Professional Documents
Culture Documents
Secure Routing Protocols and Attacks On Arduino Jeenode: Masaryk University
Secure Routing Protocols and Attacks On Arduino Jeenode: Masaryk University
Secure Routing Protocols and Attacks On Arduino Jeenode: Masaryk University
Faculty of Informatics
Master’s Thesis
Master’s Thesis
i
Acknowledgements
I would like to express my sincere gratitude to my thesis supervi-
sor RNDr. Petr Švenda, Ph.D. for his professional guidance, valuable
advice and feedback provided during my work on this thesis.
iii
Abstract
The thesis is focused on secure routing in wireless sensor networks.
Survey of secure routing protocols is presented, including an eval-
uation from security point of view. Three attacks were selected to
demonstrate possible attack scenarios on secure routing protocols,
utilizing Arduino-based JeeNode devices. The last part of the thesis
aims to port WSNProtectLayer project, the TinyOS library for secure
communication in wireless sensor networks, to Arduino platform.
iv
Keywords
wireless sensor network, Sybil, relay, capture and brute-force, attacks,
WSNProtectLayer
v
Contents
Introduction 1
vii
2.3.1 SIGF . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.2 SEAR . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.3.3 Conclusion . . . . . . . . . . . . . . . . . . . . . 27
2.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3 Selected attacks 31
3.1 Sybil attack . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.1.1 Sybil attack on WSN routing algorithms . . . . . 31
3.1.2 Implementation . . . . . . . . . . . . . . . . . . . 32
3.2 Relay attack . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.2.1 Relay attack on WSN routing algorithms . . . . 35
3.2.2 Implementation . . . . . . . . . . . . . . . . . . . 36
3.3 Capture & brute-force attack . . . . . . . . . . . . . . . . . 39
3.3.1 Attack overview . . . . . . . . . . . . . . . . . . . 39
3.3.2 Implementation . . . . . . . . . . . . . . . . . . . 39
3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
5 Evaluation on testbed 53
6 Conclusion 55
6.1 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Bibliography 57
A Data attachment 67
viii
List of Tables
1.1 WSN routing protocol types with examples 5
2.1 Possible outsider attacks on reviewed hierarchical
secure WSN routing protocols 24
3.1 Vulnerability of reviewed protocols to Sybil and relay
attacks 36
4.1 Comparison of selected sensor node hardware 44
ix
List of Figures
3.1 Network state without attacker’s presence 34
3.2 Sybil attack 34
3.3 Relay attack 38
3.4 Capture & brute-force attack 41
4.1 Message sending 47
4.2 Message receiving 48
4.3 Session key establishment 50
xi
Introduction
Wireless sensor networks are a relatively new area of research with
increasing popularity. The idea is to have a highly distributed network
consisting of hundreds, possibly thousands of cheap nodes running on
battery and communicating over radio. Due to limited power source,
most of the research is focused on power efficiency and only after this is
achieved, the security is considered. Computing resources are limited
to prolong the network lifetime by decreasing energy consumption.
Low resources, random geographical distribution and other compli-
cating factors like possible mobility make securing sensor networks a
difficult challenge.
This thesis focuses on message routing in wireless sensor networks
as it is essential for the network security. A survey of routing protocols
is presented in the first part, focusing on supposedly secure ones and
shows that it is nearly impossible to create a perfectly secure routing
protocol while maintaining all WSN characteristics like high number
of low-cost nodes, random distribution, decentralized topology or low
power consumption.
Second part of the thesis discusses three types of attacks, namely
Sybil attack, relay attack and capture and brute-force attack. Their
impact is demonstrated on practical implementation using Arduino-
compatible JeeNode devices.
The last part consists of Arduino port of WSNProtectLayer, TinyOS
library for securing WSN communication. It features message protec-
tion, authenticated broadcast, neighbor discovery with session key
agreement and a simplified CTP protocol.
1
1 Routing in wireless sensor networks
Routing in WSN differs from traditional networks in almost every
aspect. Sensors are often deployed randomly, recognizing their neigh-
bors and possibly location only after being deployed. Once deployed,
they need to be able to create or join the network autonomously. Their
computational power and memory size do not allow for complex
operations like asymmetric cryptography. Nodes in WSN tend to be
battery-powered. This causes reliability issues because every node
eventually runs out of battery, some sooner than others. Sending a
message over radio drains the battery much faster than CPU oper-
ations [1]. Therefore a trade-off between reliability (or security and
other features) and network lifetime must be set. Although single-hop
protocols exist (e.g. single-hop star), most of the WSN routing pro-
tocols are based on multi-hop communication due to the scalability
problem [2]. While the single-hop network topology is a nice solu-
tion for small networks thanks to its simplicity, low latency and small
amount of messages transmitted, range of the single node’s radio is
insufficient when covering area of most of the real-world networks
[3].
Data-centric
The data is always sent from each node to sink. Aggregation may be
performed on intermediate nodes to preserve energy by decreasing
the number of transmissions. Data may be queried by a base station
or sent to the base station on periodic or event basis.
Hierarchical
Hierarchical (cluster-based) routing was introduced to increase energy
efficiency [7]. Nodes form groups, each group contains a leader node
3
1. Routing in wireless sensor networks
Geographic
Geographic (location/position-based) routing protocols in WSN use
node’s location as its identification. This allows nodes to compute
distance and direction of other nodes in the network. Information
about the distance may be used to adjust signal strength to optimal
level to conserve energy.
Multipath-based
The aim of this type of protocols is to reduce data loss probability and
increase reliability by sending all data over multiple paths or dividing
them evenly amongst these paths to balance the load. In the best case,
these paths should not share same nodes or at least links between
them. Even though this approach increases the number of messages
that are transferred, it reduces the number of messages that need to
be retransmitted in case of failure.
QoS-based
QoS-based routing protocols for WSN aim to improve reliability, band-
width, delay, jitter and introduce other features like high priority data,
while still minimizing the energy cost. It is usually handled through a
resource reservation and often includes multipath routing.
These categories are common for every reviewed paper but some
literature lists even more categories (query-based, etc.). A protocol
can fit into more categories. For example, MMSPEED [8] is multipath-
4
1. Routing in wireless sensor networks
1.2.1 Jamming
Basic attack on WSN associated with the physical layer, prevents any
communication on the disturbed channel. In context of routing, this
attack can prevent nodes to discover their neighbors and therefore
establish routing tables. This renders network unusable.
A standard defense mechanism to prevent jamming is spread-spectrum
communication.
5
1. Routing in wireless sensor networks
6
1. Routing in wireless sensor networks
tions, the attacker does not even need to be part of the network or to
understand the traffic, he may simply resend eavesdropped packets
with high transmission power and convince other nodes that he is a
legitimate party.
Basic countermeasure against this class of attacks consists of acknowl-
edgements. If the attacker is too far away to receive a message, he will
not send back the acknowledgement and therefore a node can con-
sider a link broken (not necessarily malicious). This is useless against
the attacker with a highly sensitive receiver. In this case, Needham-
Schroeder-like protocol can be used to verify identity as described by
Karlof and Wagner in [28].
1.2.7 Exhaustion
7
1. Routing in wireless sensor networks
1.2.9 Tampering
Unlike the abovementioned attacks, tampering is a physical kind of
attack. An attacker may be able to recover cryptographic keys or other
sensitive data from a captured node as shown in [31]. Tamper-resistant
nodes may be manufactured but they are costly, which is against WSN
principles. Yet there exist protocols that depend on such property (e.g.
secure CTP protocol described in [32]). This is not a direct attack on
routing protocols but may serve as a way to add malicious node into
an existing network.
Defense against tampering cannot be solved in a software way and
therefore is beyond scope of this thesis.
8
2 Secure routing protocols
All protocols listed in Section 1.1 are insecure. This is a common prop-
erty of many well-known WSN routing protocols. It is partially caused
by the fact that, when initially proposed, performance of sensor de-
vices was low and users were often willing to sacrifice security for
increased network lifetime.
In last few years, the number of WSN applications has been in-
creasing. They are deployed in fields that have high security demands,
like military or healthcare. This implies the need to secure the commu-
nication. Sensors use a wireless radio which makes it easy to capture
or create false traffic and may be distributed in a large area without
physical security. This creates an opportunity for attackers to steal
them, extract data including cryptographic keys or reprogram them.
They possess low resources so the traditional security mechanisms are
useless or at least ineffective in WSNs. Designing a secure routing pro-
tocol for this type of network is relatively new and difficult challenge
that requires trade-offs between the cost and the achieved security.
Overview of attacks on common WSN routing protocols is given
in [28]. It demonstrates that almost all protocols that were not designed
with security in mind are subject to multiple kinds of attacks and
shows the need for the secure ones. It also proposes basic threat model
and security goals for WSN routing protocols.
To prevent these attacks, secure routing protocols were proposed,
most of which are derivatives of existing insecure routing protocols,
mostly those focused on efficiency. Some of the secure routing proto-
cols are described in following sections. These should give a general
overview of the current state of secure routing in WSNs. Many other
protocols exist but are not included in this work due to nature and
scope of this thesis or their unavailability in university information
sources or other free channels (e.g. Secure-CTP).
2.1 Data-centric
Data-centric routing protocols are the most intuitive type. Sensors col-
lect data and route them to single or multiple sinks/base stations (BS).
Data can be queried (e.g. by BS) or sent automatically after a thresh-
9
2. Secure routing protocols
The pairwise key shared with the BS and a global key are predis-
tributed before the deployment. Pairwise keys shared with neighbors
are established after the deployment.
Interest messages from the BS are encrypted by the global key.
Interest packet integrity is achieved by using MAC with the global
key, data packet integrity by using MAC with the pairwise key for
each pair of nodes. A timestamp is used to achieve message freshness.
Sensor nodes are meant to be cheap and therefore not tamper-proof.
In case of physical key extraction, interest packets can be easily forged
by an attacker. Authors did not take this scenario into account.
In general, timestamp is not a good idea in sensor networks as they
might easily get desynchronized.
10
2. Secure routing protocols
2.1.2 SeRINS
11
2. Secure routing protocols
Authenticated routing
One of the usages for SNEP and µTESLA protocols is authenticated
routing that is proposed by their authors. Unlike most of the protocols
designed for WSNs, it is not meant to be energy-efficient which renders
it unusable in battery-powered networks.
This protocol works in rounds. In each round, nodes form a routing
tree. This is useful when the nodes are likely to fail or move. First, BS
broadcasts a beacon for the new round. When the node receives it,
12
2. Secure routing protocols
2.1.4 Conclusion
Three data-centric protocols were presented in this section. They vary
in purpose and quality. ESDDP relies on tamper-proof nodes and
SPINS focuses on protocol building blocks, while it proposes a rout-
ing protocol only as a usage scenario. Overall, SeRINS seem to be the
best option out of these protocols, defending even against insider at-
tacks. Outsider attacks were only executable on SPINS protocol. These
attacks include sinkhole attack, relay attack and selective forwarding
as well as black hole attack.
13
2. Secure routing protocols
based secure routing protocols improve the overall security but most
of them achieve this only under certain circumstances. Majority of
them assume that the sensors are tamper-resistant or do not consider
physical key extraction at all. However, sensors in WSN are meant to
be cheap so they can be deployed in hundreds, possibly thousands.
Protecting them against this type of attack would be expensive, which
makes this assumption unreasonable. None of the LEACH-based pro-
tocols maintain the security of the rest of the network in case of physi-
cal key extraction from a compromised node. In some of the protocols,
this does not compromise the whole network but the significant part
of the network is still affected. This proves that secure protocol must be
designed with security in mind right from the beginning, rather than
adding some degree of security to already existing protocols. This
is the case of the cluster-based protocol described in Section 2.2.10,
which is indeed designed as secure routing protocol from scratch.
There were many attempts to secure LEACH protocol that vary in
design quality considerably. The main goal of this section is to describe
most cited or interesting protocols that aim to improve security as-
pects of hierarchical protocols that standard LEACH protocol does not
handle. Various protocols with different approaches were chosen to
give a general overview of possible solutions and their advantages or
disadvantages. This section, however, does not describe all the LEACH
modifications that aim to increase security. Protocols that do not seem
to increase security or are not properly described (e.g. RLEACH[36])
are also omitted.
14
2. Secure routing protocols
15
2. Secure routing protocols
16
2. Secure routing protocols
from nodes are authenticated by MAC using key shared with BS. CH
cannot verify it but BS does when it reaches it.
The big disadvantage of this protocol is that, if an attacker sends
arbitrary data to a CH, it is forwarded to BS without verification and
when it reaches BS, it is already aggregated so the BS must discard it.
The intruder is then reported to CH. This approach is vulnerable to
DoS attack. DoS can be also achieved by generating a big amount of
requests to join a cluster. Authors claim that reported malicious node
will be excluded from the network but an attacker can choose any ID
(Sybil attack) so he either will not be excluded or may cause exclusion
of every node in the network by stealing identity (blackmail attack).
I agree with authors that S-LEACH secures the network against
selective forwarding, sinkhole attack and HELLO flood attack unless
there are insider attackers. However, it seems to be vulnerable to
identity replication of end nodes and either Sybil or blackmail attack.
2.2.5 SS-LEACH
17
2. Secure routing protocols
18
2. Secure routing protocols
19
2. Secure routing protocols
pre-deployment phase, every node receives its ID, a secret key shared
with BS, a certificate signed by BS and a public key.
Nodes broadcast their ID together with their certificate. They also
listen for others’ IDs and verify certificates. When it is done, they all
send their neighbors table to the BS, encrypted and protected by MAC
with the key shared with BS.
BS creates network topology based on the neighbor information
from nodes and calculates paths. It generates a pairwise key for all
neighboring pairs of nodes based on their IDs and a secret. It then
sends the pairwise key to a node and also the same key, encrypted
with the key that the neighbor shares with the BS, encrypted and
authenticated by MAC, together with the BS certificate. When the
node verifies it, it sends the pairwise key protected by the key that the
neighbor shares with the BS and a nonce to its neighbor as a challenge
and waits for the incremented nonce protected by their pairwise key.
If the node does not receive the response, it reports suspicious node
to the BS. Cluster formation is done by BS. It sends routing paths to
CHs, protected by encryption and MAC. CHs are never neighbors of
each other. The rest of the protocol is similar to LEACH, the difference
is that encryption and MAC are used when sending or forwarding the
data and a new node can join the network in runtime in a similar way
to the node discovery phase.
The overall security looks better than in most of the LEACH-based
secure routing protocols. Relay attack may be possible when attacker
replays the neighbor discovery message, but the impact should not be
critical. The biggest setback of this protocol is the public key cryptog-
raphy that makes it inapplicable to networks with low-end nodes.
20
2. Secure routing protocols
not mentioned. I assume that a pre-shared global key is used for that.
After nodes find all their neighbors, they report the neighbor table
to BS. BS creates a neighbor matrix with multiple paths to each node.
It also calculates pairwise keys for each pair of neighboring nodes
and sends it to them. The confidentiality of these messages was not
mentioned and it seems like they are sent in plaintext.
The protocol is described poorly. MAC is, in most cases, calculated
from original message concatenated with a nonce but the nonce is
not included in the plaintext so the receiving party should not know
it. To solve this, the nonce needs to be included in the message or a
counter may be used. In case of counter, synchronization problems
can occur. The protocol does not mention predistributing this values.
It also does not mention predistributing keys used in the neighbor
discovery phase. This protocol, as described in the paper, should not
work. However, it is possible to make it work with few modifications,
like including nonces in messages. Security would be still questionable,
though.
The security of this protocol does not seem reasonable as the keys
seem to be sent in plaintext. The protocol is not included in the table
with possible attacks (2.1) as I cannot evaluate it based on the paper
only.
21
2. Secure routing protocols
with itself as a root. This is described in [52]. Each L-sensor has also
a backup parent in cluster tree and also backup CH in case of node
failure. Data packets are encrypted and integrity is protected by MAC.
After sending, sensor listens whether the packet was further propa-
gated by its parent. If it was not and retransmission also fails, the node
will switch to its backup parent. Parent forwards it further the same
way. Parent can be either L-sensor or CH. CH is a final destination
within intra-cluster routing. After successful delivery to a CH, data
is aggregated if required and forwarded to the BS. To achieve this,
CH chooses other CHs that are closer to the BS to forward the data.
The choice is made based on a position of clusters. If the cluster lays
between the CH and the BS, CH of this cluster is included in the path.
If any of the intermediate CHs fails, new route is created in a similar
way.
This protocol does not seem to suffer to any security vulnerabilities
in case of outsider attacker. Insider attacks should only affect single
branch in the network. This protocol provides a graceful degradation
and should be still secure enough even if the attacker captures multiple
nodes. Of course, when the majority of the network is compromised,
it cannot stay secure anymore. The only obvious disadvantage of this
protocol is higher cost of H-nodes.
2.2.11 Conclusion
22
2. Secure routing protocols
23
24
Table 2.1: Possible outsider attacks on reviewed hierarchical secure WSN routing protocols
Selective Black HELLO Sink Identity Relay/
2. Secure routing protocols
25
2. Secure routing protocols
SIGF-0
The most energy-efficient protocol of SIGF family. It is completely
stateless and provides only probabilistic defenses against an attack.
The difference between this protocol and IGF is in the selection of the
next-hop candidate. While IGF chooses the first node to reply with
CTS, SIGF-0 collects all the responses and then selects one based on
configurable options. This fixes the CTS rushing attack vulnerability
that IGF suffers to.
SIGF-1
SIGF-1 aims to further defend against selective forwarding, black hole
attack and Sybil attack by keeping information about neighbors. This
information contain the number of messages sent to each neighbor,
number of messages forwarded by the neighbor (obtained by overhear-
ing after transmission), last location of the neighbor and delay between
sending a message to the neighbor and forwarding the message by
the neighbor. Other values are also derived from this information, like
success ratio, location consistency, fairness and performance. All these
values are used to compute node’s reputation. Only nodes with repu-
tation exceeding set threshold may be chosen for message relaying.
26
2. Secure routing protocols
SIGF-2
SIGF-2 adds cryptographic security to SIGF-1 to provide message
authenticity, integrity, confidentiality and freshness. It requires key
establishment protocol. Authors mention LEAP [55] as one of the
possibilities but more options are available. It uses MAC for message
authentication and integrity, message sequence number for freshness
and encryption for confidentiality.
2.3.3 Conclusion
Geographical protocols may be immune to attacks that are based
on forged routing information due to nature of their routing path
selection. However, they tend to be vulnerable to Sybil attacks with
attacker presenting multiple locations as they cannot easily verify
them.
Two protocols were presented, each focusing on the different area.
SIGF protocol family improves IGF routing by eliminating its vulner-
abilities, while SEAR presents a new design of securing data origin
location. Both of them try to increase efficiency when possible and
only use more demanding security features when needed.
The overall security of SIGF family seems to be better than in
hierarchical protocols, with exception of TTSR, but it comes with the
price of positioning system requirement.
27
2. Secure routing protocols
2.4 Conclusion
Multiple secure routing protocols were described in this chapter, most
of which were hierarchical. This uneven distribution is caused by the
fact that many existing protocols are modifications of LEACH protocol.
LEACH is attractive as base protocol for further securing thanks to
its energy efficiency. It is also immune to few attacks unless a sensor
was physically compromised which narrows the number of attacks to
protect from. However, with respect to security, none of the LEACH
modifications were close to best routing protocols that are designed to
be secure in the first place and improve other qualities only if it does
not affect security.
As stated by Karlof and Wagner in [28], confidentiality and fresh-
ness are not responsibilities of the secure routing protocol. Despite
that, most of the secure routing protocols incorporate these features,
sometimes giving them high priority. Although it is a nice feature,
these protocols are often vulnerable to attacks and could rather im-
prove different security aspects, like authentication. Confidentiality
could be added on the higher network layer.
Some protocols strictly focus on defense against single kind of
attacks. For example, HSRBH [59] only protects against black hole
attacks but does not consider other attacks. Some aim to achieve a
sole security goal, like preventing an attacker from determining the
data source, e.g. CASER. Even though these protocols manage to
achieve these goals, their application is restricted to scenarios where
the attacker is unable to launch different kinds of attacks due to reasons
unrelated to routing protocols.
Wood et al. claim that no perfect solution exists for secure routing
protocols. Whether or not this is true, there is not any known yet.
However, there are three outstanding protocols within those described
in this chapter, each belonging to a different category. Unlike the rest
of them, two of these even consider insider attacks and protect from
them with reasonable probability.
Out of all data-centric protocols, SeRINS achieves the highest se-
curity. It is one of two abovementioned protocols that handle insider
attacks. Among hierarchical protocols, TTSR is the most promising
protocol. Like SeRINS, it considers insider attacks but comes with
the price of higher sensor cost as 2% of the nodes need to be tamper-
28
2. Secure routing protocols
29
3 Selected attacks
31
3. Selected attacks
3.1.2 Implementation
To present a basic idea behind Sybil attacks on routing protocols, one
was implemented as a part of this thesis. Overall, three attacks are
presented in this thesis. Because of this and the complexity of secure
routing protocols, the attacked routing protocol is not a secure one.
The chosen routing protocol is a modified CTP.
The difference between this protocol and vanilla CTP lies in parent
selection. While each node has only a single parent in CTP, this modi-
fication lets each sensor keep multiple parents. When the message is
being forwarded or a new message is being sent, the node chooses one
of the parent nodes for the next hop. This can be selected randomly
or in a round-robin manner. Maximum number of nodes and parent
selection method are chosen in compile time.
Even though this protocol does not mean to be secure, similar strate-
gies are used in few secure routing protocols. For example, SeRINS
uses multiple parent nodes with round-robin next-hop-node selec-
tion to protect from selective forwarding. Random node selection is
utilized to hide message originator in the SEAR protocol. However,
this implementation does not attempt to achieve a similar level of
32
3. Selected attacks
33
3. Selected attacks
34
3. Selected attacks
When the WSN routing is targeted, the goal is to convince the network
nodes they are each other’s neighbors, within each other’s radio range.
This may affect the network’s topology. Relay attack on WSN routing
is also called a wormhole attack [60] because it creates a "wormhole"
between two parties, which is able to transfer the data logically faster
(less number of hops).
Relay attack is similar to the man-in-the-middle attack but these
two attacks differ in their goal. Man-in-the-middle attack is executed in
order to modify the data before it reaches its destination but the relay
attack only causes the traffic to be routed through the attacker’s device.
After this is achieved, further attacks can be executed, including man
in the middle attack, selective forwarding/black hole, etc.
Even though a tunnel can be created between any two nodes, with
respect to WSN, the data is usually routed from all the nodes to the
base station. One of the reasonable scenarios is when the topology is
created dynamically by passing a beacon or a distance message in a
data-centric protocol, e.g. CTP.
Even though the message manipulation is not a direct goal of this
attack, it is still a serious threat as it is fairly hard to defend against it.
If the node receives a relayed message, it has no direct way to detect
it. Measuring the latency between sending and receiving of a packet
and comparing it to expected delay might prevent these attacks but
it would require the nodes to be able to determine their position and
a tight time synchronization that is highly impractical or impossible
to implement on such low-level devices. Another way to avoid this
attack is to use a protocol that is immune by its nature. Geographic
routing protocols are good examples. Hierarchical protocols also may
be immune but also may not if the protocol allows to often choose
the same cluster head. In this case, the CH announcement may be
relayed to the whole network which would lead to high amount of
nodes choosing the same node as their CH.
Involving cryptography to form a secure routing protocol does not
always help either. The attacker does not need to know the message
content in many scenarios. This is the case mostly when using relay
attack to execute a selective forwarding or a black hole attack.
35
3. Selected attacks
3.2.2 Implementation
To demonstrate the impact of this kind of attack on routing protocols,
authenticated routing protocol from SPINS protocol suite was imple-
mented together with the attack. This routing is based on µTESLA
authenticated broadcast protocol and is similar to CTP. While CTP
uses distance messages to establish a routing tree, authenticated rout-
ing proposed in SPINS relies on a single repeated message. It works in
rounds identical to µTESLA rounds and uses µTESLA key disclosure
message as a beacon. Thanks to µTESLA, the beacon is provable to
originate in the base station and also to be fresh. To ensure the shortest
path is chosen, only the sender of a first captured beacon is set as a
parent in each node. Authors claim that it is impossible for an attacker
to reroute arbitrary links within the sensor network.
However, apart from the fact that the sender’s identity is not easily
verifiable, this protocol is vulnerable to a relay attack. If the attacker
36
3. Selected attacks
manages to relay the beacon to a node far enough from the BS before
it reaches this node through the legitimate channel, he will convince it
that the message came directly from the BS. The node will seemingly
communicate with the BS and the attacker will be able to launch
further attacks, e.g. selective forwarding. Figure 3.3 shows the protocol
run including the attack.
This specific implementation uses µTESLA key disclosure packets
for beacons and packets with node’s and its parent’s ID as the data
messages. To mark the relayed messages, parent’s ID is substituted.
For a relay tunnel, UDP protocol over standard network was chosen
as an out-of-band channel. Therefore attacker’s devices consist of two
computers running standard OS (e.g. Linux) and two nodes with a
radio for in-band communication.
37
3. Selected attacks
38
3. Selected attacks
3.3.2 Implementation
To perform the attack on protocol, vulnerable protocol is required.
In this case, µTESLA was picked despite being secure when used
properly. To perform brute-force key search, either MAC key or hash
chain key needs to be chosen for the attack. This implementation
meant to perform the attack on each message separately and thus
39
3. Selected attacks
MAC key was chosen. In case of breaking the hash chain, this would be
performed only once per protocol run. To make the key searchable by
brute force, it needs to be short enough. This can be achieved either by
deliberately overwriting part of the key with constants or by choosing
an algorithm with short enough key. RC2 algorithm was chosen as
the second option seems more reasonable, it a has key with variable
size and the implementation is available with public domain license.
Both hash and MAC functions were derived from this algorithm to
save the memory.
The scenario consists of several µTESLA runs, each with message
broadcast from BS. The attacker node captures the message and sends
it to an application running on Linux host. Application finds the key,
modifies the message and computes the new MAC for the modified
data. It is then transferred back to attacker’s node which sends it
further to the network. The whole process takes up to hundreds of
milliseconds while µTESLA round lasts at least few seconds so the
MAC key is still valid with a very high probability. Figure 3.4 depicts
the scenario run.
3.4 Summary
Three attacks on WSN routing were presented, each aiming at different
vulnerability. To emphasize their real-world impact, they were all
implemented, each targeting different vulnerability of the respective
protocol.
The first examined protocol was multipath CTP - modification of
basic CTP using multiple paths to decrease the chance of attacker’s
node being chosen for the next hop in message delivery. This simple
strategy is used in multiple routing protocols. The attack implemen-
tation demonstrates that Sybil attack is an effective way to overcome
this kind of security features.
The second protocol is µTESLA-based authenticated routing from
SPINS protocol suite. Authors designed it to present possible usage sce-
nario for their protocols. It uses µTESLA key announcement messages
as beacons to form a routing tree. Authors claim that the freshness
and origin of the message can be verified by each node, which is a
valid statement, but the relay (wormhole) attack enables the attacker
40
3. Selected attacks
to create a link between arbitrary nodes that are far enough from each
other by relaying the beacon before it arrives in a legitimate way. The
link is then controlled by the attacker that can launch at least black
hole attack even if the traffic is encrypted.
The last example attack is demonstrating the possibility to offload
heavy computation from node to more powerful device like laptop
and is demonstrated on the weakened version of µTesla protocol.Both
hash and MAC functions are based on RC2 encryption algorithm with
a short key. The attack demonstrates laptop-class attacker’s possibility
of breaking security that would not be feasible on sensors themselves
and shows the need to select the right algorithms and their parameters
in such limited environments.
41
4 Arduino port of WSNProtectLayer
[61, Chapter 5] [62]
WSNProtectLayer is a security layer for wireless sensor networks run-
ning TinyOS [63]. It is implemented in nesC, a C-based event-driven
language designed for TinyOS.
WSNProtectLayer substitutes basic send and receive interfaces with
its own, secure variants. It features key distribution, message encryp-
tion and MAC, authenticated broadcast, CTP, phantom routing pro-
tocol and an intrusion detection system. ProtectLayerConfigurator
application handles key predistribution and configuration.
43
4. Arduino port of WSNProtectLayer
As described in above section, the biggest issue was the RAM size.
Original WSNProtectLayer uses more performance-oriented AES im-
plementation while using more precomputed constants that occupy
RAM space. Switching to memory-oriented implementation saved
approximately 250 bytes, which is 1/8 of the whole RAM space. On
the downside, computational-heavy function that is called multiple
times for every sent and received message is not a desired design in
WSN context but the RAM is still more precious.
The whole design was affected by memory limitations. In addition
to AES implementation swap, all the log messages have been removed
as these constants also reside in memory. Some components were
made selectable at compile time to save memory space by removing
44
4. Arduino port of WSNProtectLayer
them if not used. Other adjustments concerning low RAM size were
also made and are discussed in section 4.3.
Regarding key management, it is impossible to keep all keys in
RAM at the same time. As shown later in section 4.4, this library
consumes most of the RAM space while there should be at least some
space for an application using it. This is solved by storing all keys in
EEPROM and only loading them before actually using them. However,
there is a counter assigned to each key. As the frequent writes into
EEPROM memory would wear it out fast, all counters need to be
kept in RAM. As mentioned before, JeeLib limits number of nodes
to 30. However, this is not a real issue considering there are always
two keys associated with every node. Each key being 16 bytes long,
keys occupy 960 out of 1024 bytes of EEPROM memory. Even though
implementation counts on eventually circumventing the JeeLib library
to decrease message overhead, higher number of nodes is therefore
not applicable.
• Base station
• Regular node
45
4. Arduino port of WSNProtectLayer
• Authenticated broadcast
46
4. Arduino port of WSNProtectLayer
47
4. Arduino port of WSNProtectLayer
48
4. Arduino port of WSNProtectLayer
49
4. Arduino port of WSNProtectLayer
50
4. Arduino port of WSNProtectLayer
4.4 Testing
Static analysis was performed using Cppcheck tool and revealed no
issues. Linux part of the base station has been tested on various laptops
running Ubuntu-based operating systems and an ARM-based Orange
Pi Zero with Allwinner H2+ SoC running Armbian. Dynamic analysis
of Linux application has been performed with Valgrind.
Each feature has been tested in separate tests. The implementation
contains three demo applications:
• all nodes perform neighbor discovery and then each node sends
and receives messages to/from other nodes without base sta-
tion involvement,
• nodes form a CTP tree and forward messages to the base station,
Other functionality tests were performed as well but are not part of
the project structure.
In terms of performance, all actions associated with message send-
ing take approximately seven milliseconds. Message reception takes
similar amount of time as it involves the same operations - loading
the key from EEPROM, decryption (which is the same operation as
encryption) and MAC computation. The difference occurs only if the
first attempt fails and another decryption with different counter must
be performed together with MAC verification. This takes shorter time
as the key is already loaded. Number of executions depends on the
counter synchronization window. However, decryption or MAC verifi-
cation failure should not happen if only honest parties are involved as
messages modified by noise are filtered out by JeeLib itself by verifying
message CRC. The attacker could use this to exhaust a battery-powered
node or cause a denial of service but there are still easier ways to do
that.
Regarding the memory limitations, during AES computations
when processing message to be sent, almost 1800 bytes of memory are
consumed, corresponding to 90% of total RAM space. This means that
application using this library can only use something above 200 bytes.
51
4. Arduino port of WSNProtectLayer
52
5 Evaluation on testbed
Attacks presented in chapter 3 and WSNProtectLayer port have been
tested on laboratory testbed[69], wireless sensor network consisting
of JeeLink devices. Compared to tests mentioned in section 4.4, this
network consists of higher number of nodes. However, maximum
distance between two nodes in the network is two hops. This implies
a need to artificially adapt the protocols to enable attacks.
In case of Sybil attack, most of the nodes can receive transmission
directly from a base station. Since Sybil node never imitates a base
station, only a fraction of nodes communicated with a Sybil node.
However, this can still be considered a success.
The relay attack is based on transmitting a packet through a low-
latency channel faster than it would normally propagate through the
network. The attack implementation is designed to work on two sepa-
rate devices, utilizing UDP communication as out-of-band channel.
The channel delay combined with serial communication and retrans-
mission overhead and a low size of the network cause the packet to
reach all nodes in legitimate way faster than through the out-of-band
channel. Therefore, an artificial delay has been introduced to make
an opportunity for the attack. As most of the nodes can communicate
directly with the base station, only a low fraction of nodes was affected
by the attack.
Only the capture and brute-force attack was not affected by a net-
work size since it does not rely on message forwarding. In this case,
the attacker performs key search by brute force for each µTESLA mes-
sage and sends his own packet into the network. All the nearby nodes
receive the message. It is not forwarded by each node to prevent un-
necessary packet loss as the point of the attack is already presented
on most of the nodes.
WSNProtectLayer has been also tested within the testbed. Multi-
ple tests were performed to ensure functionality. Higher packet loss
was observed, compared to previous testing environment involving
lower number of nodes. However, this packet loss seems to be caused
by poor medium access control rather than added security features.
Randomizing message transmissions fixed these problems in all test
cases.
53
6 Conclusion
Routing protocol survey has been presented in first two chapters. It
shows that secure protocols that were derived from insecure ones by
adding security features tend to be vulnerable to various attacks. In
general, protocols designed to be secure right from the beginning offer
significantly better security but tradeoffs, like several tamper-proof
nodes need to be made even in this case. It also shows that there is
no universal panacea for all scenarios and the protocol needs to be
picked that suits the requirements.
In most cases, even if authors of WSN routing protocols name them
"secure", these protocols defend only against selected types of attacks
and do not consider any other threats.
Third chapter presents three attacks on this kind of WSN routing
algorithms. A protocol has been implemented for each attack, uti-
lizing security features from secure routing protocols discussed in
chapter 2. It shows the possibility of attacks even on secure protocols
and demonstrates the impact on practical examples.
The last part is dedicated to Arduino port of WSNProtectLayer
project. The basic functionality has been implemented, taking low
resources into account and thus leaving some advanced features out.
The library has been tested on laboratory testbed in various use case
scenarios.
55
Bibliography
1. MOHAJERZADEH, A. H.; YAGHMAEE, M. H.; YAZDI, H. S.; REZAEE,
A. A. A fair routing protocol using generic utility based approach in
Wireless Sensor Networks. In: 2009 International Conference on Ultra
Modern Telecommunications Workshops. 2009, pp. 1–4. ISSN 2157-0221.
Available from DOI: 10.1109/ICUMT.2009.5345348.
2. KARL, Holger; WILLIG, Andreas. Protocols and Architectures for Wire-
less Sensor Networks. John Wiley & Sons, 2005. ISBN 0470095105.
3. KAUR, Gurwinder. Energy Efficient Topologies For Wireless Sensor
Networks. 2012, vol. 3, pp. 179–192.
4. GOYAL, D.; TRIPATHY, M. R. Routing Protocols in Wireless Sen-
sor Networks: A Survey. In: 2012 Second International Conference on
Advanced Computing Communication Technologies. 2012, pp. 474–480.
ISSN 2327-0632. Available from DOI: 10.1109/ACCT.2012.98.
5. KUMAR SINGH, Shio; P SINGH, M; SINGH, Dharmendra. Routing
Protocols in Wireless Sensor Networks - A Survey. 2010, vol. 1.
6. MATIN, M.A.; ISLAM, M.M. Overview of Wireless Sensor Network. In:
MATIN, Mohammad A. (ed.). Wireless Sensor Networks - Technology
and Protocols. Rijeka: InTech, 2012, chap. 01. Available from DOI:
10.5772/49376.
7. SHARMA, Suraj; JENA, Sanjay Kumar. A Survey on Secure Hierarchi-
cal Routing Protocols in Wireless Sensor Networks. In: Proceedings of
the 2011 International Conference on Communication, Computing &
Security. Rourkela, Odisha, India: ACM, 2011, pp. 146–151. ICCCS
’11. ISBN 978-1-4503-0464-1. Available from DOI: 10.1145/1947940.
1947972.
8. FELEMBAN, E.; LEE, Chang-Gun; EKICI, E. MMSPEED: multipath
Multi-SPEED protocol for QoS guarantee of reliability and. Timeli-
ness in wireless sensor networks. IEEE Transactions on Mobile Com-
puting. 2006, vol. 5, no. 6, pp. 738–754. ISSN 1536-1233. Available
from DOI: 10.1109/TMC.2006.79.
57
BIBLIOGRAPHY
58
BIBLIOGRAPHY
59
BIBLIOGRAPHY
60
BIBLIOGRAPHY
61
BIBLIOGRAPHY
62
BIBLIOGRAPHY
48. KUMAR, S.; JENA, S. SCMRP: Secure cluster based multipath rout-
ing protocol for wireless sensor networks. In: 2010 Sixth Interna-
tional conference on Wireless Communication and Sensor Networks. 2010,
pp. 1–6. Available from DOI: 10.1109/WCSN.2010.5712294.
49. DURRANI, N. M.; KAFI, N.; SHAMSI, J.; HAIDER, W.; ABBSI, A. M.
Secure multi-hop routing protocols in Wireless Sensor Networks: Re-
quirements, challenges and solutions. In: Eighth International Confer-
ence on Digital Information Management (ICDIM 2013). 2013, pp. 41–
48. Available from DOI: 10.1109/ICDIM.2013.6694001.
50. DU, X.; GUIZANI, M.; XIAO, Y.; CHEN, H. H. Two Tier Secure Routing
Protocol for Heterogeneous Sensor Networks. IEEE Transactions on
Wireless Communications. 2007, vol. 6, no. 9, pp. 3395–3401. ISSN
1536-1276. Available from DOI: 10.1109/TWC.2007.06095.
51. DU, Xiaojiang; XIAO, Yang; GUIZANI, Mohsen; CHEN, Hsiao Hwa.
An effective key management scheme for heterogeneous sensor
networks. Ad Hoc Networks. 2007, vol. 5, no. 1, pp. 24–34. ISSN 1570-
8705. Available from DOI: 10.1016/j.adhoc.2006.05.012.
52. KARP, Brad; KUNG, H. T. GPSR: Greedy Perimeter Stateless Rout-
ing for Wireless Networks. In: Proceedings of the 6th Annual Interna-
tional Conference on Mobile Computing and Networking. Boston, Mas-
sachusetts, USA: ACM, 2000, pp. 243–254. MobiCom ’00. ISBN 1-
58113-197-6. Available from DOI: 10.1145/345910.345953.
53. WOOD, Anthony D.; FANG, Lei; STANKOVIC, John A.; HE, Tian.
SIGF: A Family of Configurable, Secure Routing Protocols for Wire-
less Sensor Networks. In: Proceedings of the Fourth ACM Workshop on
Security of Ad Hoc and Sensor Networks. Alexandria, Virginia, USA:
ACM, 2006, pp. 35–48. SASN ’06. ISBN 1-59593-554-1. Available
from DOI: 10.1145/1180345.1180351.
54. HU, Yih-Chun; PERRIG, Adrian; JOHNSON, David B. Rushing At-
tacks and Defense in Wireless Ad Hoc Network Routing Protocols.
In: Proceedings of the 2Nd ACM Workshop on Wireless Security. San
Diego, CA, USA: ACM, 2003, pp. 30–40. WiSe ’03. ISBN 1-58113-769-
9. Available from DOI: 10.1145/941311.941317.
63
BIBLIOGRAPHY
55. ZHU, Sencun; SETIA, Sanjeev; JAJODIA, Sushil. LEAP: Efficient Secu-
rity Mechanisms for Large-scale Distributed Sensor Networks. In:
Proceedings of the 10th ACM Conference on Computer and Communica-
tions Security. Washington D.C., USA: ACM, 2003, pp. 62–72. CCS ’03.
ISBN 1-58113-738-9. Available from DOI: 10.1145/948109.948120.
56. TANG, D.; JIANG, T.; REN, J. Secure and Energy Aware Routing
(SEAR) in Wireless Sensor Networks. In: 2010 IEEE Global Telecom-
munications Conference GLOBECOM 2010. 2010, pp. 1–5. ISSN 1930-
529X. Available from DOI: 10.1109/GLOCOM.2010.5685225.
57. TANG, D.; LI, T.; REN, J. Quantitative security and efficiency analysis
of SEAR in wireless sensor networks. In: 2012 IEEE International
Conference on Communications (ICC). 2012, pp. 944–948. ISSN 1550-
3607. Available from DOI: 10.1109/ICC.2012.6364386.
58. TANG, D.; LI, T.; REN, J.; WU, J. Cost-Aware SEcure Routing (CASER)
Protocol Design for Wireless Sensor Networks. IEEE Transactions
on Parallel and Distributed Systems. 2015, vol. 26, no. 4, pp. 960–973.
ISSN 1045-9219. Available from DOI: 10.1109/TPDS.2014.2318296.
59. YIN, Jian; MADRIA, S. K. A hierarchical secure routing protocol
against black hole attacks in sensor networks. In: IEEE International
Conference on Sensor Networks, Ubiquitous, and Trustworthy Comput-
ing (SUTC’06). 2006, vol. 1. Available from DOI: 10 . 1109 / SUTC .
2006.1636203.
60. HU, Yih-chun; PERRIG, Adrian; B. JOHNSON, David. Wormhole
Detection in Wireless Ad Hoc Networks. 2002.
61. MATYÁŠ, Vashek; ŠVENDA, Petr; STETSKO, Andriy; KLINEC, Dušan;
JURNEČKA, Filip; STEHLÍK, Martin. Securing Cyber-Physical Sys-
tems. WSNProtectLayer: Security Middleware for Wireless Sensor
Networks. Ed. by PATHAN, Al-Sakib Khan. CRC Press, Inc., 2015.
ISBN 1498700985, 9781498700986.
62. CENTRE FOR RESEARCH ON CRYPTOGRAPHY AND SECURITY.
WSNProtectLayer [online] [visited on 2018-05-09]. Available from:
https://github.com/crocs-muni/WSNProtectLayer.
63. LEVIS, P. et al. TinyOS: An operating system for sensor networks. In:
in Ambient Intelligence. Springer Verlag, 2004.
64
BIBLIOGRAPHY
65
A Data attachment
Source code attachment contains following directories:
attacks\ - source code of attack scenarios
Sybil_routing\ - Sybil attack on multipath CTP
Relay_SPINS\ - relay attack on SPINS protocol
CBF\ - capture & brute-force attack
aes\ - AES implementation
rc2\ - RC2 implementation
uTESLA_AES\ - AES-based µTESLA implementation
67