Introduction to Sensor Networks

Rabie A. Ramadan, PhDCairo University

http://rabieramadan.org rabie@rabieramadan.org

4

Security in WSN

2

3

Security Requirements Availability Data Confidentiality Data Integrity Non-repudiation Authorization and Key Management

4

Security Solution Constraints Lightweight Decentralized Reactive Fault-tolerant

5

Challenges in WSNs

Sensor node hardware, resource constraints

Algos must be energy- and storage-efficient

Nodes operate unattended Adversary can compromise any node

Nodes not tamper-resistant Adversary can compromise any node’s keys

No fixed infrastructure Cannot assume any special-function node in vicinity

No pre-config’ed topology Nodes don’t know neighbours in advance

Communicate in an open medium

Communications are world-readable and world-writeable by

default

Constraints Implications

6

Security design principles Favour computation over communication

• Communication 1000 times more energy-consuming than computation

Favour resilience (tolerance) over absolute security

7

WSN Security Research Fields Routing security Data forwarding security Link layer security Key management . .

Security issues in WSN The discussed applications require communication in WSN to be

highly secure Main security threats in WSN are:

• Radio links are insecure – eavesdropping / injecting faulty information is possible

• Sensor nodes are not temper resistant – if it is compromised attacker obtains all security information

Attacker types:• Mote-class: attacker has access to some number of nodes with similar

characteristics / laptop-class: attacker has access to more powerful devices

• Outside (discussed above) / inside: attacker compromised some number of nodes in the network

Attacks on WSN Main types of attacks on WSN are:

• Spoofed, altered, or replayed routing information• Selective forwarding • Sinkhole attack• Sybil attack• Wormholes• HELLO flood attacks• Acknowledgment spoofing

False routing information Injecting fake routing

control packets into the network, examples: attract / repeal traffic, generate false error messages.

Consequences: routing loops, increased latency, decreased lifetime of the network, low reliability

B A1

A3A2

A4

Example: captured node attracts traffic by advertising shortest path

to sink, high battery power, etc

Selective forwarding Multi hop paradigm is prevalent in WSN It is assumed that nodes faithfully forward received

messages Compromised node might refuse to forward

packets, however neighbors might start using another route

More dangerous: compromised node forwards selected packets

Sinkhole and Sybil attacks Sinkhole attack:

• Idea: attacker creates metaphorical sinkhole by advertising for example high quality route to a base station

• Laptop class attacker can actually provide this kind of route connecting all nodes to real sink and then selectively drop packets

• Almost all traffic is directed to the fake sinkhole• WSN are highly susceptible to this kind of attack because of the

communication pattern: most of the traffic is directed towards sink – single point of failure.

Sybil attack:• Idea: a single node pretends to be present in different parts of the

network. • Mostly affects geographical routing protocols

Wormholes Idea: tunnel packets

received on one part of the network to another

Well placed wormhole can completely disorder routing

Wormholes may convince distant nodes that they are close to sink. This may lead to sinkhole if node on the other end advertises high-quality route to sink

Wormholes (cont.) Wormholes can exploit routing race conditions which

happens when node takes routing decisions based on the first route advertisement

Even encryption can not prevent this attack

Wormholes may be used in conjunction with sybil attack

HELLO flood attack Many WSN routing

protocols require nodes to broadcast HELLO packets after deployment, which is a sort of neighbor discovery based on radio range of the node

Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink

Acknowledgment spoofing Some routing protocols use

link layer acknowledgments Attacker may spoof acks Goals: convince that weak

link is strong or that dead node is alive.

Consequently weak link may be selected for routing; packets send through that link may be lost or corrupted

Overview of Countermeasures Link layer encryption prevents majority of attacks: bogus

routing information, Sybil attacks, acknowledgment spoofing, etc.

This makes the development of an appropriate key management architecture a task of a great importance

Wormhole attack, HELLO flood attacks and some others are still possible: attacker can tunnel legitimate packets to the other part of the network or broadcast large number of HELLO packets

Multi path routing, bidirectional link verification can also be used to prevent particular types of attacks like selective forwarding, HELLO flood

Part One

Secure data aggregation

19

Phase 1: Query dissemination

Sample query: SELECT AVERAGE(temperature) FROM sensorsWHERE floor = 6EPOCH DURATION 30s

20

Phase 2: Data aggregation

aggregate

aggregate

aggregate

Types of aggregation:(1) basic aggregation, (2) data compression, (3) parameter estimation

21

Phase 3: Result verification (optional)

“Did you really report this?”

“Did you really report this?”

“Did you really report this?”

“Did you really report this?”

“Did you really report this?”

“Did you really report this?”

22

Security goals of data aggregation Robustness: Byzantine

corruption of data would not make aggregation result totally meaningless

Confidentiality: To ensure that other than the sink and the sources, no intermediate node should have knowledge of the raw data or the aggregation result

perform averaging1

23

1000

So the average is 251.5… Oh wait a

minute

sources

sinkWhat

the hell am I

aggregating?

What the hell

am I forwardi

ng?

23

Voting

Resource-intensive, only good for mission-critical, small-scale networks

1

1

2

3 300

malicious

malicious

No

No

No

No Yes

“is mean = 61.4 reasonable?”

malicious

Alright, 61.4 is not

reasonable!

24

Interactive proof algo By [Przydatek et al. 2003], algo for proving probabilistically a

given figure is indeed the median of the samples Example for the sake of intuition:

1 2 3 4 5 6

1 Prover must have the samples sorted first

2 Prover tells the verifier median is 3.5 and the no. of samples is 6

3 Verifier asks for the 3rd sample, prover tells the 3rd sample is 3 < 3.5, verifier is happy but still suspicious

4 Verifier asks for the 4th sample, prover tells the 4th sample is 4 > 3.5, verifier is happy but still suspicious

5 Verifier asks for the 1st and 6th sample, prover tells 1st is 1 < 3.5 and 6th is 6 > 3.5, verifier says: “Alright, I’ve sampled enough, median should be 3.5 at high probability”.

Relies on the trustworthiness of thesamples, but how do we make sure?

Key Management Techniques

Eng. Ahmed Ezz

Location verification – SerLoc (Secure Range-independent

localization)

26

What is location verification? Different assumptions from general localization

• What if some malicious nodes lie about their location?• Sample attack scenario

• Claim to be very close to the sink• Attract many packets• Drop some or all of them• Very easy DoS attack especially for geographic routing protocols

28

• Secure Verification of Location Claims[Sastry et al. WISE 2002].

• Location Privacy Privacy-aware Location Sensor Networks [Gruteser et al.

USENIX 2003].• Secure Localization: Ensure robust location estimation

even in the presence of adversaries.SeRLoc: [Lazos and Poovendran, WISE 2004].S-GPS: [Kuhn 2004].SPINE: [Capkun & Hubeaux, Infocom 2005].

Secure Location Services

29

• SeRLoc: SEcure Range-independent LOCalization.

• SeRLoc features• No ranging hardware required.• Decentralized Implementation, Scalable.• Robust against attacks - Lightweight

security.

SeRLoc

30

Locators: Randomly deployed Known Location, OrientationDirectional Antennas

(X1, Y1)(X3, Y3)

(X4, Y4)

(X5, Y5)

(X2, Y2)

N

S

EW

Two-tier network architectureSensors: Randomly deployed, unknown location r

R

Locator range R

Beamwidth θ

θ

Omnidirectional AntennasSensor range r

Locator Sensor

31

Locator Sensor

L1

L4

L3

(0, 0)

s

L3

ROI

The Idea of SeRLoc

• Each locator Li transmits information that defines the sector Si, covered by each transmission.

• Sensor defines the region of intersection (ROI) from all locators it hears.

sLH

iiSROI

1

How SerLoc works Node i claims its location is (x, y) Node i needs to send (x, y) a location verification request

msg to a nearby verifier• A verifier can be a normal sensor node

The verifier sends a random nonce to node i and start the clock

Node i has to immediately return the challenge through both radio and ultrasonic channels

The verifier measures the time for node i returning the challenge and take the difference between the radio & ultrasonic signal propagation. Based on this observation, verify the claimed location

Weakness of SerLoc Requires extra hardware, i.e., ultrasonic channel Innocent victims may respond late due to backlog Not location verification but range verification

Verifier

M’s RealLocation

M’s claimedLocation

sink

Oops... Verifier cannot tellthe difference! Big trouble...

Possible Research Issues Most localization work is mathematical and

evaluated via (high level) simulations• More realistic work is needed

Indoor localization is harder• Look at CodeBlue project at Harvard

Location verification• Can’t trust sensors

Secure localization• Can’t trust anchors