Secure routing in wireless sensor networks: attacks and countermeasures
Introduction
Our focus is on routing security in wireless sensor networks. Current proposals for routing protocols in sensor networks optimize for the limited capabilities of the nodes and the application specific nature of the networks, but do not consider security. Although these protocols have not been designed with security as a goal, we feel it is important to analyze their security properties. When the defender has the liabilities of insecure wireless communication, limited node capabilities, and possible insider threats, and the adversaries can use powerful laptops with high energy and long range communication to attack the network, designing a secure routing protocol is non-trivial.
One aspect of sensor networks that complicates the design of a secure routing protocol is in-network aggregation. In more conventional networks, a secure routing protocol is typically only required to guarantee message availability. Message integrity, authenticity, and confidentiality are handled at a higher layer by an end-to-end security mechanism such as SSH or SSL. End-to-end security is possible in more conventional networks because it is neither necessary nor desirable for intermediate routers to have access to the content of messages. However, in sensor networks, in-network processing makes end-to-end security mechanisms harder to deploy because intermediate nodes need direct access to the content of the messages. Link layer security mechanisms can help mitigate some of the resulting vulnerabilities, but they are not enough: we will now require much more from our routing protocols, and they must be designed with this in mind.
We present crippling attacks against all the major routing protocols for sensor networks. Because these protocols have not been designed with security as a goal, it is unsurprising they are all insecure. However, this is non-trivial to fix: it is unlikely a sensor network routing protocol can be made secure by incorporating security mechanisms after design has completed. Our assertion is that sensor network routing protocols must be designed with security in mind, and this is the only effective solution for secure routing in sensor networks.
We make five main contributions.
- We propose threat models and security goals for secure routing in wireless sensor networks.
- We introduce two novel classes of previously undocumented attacks against sensor networks: sinkhole attacks and HELLO floods.
- We show, for the first time, how attacks against ad-hoc wireless networks and peer-to-peer networks [1], [2] can be adapted into powerful attacks against sensor networks.
- We present the first detailed security analysis of all the major routing protocols and energy conserving topology maintenance algorithms for sensor networks. We describe practical attacks against all of them that would defeat any reasonable security goals. Fig. 1 summarizes our results.
- We discuss countermeasures and design considerations for secure routing protocols in sensor networks.
Background
We use the term sensor network to refer to a heterogeneous system combining tiny sensors and actuators with general-purpose computing elements. Sensor networks may consist of hundreds or thousands of low-power, low-cost nodes, possibly mobile but more likely at fixed locations, deployed en masse to monitor and affect the environment. For the remainder of this paper we assume that all nodes’ locations are fixed for the duration of their lifetime.
For concreteness, we target the Berkeley TinyOS
Sensor networks vs. ad-hoc wireless networks
Wireless sensor networks share similarities with ad-hoc wireless networks. The dominant communication method in both is multihop networking, but several important distinctions can be drawn between the two. Ad-hoc networks typically support routing between any pair of nodes [4], [5], [6], [7], whereas sensor networks have a more specialized communication pattern. Most traffic in sensor networks can be classified into one of three categories:
1. Many-to-one: Multiple sensor nodes send sensor readings
Related work
Security issues in ad-hoc networks are similar to those in sensor networks and have been well enumerated in the literature [8], [9], but the defense mechanisms developed for ad-hoc networks are not directly applicable to sensor networks. There are several reasons why this is so, but they all relate to the differences between sensor and ad-hoc networks enumerated in the previous section.
Some ad-hoc network security mechanisms for authentication and secure routing protocols are based on
Problem statement
Before diving into specific routing protocols, it helps to have a clear statement of the routing security problem. In the following sections we outline our assumptions about the underlying network, propose models for different classes of adversaries, and consider security goals in this setting.
Attacks on sensor network routing
Many sensor network routing protocols are quite simple, and for this reason are sometimes susceptible to attacks from the literature on routing in ad-hoc networks. Most network layer attacks against sensor networks fall into one of the following categories:
- spoofed, altered, or replayed routing information,
- selective forwarding,
- sinkhole attacks,
- Sybil attacks,
- wormholes,
- HELLO flood attacks,
- acknowledgement spoofing.
In the descriptions below, note the difference between attacks that try to
Attacks on specific sensor network protocols
All of the proposed sensor network routing protocols are highly susceptible to attack. Adversaries can attract or repel traffic flows, increase latency, or disable the entire network with sometimes as little effort as sending a single packet. In this section, we survey the proposed sensor network routing protocols and highlight the relevant attacks.
Outsider attacks and link layer security
The majority of outsider attacks against sensor network routing protocols can be prevented by simple link layer encryption and authentication using a globally shared key. The Sybil attack is no longer relevant because nodes are unwilling to accept even a single identity of the adversary. The majority of selective forwarding and sinkhole attacks are not possible because the adversary is prevented from joining the topology. Link layer acknowledgements can now be authenticated.
Major classes of
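The link layer authentication with a globally shared key described in this section, sketched as an added example that is not code from the paper or from TinyOS. The frame layout, the 8-byte tag, the per-sender counter used to reject replays, and the use of HMAC-SHA256 in place of whatever MAC a mote would run are all assumptions, and encryption is left out.

```python
import hashlib
import hmac
import struct

NETWORK_KEY = b"constructed-demo-key"   # constructed sample; shared by every legitimate node
TAG_LEN = 8                             # assumption: truncated MAC to suit small radio frames
HDR = struct.Struct(">HI")              # hypothetical header: sender id (2 bytes), counter (4 bytes)

def seal(key, sender, counter, payload):
    """Return header | payload | tag, with the tag computed over header and payload."""
    body = HDR.pack(sender, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_counter = {}          # sender id -> highest counter accepted so far

    def accept(self, frame):
        """Return (sender, payload) for an authentic, fresh frame, otherwise None."""
        if len(frame) < HDR.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                 # sent without the network key, or altered in transit
        sender, counter = HDR.unpack(body[:HDR.size])
        if counter <= self.last_counter.get(sender, -1):
            return None                 # replay of a frame already accepted
        self.last_counter[sender] = counter
        return sender, body[HDR.size:]

def demo():
    """Run constructed frames through one receiver and report which are accepted."""
    rx = Receiver(NETWORK_KEY)
    beacon = seal(NETWORK_KEY, 7, 1, b"hops=2")       # legitimate routing beacon from node 7
    altered = bytearray(seal(NETWORK_KEY, 7, 2, b"hops=2"))
    altered[HDR.size + 5] ^= 0x01                      # one payload bit changed in transit
    return {
        "legitimate": rx.accept(beacon),
        "replayed": rx.accept(beacon),
        "altered": rx.accept(bytes(altered)),
        "no_key": rx.accept(seal(b"some-other-key", 9, 1, b"hops=0")),
        # Limit of a global key: it proves network membership, not which node sent the frame.
        "keyholder_other_id": rx.accept(seal(NETWORK_KEY, 8, 1, b"hops=2")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The last case is the reason a shared key only addresses outsiders: any node holding the key produces frames that verify under any sender id.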
Ultimate limitations of secure multihop routing
An ultimate limitation of building a multihop routing topology around a fixed set of base stations is that those nodes within one or two hops of the base stations are particularly attractive for compromise. After a significant number of these nodes have been compromised, all is lost.
This indicates that clustering protocols like LEACH where cluster-heads communicate directly with a base station may ultimately yield the most secure solutions against node compromise and insider attacks.
Another
Conclusion
Secure routing is vital to the acceptance and use of sensor networks for many applications, but we have demonstrated that currently proposed routing protocols for these networks are insecure. We leave it as an open problem to design a sensor network routing protocol that satisfies our proposed security goals. Link layer encryption and authentication mechanisms may be a reasonable first approximation for defense against mote-class outsiders, but cryptography alone is not enough. The possible
Acknowledgements
We gratefully acknowledge DARPA NEST contract F33615-01-C-1895 for supporting this work.
Chris Karlof is a second year graduate student in the Computer Science Division at the University of California at Berkeley. His research interests include distributed system and network security, side channel attacks, and applications of trustworthy computing.
References (48)
- Y.-C. Hu, A. Perrig, D.B. Johnson, Packet leashes: a defense against wormhole attacks in wireless networks, in: IEEE...
- J.R. Douceur, The Sybil attack, in: 1st International Workshop on Peer-to-Peer Systems (IPTPS ’02),...
- J. Hill, R. Szewczyk, A. Woo, S. Hollar, D. Culler, K. Pister, System architecture directions for networked sensors,...
- V.D. Park, M.S. Corson, A highly adaptive distributed routing algorithm for mobile wireless networks, in: IEEE INFOCOM...
- C. Perkins, E. Royer, Ad-hoc on-demand distance vector routing, in: MILCOM ’97 Panel on Ad Hoc Networks,...
- et al., Dynamic source routing in ad hoc wireless networks
- C. Perkins, P. Bhagwat, Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers, in:...
- et al., Securing ad hoc networks, IEEE Network Magazine (1999)
- F. Stajano, R.J. Anderson, The resurrecting duckling: security issues for ad-hoc wireless networks, in: Seventh...
- J. Hubaux, L. Buttyan, S. Capkun, The quest for security in mobile ad hoc networks, in: Proceedings of the ACM...
- Authenticated ad hoc routing at the link layer for mobile systems, Wireless Networks
- Adaptive security for multilayer ad-hoc networks, Wireless Communications and Mobile Computing
David Wagner is an Assistant Professor in the Computer Science Division at the University of California at Berkeley. He and his Berkeley colleagues are known for discovering a wide variety of security vulnerabilities in various cellphone standards, 802.11 wireless networks, and other widely deployed systems. In addition, he was a co-designer of one of the Advanced Encryption Standard candidates, and he remains active in the areas of systems security, cryptography, and privacy.