Security Issues in Wireless Sensor Networks

Transcription

1 MAGNT Research Report (ISSN ) Vol.2(4):PP Security Issues in Wireless Sensor Networks Anser Ghazaal Ali Alquraishee, Aasim Zafar, Syed Hamid Hasan Information Security Research Group Faculty of Computing and Information Technology, Department of Information Systems King Abdulaziz University, Kingdom of Saudi Arabia Abstract: Sensor Networks have emerged as the next big thing to succeed in the times to come and it posed to dominate the trend of technology, however they bring in their own share of challenges. Most of these network consists of thousands or more of minute sensors that work independently. Limitation of cost availability and the requirement of abundant, undetectable placements would be resultant in small sensor node that have limited resources. We would be focusing on the security aspect of the set of sensors in a network, even though we know that there are a lot many challenges for the sensor networks. In this paper we would also suggest some of the goals for security of sensor networks. Furthermore, since security is a critical issue for the sensor networks being accepted and being used for many software applications, we would also attempt to analyze the threats against the Wireless Sensor Networks, in turn proposing some measure to counter the attacks against the Wireless Sensor Networks. Keywords: Security, Wireless Sensor Networks, Security Mechanism. 1. Introduction Sensor network is referred to a mixed system that combines minute sensors, their actuators with some other computing elements. The range of application that a Wireless Sensor Network [WSN] can be applied to is huge as the low power communication devices and micro sensors are so easily and readily available. Dissimilar to a traditional sensor network, the deployment is done in a dense manner in the remote sensor networks, and thus a large number of sensors are used. The sensors are assigned the task of processing substantial signals, compute and self-configure the network for achieving long lasting, robust and scalable [1]. Actually, the task of local processing is done by the sensor nodes that reduces energy cost by bringing down communications. A hierarchical model based on a cluster would be the most adaptive routing and efficient model for WSN. In the sensor network based on cluster, the formation is an important part in reducing the cost of setting up and maintaining the Sensor network. Denials of attack on security are an important aspect of today s WSNs. WSNs which contain several sensor nodes and actuators are highly distributed. Due to the high distribution only security is very much needed in the network. Discussion is based on security issues and different types of DOS attacks on different layers [2]. 2. Architecture for WSN The typical Wireless Sensor Network consists of the following: - Network manager The responsibility of the Network Manager is to configure the network, schedule inter-device communication (Configure superframes), manage routing table, monitor and report network health. Security manager The overall responsibility of the Security Manager is to generate, store, and manage keys.

2 Access point or Gateway Field Device and Host application communication is enabled by the Gateway. Field devices (Sensor motes) The Field device that is attached to the process, should have the capability to route packets on other devices behalf. In majority of the situations they define the characteristics of the process or equipment responsible for processing, even controlling them at times. The router is one field device, which is special in nature as it doesn t control the equipment or interface with the process, it even doesn t have the process sensors. Fig. 1. Architecture for Wireless Sensor Network 3. Wireless Sensor Network- Security Analysis Attack and defenses, requirements and obstacles being the four main aspects of WSN security. WSNs have attracted much interest of researchers due to their wide applications range. Issues related to security and its challenges have been investigated and the future direction of the research in WSN security explored [3]. To secure channel attacks, algorithms for scalar multiplication can be applied on WSN also. Although physical characteristics of sensor nodes are also to be taken into consideration in terms of power and time consumption. The proposed algorithms are useful in the context that they are not as heavy as most of the security algorithms [4]. Since the WSNs are simple and have limited resources, they are easy targets for a number of attacks, including eavesdropping on the wireless transmission, injecting of bits into the channels, replaying the packets captured before and so on [5]. In order for WSN to be secure, it must support all the security characteristics like availability, authenticity, integrity and confidentiality. There can be a cooperative attack on the network by the phony nodes, with same hardware configuration as the actual nodes, deployed by the attackers. The pseudo nodes can be one of the actual nodes physically captured and reprogrammed by the attacker or may have been purchased by them. In certain scenarios the attacking nodes may utilize high-quality communication links for coordination of such attacks. The legitimate Sensor nodes might not have a robust security (resistant to tampering) and once compromised would easily yield all data, keys and code stored on it. Even though providing resistance to tampering be one of the solutions to protect the physical nodes, it cannot be termed as a complete or generic solution to security. And, if we make the nodes very robust and resistive to tampering, we would end up making the nodes significantly costly, whilst the nodes are supposed to be cost effective in principle. [6] [7] [8] [9]. In-Network processing, Routing Transport and Reliability and Security are identified as research main areas of research and solutions have been obtained using extended Dolev-Yao model. Three

3 complementary WSN applications have been discussed for which the toolbox concept has been used as a supporting framework to backup an integrated security and reliability architecture for medium and large scale WSNs [10]. Application of WSN in environmental, healthcare, biomedical, industrial and intelligent parking has been discussed. Since WSNs are limited to due to power consumption, scalability, topology change and cost, newer technologies are being developed to overcome these so that WSN becomes an integral part of our daily life [11]. Review of various research issues being outlined and research in these issues will yield promising results which will definitely make WSNs more popular. Future predictions are that WSN is going to bring in a revolution in our lives [12]. The attacks on WSN are identified and categorized as: 3.1. Sybil Sybil is an attack where "Multiple identities are illegitimately taken by the malicious device". Through Sybil attack [13], the attacker can "project its presence at multiple places at once this is done by a single node presenting itself to other nodes via different identities, in such a scenario the fault tolerance of schemes like multipath, dispersity [14], and distributed storage [15] is considerably reduced. Even though is very difficult for the attacker to attack in such a manner as to spread the communication of the spectrum and for initializing of frequency hopping each pair of adjacent nodes uses a unique key, yet geographic routing protocol are significantly threatened by the Sybil attack. a) Sybil (Physical Layer) Attack. b) Sybil (Network Layer) Attack c) Voting (Data Link Layer) Attack. d) Data Aggregation.( Data Link Layer) Attack 3.2. Sinkhole (Black hole) Under this attack the attacker makes a compromised node appear more attractive to neighboring nodes in terms of the routing algorithm, thus luring almost all the traffic in the specific area via the compromised node, which in turn creates a metaphorical sinkhole that puts the attacker at the center. Since the application data transmitted through or near this pseudo path can be easily tampered with the sinkhole attack can lead to a lot of other attacks (e.g. selective forwarding). a) Sinkhole (Network Layer) Attack 3.3. Wormhole When the attacker replays a message received in another part of the network at a different place, which is tunneled over a link with low latency, it is called the wormhole attack [16]. The attacker located near the base station can completely disturb routing through a significantly located wormhole. The attacker can also persuade the node which is distant from the base station by multiple hops normally that the wormhole reduces the distance to 1 or 2 hops only. It creates a sinkhole: As the attacker on the opposite side of the wormhole illusions providing of a high-quality/shorter path towards the base station, it is possible that all the traffic around the wormhole would be routed through it as other routes are presumably less attractive. a) Wormhole (Network Layer) Attack 3.4. Mote Class This is also known as Insider Attack. In this scenario the attacker managed to place an authorized node in the network. These may be one of the nodes hacked nodes that runs the illegal code or a pseudo node created by using the sniffed data, code and material from a legitimate node. This pseudo node is actually a laptop Class device used to attack. a) Mote-class Attack.

4 3.5. Hello Flood It is required by a number of protocols for the nodes to have a generic broadcast of the HELLO packets to adjacent nodes so as to establish identification. Thus the receiving node would understand that the sender is within the radio range. However, this understanding can be incorrect, as an attacker under the laptop-class who broadcasts a high power transmission of routing and other information would thus convince the node that the sending node is in vicinity. This would result in the targeted node to start the communication with the attacker presuming it is the legitimate receiver of this information. a) Hello Flood (Network Layer) Attack Manipulation of Routing Information a) Manipulation of Routing Information (Network Layer) Attack Selective Forwarding Under this attack the nodes selectively forward specific messages or drop them completely while acting as back holes. Thus the messages never reach their destinations. However, the drawback of this attack is that the sender node would soon realize that the message was not sent to the recipient and thus it would try with an alternate less attractive route. The selective mode of this attack is more elusive as only part of message is relayed by the black holes thus for any attacker who wishes to distort the message may easily use this method and have very less chances of detection. a) Selective Forwarding (Network Layer) Attack Acknowledgement Spoofing The routing algorithm of a number of sensor networks depends on the explicit or implicit acknowledgement from the link layer. Because of this innate medium of broadcast medium, the attacker can be spoofing the acknowledgement from the link layer for sniffed packets that are meant for adjacent nodes. The aim of this attack is to make the sender nodes believe that the receiving node is in vicinity or even that a disabled/dead node is still alive. a) Acknowledgement spoofing (Link Layer) Attack Cloning a) Cloning (Application Layer) Attack Denial of Service When a network is rendered partially or completely incapable of performing an expected function, such a situation is called DoS (Denial of Service) [17]. a) Jamming (Physical Layer) Attack In order to jam a node the attacker transmits a radio signal which disturbs the radio frequency used by WSN sensors thus the radio channel is Jammed with a signal that produces interruption. b) Tampering.(Physical Layer) Attack The nodes are susceptible to Physical alteration and changes caused by the attacker e.g harm caused by reverse engineering c) Collision (Data Link Layer) Attack d) Exhaustion(Data Link Layer) Attack. e) Unfairness(Data Link Layer) Attack. f) Neglect and Greed.( Network Layer) Attack g) Homing. ( Network Layer) Attack h) Misdirection/ Spoofing.( Network Layer) Attack i) Black Holes. ( Network Layer) Attack j) Flooding. ( Network Layer) Attack k) Flooding. (Transport Layer) Attack l) De-synchronization. (Transport Layer) Attack Interrogation. I. Interrogation (Data Link Layer) Attack.

5 3.12. Impersonation a) Node Replication Attack. It is also known as the Impersonation or the Multiple Identities attack. In this kind of an attack the attacker copies/replicates the node ID of an existing node and adds this phony node to the network. This results in more than 1 node having the same ID which causes packet to be deleted, misrouted or corrupted and might also lead to information related to cryptographic keys be also revealed Eavesdropping a) Eavesdropping and Monitor Attack. This kind of an attack is also known as confidentiality attack. The contents of the communication could easily be identified by the attacker simply listening to it. The susceptibility of the network traffic to eavesdropping and monitoring is known. This can be avoided by having a robust security protocol in place, however the eavesdropping could still lead to attacks as described previously which may be a black hole or a wormhole attack Traffic Analysis a) Traffic Analyses Attack. In cases where it is determined that major traffic is routed through a specific route and the base station is identified then the traffic analysis attack can be forged. In this case once identified the attacker simply needs to hack the base station, which would bring down the entire network Invasive a) Invasive Attack Non-Invasive a) Non-Invasive Attack Laptop Class In this kind of an attack, also known as the Outsider Attack, the attacker does not possess any specific kind of access to the network, instead he has access to a power full device like a laptop or a device that has the capability to overpower the node when the attack is launched. The capability can be a highly sensitive antenna, a radio transmitter with high power, an ultrafast CPU or just extensive battery backup etc. The attacker with a Laptop-class device could jam the all the sensors in the network just by the use of its much powerful transmitter. He may even be able to eves-drop on the complete network by the use of a highly sensitive antenna. The attacker can also have access to a low latency, high bandwidth channel that is not at the disposal of the sensors, making it possible for the attacker to launch a coordinated attack from different sides and various methods. a) Passive Eavesdropping (Laptopclass) Attack b) Traffic Injection (Laptop-class) Attack Attack on Protocols a) Key Management Attack. b) Reputation Assignment Schemes Attack. c) Data Aggregation Attack. d) Time Synchronization Attack. e) Intrusion Detection System Attack. 4. Counter Measures We are now going to discuss some ways to counter the attacks Sybil attack We know that once an illegal node is part of the network we cannot prevent it from taking part in the activities of the network, however for allowing any transactions the identities of the nodes it has compromised are required. With the help of a key shared globally the attacker can pose as any node in

6 the network, even as nodes that do not exists. Thus we must have a verification of identities. Normally it is done through the use of the public cryptographic keys, but a sensor node cannot generate and verify digital signature. However, to have each node share a symmetric unique key with the base station that is trusted, can be a solution. Thus a protocol like Needham-Schroeder can be used by a set of two nodes to have each other's identities verified and establishing shared keys. This key can be used by the neighboring nodes for implementation of an encrypted and authenticated, link amongst themselves. For preventing the attacker to wander around the network and establish a shared key with each node, the number of nodes any node can tie up to can be reasonably limited by the base station, thus sending an error message if this limited is exceeded. This way even if a node is compromised, its communication sphere is limited to the verified adjacent nodes only. It does not mean that there is a ban on communicating with the base station or nodes that are further away from the sender, but it simply means in order to do so the sender must use one of its pre-verified nodes only. Even though. The attacker can still create a wormhole between two nodes and make them believe they are adjacent but it would still not be able to eavesdrop or tamper with the communication between the two nodes Sinkhole and Wormhole attacks Preventing of the sinkhole and Wormhole attack is pretty tough, particularly if the two are combined. It is hard to identify a wormhole as they use an out-of-band, private channel that is invisible for the sensor networks. It is difficult to prevent attacks from Sinkholes in the protocol which uses information that is broadcasted e.g. energy remaining or estimation of the reliability of a link for end-to-end communication while constructing the routing topology as it is difficult to verify this information. Verification of routes minimizing the hopcount for the base stations is easy, yet a wormhole can completely misrepresent the hop-count. If establishing the route is simply dependent on receiving of the packets as in directed diffusion or TinyOS beaconing, it is easy to create a sinkhole since the defender does not have to verify any information. Techniques for detection of wormhole attack is demonstrated in [18], but highly accurate time synchronization is required for it and hence it is not feasible for majority of the sensor network. As we know that it is quite hard to modernize the current protocols equipping them to defend the attack, thus careful designing of routing protocols in such a manner that the sinkholes and wormholes are rendered useless is the best solution HELLO flood attacks The HELLO flood attack can simply be prevented by verifying the capacity of the link to communicate bi-directionally, prior to utilizing that link for any actual communication. The use of protocol for identity verification should sufficiently prevent the HELLO flood attack. The protocol would not verify the bidirectional communication over the link, but with the base station limiting the number of verified neighbors for a node, the combining of wormholes and highly sensitive antennas can be prevented from launching the HELLO flood attack over a large areas of sensor network; even if few of the nodes are compromised Selective forwarding In case a compromised node is adjacent to the base station or the source node, it cannot prevent the node from selectively forwarding packets even though security protocols may completely prevent Sybil attack, wormholes and sinkholes. For countering these attacks we can use multipath

7 routing. A message routed over a many paths that contain completely different nodes and resistant to selective forwarding attack through compromised nodes. But we must consider the fact that to create paths with completely disjoint nodes is not an easy task. Braided paths [19] might have common nodes, but they do not have any common links (i.e. no combination of two nodes is common in the path). By using multiple braided path we might have a probability of being secure from the selective forwarding attack Link layer security and Outsider attack Even though use of a globally shared authentication key for encryption and authentication at the Link layer level can prevent most of the outsider attack on the routing protocols of the sensor networks. Yet, the HELLO Flood and wormhole attack cannot be prevented by the authentication and encryption at the Link layer. As this method can prevent the attacker from intruding the sensor network but it does not prevent the wormhole from posing as a legitimate node, after using the packets/data sniffed over other parts of the network. Or even prevent the legitimate nodes from believing that they are in closer/adjacent to receiving/sending nodes in contrast to reality by simply amplifying the transmitting power of the signal originating from the attacker and reaching the entire network. The security mechanism at the link layer is also useless if we have a compromised node or the attack is launched from inside. The Inside attacks can be launched by HELLO flood broadcasting, Sybil attacks, forwarding packets selectively, bogus routing info being injected into the network, crating sinkholes or spoofing. The insider attacks and wormholes need to be prevented by more advanced security mechanisms. The focus of the counter measures would thus be on these kinds of attacks Leveraging Global Knowledge One of the major issues in making a large network of sensors secure is that fact that such a network is essentially decentralized and self-organized. If the size of the network was limited or it has controlled and structured topology we can leverage on the security mechanisms global knowledge. Let us take into account a 100 node network. If we can assume that the nodes were not compromised while being deployed, then post the formation of the initial topology, every node can send information related to its neighbors and its own location (geographic) to the base stations. Then the topology of the entire network can be mapped by the base stations. In case a node failure or radio interference results in topology change, the information is updated to the base station at regular intervals. If there is a suspicious or drastic change in the topology of the network we may investigate for a compromised node compromise, and act accordingly. Even though Sybil, Sinkhole and wormhole attacks can be prevented using geographic routing, yet trusting of the location information that is broadcasted from the adjacent nodes is an issue. If we have node, that is compromised, situated on the route between the base station and the targeted node, it is certain that all the traffic between them would be diverted to the compromised node. Selection of the next hop from amongst the various qualifying nodes, based on Probability or routing through multiple paths to the base station may help us tackle this issue as well, but it is not the perfect solution. If the path includes or is in the vicinity of a "hole", the attacker may dupe the nodes by posing the most attractive node for routing of traffic. Sufficient restriction topology structure can lead to elimination of the requirement of

8 location advertisement by the nodes, i.e. well known locations of all the nodes Authenticated Flooding and Broadcast Presence of trustworthy base stations, would present the attackers from flooding messages or spoofing broadcast from the base stations. A certain level of asymmetry is required for this: as there is a possibility of any of the nodes being compromised, none of the nodes should be allowed to spoof message from the base stations, still each node must have the capacity to verify the messages. Localized note interaction may utilize authenticated broadcast. A number of protocols require the broadcast HELLO message, for the nodes to its adjacent nodes. It is a must for authenticating these messages and making them impossible to be spoofed upon. The Proposed authenticated broadcasts that are intended to be used in a standard network either make use of digital signature or/and has packet overheads which clearly surpass the network packet length of usual a sensor. The TESLA protocol [20] uses symmetric cryptographic keys and minimum packet over-head for authenticated, efficient Flooding & broadcast. SPIN [21] & gossiping algorithm [22], [23] reduces collision and the cost of messaging that allows the disseminating of the message to each node across the entire network in a robust and probabilistic manner OSI Layer wise threats and Counter Measures We will now discuss the various known attacks and their counter measures based on the different layers of the OSI. Physical Layer: Table 1, describes WSN Threats and their Counter measures pertinent to the Physical Layer. Table 1. Threats and their Counter Measures (Physical Layer) Threat Interference Counter Measure Blacklisting & Channel hopping Jamming Sybil Tampering Blacklisting & Channel hopping Physically Protecting the devices Changing and Protecting the key Data-link Layer: Table 2, describes WSN Threats & their Counter Measures pertinent to Data-Link Layer. Table 2. Threats and their Counter Measures (Data-link Layer) Threat Collision Exhaustion Spoofing Sybil Desynchronization Traffic analysis Eavesdropping Countermeasure Time diversity and CRC Protecting the Network ID along with any information required for device joining. Using different paths for the message re-sending Changing the key regularly Use of different neighbor for synchronizing time Regularly monitor WSN and send dummy packets when network is quite Key protects DLPDU from Eavesdropper Network Layer: Table 3, describes WSN Threats & their Counter Measures pertinent to Network Layer. Threat Table 3. Threats and their Counter Measures (Network Layer) Wormhole Selective forwarding DoS Sybil Traffic Analysis Countermeasure Regularly monitor the network physically and by Source Routing. Using the Packet Leach technique for monitoring. Regularly monitor the network by Source Routing. Protect Network ID and other network specific data. Inspect and protect the network physically. Reset the devices and change the session keys. Regularly monitor WSN and send dummy packets when network is

9 Eavesdropping quite. Protecting NPDU from Eavesdropper through Session keys. 5. Conclusion Security is a critical issue for the sensor networks being accepted and being used for many software applications. Specifically, WSN products in the industry wouldn t be accepted if they do not have security that is robust and fool proof. In the paper above, we analyzed the different threats to the WSN and proposed possible counter measures as solutions to these threats. Mechanism of Link layer authentication and encryption can be considered for reasonably defending the network from the mote class outsider, yet cryptography itself is not sufficient for defending the network against insiders and laptop-class attackers; thus designing the protocols carefully is required as well. References 1. Zou Y, Chakrabarty K. Sensor deployment and target localization based on virtual forces. INFOCOM Twenty- Second Annual Joint Conference of the IEEE Computer and Communications Societies. IEEE, Volume: 2, 2003, pp Singla A, Sachdeva R. Review on Security Issues and Attacks in Wireless Sensor Networks. International Journal of Advanced Research in Computer Science and Software Engineering, ISSN: X, Vol.3, Issue 4, April Chowdhury M, Kader M F, Asaduzzaman. Security Issues in Wireless Sensor Networks: A Survey. International Journal of Future Generation Communication and Netwrking, ISSN: IJFGCN, Vol.6, No 5 (2013), pp Hasan S H, Alquraishee A G A. Scalar Multiplication Algorithms for Wireless Sensor Network. International Journal of Smart Home, Korea. ISSN: , October Zafar A, Iqbal A, Lehri S. Mobile Ad Hoc Network A Research Perspective. in proceedings of INDIACom Sharma S. Energy-efficient Secure Routing in Wireless Sensor Networks. Dept of Computer Science and Engineering, National Institute of Technology Rourkela, Rourkela, Orissa, , India, Boyle D, Newe T. Securing Wireless Sensor Networks: Security Architectures. Journal of Networks, 3 (1), Du X, Chen H. Security in Wireless Sensor Networks. IEEE Wireless Communications, Granjal J, Silva R, Silva J. Security in Wireless Sensor Networks. CISUC UC, Westhoff D, Girao J, Sarma A, Security Solutions for Wireless Sensor Networks. NEC TECHNICAL JOURNAL Vol.1 No.3, Masood S, Zafar A. Challenges in Routing in Wireless Sensor Ad hoc Network. in proceedings of NCCIST Gilbert E P K, Kaliaperumal B, Rajsingh E B. Research Issues in Wireless Sensor Network Applications: A Survey. International Journal of Information and Electronics Engineering, Vol.2 No. 5, September Sharifnejad M, Shari M, Ghiasabadi M, Beheshti S. A Survey on Wireless Sensor Networks Security. SETIT Karlof C, Wagner D. Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures. University of California at Berkeley, 2009.

10 15. Douceur J R. The Sybil Attack. in 1st International Workshop on Peer-to-Peer Systems (IPTPS '02), March Banerjea A. A taxonomy of dispersity routing schemes for fault tolerant real time channels. in Proceedings of ECMAST, vol. 26, 1996, pp Castro M, Liskov B. Practical byzantine fault tolerance. in OSDI: Symposium on Operating Systems Design and Implementation. USENIX Association, Co-sponsored by IEEE TCOS and ACM SIGOPS, Hu Y C, Perrig A, Johnson D B., Wormhole detection in wireless ad hoc networks. Department of Computer Science, Rice University, Tech. Rep. TR01-384, June Ganesan D, Govindan R, Shenker S, Estrin D. Highly-resilient, energyefficient multipath routing in wireless sensor networks. Mobile Computing and Communications Review, vol. 4, no. 5, October Perrig A, Szewczyk R, Wen V, Culler D, Tygar J. SPINS: Security protocols for sensor networks. in Proceedings of Mobile Networking and Computing 2001, Kulik J, Heinzelman W R, Balakrishnan H. Negotiation-based protocols for disseminating information in wireless sensor networks. Wireless Networks, vol. 8, no. 2-3, 2002, pp Lin M J, Marzullo K, Masini S. Gossip versus deterministic flooding: Low message overhead and high reliability for broadcasting on small networks. Tech. Rep. CS , 18, Li L, Halpern J, Haas Z. Gossip-based ad hoc routing. in IEEE Infocom, 2002.