
• mainly optimize for power (CPU / transmissions)
• E2E principle does not apply
• routers need access to data for aggregation
• many to one communication instead of end-to-end
• Result
• Protocols easy to attack and cripple
• Security needs to be built-in at protocol design

5
Context

• Large static sensor networks
• large (100s, 1000s) of low power nodes
• fixed location for their entire lifetime
• focused scenario Berkeley Motes
• 4Mhz CPU, 4KB RAM (data), 40Kbps max b/w
• Connectivity
• base stations powerful pts of central control
• sensors form multi-hop wireless network
• periodic data stream aggregated to BS

6
(No Transcript)
7
Worrying about Power

• Power is 1 concern for sensors
• small power reserves ? 1 duty cycle or less
• radio uses power 103 more than sleep mode
• Other constraints
• minimal CPU, RAM, radio power
• cannot support public-key, source routing or
  distance vector, anything that requires
• May not benefit from Moores law
• strong pressure to use cheaper nodes
• is this a temporary trend? will eventually benefit

8
Assumptions

• Network assumptions
• radio is insecure
• base stations are trust-worthy
• Attackers
• can control/turn nodes, collude
• mote-class vs. laptop-class attackers
• inside vs. outside attackers

9
Outline

• Context
• Routing attacks
• Protocol attacks
• What next?

10
Attacks on Sensor Routing

• Spoofed, altered, replayed routing info
• result routing loops, attract or repel network
  traffic, extend or shorten routes, partition
  network
• Selective forwarding
• drop subset of packets w/o being detected
• (enabled by) Sinkhole attack
• provide or falsely advertise shorter routes
• many to one model makes this easy

11
Routing Attacks II

• Sybil attack
• one node, many (network) identities
• Wormholes
• use out-of-band fast channel to route msgs faster
  than regular network
• exploit out-of-order delivery (race conditions)
• hello flood
• broadcast msg to all nodes (laptop-class)
• disrupt topology construction
• Ack spoofing
• replay link layer acks to misrepresent link
  quality between nodes

12
Understanding Routing Attacks

• Key weakness
• insecure wireless channel (eavesdropping,
  replays)
• unequal transmission power / link quality
• Selective forwarding
• be a sinkhole (concentrate traffic into malicious
  node)
• Enablers (distort view of wireless network)
• wormholes, HELLO flood (leverage transmission
  pwr)
• acknowledgement/route spoofing (distort view of
  links)
• sybil (appear as many nodes at once)

13
Outline

• Context
• Routing attacks
• Protocol attacks
• What next?

14
Protocols Attacks

• TinyOS beaconing
• base station constructs depth first spanning tree
  with itself as root
• Attacks
• w/o authentication anyone can claim 2b BS
• wormhole ? sinkhole attack w/ laptop-class nodes
• HELLO flood ? strand nodes out of range

15
Protocol Attacks II

• Directed diffusion
• BS flood interests for named data
• sensors send data on reverse interest path
• paths reinforced to in/decrease data flow
• Attacks
• flooding is more robust to sinkholes
• once path established, can suppress or clone
  flows using path reinforcements
• can modify in-flight data once its on path

16
Protocol Attacks III

• Geographic routing (GPSR, GEAR)
• use coordinates to route towards destination
• GEAR spreads out path to load-balance
• attack misrepresent location data for sinkhole
  attack
• attack use sybil to surround target node
  (sinkhole)
• Minimum cost forwarding
• each node keeps local cost of reaching BS
• broadcast out msg w/ budget, each hop subtracts
  cost. If budget exceeded, msg dropped
• attack advertise low cost path (can also use
  HELLO)

17
Protocol Attacks IV

• Rumor routing
• send out agent carrying useful events on random
  walk through network w/ TTL
• queries and data both sent out via agents
• attack mishandle agents remove data
• attack send out tendrils with large TTLs
  advertising low cost

18
Protocol Attacks V

• Energy conserving topology maintenance
• GAF nodes placed into grid squares
• occasionally wake to see if theyre needed,
  otherwise sleep
• SPAN coordinators keep connectivity
• nodes occasionally wake to see if they should be
  upgraded to coordinator
• Attacks
• spoof route/discovery msgs to lull nodes to sleep
  ? destroy connectivity

19
Understanding Protocol Attacks

• Inherent tradeoff energy vs. security
• optimizing route vs. susceptibility to attacks
• Attacks
• all leading to sinkhole attack
• manipulate cost function to represent self as
  optimal path
• Is resistance futile?
• flooding ? useful, but high cost
• random walks ? potentially high cost
• key is randomization

20
Outline

• Context
• Routing attacks
• Protocol attacks
• What next?

21
Countermeasures

• Link layer security (shared key auth.)
• costly, but can disable sybil attacks
• useless against compromised nodes (insiders)
• Hello floods
• verify bi-directionality, or authenticate
  identity of neighbors w/ separate protocol
• Use global knowledge
• nodes are static, so learn global map
• scalability enough state to keep info?

22
Intuition

• Tight tradeoff
• energy conservation via optimized paths
• optimization ? manipulation of cost factors
• Avoid
• powerful nodes (they cant be authenticated)
• centralized functionality (same reason)
• What can we use?
• randomization / probabilistic routing?