Location Verification

A Survey of Secure Location Schemes in Wireless Networks
2010/5/21

Outline
• Introduction
• Secure Location Schemes
  • Location Verification
  • Range-independent Scheme (SeRLoc)
  • Base Station Assisted Secure Localization
  • Detect Compromised Beacon Nodes
  • Defeat Non-cryptographic Attacks
• Summary

Location & Identity in Wireless Networks
• Application
  • Location Based Service (LBS) → privacy issues
  • Solution: legal framework, k-anonymity, etc.
• Network
  • Geographical routing, location based access control
• Physical Layer
  • Location could be used to detect source spoofing attacks (in wireless networks)

Wireless Sensor Network (WSN)
• WSN
  • Have mission-critical tasks
  • Sensor nodes: low cost, limited resource, multifunctional
  • Usually has one BS
  • Prone to failure, easily compromised
• Location matters
  • The location of sensors is a critical input to many higher-level networking tasks [5]

Localization in WSN
• Techniques:
  • GPS
  • Ultrasound
  • Radio (RF)
    • RSSI, ToA, TDoA, AoA, etc.
• Usually has Beacon nodes
  • With known locations and sending beacon signals
• Security issues:
  • Location discovery in hostile environments
  • Attacker could masquerade as or compromise beacon nodes, or perform replay attacks

Threat Model
• (Internal) dishonest or compromised nodes
  • Can authenticate itself (to other sensor nodes)
  • Report false position
• (External) malicious nodes
  • Cannot authenticate itself (as an honest node)
  • Can perform timing attack (delaying or speeding-up)
• Other attacks
  • PHY-layer attack

Examples
• Masquerade beacon node
• Compromised beacon node
• Replay attack (locally replay or through wormhole)

Taxonomy
Secure Location
w/ beacon nodes
Localization:
• Location Verification
• Range-independent localization
• Base Station Assisted
w/o beacon nodes
Attack Detection:
• Detect Compromised Beacon Nodes
• Defeat Non-cryptographic Attacks

Location Verification
(Location-based Access Control)
• In-region verification
• Roles:
  • Claimants & Verifiers
  • C: I’m at some location l
  [Figure: verifier V, claimant C, region of interest R]
• Method:
  • Distance bounding techniques
    • Upper bound the distance of one device to another (dishonest) device
[1] N. Sastry, U. Shankar, and D. Wagner, “Secure Verification of Location Claims,” in Proc. ACM Workshop Wireless Security, 2003, pp. 1-10.

Location Verification
(Location-based Access Control)
• A simplified case
  • Echo Protocol: (secure, lightweight)
  [Figure: Echo protocol exchange; p: prover, c: light speed, s: sound speed]
  • (why sound?)
• More complex cases:
  • Consider processing/transmission delay
  • Consider non-uniform regions
  • Consider multiple verifiers

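The verifier-side check behind the simplified Echo case, as an added example (not code from the slides or from [1]). It assumes a circular region centred on the verifier, a nonce sent by radio and echoed by ultrasound, and a declared processing delay that shrinks the acceptance region; all function names and sample values are constructed.

```python
import math
import secrets

C = 299_792_458.0  # radio propagation speed, m/s
S = 343.0          # speed of sound in air, m/s (assumed, about 20 C)

def max_echo_time(dist_m, proc_delay_s=0.0):
    """Latest echo arrival for a prover at dist_m: radio out, sound back."""
    return dist_m / C + dist_m / S + proc_delay_s

def simulate_elapsed(true_dist_m, actual_delay_s=0.0):
    """Constructed channel model: time the verifier observes for a real prover."""
    return true_dist_m / C + true_dist_m / S + actual_delay_s

def verify_claim(verifier_xy, region_radius_m, claimed_xy, elapsed_s,
                 nonce_sent, nonce_echoed, proc_delay_s=0.0):
    """Verifier side: accept the claim only if the echo arrived early enough."""
    d_claim = math.dist(verifier_xy, claimed_xy)
    # A prover that overstates its delay gains proc_delay_s * S metres of
    # slack, so the claim must sit that far inside the region (assumption).
    if d_claim + proc_delay_s * S > region_radius_m:
        return "reject: claim outside acceptance region"
    if not secrets.compare_digest(nonce_sent, nonce_echoed):
        return "reject: wrong nonce"
    if elapsed_s > max_echo_time(d_claim, proc_delay_s):
        return "reject: echo too late"
    return "accept"

def demo():
    v, radius = (0.0, 0.0), 10.0
    n = secrets.token_bytes(8)
    claim = (5.0, 0.0)
    return {
        # honest prover 5 m away claims its true position
        "honest": verify_claim(v, radius, claim, simulate_elapsed(5.0), n, n),
        # prover 15 m away claims 5 m: the sound echo cannot return in time
        "too_far": verify_claim(v, radius, claim, simulate_elapsed(15.0), n, n),
        # prover 3 m away adds 5 ms of delay: it only looks farther, never nearer
        "delayed": verify_claim(v, radius, claim, simulate_elapsed(3.0, 5e-3), n, n),
        # claim near the edge with a 1 ms declared delay (0.343 m of slack)
        "edge": verify_claim(v, radius, (9.9, 0.0), simulate_elapsed(9.9, 1e-3),
                             n, n, proc_delay_s=1e-3),
    }
```

The slow return channel is what makes the timing check practical: a 1 ms timing error corresponds to about 0.34 m at the speed of sound but about 300 km at radio speed.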
Distance Enlargement Attacks
• Distance bounding – vulnerable to distance enlargement attacks but not to distance reduction attacks
• Propose VM (Verifiable Multi-lateration)
  • Also relies on distance bounding (at least 3 verifiers)
  • T: set of verifiers that form triangles around u (claimant)
  • (MMSE: Min. Mean Square Estimate)
[2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp. 1917-1928.

Detection of Distance Enlargement Attack
[Figure: claimed position u’; enlarging db1 is impossible]

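Why three verifiers around the claimant defeat distance enlargement, as an added example (not code from the slides or from [2]). A linearized three-verifier solve stands in for the MMSE fit, and the tolerance delta, coordinates and function names are constructed assumptions.

```python
import math

def bounds_for(p, verifiers):
    """Distance bounds an honest exchange would yield for position p."""
    return [math.dist(p, v) for v in verifiers]

def locate(verifiers, bounds):
    """Solve the linearized circle equations for three verifiers (2x2 system)."""
    (x0, y0), (x1, y1), (x2, y2) = verifiers
    d0, d1, d2 = bounds
    a11, a12 = 2 * (x1 - x0), 2 * (y1 - y0)
    a21, a22 = 2 * (x2 - x0), 2 * (y2 - y0)
    b1 = d0**2 - d1**2 + x1**2 + y1**2 - x0**2 - y0**2
    b2 = d0**2 - d2**2 + x2**2 + y2**2 - x0**2 - y0**2
    det = a11 * a22 - a12 * a21  # zero only when the verifiers are collinear
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - b1 * a21) / det)

def inside_triangle(p, tri):
    """True when p lies on the same side of all three edges."""
    def side(a, b):
        return (b[0] - a[0]) * (p[1] - a[1]) - (b[1] - a[1]) * (p[0] - a[0])
    s = [side(tri[i], tri[(i + 1) % 3]) for i in range(3)]
    return all(v >= 0 for v in s) or all(v <= 0 for v in s)

def verify_position(verifiers, bounds, delta):
    """Return (position, reason); position is None when a test fails."""
    p = locate(verifiers, bounds)
    # Test 1: every measured bound must agree with the computed position.
    for v, db in zip(verifiers, bounds):
        if abs(math.dist(p, v) - db) > delta:
            return None, "delta test failed"
    # Test 2: a position reachable by enlarging every bound lies outside
    # the triangle, so only positions inside it are trusted.
    if not inside_triangle(p, verifiers):
        return None, "outside verifier triangle"
    return p, "accepted"

# Constructed layout: three verifiers, claimant truly at (3, 3).
VERIFIERS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
```

Moving the claimed position anywhere else inside the triangle would require shortening at least one bound, which distance bounding does not allow.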
SPINE (Secure Positioning In sensor NEtwork)
• SPINE: a system for secure positioning of a network of sensors, that is based on VM
• Possible Attacks: (Attacker-x-y)
  • x: # of compromised nodes (c)
  • y: # of malicious nodes (m)

SPINE (Secure Positioning In sensor NEtwork) (cont’d)
• Operate in 2 phases:
  • Sensors measure distance bounds to their neighbors
  • Central authority computes sensors’ positions (according to the distance bounds)
    (Verify db(s), then compute positions based on verified db(s))
    (Positioning is also based on MMSE)
• BDV (Basic Distance Verification)

SPINE (Secure Positioning In sensor NEtwork) (cont’d)
• Effectiveness:
  • The effectiveness of this system depends on the number of node neighbors (node density) and on the number and the distribution of the reference nodes (verifiers)

Range-Independent Localization
• Motivation:
  • Distance measure is vulnerable
  • Do not count on distance measure to infer the sensor location
  • Secure localization ≠ location verification
• Goal:
  • Decentralized, resource efficiency, robust
• Contributions:
  • Propose SeRLoc, a range-independent localization scheme
  • Propose security mechanism for SeRLoc
  • Evaluate the performance of SeRLoc
[3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp. 21-30.

SeRLoc
• Concept:
  • Locators use sectored antennas (with range R)
  • A sensor can identify the region it resides in by computing the overlap between all the sectors it resides in
  • Then estimates its location at the center of gravity of the overlapping region

Secure SeRLoc
• Encryption:
  • To protect the localization information, encrypt all beacons transmitted from locators
  • Sensors and locators share a global symmetric key K_0
• Locator ID authentication:
  • Use one-way hash chains to provide locator ID auth.
  • Each sensor has a table containing {ID_i, H^n(PW_i)} of each locator
  • Storage issues

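How a sensor can check a locator ID against its stored {ID_i, H^n(PW_i)} entry, as an added example (not code from the slides or from [3]). SHA-256 as H, the disclosure order (beacon j carries H^(n-j)(PW_i)) and the class and function names are assumptions made for illustration; beacon encryption under K_0 is left out.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    """One-way function of the chain (SHA-256 assumed for this example)."""
    return hashlib.sha256(data).digest()

def chain(pw: bytes, n: int) -> list:
    """Locator side: [H^0(PW), H^1(PW), ..., H^n(PW)]."""
    vals = [pw]
    for _ in range(n):
        vals.append(H(vals[-1]))
    return vals

class SensorTable:
    """Sensor side: one anchor H^n(PW_i) and one counter per locator."""

    def __init__(self, n: int):
        self.n = n
        self.anchor = {}  # ID_i -> H^n(PW_i), preloaded before deployment
        self.last_j = {}  # ID_i -> highest beacon index accepted so far

    def enroll(self, loc_id: str, anchor: bytes) -> None:
        self.anchor[loc_id] = anchor
        self.last_j[loc_id] = 0

    def accept(self, loc_id: str, j: int, value: bytes) -> bool:
        """Accept beacon j if hashing its value j times reaches the anchor."""
        if loc_id not in self.anchor or not 0 < j <= self.n:
            return False
        if j <= self.last_j[loc_id]:
            return False  # this chain value was already disclosed on air
        h = value
        for _ in range(j):
            h = H(h)
        if not hmac.compare_digest(h, self.anchor[loc_id]):
            return False
        self.last_j[loc_id] = j
        return True
```

Each table entry costs one digest plus a counter per locator, which is the storage cost the slide points at.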
Threat Analysis
• Authors analyze (1) wormhole attacks and (2) Sybil attack and compromised sensors
• Analyze the vulnerabilities of 3 other range-independent localization schemes
  • DV-hop, Amorphous localization, APIT

Base Station Assisted Approaches
• Contribution:
  • New approach, relies on a set of covert base stations
  • Enables secure localization with a broad spectrum of localization techniques (ultrasound, RF, etc)
• Covert Base Station (CBS):
  • Known position
  • Passively listen to the on-going communication
  • Could be hidden or mobile base station
[Figure: PBS (Public Base Station), sensor, CBS. Labels: broadcast nonce; nonce; measure TDoA and compute sensor’s position]
[4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, 2006.

1. Infrastructure-centric Positioning with Hidden Base Stations
• TDoA: Position a source by finding the intersection of multiple hyperboloids.
  • Pros: does not require communication from BSs and mobile nodes
• Security analysis:
  • TDoA drawback: using directional antennas, attackers could cheat BSs
  • Δ: tolerant size (also means the size of attacker’s guessing space)
  • T: signal propagation time + node processing time

2. Node-centric Positioning with Hidden Base Stations
• Node computes its position, then verified by CBS
• Node-centric:
  • Attacker might spoof node’s position and then cheat on the position verification mechanism
  • CBS again verifies the reported position by distance measure

3. Secure Positioning with Mobile Base Stations

Detecting Malicious Beacon Nodes
• Motivation:
  • None of previous techniques can work properly when some of the beacon nodes are compromised
• Goal:
  • Try to detect and remove compromised beacon nodes
  • Ensure correct location discovery
• Approach:
  • Detect malicious beacon signals
  • Detect replayed beacon signals to avoid false positive
  • Revoke malicious beacon nodes
[6] D. Liu, P. Ning, and W. Du, “Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. ICDCS, 2005, pp. 609-619.

Detecting Malicious Beacon Signals
• Idea:
  • Use beacon node (known location) to detect other beacon nodes
  • Locations of beacon nodes must satisfy the measurements (of their locations) derived from their beacon signals
• Method: (By request & reply)
  Note: to mislead the location estimation, the attacker has to make the estimated distance inconsistent with the calculated one.

Filtering Replayed Beacon Signals
(Goal: avoid False Positive)
• Malicious signal ≠ this node is malicious!
  • Due to replay attack
• Replay through a wormhole attack
  • Detect this attack by checking the measured distance and the radio communication range
  • If within the communication range, go to next step (locally replay)
• Locally replayed beacon signals
  • Detect extra delay by measuring RTT between two neighbors
  • RTT measure in a real setup (does NOT consider the impacts of MAC protocol or any processing delay)
  • Extra delay → larger than RTTmax
  • (Assumption required) authenticated and unicasted beacon signal!!

Revoke Malicious Beacon Nodes
• Use the base station to further remove malicious beacon nodes from the network
  • Each beacon node shares a unique random key with BS
  • Beacon nodes can report the detecting results to BS securely
  • BS evaluates the suspiciousness of each beacon node
    • BS maintains alert counters and report counters
• This mechanism requires more beacon nodes and incurs more communication overhead

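The three steps of the last three slides (consistency check, replay filtering, counter-based revocation) put together as an added example, not code from the slides or from [6]. The thresholds, the choice of comparing the distance to the declared location against the radio range, and all names and sample values are constructed assumptions.

```python
import math
from collections import Counter

def classify_signal(detector_xy, declared_xy, measured_dist_m, rtt_s,
                    max_err_m, radio_range_m, rtt_max_s):
    """Label one beacon reply as seen by a detecting beacon node."""
    calculated = math.dist(detector_xy, declared_xy)
    if abs(calculated - measured_dist_m) <= max_err_m:
        return "consistent"       # declared location fits the measurement
    if calculated > radio_range_m:
        return "wormhole-replay"  # declared sender is out of radio range
    if rtt_s > rtt_max_s:
        return "local-replay"     # extra delay added by a relaying node
    return "malicious"            # inconsistent and not explained by replay

class BaseStation:
    """Alert and report counters; tau_report and tau_alert are assumed."""

    def __init__(self, tau_report=2, tau_alert=1):
        self.tau_report, self.tau_alert = tau_report, tau_alert
        self.reports, self.alerts = Counter(), Counter()
        self.revoked = set()

    def alert(self, reporter, target):
        """Count an alert; return False when it is ignored."""
        if reporter in self.revoked or target in self.revoked:
            return False
        # The report quota limits how many nodes one bad beacon can frame.
        if self.reports[reporter] >= self.tau_report:
            return False
        self.reports[reporter] += 1
        self.alerts[target] += 1
        if self.alerts[target] > self.tau_alert:
            self.revoked.add(target)
        return True

# Constructed replies seen by a detector at (0, 0):
# (beacon id, declared location, measured distance in m, RTT in s)
SAMPLE = [
    ("b1", (30.0, 40.0), 50.5, 0.004),
    ("b2", (60.0, 80.0), 70.0, 0.004),
    ("b3", (300.0, 400.0), 90.0, 0.004),
    ("b4", (90.0, 120.0), 120.0, 0.020),
]

def label_sample(max_err_m=4.0, radio_range_m=160.0, rtt_max_s=0.005):
    return {bid: classify_signal((0.0, 0.0), xy, d, rtt,
                                 max_err_m, radio_range_m, rtt_max_s)
            for bid, xy, d, rtt in SAMPLE}
```

Only the "malicious" label should turn into an alert to the base station; the two replay labels are the false positives the filtering step removes.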
Focus on Non-cryptographic Attacks
• Non-cryptographic attacks (physical attacks)
  • Such as signal attenuation and amplification
  • Degrade the performance of localization algorithms
• Propose a general attack detection model
  • Based on this model, analyze two broad localization approaches (Multi-lateration based & signal strength based)
  • The attack detection mainly depends on statistical significance testing
  • Other test statistics are also discussed
• Conduct trace driven evaluations
  • Using an 802.11 network and an 802.15.4 (ZigBee) network
[5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, 2007.

Models
• Linear attack model on RSS
• Conduct Exp. in two real office buildings
• Detection model:
  • Statistical significance testing
  • Define test statistic T, null hypothesis H0, and its acceptance region Ω
• Metrics:
  • Detection Rate
  • ROC curve

Reference
[1] N. Sastry, U. Shankar, and D. Wagner, “Secure Verification of Location Claims,” in Proc. ACM Workshop Wireless Security, 2003, pp. 1-10. (UC Berkeley)
[2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp. 1917-1928. (EPFL Switzerland)
[3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp. 21-30. (Univ. of Washington)
[4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, 2006.
[5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, 2007. (Rutgers Univ.)
[6] D. Liu, P. Ning, and W. Du, “Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. International Conf. Distributed Computing Systems (ICDCS), 2005, pp. 609-619. (NCSU, Syracuse Univ.)
[7] D. Liu, P. Ning, and W. Du, “Attack-Resistant Location Estimation in Sensor Networks,” in Proc. International Symposium Information Processing Sensor Networks (IPSN), 2005, pp. 99-106.
[8] L. Fang, W. Du, and P. Ning, “A Beacon-less Location Discovery Scheme for Wireless Sensor Networks,” in Proc. INFOCOM, 2005.
[9] W. Du, L. Fang, and P. Ning, “LAD: Localization Anomaly Detection for Wireless Sensor Networks,” in Proc. IEEE International Parallel Distributed Processing Symposium (IPDPS), 2005, pp. 41a-41a.