Download Security In Wireless Sensor Networks

Security in Wireless Sensor
Networks
Adrian Perrig, John Stankovic,
and David Wagner
Overview
• WSN security: Too many problems... A number of solutions...
Enough?
• Survey Paper: outlines security issues, discusses some existing
solutions, and suggests possible research directions
• Issues include:
– key establishment
– secrecy
– authentication
– privacy
– denial-of-service attacks  More info in a later set of slides
– secure routing  More info in a later set of slides
– node capture
• Also discuses some sample security services for wireless sensor
networks
Problems Applying Traditional Network Security
Techniques
• Sensor devices are limited in their energy,
computation, and communication capabilities
• Sensor nodes are often deployed in open
areas, thus allowing physical attack
• Sensor networks closely interact with their
physical environments and with people,
posing new security problems
Key Establishment and Trust
• Sensor devices have limited computational power,
making public-key cryptographic primitives too
expensive in terms of system overhead.
• Simplest solution is a network-wide shared key
– problem: if even a single node were compromised, the secret
key would be revealed, and decryption of all network traffic
would be possible
• Slightly better solution:
– use a single shared key to establish a set of link keys, one
per pair of communicating nodes, then erase the networkwide key
– problem: does not allow addition of new nodes after initial
deployment
Key Establishment (continued)
• Bootstrapping keys using a trusted base
station
– Each node needs to share only a single key
with the base station and set up keys with
other nodes through the base station
– The base station becomes a single point of
failure
• Utilize tamper-resistant packaging for the base
station, reducing the threat of physical attack
• Most existing work assumes base station is safe
– Good assumption???
Random-key pre-distribution protocols
• Large pool of symmetric keys is chosen
• Random subset of the pool is distributed to each sensor node
• To communicate, two nodes search their pools for a common key
– If they find one, they use it to establish a session key
– Not every pair of nodes shares a common key, but if the keyestablishment probability is sufficiently high, nodes can
securely communicate with sufficiently many nodes to obtain
a connected network
• No need to include a central trusted base station
• Disadvantage: Attackers who compromised sufficiently many
nodes could also reconstruct the complete key pool and break
the scheme
Secrecy and Authentication
• We need cryptography as protection against
eavesdropping, injection, and modification of packets
• Trade-offs when incorporating cryptography into
sensor networks:
– end-to-end cryptography achieves a high level of security but
requires that keys be set up among all end points and be
incompatible with passive participation and local broadcast
– link-layer cryptography with a network-wide shared key
simplifies key setup and supports passive participation and
local broadcast, but intermediate nodes might eavesdrop or
alter messages
Hardware vs. Software Cryptography
• Hardware solutions are generally more efficient, but
also more costly ($)
• University of California, Berkeley, implementation of
TinySec incurs only an additional 5%–10%
performance overhead using software-only methods
– Most of the overhead is due to increases in packet size
– Cryptographic calculations have little effect on latency or
throughput, since they can overlap with data transfer
– Hardware reduces only the computational costs, not packet
size
• Thus, software-only techniques are sufficient (or
reasonable to be more careful)
Privacy
• Issues
–
–
–
–
Employers might spy on their employees
Shop owners might spy on customers
Neighbours might spy on each other
Law enforcement agencies might spy on
public places
• Technological improvements will only
worsen the problem
– Devices will get smaller and easier to
conceal
– Devices will get cheaper, thus surveillance
will be more affordable
Privacy (continued)
• Sensor networks raise new threats that are
qualitatively different from what private citizens
worldwide faced before
– Sensor networks allow data collection, coordinated analysis,
and automated event correlation
– Networked systems of sensors can enable routine tracking of
people and vehicles over long periods of time
– EZ Pass + OnStar == Big Brother?
• Suggested ways of approaching solution include a mix
of:
– Societal norms
– New laws
– Technological responses
Robustness to Denial of Service
• Simple form: Radio jamming
• Sophisticated form: Transmit while a
neighbor is also transmitting or continuously
generating a request-to-send signal
• Possible solution (when the jamming affects
only a portion of the network):
– Detect the jamming
– Map the affected region
– Route around the jammed area
Secure Routing
• Proper routing and forwarding are essential for
communication in sensor networks
• Injection attacks
– Transmit malicious routing information into the network
resulting in routing inconsistencies
– Authentication might guard against injection attacks, but
some routing protocols are vulnerable to replay by the
attacker of legitimate routing messages
• Sensor network routing protocols are particularly
susceptible to node-capture attacks
– Compromise of a single node could be enough to take over the
entire network or prevent any communication within it
Resilience to Node Capture
• In traditional computing, physical security is often
taken for granted
• Sensor nodes, by contrast, are likely to be placed in
open locations
– Attacker might capture sensor nodes
– Extract cryptographic secrets
– Modify programs/Replace them with malicious nodes
• Tamper-resistant packaging may be one defense, but
it’s expensive
Algorithmic Solutions
to Node Capture
• Attempt to build networks that operate
correctly even in the presence of nodes that
might behave in an arbitrarily malicious way
– Replicate state across the network and use
majority voting to detect inconsistencies
– Gather redundant views of the environment and
crosscheck them for consistency
• Most challenging problems in sensor network
security
– We are far from a complete solution
Network Security Services
• So far, we’ve explored low-level security
primitives for securing sensor networks.
• Now, we consider high-level security
mechanisms.
– Secure group management
– Intrusion detection
– Secure data aggregation
Secure Group Management
• Protocols for group management are
required to
– securely admit new group members
– support secure group communication
• Outcome of group computation must be
authenticated to ensure it comes from a
valid group
• Any solution must also be efficient in
terms of time and energy
Intrusion detection
• In wired networks, traffic and computation are typically
monitored and analyzed for anomalies at various
concentration points
– expensive in terms of the network’s memory and energy
consumption
– hurts bandwidth constraints
• Wireless sensor networks require a solution that is fully
distributed and inexpensive in terms of communication,
energy, and memory requirements
• In order to look for anomalies, applications and typical
threat models must be understood
• It is particularly important for researchers and
practitioners to understand how cooperating adversaries
might attack the system
• The use of secure groups may be a promising approach for
decentralized intrusion detection
Secure Data Aggregation
• One benefit of a wireless sensor network is the fine-grain
sensing that large and dense sets of nodes can provide
• The sensed values must be aggregated to avoid
overwhelming amounts of traffic back to the base station
• Depending on the architecture of the network, aggregation
may take place in many places
– All aggregation locations must be secured
• If the application tolerates approximate answers, powerful
techniques are available
– Randomly sampling a small fraction of nodes and checking
that they have behaved properly supports detection of
many different types of attacks
Conclusions
• Constraints and open environments of wireless sensor
networks make security for these systems challenging.
• Several properties of sensor networks may provide
solutions.
– architect security into these systems from the
outset (they are still in their early design stages)
– exploit redundancy, scale, and the physical
characteristics of the environment in the solutions
– build sensor networks so that they can detect and
work around some fraction of their nodes which are
compromised
Future Research Areas
• Securing wireless communication links against
– Eavesdropping
– Tampering
– Traffic analysis
– Denial of service
• Resource constraints
• Asymmetric protocols
– Most of the computation done at base station
• Public-key cryptographic systems
– How to make efficient on low-end devices?
• Working around the lack of physical security
– redundancy
– knowledge about the physical environment
Denial of Service in
Sensor Networks
Anthony D. Wood
and John A. Stankovic
Why Security?
• Battlefield
• Disasters
– Protect the location and status of casualties from
unauthorized disclosure, particularly if the disaster relates
to ongoing terrorist activities
• Public safety
– False alarms about chemical, biological, or environmental
threats could cause panic or disregard for warning systems.
An attack on the system’s availability could precede a real
attack on the protected resource
• Home healthcare
– Because protecting privacy is paramount, only authorized
users can query or monitor the network. These networks can
also form critical pieces of an accident-notification chain,
thus they must be protected from failure
DENIAL OF SERVICE THREAT
• A DoS attack is any event that diminishes or
eliminates a network’s capacity to perform its
expected function
• Hardware failures, software bugs, resource
exhaustion, environmental conditions, or their
combination
• Intentional Attack
Adversary Capability
• Physically damaged or manipulated node
– May be less powerful than a normally functioning
node
• Subverted nodes (or added ones)
– Interact with the network only through software
– As powerful as other nodes
• Immensely more powerful adversaries
– Existing wired network with virtually unlimited
computational and energy resources possible
Attacks on Physical Layer
• Jamming
– Defenses
• Spread-spectrum
• Region mapping: Less expensive
• Tampering
– Defenses: Tamper-proofing, hiding
Link Layer Attacks
• Collision
– Use error-correcting codes
• Exhaustion
– Rate limitation
• Unfairness
– Small frames
Network and Routing Attacks
• Neglect and greed
– Redundancy, probing
• Traffic analysis
– Encryption: enough? Maybe not
• Misdirection
– Egress filtering, authorization, monitoring
• Black holes
– Authorization, monitoring, probing,
redundancy
Neglect and Greed
• Neglect
– Drops packets arbitrarily
• Greed
– Gives undue priority to it’s own messages
• Use multiple paths and/or redundant
messages to mitigate these effects.
Traffic Analysis
• Geographic forwarding allows attacker to
figure out where important nodes are
• Encrypting headers as well as content might
alleviate this issue
• Cryptographic means may not help when the
communication pattern is many-to-one
– Just watch traffic intensity
– INSENS [ICDCS ‘03]
Misdirection
• Diverting traffic away from intended
destination
– Targets the sender
• Misdirecting many flows in one direction
– Targets an arbitrary victim (receiver)
• Defense
– Egress Filtering
• Verification of source addresses
• Legitimately generated from below?
Black Holes
• Distance-vector-based protocol weakness
• Nodes advertise zero-cost routes to every
other node.
• Fixes:
– Authorization
– Monitoring
• Watchdog the next hop transmission of your packets by
neighbors [Mobicom ’00]
– Probing
• Send periodic messages across topology to test for
blackout regions
– Redundancy
Transport Layer DoS
• Flooding
– Client puzzles
• Make the adversary commit resources
• Only useful if the adversary has limited
resources
• Desynchronization
– Authentication
PROTOCOL VULNERABILITIES to
DoS
Analyzing these vulnerabilities helps
show why developers should consider
DoS susceptibility at design time.
Adaptive Rate Control – MAC Protocol
by Woo & Cull
• Give preference to route-through traffic
– This preserves the network’s investment in packets
that may have already traversed many hops
• Makes flooding attacks more effective
– High bandwidth packet streams that an adversary
generates will receive preference
– Thus, the network gives preference to malicious
traffic
RAP
• Real-time communication architecture
– Geographic forwarding
– Velocity monotonic scheduling (VMS) policy
• Originator of message sets deadline and
destination
– VMS layer computes velocity based on time
to deadline and distance remaining
RAP Vulnerability
• Flood with high velocity packets
– Set destination at long distance
• Possibly outside the network
• Intermediate node adversary could lower the
velocity of route through traffic
– Causes deadline misses
• If relying on a synchronized clock, attacking
that mechanism could cause another node to
always drop
– Protecting clock synchronization is a challenging
yet important problem by itself
Secure Routing in Wireless Sensor
Networks: Attacks and
Countermeasures
Chris Karlof and David Wagner
Key Contributions
• Secure routing issues in WSNs
– Show how they are different from ad hoc
networks
– Introduce two new classes of attacks
• Sinkhole attack
• Hello flood attack
• Analyze security aspects of major routing
protocols
• Discuss countermeasures & design
considerations for secure routing in WSNs
WSNs vs. Ad Hoc Networks
• Multi-hop wireless communications
• Ad hoc nets: communication between two
arbitrary nodes
• WSNs
– Specialized communication patterns
• Many-to-one
• One-to-many
• Local communication
– More resource constrained
– More trust needed for in-network processing,
aggregation, duplicate elimination
Assumptions
• Insecure radio links
• Malicious nodes can collude to attack
the WSN
• Sensors are not tamper-resistant
• Adversary can access all key material,
data & code
• Aggregation points may not be
trustworthy
• Base station is trustworthy
Threat Models
• Device capability
– Mote class attacker
– Laptop class attacker: more energy, more
powerful CPU, sensitive antenna, more radio
power
• Attacker type
– Outside attacker: External to the network
– Inside attacker: Authorized node in the
WSN is compromised or malicious
Security Goals
• Secure routing
– Support integrity, authenticity, availability
of messages in presence of attack
– Data confidentiality
Potential Attacks
• Attacks on general WSN routing
• Attacks on specific WSN protocols
Attacks on General WSN Routing
Protocols
• Spoof, alter, or replay routing info.
– Create loops, attack or repel network
traffic, partition the network, attract or
repel network traffic, etc.
– Message authentication can partly handle
these issues
• Selective forwarding
– Malicious node selectively drops incoming
packets
Sinkhole attack
• Specific to WSNs
– All packets are directed to base station
– A malicious node advertises a high quality
link to the base station to attract a lot of
packets
– Enable other attacks, e.g., selective
forwarding or wormhole attack
Sybil attack
• A single node presents multiple ID’s to other
nodes
• Affect geographic routing, distributed
storage, multi-path routing, topology
maintenance
Wormhole attack
• Two colluding nodes
• A node at one end of the wormhole
advertises high quality link to the base
station
• Another node at the other end receives
the attracted packets
Hello flood attack
• Specific to WSNs
– In some protocols, nodes have to periodically
broadcast “hello” to advertise themselves
• Not authenticated!
– Laptop-class attacker can convince it’s a neighbor
of distant nodes by sending high power hello
messages
Acknowledge spoofing
• Adversary spoofs ACKs to convince the
sender a weak/dead link support good
link quality
Attacks on Specific Routing Protocols
• TinyOS beaconing
– Construct a BFS rooted at the base station
– Beacons are not authenticated
– Adversary can take over the whole WSN by
broadcasting beacons
Directed diffusion
• Replay interest
• Selective forwarding & data tampering
• Inject false data
Geographic routing
• Adversary can provide false, possibly
multiple, location info.
– Create routing loop
– GEAR considers energy in addition to
location
• Laptop-class attacker can exploit it
Countermeasures
• Shared key & link layer encryption
– Prevent outsider attacks, e.g., Sybil attacks, selective
forwarding, ACK spoofing
– Cannot handle insider attacks
• Wormhole, Hello flood, TinyOS beaconing
• Sybil attack
– Every node shares a unique secret key with the base station
– Create pairwise shared key for msg authentication
– Limit the number of neighbors for a node
• Hello flood attack
– Verify link bidirectionality
– Doesn’t work if adversary has very sensitive radio
Countermeasures
• Wormhole, sinkhole attack
– Cryptography may not help directly
– Good routing protocol design
– Geographic routing
• Geographic routing
– Location verification
– Use fixed topology, e.g., grid structure
• Selective forwarding
–
–
–
–
Multi-path routing
Route messages over disjoint or Braided paths
Dynamically pick next hop from a set of candidates
Measure the trustworthiness of neighbors
Countermeasures
• Authenticated broadcast
– uTESLA
• Base station floods blacklist
– Should be authenticated
– Adversaries must not be able to spoof
Conclusions
• WSN security is challenging, new area
of research
• #Problems >> #Solutions
• Any ideas to address a problem?