
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
Chris Karlof and David Wagner

Key Contributions
Secure routing issues in WSNs
Show how they differ from those of ad hoc networks
Introduce two new classes of attacks:
Sinkhole attack
Hello flood attack
Analyze security aspects of major routing protocols
Discuss countermeasures and design considerations for secure routing in WSNs

WSNs vs. Ad Hoc Networks
Both use multi-hop wireless communications
Ad hoc nets: communication between two arbitrary nodes
WSNs:
Specialized communication patterns: many-to-one, one-to-many, local communication
More resource constrained
More trust needed for in-network processing, aggregation, duplicate elimination

Assumptions
Insecure radio links
Malicious nodes can collude to attack the
WSN
Sensors are not tamper-resistant: an adversary who captures a node can access all of its key material, data and code
Aggregation points may not be trustworthy
Base station is trustworthy

Threat Models
Device capability:
Mote-class attacker
Laptop-class attacker: more energy, more powerful CPU, sensitive antenna, more radio power
Attacker type:
Outside attacker: external to the network
Inside attacker: an authorized node in the WSN is compromised or malicious

Security Goals
Secure routing: support integrity, authenticity and availability of messages in the presence of attack
Data confidentiality

Potential Attacks
Attacks on general WSN routing
Attacks on specific WSN protocols

Attacks on General WSN Routing Protocols
Spoof, alter, or replay routing information
Create routing loops, attract or repel network traffic, partition the network, extend or shorten source routes, etc.
Message authentication can partly handle these issues

Selective forwarding
A malicious node selectively drops incoming packets
Sinkhole attack
Specific to WSNs: all packets are directed to the base station
A malicious node advertises a high-quality link to the base station to attract a lot of packets
Enables other attacks, e.g., selective forwarding or a wormhole attack

Sybil attack
A single node presents multiple identities to other nodes
Affects geographic routing, distributed storage, multi-path routing and topology maintenance

Wormhole attack
Two colluding nodes
A node at one end of the wormhole advertises a high-quality link to the base station
The node at the other end receives the attracted packets

Hello flood attack
Specific to WSNs
In some protocols, nodes have to periodically broadcast HELLO messages to advertise themselves
These are not authenticated!
A laptop-class attacker can convince distant nodes that it is their neighbor by sending high-power HELLO messages; those nodes then route through an attacker they cannot actually reach

Acknowledgement spoofing
The adversary spoofs link-layer ACKs to convince a sender that a weak or dead link has good link quality

Attacks on Specific Routing Protocols
TinyOS beaconing
Constructs a BFS tree rooted at the base station
Beacons are not authenticated
An adversary can take over the whole WSN by broadcasting its own beacons

Directed diffusion
Replay interest
Selective forwarding & data tampering
Inject false data

Geographic routing
An adversary can provide false, possibly multiple, location information
Create routing loops
GEAR considers energy in addition to location; a laptop-class attacker can exploit this

Countermeasures
Shared key and link-layer encryption
Prevents outsider attacks, e.g., Sybil attacks, selective forwarding, ACK spoofing
Cannot handle insider attacks; also ineffective against wormhole, hello flood and TinyOS beaconing attacks
Sybil attack
Every node shares a unique secret key with the base station
Create pairwise shared keys for message authentication
Limit the number of neighbors a node may have
Hello flood attack
Verify link bidirectionality
Doesn't work if the adversary has a very sensitive radio

Countermeasures
Wormhole and sinkhole attacks
Cryptography may not help directly
Good routing protocol design, e.g., geographic routing
Geographic routing
Location verification
Use a fixed topology, e.g., grid structure
Selective forwarding
Multi-path routing
Route messages over disjoint or braided paths
Dynamically pick the next hop from a set of candidates
Measure the trustworthiness of neighbors

Countermeasures
Authenticated broadcast (e.g., µTESLA)
Base station floods a blacklist
The blacklist must be authenticated; adversaries must not be able to spoof it

Towards Resilient Geographic Routing in WSNs
Ke Liu, Nael Abu-Ghazaleh, KD Kang
Computer Science Dept., State University of New York at Binghamton

Outline
Background: Geographic Forwarding
Security Threats and Threat Model
Localization and Location Verification
Secure Trust-based Multi-path Routing
Conclusions

Geographic Forwarding
Keep track of neighbors' locations
Forwarding set is the set of neighbors closer to the destination than self
Pick the next hop as a member of the forwarding set
Greedy forwarding: pick the member closest to the destination

Geographical Forwarding (2)
Local interactions only; no end-to-end route state is maintained
Can get stuck in voids; a void traversal algorithm is needed (e.g., perimeter routing)
We don't consider this aspect of operation

Threat Model/Assumptions
Two types of nodes:
Anchors:
Know their location (e.g., using GPS)
Act as reference points for localization
Sufficient density to enable localization
First assume they are trusted; later relax the assumption
Sensor Nodes:
Can be compromised
Key pre-distribution provides cryptographic keys
Confidentiality, authentication and message integrity can be supported if needed

Threat Models/Assumptions (2)
GF is different from traditional topology-based routing protocols
We do not consider MAC/physical level attacks; orthogonal techniques apply there
A Sybil attack (a node claiming multiple locations) is possible
Blackhole, wormhole and selective forwarding attacks are possible

Location Verification
First contribution of this paper
Each node is responsible for reporting its own location information
It is trusted to provide the correct information; there is no mechanism to verify it using traditional localization approaches
If nodes can falsify their location, GF breaks down
Sybil attacks, blackholes and other attacks become easily possible
Location verification: prevent nodes from lying about their location

Existing Solution (Sastry et al 2004)
Echo Protocol: location is challenged by a verifier
The node responds instantly with an ultrasonic pulse
The speed of sound allows an estimate of distance
The response includes a nonce sent by the verifier, which prevents an early response that would make the node appear closer
The authors argue that delaying the response does not help because it moves the node into another verifier's region
Coarse-grained verification (within a region)
Requires an ultrasound channel

Localization via Triangulation
Lateration is the calculation of position information based on distance measurements from three known points (anchors)
A 2D position requires three distance measurements
Signal strength, time of arrival, time difference of arrival, etc., are used to estimate distance
Triangulation measures angle of arrival instead
(Figure: a node ranged by three anchors at distances d1, d2, d3)

Proposed Solution: Anchors Localize
(Figure: three anchors measure distances d1, d2, d3 to the node)
Protocol:
1. Node transmits a localization packet
2. Anchors receive it concurrently; each anchor estimates its distance to the node
3. Anchors exchange estimates to calculate the location
Localization responsibility is moved to the trusted anchors
The location is passed to the node with a certificate or supplied by the anchors
Limitation: range-based localization only; range-free localization requires an extension

Possible Attacks (1)
Nodes cheat by manipulating the localization transmission
E.g., in signal-power based ranging: transmit at higher power to appear closer, or at lower power to appear farther
In TDOA: send the ultrasonic pulse before the RF pulse to appear closer; send the RF pulse before the ultrasonic pulse to appear farther

Defense
(Figure: the same node seen by three anchors; a cheating transmission shifts every range by the same dx, to d1+dx, d2+dx, d3+dx or to d1-dx, d2-dx, d3-dx)
Key observation: the node will appear closer to, or farther from, all anchors concurrently
Detectable when anchors exchange ranges
Leads to a non-feasible location in all non-trivial anchor placements

Possible Attacks (2)
Directional-antenna version of the previous attack
Use a directional antenna to send a different localization beacon to each anchor
Other anchors cannot hear the directional packet
Falsifying the distance to each anchor separately can allow an undetectable (consistent) forgery
Two versions:
Sequential: the attacker sends the beacons sequentially to the different anchors
Concurrent: the attacker has multiple radios and can forge all distances concurrently
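As an added example (not code from the paper or its authors), the range-consistency check from the Defense slide above, in Python. It assumes four anchors at the corners of a 10 m square field, a node at (3, 4), signal-strength ranging and a 0.5 m ranging tolerance; all of these values are constructed. The anchors pool their range estimates, solve for a position by least-squares lateration and reject the claim when any reported range disagrees with the solved position. It also shows the limitation from the directional-antenna attack just described: an attacker who forges a mutually consistent set of ranges for a fake position passes the same check.

```python
import math

# Constructed scenario (assumption, not from the paper): four anchors at the
# corners of a 10 m x 10 m field and one sensor node at (3, 4).
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
TRUE_POS = (3.0, 4.0)
RANGE_TOLERANCE = 0.5   # metres of ranging error the anchors accept (assumption)


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def measured_ranges(node_pos, anchors, power_offset=0.0):
    """Range each anchor estimates from one localization packet.

    With signal-strength ranging, a node transmitting above its nominal power
    looks closer to *every* anchor by the same amount (power_offset < 0);
    transmitting below it looks farther from every anchor (power_offset > 0)."""
    return [dist(node_pos, a) + power_offset for a in anchors]


def lateration(anchors, ranges):
    """Least-squares 2-D position from three or more (anchor, range) pairs.

    Subtracting the first anchor's circle equation from each other circle
    removes the quadratic terms and leaves a linear system in (x, y)."""
    (x1, y1), r1 = anchors[0], ranges[0]
    rows, rhs = [], []
    for (xi, yi), ri in zip(anchors[1:], ranges[1:]):
        rows.append((2 * (xi - x1), 2 * (yi - y1)))
        rhs.append(r1 ** 2 - ri ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2)
    # Normal equations (A^T A) p = A^T b, solved directly for the 2x2 case.
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("degenerate (collinear) anchor placement")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def verify_location(anchors, ranges, tol=RANGE_TOLERANCE):
    """The anchors' consistency check after they exchange range estimates.

    Returns (accepted, estimated_position, worst_range_residual).  A claim is
    accepted only if every reported range agrees with the solved position."""
    pos = lateration(anchors, ranges)
    residual = max(abs(dist(pos, a) - r) for a, r in zip(anchors, ranges))
    return residual <= tol, pos, residual


if __name__ == "__main__":
    # Honest node: consistent ranges, accepted at (3, 4).
    print("honest     ", verify_location(ANCHORS, measured_ranges(TRUE_POS, ANCHORS)))
    # Power attack: 2 m closer to (or farther from) every anchor at once.
    # No point in the plane fits all four shifted ranges, so it is rejected.
    print("high power ", verify_location(ANCHORS, measured_ranges(TRUE_POS, ANCHORS, -2.0)))
    print("low power  ", verify_location(ANCHORS, measured_ranges(TRUE_POS, ANCHORS, +2.0)))
    # Directional-antenna attack: per-anchor beacons forged to match a fake
    # position (8, 8).  The ranges are mutually consistent, so the check passes.
    print("directional", verify_location(ANCHORS, measured_ranges((8.0, 8.0), ANCHORS)))
```

With three anchors there can be a second point in the plane consistent with a uniformly shifted set of ranges, which is why the example uses four; the check gets stronger with every additional anchor in range, and a collinear placement is rejected outright because the linear system is singular.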

Defense
The sequential version can be defended by having the anchors loosely synchronized
They can detect the different time stamps on the packets received by the different anchors
The concurrent version is challenging
A sophisticated attacker with expensive hardware
MAC-level authentication?
Moving anchors?
Other sensors detecting the inconsistency?

Compromising Anchors
So far, anchors were assumed to be trusted
If they are compromised:
They can assist nodes in falsifying their location
They can cause errors in the localization of legitimate nodes
Correctly evaluating location under Byzantine failure is a variant of Byzantine quorum
However, unlike classical Byzantine quorum, consensus is on an indirect value (the location)
With n anchors in range, the node can be localized correctly if 3+ceiling((n-3)/2) anchors are not compromised
Threshold cryptography or similar approaches can ensure that a rogue anchor doesn't bypass the localization process

Possible Attacks
Mobility attack:
Localize and obtain a valid localization certificate
Move to a new location and use the now-invalid (but still certified) location to do mischief
Or send the certificate to a proxy node that can use it
Defense:
Make the anchors in an area responsible for supplying certified locations
Place time bounds on location validity (energy/security tradeoff)

Secure Multi-path Routing
Forwarding Misbehavior
Misbehaving nodes can mis-route or selectively forward packets
They can have valid location estimates
Since GF is completely localized, the problem is difficult to detect
A node has no idea where the packet should be sent beyond its current next hop

Proposed Solution
Multi-path routing:
Select the next hop probabilistically among the forwarding set
Probability proportional to trust (aka reputation)
The trust estimate is adapted over time, based on the observed behavior of the nodes
How to detect misbehavior?
How to detect misbehavior?

Detecting Misbehavior/Updating Trust
Trust is updated up or down depending on the observed behavior of neighbors
Rebroadcast check:
A sending node hears whether the next hop forwards the packet again
Drop its reputation if not
Not fool-proof:
Can miss the rebroadcast due to collision or fading
The next hop can pretend to forward the packet to a non-existent next-hop neighbor (securely building 2-hop neighbor cliques can help here)
Trust consensus:
Exchange trust estimates among neighbors that are themselves trustworthy
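As an added example (not the authors' code), the forwarding set, the trust-weighted probabilistic next-hop choice and the rebroadcast check of the last two slides, in Python on a constructed five-node topology. Node positions, radio range, trust scale and the reward/penalty steps are all assumptions; collisions and fading are ignored, so a missing rebroadcast always means a drop, which is exactly the simplification the slide warns is not fool-proof in practice.

```python
import math
import random

# Constructed topology (assumption, not from the paper): node positions in
# metres, a 12 m radio range, source S sending toward destination D.
POSITIONS = {
    "S": (0.0, 0.0),
    "A": (8.0, 3.0),
    "B": (9.0, -4.0),
    "C": (-5.0, 2.0),    # a neighbour of S that is farther from D than S is
    "D": (30.0, 0.0),
}
RADIO_RANGE = 12.0
TRUST_INIT, TRUST_MIN, TRUST_MAX = 0.5, 0.05, 1.0   # assumed trust scale
REWARD, PENALTY = 0.1, 0.2                          # assumed update steps


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def neighbors(node):
    return [n for n in POSITIONS
            if n != node and dist(POSITIONS[n], POSITIONS[node]) <= RADIO_RANGE]


def forwarding_set(node, dest):
    """Neighbours strictly closer to the destination than the node itself."""
    d_self = dist(POSITIONS[node], POSITIONS[dest])
    return [n for n in neighbors(node) if dist(POSITIONS[n], POSITIONS[dest]) < d_self]


def choose_next_hop(fset, trust, rng):
    """Probabilistic multi-path choice: the next hop is drawn from the
    forwarding set with probability proportional to its current trust,
    rather than always being the greedy (closest-to-destination) member."""
    weights = [trust.get(n, TRUST_INIT) for n in fset]
    return rng.choices(fset, weights=weights, k=1)[0]


def update_trust(trust, next_hop, overheard_rebroadcast):
    """Rebroadcast check: the sender listens for the next hop retransmitting
    the packet and raises or lowers its trust, clamped to [MIN, MAX]."""
    t = trust.get(next_hop, TRUST_INIT)
    t = t + REWARD if overheard_rebroadcast else t - PENALTY
    trust[next_hop] = min(TRUST_MAX, max(TRUST_MIN, t))
    return trust[next_hop]


def simulate(rounds, misbehaving, seed=1):
    """S sends `rounds` packets toward D.  Nodes in `misbehaving` silently drop
    (selective forwarding); everyone else rebroadcasts.  Collisions and fading
    are ignored, so every honest rebroadcast is overheard (assumption).
    Returns (trust table, how often each candidate was chosen as next hop)."""
    rng = random.Random(seed)
    trust = {}
    fset = forwarding_set("S", "D")
    counts = {n: 0 for n in fset}
    for _ in range(rounds):
        nh = choose_next_hop(fset, trust, rng)
        counts[nh] += 1
        update_trust(trust, nh, overheard_rebroadcast=nh not in misbehaving)
    return trust, counts


if __name__ == "__main__":
    print("forwarding set of S:", forwarding_set("S", "D"))
    trust, counts = simulate(200, misbehaving={"B"})
    print("trust after 200 packets:", trust)
    print("next-hop choices:", counts)
```

Because trust never reaches zero, a misbehaving neighbour is still probed occasionally and can be rehabilitated if it starts forwarding again; a real deployment would tune TRUST_MIN and the update steps against the expected rate of lost overhearing so that collisions alone cannot ostracize an honest node.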

Summary
Sybil, blackhole and wormhole attacks require location falsification in GF
They are prevented using the location verification mechanism
Forwarding misbehavior does not depend on location falsification
Multi-path routing helps avoid bad paths even when the misbehaving nodes are not known
Building and tracking reputation helps ostracize misbehaving nodes

Conclusions
Presented a verified localization algorithm for use in GF in WSNs
Specific to range-based localization
Outlined a number of attacks and their defenses
Derived the limit for the anchor Byzantine quorum on location
Presented a preliminary secure routing protocol
Uses probabilistic multi-path routing
Tracks a trust estimate to discover and avoid bad paths

Future/Ongoing Work
Extend to range-free localization
Extend to the case with compromised anchors
Extend to void avoidance/face routing
Virtual coordinate routing:
Initialize node coordinates and use them as identifiers and for routing
Similar to GF, but with some unique and more difficult attacks
Explore the interaction with localization errors
Evaluate trust-based multi-path routing on motes

Conclusion
WSN security is a challenging, relatively new area of research
#Problems >> #Solutions
Any ideas to address the challenges?

Thank you. Any questions?
