Elsevier

Ad Hoc Networks

Volume 1, Issues 2–3, September 2003, Pages 293-315
Ad Hoc Networks

Secure routing in wireless sensor networks: attacks and countermeasures

https://doi.org/10.1016/S1570-8705(03)00008-8Get rights and content

Abstract

We consider routing security in wireless sensor networks. Many sensor network routing protocols have been proposed, but none of them have been designed with security as a goal. We propose security goals for routing in sensor networks, show how attacks against ad-hoc and peer-to-peer networks can be adapted into powerful attacks against sensor networks, introduce two classes of novel attacks against sensor networks––sinkholes and HELLO floods, and analyze the security of all the major sensor network routing protocols. We describe crippling attacks against all of them and suggest countermeasures and design considerations. This is the first such analysis of secure routing in sensor networks.

Introduction

Our focus is on routing security in wireless sensor networks. Current proposals for routing protocols in sensor networks optimize for the limited capabilities of the nodes and the application specific nature of the networks, but do not consider security. Although these protocols have not been designed with security as a goal, we feel it is important to analyze their security properties. When the defender has the liabilities of insecure wireless communication, limited node capabilities, and possible insider threats, and the adversaries can use powerful laptops with high energy and long range communication to attack the network, designing a secure routing protocol is non-trivial.

One aspect of sensor networks that complicates the design of a secure routing protocol is in-network aggregation. In more conventional networks, a secure routing protocol is typically only required to guarantee message availability. Message integrity, authenticity, and confidentiality are handled at a higher layer by an end-to-end security mechanism such as SSH or SSL. End-to-end security is possible in more conventional networks because it is neither necessary nor desirable for intermediate routers to have access to the content of messages. However, in sensor networks, in-network processing makes end-to-end security mechanisms harder to deploy because intermediate nodes need direct access to the content of the messages. Link layer security mechanisms can help mediate some of the resulting vulnerabilities, but it is not enough: we will now require much more from our routing protocols, and they must be designed with this in mind.

We present crippling attacks against all the major routing protocols for sensor networks. Because these protocols have not been designed with security as a goal, it is unsurprising they are all insecure. However, this is non-trivial to fix: it is unlikely a sensor network routing protocol can be made secure by incorporating security mechanisms after design has completed. Our assertion is that sensor network routing protocols must be designed with security in mind, and this is the only effective solution for secure routing in sensor networks.

We make five main contributions.

  • We propose threat models and security goals for secure routing in wireless sensor networks.

  • We introduce two novel classes of previously undocumented attacks against sensor networks1––sinkhole attacks and HELLO floods.

  • We show, for the first time, how attacks against ad-hoc wireless networks and peer-to-peer networks [1], [2] can be adapted into powerful attacks against sensor networks.

  • We present the first detailed security analysis of all the major routing protocols and energy conserving topology maintenance algorithms for sensor networks. We describe practical attacks against all of them that would defeat any reasonable security goals. Fig. 1 summarizes our results.

  • We discuss countermeasures and design considerations for secure routing protocols in sensor networks.

Section snippets

Background

We use the term sensor network to refer to a heterogeneous system combining tiny sensors and actuators with general-purpose computing elements. Sensor networks may consist of hundreds or thousands of low-power, low-cost nodes, possibly mobile but more likely at fixed locations, deployed en masse to monitor and affect the environment. For the remainder of this paper we assume that all nodes’ locations are fixed for the duration of their lifetime.

For concreteness, we target the Berkeley TinyOS

Sensor networks vs. ad-hoc wireless networks

Wireless sensor networks share similarities with ad-hoc wireless networks. The dominant communication method in both is multihop networking, but several important distinctions can be drawn between the two. Ad-hoc networks typically support routing between any pair of nodes [4], [5], [6], [7], whereas sensor networks have a more specialized communication pattern. Most traffic in sensor networks can be classified into one of three categories:

  • 1.

    Many-to-one: Multiple sensor nodes send sensor readings

Related work

Security issues in ad-hoc networks are similar to those in sensor networks and have been well enumerated in the literature [8], [9], but the defense mechanisms developed for ad-hoc networks are not directly applicable to sensor networks. There are several reasons for why this is so, but they all relate to the differences between sensor and ad-hoc networks enumerated in the previous section.

Some ad-hoc network security mechanisms for authentication and secure routing protocols are based on

Problem statement

Before diving into specific routing protocols, it helps to have a clear statement of the routing security problem. In the following sections we outline our assumptions about the underlying network, propose models for different classes of adversaries, and consider security goals in this setting.

Attacks on sensor network routing

Many sensor network routing protocols are quite simple, and for this reason are sometimes susceptible to attacks from the literature on routing in ad-hoc networks. Most network layer attacks against sensor networks fall into one of the following categories:

  • spoofed, altered, or replayed routing information,

  • selective forwarding,

  • sinkhole attacks,

  • Sybil attacks,

  • wormholes,

  • HELLO flood attacks,

  • acknowledgement spoofing.


In the descriptions below, note the difference between attacks that try to

Attacks on specific sensor network protocols

All of the proposed sensor network routing protocols are highly susceptible to attack. Adversaries can attract or repel traffic flows, increase latency, or disable the entire network with sometimes as little effort as sending a single packet. In this section, we survey the proposed sensor network routing protocols and highlight the relevant attacks.

Outsider attacks and link layer security

The majority of outsider attacks against sensor network routing protocols can be prevented by simple link layer encryption and authentication using a globally shared key. The Sybil attack is no longer relevant because nodes are unwilling to accept even a single identity of the adversary. The majority of selective forwarding and sinkhole attacks are not possible because the adversary is prevented from joining the topology. Link layer acknowledgements can now be authenticated.

Major classes of

Ultimate limitations of secure multihop routing

An ultimate limitation of building a multihop routing topology around a fixed set of base stations is that those nodes within one or two hops of the base stations are particularly attractive for compromise. After a significant number of these nodes have been compromised, all is lost.

This indicates that clustering protocols like LEACH where cluster-heads communicate directly with a base station may ultimately yield the most secure solutions against node compromise and insider attacks.

Another

Conclusion

Secure routing is vital to the acceptance and use of sensor networks for many applications, but we have demonstrated that currently proposed routing protocols for these networks are insecure. We leave it as an open problem to design a sensor network routing protocol that satisfies our proposed security goals. Link layer encryption and authentication mechanisms may be a reasonable first approximation for defense against mote-class outsiders, but cryptography alone is not enough. The possible

Acknowledgements

We gratefully acknowledge DARPA NEST contract F33615-01-C-1895 for supporting this work.

Chris Karlof is a second year graduate student in the Computer Science Division at the University of California at Berkeley. His research interests include distributed system and network security, side channel attacks, and applications of trustworthy computing.

References (48)

  • Y.-C. Hu, A. Perrig, D.B. Johnson, Packet leashes: a defense against wormhole attacks in wireless networks, in: IEEE...
  • J.R. Douceur, The Sybil attack, in: 1st International Workshop on Peer-to-Peer Systems (IPTPS ’02),...
  • J. Hill, R. Szewczyk, A. Woo, S. Hollar, D. Culler, K. Pister, System architecture directions for networked sensors,...
  • V.D. Park, M.S. Corson, A highly adaptive distributed routing algorithm for mobile wireless networks, in: IEEE INFOCOM...
  • C. Perkins, E. Royer, Ad-hoc on-demand distance vector routing, in: MILCOM ’97 Panel on Ad Hoc Networks,...
  • D.B Johnson et al.

    Dynamic source routing in ad hoc wireless networks

  • C. Perkins, P. Bhagwat, Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers, in:...
  • L Zhou et al.

    Securing ad hoc networks

    IEEE Network Magazine

    (1999)
  • F. Stajano, R.J. Anderson, The resurrecting duckling: security issues for ad-hoc wireless networks, in: Seventh...
  • J. Hubaux, L. Buttyan, S. Capkun, The quest for security in mobile ad hoc networks, in: Proceedings of the ACM...
  • J. Kong, P. Zerfos, H. Luo, S. Lu, L. Zhang, Providing robust and ubiquitous security support for mobile ad-hoc...
  • M.G. Zapata, Secure ad-hoc on-demand distance vector (SAODV) routing, IETF MANET Mailing List, Message-ID:...
  • H. Luo, P. Zefros, J. Kong, S. Lu, L. Zhang, Self-securing ad hoc wireless networks, in: Seventh IEEE Symposium on...
  • J Binkley et al.

    Authenticated ad hoc routing at the link layer for mobile systems

    Wireless Networks

    (2001)
  • B. Dahill, B.N. Levine, E. Royer, C. Shields, A secure routing protocol for ad-hoc networks, Tech. Rep. UM-CS-2001-037,...
  • J Kong et al.

    Adaptive security for multilayer ad-hoc networks

    Wireless Communications and Mobile Computing

    (2002)
  • Y.-C. Hu, D.B. Johnson, A. Perrig, SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks,...
  • Y.-C. Hu, A. Perrig, D.B. Johnson, Ariadne: a secure on-demand routing protocol for ad hoc networks, in: MOBICOM,...
  • S. Basagni, K. Herrin, E. Rosti, D. Bruschi, Secure pebblenets, in: ACM International Symposium on Mobile Ad Hoc...
  • P. Papadimitratos, Z. Haas, Secure routing for mobile ad hoc networks, in: SCS Communication Networks and Distributed...
  • S. Marti, T.J. Giuli, K. Lai, M. Baker, Mitigating routing misbehavior in mobile ad hoc networks, in: Sixth Annual...
  • S. Buchegger, J.-Y.L. Boudec, Nodes bearing grudges: towards routing security, fairness, and robustness in mobile ad...
  • A. Perrig, R. Szewczyk, V. Wen, D. Culler, J. Tygar, SPINS: security protocols for sensor networks, in: Proceedings of...
  • A. Demers, S. Shenker, V. Bhargavan, L. Zhang, Macaw: a media access protocol for wireless lans, in: ACM SigComm ’94,...
  • Cited by (1305)

    • Software-Defined Wireless Sensor Network: A Comprehensive Survey

      2023, Journal of Network and Computer Applications
    View all citing articles on Scopus

    Chris Karlof is a second year graduate student in the Computer Science Division at the University of California at Berkeley. His research interests include distributed system and network security, side channel attacks, and applications of trustworthy computing.

    David Wagner is an Assistant Professor in the Computer Science Division at the University of California at Berkeley. He and his Berkeley colleagues are known for discovering a wide variety of security vulnerabilities in various cellphone standards, 802.11 wireless networks, and other widely deployed systems. In addition, he was a co-designer of one of the Advanced Encryption Standard candidates, and he remains active in the areas of systems security, cryptography, and privacy.

    View full text