Secure Routing in Wireless Sensor
Networks: Attacks and
Countermeasures
Chris Karlof and David Wagner
Key Contributions
Secure routing issues in WSNs


Show how they are different from ad hoc
networks
Introduce two new classes of attacks
 Sinkhole attack
 Hello flood attack
Analyze security aspects of major routing
protocols
Discuss countermeasures & design
considerations for secure routing in WSNs
WSNs vs. Ad Hoc Networks
Multi-hop wireless communications
Ad hoc nets: communication between two
arbitrary nodes
WSNs

Specialized communication patterns
 Many-to-one
 One-to-many
 Local communication


More resource constrained
More trust needed for in-network processing,
aggregation, duplicate elimination
Assumptions
Insecure radio links
Malicious nodes can collude to attack the
WSN
Sensors are not tamper-resistant
Adversary can access all key material, data &
code
Aggregation points may not be trustworthy
Base station is trustworthy
Threat Models
Device capability


Mote class attacker
Laptop class attacker: more energy, more
powerful CPU, sensitive antenna, more radio
power
Attacker type


Outside attacker: External to the network
Inside attacker: Authorized node in the WSN is
compromised or malicious
Security Goals
Secure routing


Support integrity, authenticity, availability of
messages in presence of attack
Data confidentiality
Potential Attacks
Attacks on general WSN routing
Attacks on specific WSN protocols
Attacks on General WSN Routing
Protocols
Spoof, alter, or replay routing info.


Create loops, attack or repel network traffic,
partition the network, attract or repel network
traffic, etc.
Message authentication can partly handle these
issues
Selective forwarding

Malicious node selectively drops incoming packets
Sinkhole attack
Specific to WSNs



All packets are directed to base station
A malicious node advertises a high quality link to
the base station to attract a lot of packets
Enable other attacks, e.g., selective forwarding or
wormhole attack
Sybil attack
A single node presents multiple ID’s to other
nodes
Affect geographic routing, distributed
storage, multi-path routing, topology
maintenance
Wormhole attack
Two colluding nodes
A node at one end of the wormhole
advertises high quality link to the base station
Another node at the other end receives the
attracted packets
Hello flood attack
Specific to WSNs

In some protocols, nodes have to periodically
broadcast “hello” to advertise themselves
 Not authenticated!

Laptop-class attacker can convince it’s a neighbor
of distant nodes by sending high power hello
messages
Acknowledge spoofing
Adversary spoofs ACKs to convince the
sender a weak/dead link support good link
quality
Attacks on Specific Routing Protocols
TinyOS beaconing



Construct a BFS tree rooted at the base station
Beacons are not authenticated
Adversary can take over the whole WSN by
broadcasting beacons
Directed diffusion
Replay interest
Selective forwarding & data tampering
Inject false data
Geographic routing
Adversary can provide false, possibly
multiple, location info.


Create routing loop
GEAR considers energy in addition to location
 Laptop-class attacker can exploit it
Countermeasures
Shared key & link layer encryption


Prevent outsider attacks, e.g., Sybil attacks, selective
forwarding, ACK spoofing
Cannot handle insider attacks
 Wormhole, Hello flood, TinyOS beaconing
Sybil attack



Every node shares a unique secret key with the base station
Create pairwise shared key for msg authentication
Limit the number of neighbors for a node
Hello flood attack


Verify link bidirectionality
Doesn’t work if adversary has very sensitive radio
Countermeasures
Wormhole, sinkhole attack



Cryptography may not help directly
Good routing protocol design
Geographic routing
Geographic routing


Location verification
Use fixed topology, e.g., grid structure
Selective forwarding




Multi-path routing
Route messages over disjoint or Braided paths
Dynamically pick next hop from a set of candidates
Measure the trustworthiness of neighbors
Countermeasures
Authenticated broadcast

uTESLA
Base station floods blacklist


Should be authenticated
Adversaries must not be able to spoof
Towards Resilient Geographic
Routing in WSNs
Ke Liu, Nael Abu-Ghazaleh, KD Kang
Computer Science Dept.
State University of New York at Binghamton
Outline
Background: Geographic Forwarding
Security Threats and Threat Model
Localization and Location Verification
Secure Trust-based Multi-path Routing
Conclusions
Geographic Forwarding
Keep track of neighbors’
locations
Forwarding set is set of
neighbors closer to
destination than self
Pick next hop as a
member of the
forwarding set
Greedy forwarding –
pick closest to
destination
Geographical Forwarding (2)
Local interactions only –
no local state maintained
Can get stuck in voids;
void traversal algorithm
needed (e.g., perimeter
routing)

We don’t consider this
aspect of operation
Threat Model/Assumptions
Two types of nodes:

Anchors:
 Know their location (e.g., using GPS)
 Act as reference points for localization
 Sufficient density to enable localization
 First assume they are trusted; later relax the assumption

Sensor Nodes:
 Can be compromised
 Key pre-distribution to provide cryptographic keys

Confidentiality, authentication, message integrity, can be
supported if needed
Threat Models/Assumptions (2)
GF is different from traditional topology based
routing protocols
We do not consider MAC/physical level
attacks

Orthogonal techniques apply there
Sybil attack (node claiming multiple locations)
are possible
Blackhole, wormhole and selective forwarding
attacks are possible
Location Verification
First contribution of this paper
Each node is responsible for reporting its location
information

Trusted to provide the correct information; no mechanism to
verify using traditional localization approaches
If nodes can falsify their location GF breaks down

Sybil attacks, blackholes, and other attacks easily possible
Location Verification: prevent nodes from lying about
their location
Existing Solution (Sastry et al 2004)
Echo Protocol: Location challenged by verifier
Node responds instantly with ultrasonic pulse


Speed of sound allows estimate of distance
Includes a nonce sent by the verifier
 Prevents early response to appear closer

Argue that delaying response not possible because
it moves node into another verifiers region
Coarse-grained verification (within region)
Requires ultrasound channel
Localization via Triangulation
Lateration is the calculation of position
information based on distance measurements
from three known points (anchors)
2D position requires three distance measurements.
Signal Strength, Time of Arrival, Time Difference of
Arrival, etc.. used to estimate distance
Triangulation measures angle
of arrival
d1
d2
d3
Proposed Solution – Anchors Localize
d1
Protocol
1.
2.
3.
d2
d3
Node transmits localization packet
Anchors receive it concurrently; each anchor estimates
distance to node
Anchors exchange estimates to calculate location
Localization responsibility moved to trusted anchors
Location passed to node with certificate or supplied
by anchors
Limitation: range based localization – range free
localization requires extension
Possible Attacks (1)
Nodes cheat by manipulating the localization
transmission

E.g., in signal power based ranging
 transmit at higher power to appear closer;
 or lower power to appear farther

In TDOA
 Send ultrasonic pulse before RF pulse to appear closer;
 Send RF pulse before ultrasonic to appear further
Defense
d1+dx
d1-dx
d1
d2+dx
d2-dx
d2
d3
d3-dx
d3+dx
Key observation: node will appear closer to, or
further, from all anchors concurrently
Detectable when anchors exchange ranges

Leads to Non-feasible location in all non-trivial anchor
placements
Possible Attacks (2)
Directional antenna version of previous attack

Use directional antenna to send different
localization beacons to each anchor
 Other anchors cannot hear the directional packet
 Falsifying distance to each anchor separately can allow
undetectable (consistent) forgery
Two versions:


Sequential: attacker sends the beacons
sequentially to the different anchors
Concurrent: attacker has multiple radios and can
concurrently forge distances
Defense
Sequential version can be defended by having
anchors be loosely synchronized

Can detect the different time stamps on the
packets received by the different anchors
Concurrent version challenging




A sophisticated attacker with expensive H/W
MAC level authentication?
Moving anchors?
Other sensors detecting inconsistency?
Compromising Anchors
So far, assumed anchors are trusted
If they are compromised


they can assist nodes in falsifying their location
Cause errors in the localization of legitimate nodes
Correctly evaluating location under byzantine failure
is a variant of byzantine quorum


However, unlike classical byzantine quorum, consensus is on
an indirect value (location)
With n anchors in range, can localize correctly if
 3+ceiling((n-3)/2) anchors are not compromised
Can use threshold cryptography or similar
approaches to ensure that a rogue anchor doesn’t
bypass localization process
Possible Attacks
Mobility attack:


Localize and obtain a valid localization certificate
Move to a new location and use the invalid (but
certified) location to do mischief
 Or send the certificate to a proxy node that can use it
Defense:


Have anchors in an area responsible for supplying
certified location
Place time bounds on location validity (energysecurity tradeoff)
Secure Multi-path Routing
Forwarding Misbehavior
Misbehaving nodes can mis-route or
selectively forward packets

Can have valid location estimates
Since GF is completely localized, problem is
difficult to detect

A node has no idea where the packet should be
sent beyond its current next hop
Proposed Solution
Multi-path routing:

Select next hop probabilistically among forwarding
set
 Probability proportional to trust (aka reputation)
Trust estimate is adapted over time

Based on observed behavior of the nodes
How to detect misbehavior?
Detecting Misbehavior/Updating Trust
Trust updated up or down depending on observed
behavior of neighbors
Rebroadcast check

A sending node hears if the next hop forwards it again
 Drop reputation if not

Not fool proof
 Can miss rebroadcast due to collision or fading
 Next hop can pretend to forward the packet to a non-existing
next hop neighbor

(securely building 2-hop neighbor cliques can help here)
Trust consensus

Exchange trust estimates with neighbors among neighbors
that are trustworthy
Summary
Sybil, blackhole and wormhole attacks require
location falsification in GF

Prevented using location verification mechanism
Forwarding misbehavior does not depend on
location falsification


Multi-path routing helps avoid bad paths even
when misbehaving nodes are not known
Building and tracking reputation helps ostracize
misbehaving nodes
Conclusions
Presented a verified localization algorithm for use in GF
in WSNs



Specific to range-based localization
Outlined a number of attacks and their defense
Derived limit for anchor byzantine quorum on location
Presented a preliminary secure routing protocol


Use probabilistically multi-path routing
Track trust estimate to discover and avoid bad paths
Future/Ongoing Work
Extend to range-free localization
Extended to the case with compromised anchors
Extend to void avoidance/face routing
Virtual Coordinate routing


Initialize node coordinates and use them as identifiers and
for routing
Similar to GF, but some unique and more difficult attacks
Explore interaction with localization errors
Evaluate trust-based multi-path routing on motes
Conclusion
WSN security is challenging, relatively new
area of research
#Problems >> #Solutions
Any ideas to address challenges?
Thank you – Any questions?