Module 3

Wireless sensor networks face several security challenges including limited processing capability, inability to secure wireless transmissions, vulnerability to physical tampering, and constrained energy resources. Common attacks exploit these weaknesses and include eavesdropping on traffic, injecting false data, jamming the network, and resource consumption attacks. Effective security measures are needed to provide data confidentiality, authenticity, integrity, and freshness given the constraints of wireless sensor networks.

Uploaded by

Ritu Parna

WSN SECURITY CHALLENGES, ATTACK ANALYSIS

Rituparna Chaki
rchaki@ieee.org
Security challenges

 Motes of a WSN have limited processing capability and memory; therefore,
computation-intensive public-key cryptography is unavailable for their use.
 The inability to secure the wireless medium (an issue common to all wireless
networking devices) leaves WSNs vulnerable to the eavesdropping of
traffic, the leaking of data to neighbor networks, the injection of spurious
data into the network, and jamming of the network.
 Because WSNs are often deployed in unsecured, publicly accessible areas, there
exists the possibility of physical tampering and destruction of the devices.
 WSN motes are powered by batteries, so power (or energy) conservation is
critical. WSN motes can run at full power for approximately two weeks only.
This dependence on energy exposes WSNs to threats in the form of resource
consumption attacks.

Security Challenges

 Open to all:
A wireless channel is open to everyone. With a radio interface
configured at the same frequency band, anyone can monitor or
participate in communications.
 No security consideration during the design of protocols:
Most protocols for WSNs do not include potential
security considerations at the design stage and are known
publicly. Therefore, attackers can easily launch attacks by
exploiting security holes in those protocols.

 Resource constrained:
Resource constraints make it very difficult to implement strong security algorithms
on a sensor platform due to the complexity of the algorithms.
 High scalability:
A WSN can scale up to thousands of sensor nodes. This creates a demand
for simple, flexible, and scalable security protocols.
 Cost effectiveness:
A stronger security protocol costs more resources on sensor nodes, which can
lead to the performance degradation of applications.
Weak security protocols can be broken easily by attackers and thus pose a
great threat to the sensor networks.
 Hostile deployment scenarios:
A WSN is usually deployed in hostile areas without any fixed infrastructure.
Thus, it is difficult to perform continuous surveillance after network deployment, so it
may be susceptible to various kinds of attacks.

Data Security Requirements

 Confidentiality: This is the basic security service in a WSN. Here we
have to maintain the secrecy of the data transmitted between the sensor
nodes. As long as the event-sensing nodes are not compromised, the
confidentiality of the corresponding data report should not be
compromised by the compromise of any other nodes, including the
intermediate nodes along the report forwarding route. Both the data and
the header part may be encrypted.
 Authenticity: Data reports collected by WSNs are usually sensitive and highly
critical, such as in military applications as well as in some civilian
applications, and hence it is critical to ensure the identity of the sensor
nodes by authenticating them. A compromised node can always send
false or modified messages; encryption cannot play a vital role here. Every
node should check whether the message has come from a real sender. A
message authentication code (MAC) can be used to authenticate the origin
of the message.

 Integrity: Integrity is provided to check that the sent message has not been
modified by an intruder. The contents of the message can be deleted or
modified by the attacker. This may be prevented by providing a message
authentication code.
 Data Freshness: Data freshness means that the data is recent and up to date, and
ensures that no old messages have been repeated and then relayed by the
attacker. To solve this problem, a nonce or another time-related counter
can be added to the packet to ensure data freshness.
 Self-Organization: A wireless sensor network is ad hoc in nature and each
node should be independent and flexible enough to organize itself
according to the environment. Due to the infrastructure-less nature of a WSN, there
are many challenges imposed on its network security. If self-organization
is lacking in a sensor network, the damage resulting from an
attack or even the risky environment may be devastating.

 Time Synchronization:
Time synchronization is an important feature of most
sensor network applications. Furthermore, sensors may wish to
compute the end-to-end delay of a packet transmitted between two
sensors. A more collaborative sensor network may require group
synchronization for tracking applications.
 Secure Localization:
Often, the utility of a sensor network will rely on its ability to
accurately and automatically locate each sensor in the network. A
sensor network designed to locate faults will need accurate location
information in order to locate the exact location of a fault.
Unfortunately, an attacker can easily manipulate non-secured location
information by reporting false signal strengths or replaying signals.
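The MAC check (authenticity, integrity) and the counter check (data freshness) listed above can be combined in one receive path. The Python sketch below is an added example, not part of the original slides; the packet layout (2-byte node ID, 4-byte counter, payload, 8-byte truncated HMAC-SHA256 tag), the per-node key table and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HI")  # assumed layout: node ID (2 bytes), counter (4 bytes)
TAG_LEN = 8                    # assumed truncated tag length, to suit small radio frames


def _tag(key, header, payload):
    # The MAC covers header and payload, so neither can be altered unnoticed.
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(key, node_id, counter, payload):
    header = HEADER.pack(node_id, counter)
    return header + payload + _tag(key, header, payload)


class Receiver:
    """Sink-side check: origin and integrity via MAC, freshness via counter."""

    def __init__(self, node_keys):
        self.node_keys = dict(node_keys)  # node ID -> shared symmetric key
        self.last_counter = {}            # node ID -> highest counter accepted

    def accept(self, packet):
        if len(packet) < HEADER.size + TAG_LEN:
            return False, "malformed"
        header = packet[:HEADER.size]
        payload = packet[HEADER.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        node_id, counter = HEADER.unpack(header)
        key = self.node_keys.get(node_id)
        if key is None:
            return False, "unknown sender"
        # Verify the MAC before touching counter state, so a forged packet
        # cannot advance the counter and lock out the genuine node.
        if not hmac.compare_digest(tag, _tag(key, header, payload)):
            return False, "bad MAC"
        if counter <= self.last_counter.get(node_id, -1):
            return False, "replayed or stale counter"
        self.last_counter[node_id] = counter
        return True, payload


def demo():
    key = b"constructed-demo-key-node-7"  # constructed sample key
    rx = Receiver({7: key})
    genuine = build_packet(key, 7, 1, b"temp=21.5")
    # Modification: payload changed in transit, original tag kept.
    tampered = genuine[:HEADER.size] + b"temp=99.9" + genuine[-TAG_LEN:]
    # Fabrication: outsider without the key claims a large counter value.
    forged = build_packet(b"outsider-without-key", 7, 500, b"temp=0.0")
    return [
        rx.accept(genuine),
        rx.accept(genuine),   # replay of an already accepted packet
        rx.accept(tampered),
        rx.accept(forged),
        rx.accept(build_packet(key, 7, 2, b"temp=21.6")),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A node whose key has been extracted still produces valid tags, so this check addresses outsiders only.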

Attacks based on capability of Attacker

 Active/Passive
 Outsider/Insider
 Mote Class/Laptop Class

Active attacks

 Disrupt the packets that are destined for other nodes in
the network.
 Attackers offer an attractive route to the destination
node, so the source node can easily choose that path
for packet forwarding. The malicious node then collects
all the packets and destroys them, drops them, or
forwards them on a false route.
 The destination node does not receive the packets sent
by the source node.

Passive attacks

 An attacker does not actively participate in
decreasing the network performance.
 It collects information about the source node, the
destination node, and the route established between
them.
 The information is then forwarded to other malicious
nodes that in turn launch attacks like denial of service
(DoS).

 Outsider attacks are attacks from nodes outside a
WSN, while insider attacks occur when legitimate
inner nodes of a WSN behave in unauthorized ways.
To overcome these attacks, we require robustness
against outsider attacks, resilience to insider
attacks, graceful degradation with respect to node
compromise, and realistic levels of security.

 Mote-class versus laptop-class attacks:
 The former consists of an attacker attacking a WSN
by using a few nodes with similar capabilities to the
network nodes, whereas the latter consists of an
adversary that can use more powerful devices (e.g., a
laptop) to attack a WSN. These devices have greater
transmission range, processing power, and energy
reserves than the network nodes.

Attacks Based on the information being transmitted

 Interruption
 Interception
 Modification
 Fabrication
 Replaying

Interruption
 A communication link in the sensor network becomes lost or
unavailable. This causes the service to malfunction. The
main purpose is to launch denial-of-service (DoS) attacks. This is
aimed at all layers of the WSN protocol stack.
Interception
 An interception means that some unauthorized party has gained
access to the network and to its nodes along with the data. An
example of this type of attack is a node capture attack. This
threatens message confidentiality. The main purpose is to
eavesdrop on the information carried in the messages. This
operation is usually aimed at the application layer of the WSN
protocol stack.
Modification
 An unauthorized party not only accesses the data but also tampers with it. This threatens
message integrity. The main purpose is to confuse or mislead the parties involved in
the communication protocol. This is usually aimed at the network layer and the
application layer of the WSN protocol stack, because of the richer semantics of these
layers.
Fabrication
 An unauthorized party inserts spurious data and compromises the trustworthiness of
information. This threatens message authenticity. The main purpose is to confuse or
mislead the parties involved in the communication protocol. This operation can also
facilitate DoS attacks by flooding the network.
Replaying existing messages
 This operation threatens message freshness. The main purpose of this operation is to
send the same messages again and again, or to send old messages on the
communication link, in order to confuse or mislead the parties involved in a
communication protocol that is not time-aware.

Attacks based on Origin of Information

 Host based/Network Based

Host-based Attacks

 User compromise: This involves compromising the users of a
WSN, e.g. by cheating the users into revealing information such
as passwords or keys about the sensor nodes.
 Hardware compromise: This involves tampering with the
hardware to extract the program code, data and keys stored
within a sensor node. The attacker might also attempt to load its
own program in the compromised node.
 Software compromise: This involves breaking the software
running on the sensor nodes. Chances are the operating system
and/or the applications running in a sensor node are vulnerable
to popular exploits such as buffer overflows.
Network based Attacks

This consists of two types of attacks: layer-specific
attacks and protocol-specific attacks. It includes
attacks such as attacks on information in transit and
deviating from protocol.
Attacks based upon protocol Stack

Layer-Specific Attacks

Network Layer: Routing cache poisoning, Blackhole, Wormhole, Sleep deprivation, Rushing attack
Transport Layer: SYN flooding, Session hijacking
Application Layer: Malicious code
Multilayer: Denial of service, Impersonation, Man-in-the-middle, Eavesdropping

DoS attack

Physical Layer: Intentional (jamming), Unintentional (interference)
MAC Layer: Intentional (masquerading), Unintentional (interference)
Layer Specific Attacks

 An attacker can employ signal jamming at the physical layer,
which disrupts normal communications.
 At the link layer, malicious nodes can occupy channels through
the capture effect, which takes advantage of the binary
exponential scheme in MAC protocols and prevents other nodes
from channel access.
 At the network layer, the routing process can be interrupted
through routing control packet modification, selective dropping,
table overflow, or poisoning.
 At the transport and application layers, SYN flooding, session
hijacking, and malicious programs can cause DoS attacks.

Attacks depending on the Technique

Consequence of Attack | Attack Techniques
Blackhole | False Source Route, Maximum Sequence, Rushing
Selfishness & Denial-of-Service | Packet Dropping
Sleep Deprivation | Malicious Flooding
Routing Loop | Spoofing
Location Disclosure | Cache poisoning
Information Theft | Worm Hole

Blackhole Attack

• The malicious node (M) induces a possible routing link
between the devices targeted by the attack.
• M emits protocol-compliant messages to lead
both S and D to choose this link for their
communications.

[Figure: example network topology with nodes S, A, B, C, D, E and F]

Hello Flood Attack

 A node receiving Hello packets may assume that it is
in radio range of the sender.
 A laptop-class adversary can send this kind of packet
to all sensor nodes in the network so that they
believe the compromised node is one of their
neighbors.
 This causes a large number of nodes to send packets
to this imaginary neighbor and thus into oblivion.
Wormhole attack

 Two attackers, connected by a high-speed off-channel
link, are strategically placed at different ends of a
network.
 These attackers then record the wireless data they overhear,
forward the data to each other, and replay the packets at the
other end of the network.

[Figure: example network topology with nodes S, A, B, C, D, E and F and attacker nodes M1 and M2]
Tunnel packets from one part of the network and replay them in a different part.

SYN flooding attack

 The attacker creates a large number of half-opened
Transmission Control Protocol (TCP) connections with a
victim node, but never completes the handshake to fully
open the connection.
 The nodes are allowed to communicate only when the
connection is fully opened. If the connection is half
opened, that prevents any further communication.

Malicious code attacks

 Caused by viruses, worms, spyware, and Trojan
horses. They can attack both operating systems and
user applications.
 These malicious programs can usually spread themselves
through the network and cause the computer system
and network to slow down or even be damaged.
 In WAN, an attacker can produce attacks similar to
those of the mobile system of the ad-hoc network.

Viruses, worms, trojans, …

 Code that breaks your security policy.

 Characteristics:
 Attack vector:
• Social engineering (make them want to run it)
• Vulnerability exploitation (force your way into the system)
• Piggybacking (make it run when other programs run)
 Payload: make use of flaws in software input handling,
e.g. buffer overflow attacks.

Identity theft (or MAC spoofing)

 Most wireless systems allow some kind of MAC
filtering to only allow authorized computers with
specific MAC IDs to gain access and utilize the
network.
 However, a number of programs exist that have
network “sniffing” capabilities.
 A malicious user can listen in on network traffic and
identify the MAC address of a computer with network
privileges.

Man-in-the-middle in wireless LAN

 The attacker entices computers to log into a device which is
set up as a soft AP (Access Point).
 Once this is done, the hacker connects to a real access
point through another wireless card, offering a steady flow
of traffic through the transparent hacking computer to the
real network.
 The hacker can then sniff the traffic. One type of
man-in-the-middle attack relies on security faults in challenge and
handshake protocols to execute a “de-authentication
attack”.

Denial of Service Attack

 A selfish node is not actually keen to attack the other
nodes. It does not want to spend its energy, CPU cycles, or
available network bandwidth to forward packets not of
direct interest to it.
 It expects other nodes to forward packets on its behalf.
The reason behind this is “saving one’s own resource” by
saving battery power, CPU cycles, or protecting wireless
bandwidth in a certain direction.
 Prevent legitimate users of a service from using that
service.

[Figure: DoS attack, showing malicious node M, nodes N0 to N6, and false RREQ packets]

 The aftermath of DoS attacks ranges from crippling
the network performance to completely bringing it
down.
 For an organization that has critical operations like
point of sale, security cameras over a wireless
network, surveillance systems etc., any hiccup in the
network can have a severe impact on its business.
Jamming Attack

 A jamming device or a compromised node relentlessly
transmits radio signals with the intention of blocking
legitimate access to the medium and/or interfering
with reception at receiving nodes.
 The intention of the attacker is to cause disruption in
the data communication, resulting in excessive power
consumption and long waiting times.
Jamming techniques

 Constant jamming
 Radio signals are emitted continuously with intervals. This
type of jamming causes two things:
 The signals from the jammers keep the medium busy and
therefore transmissions are deferred at the transmitting
node, and/or
 At the receiving node reception is interfered with due to the
signals transmitted by the jammers.
 Deceptive jamming
 Radio signals are continuously transmitted with regular
intervals.
Counter-jamming

 Avoidance, detection and mitigation.
 Avoid it completely by switching over to a wired medium
or moving the AP and/or devices away from the range of
jamming devices.
 Continuous monitoring to detect any potential malicious
activity by a jammer.
 The mechanism consists of a subset of nodes within a
WLAN, which act as network monitors, and a detection
algorithm at each monitoring node. A quantity is observed
at each monitoring node to detect the presence of
jamming.
 During the training period, the probability of collision
is carefully studied as a long-term average of the ratio
of the number of slots in which there was a collision to
the total number of slots in the training period.
 During the real-time operation of the WLAN, the
probability of collision observed is compared with the
learned long-term average from the training period.
When a wireless data network is under attack,
changes will occur in the signal behavior.
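The training and real-time comparison described above can be expressed as a small monitor. This Python sketch is an added example, not part of the original slides; the sliding-window length, the alarm margin, the slot traces and all names are assumptions, since the slides only state that the observed collision probability is compared with the learned long-term average.

```python
from collections import deque


def collision_probability(slots):
    """Ratio of slots with a collision to all slots (True means collision)."""
    slots = list(slots)
    if not slots:
        raise ValueError("need at least one observed slot")
    return sum(1 for s in slots if s) / len(slots)


class CollisionMonitor:
    """Detection logic for one monitoring node."""

    def __init__(self, training_slots, window=50, margin=0.15):
        # Training period: learn the long-term average collision probability.
        self.baseline = collision_probability(training_slots)
        # Assumed parameters: the last `window` slots form the real-time
        # estimate; `margin` is the tolerated rise above the baseline.
        self.recent = deque(maxlen=window)
        self.margin = margin

    def observe(self, collided):
        """Record one slot; return True when jamming is suspected."""
        self.recent.append(bool(collided))
        if len(self.recent) < self.recent.maxlen:
            return False  # window not yet full, estimate too noisy to use
        observed = sum(self.recent) / len(self.recent)
        return observed - self.baseline > self.margin


def first_alarm_slot(monitor, live_slots):
    """Index of the first slot at which the monitor raises an alarm, or None."""
    for index, collided in enumerate(live_slots):
        if monitor.observe(collided):
            return index
    return None


# Constructed sample traces (not measurements).
TRAINING = [i % 10 == 0 for i in range(200)]  # 10% of slots collide
QUIET = [i % 10 == 0 for i in range(100)]     # normal operation
JAMMED = [i % 5 < 3 for i in range(100)]      # 60% of slots collide

if __name__ == "__main__":
    monitor = CollisionMonitor(TRAINING)
    print("baseline:", monitor.baseline)
    print("first alarm at live slot:", first_alarm_slot(monitor, QUIET + JAMMED))
```

With these traces the jammer starts at live slot 100; a shorter window or smaller margin alarms sooner but raises the false-alarm rate under ordinary contention.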

Resource exhaustion attacks

 Legitimate clients are denied the services originally
intended for them.
 A wireless client regularly scans the wireless environment
around it to find APs in the vicinity by
broadcasting probe requests.
 On receiving a probe request from a client, APs respond
by sending out information about their
wireless network so that the client can authenticate and
then associate with them.
 An attacker targets APs by sending out large volumes of
probe requests, faking the MAC address in each request.
Probe-request flooding

 This tricks APs into believing that they have been receiving
probe requests from several wireless clients.
 APs are therefore forced to respond to these requests,
which in turn increases processor and memory utilization.
 When legitimate clients send probe
requests during this time, the response to such requests is delayed.
 Eventually, when all the memory and processing resources
are consumed, requests from legitimate clients are no
longer served.
Authentication flooding

 The attacker sends bursts of request frames to APs,
each holding a spoofed MAC address.
 Each such frame tries to authenticate a client to an
AP.
 When faced with torrential authentication
requests, the AP commits its processor to serving the
requests and allocates memory to maintain a state table.
 APs fail to respond to authentication requests coming
from legitimate clients.
 APs also maintain an association table.
 If an attacker has cracked the network password
and/or SSID, several non-existent clients can be
associated with an AP by spoofing an authentication
request followed by an association request.
 This results in overflowing of the association table,
because there is a limit on the number of client
associations an AP can have.

 This is relatively harder for an attacker to carry out, as
the password and/or SSID of the network has to be
cracked first.
 Even without knowledge of the network password,
authentication flooding can be carried out, but APs more or
less remain unperturbed. A failed authentication request
will not result in overflowing of the association table or state
table; it only takes up processor time for pre-processing
of requests.
 Strong authentication methods also go a long way in
preventing authentication and association flood attacks.
De-authentication Flooding attack

 Before communication between a client and an AP starts,
the client has to authenticate itself with the AP.
 The de-authentication message is part of the whole
authentication process, through which clients and APs can
request to de-authenticate from each other.
 There is no secure authentication method employed for
this. Therefore an attacker can easily spoof a
de-authentication message.
 An attacker sends spoofed de-authentication messages to
an AP with the MAC address of its clients.
Multilevel Attacks

 This attack is carried out:
 To capture a hidden SSID, because SSIDs are sometimes
cloaked and not broadcast.
 To capture authentication handshaking between
client(s) and AP.
 To generate ARP frames for carrying out a WEP replay
attack.
 To trick clients into connecting to a rogue AP or honeypot
AP.
Sybil & Flooding attack

 Nodes are vulnerable to tampering or physical harm.
 In a Sybil attack, a single node presents multiple
identities to other nodes in the network.
 In the case of flooding, many connection requests are
sent until the resources required by each connection
are exhausted or reach a maximum limit.
 Eventually the node’s resources are exhausted and
it is rendered useless.

De-synchronization attack

 In the de-synchronization attack, the attacker
repeatedly forges messages to one or both end
points which request transmission of missed frames.
 These messages are again transmitted, and if the
attacker maintains proper timing, it can prevent the
end points from exchanging any useful information.
Path based DoS, Overwhelm attack, Deluge or reprogram attack

 A path-based DoS attack involves sending extra or replayed
packets into the network at the leaf nodes. This occupies the
resources of the entire network and starves the legitimate
traffic.
 In an Overwhelm attack, an attacker might attempt to overwhelm
network nodes with sensor stimuli, causing the network to
forward large volumes of traffic to a base station.
 This attack also consumes network bandwidth and drains node
energy.
 In a Deluge (reprogram) attack, the network programming system
lets the intruder remotely reprogram nodes.
Why not Crypto?

 Can’t prevent traffic analysis
 Can’t prevent re-transmitted packets
 Can’t prevent replayed packets
 Can’t prevent delayed packets
 Can’t prevent packets from being jammed
 Can’t prevent malicious insiders, captured nodes
Crypto doesn’t automatically make X secure, where:
 X = network programming
 Attacker could replay old programs
 X = time synchronization
 Attacker could delay beacon packets, propagating wrong timing
 X = routing
 Some attacks on next node
 X = localization
 Attack in three nodes
 X = aggregation
 Attacks after a few more nodes

Security Management Schemes

Low-Level
 Key Establishment
 Robustness in Communication
 Secrecy & authentication
 Privacy
 Secure Routing
 Resilience
High Level
 Intrusion Detection
 Secure Group Management
Key-establishment

 Setting up of the symmetric keys.
 Communication patterns can be unicast, local
broadcast and global broadcast.
 Node keys, cluster keys and network keys.
 The disadvantage of this approach is that there is no
tamper resistance, and attackers can generate all
the keys and break the privacy of the network.
Secrecy & Authentication

 Cryptography is the standard technique for defense.
 For point-to-point communication, end-to-end
cryptography achieves a high level of security but
requires that keys be set up among all end points and
is incompatible with passive participation and local
broadcast.
Privacy

 There are many risks to sensor networks, like
illegitimate users accessing the network for
unanticipated usage.
 Providing awareness of the presence of sensor nodes
and data acquisition is particularly important.
Secure Routing

 Sensor networks should be designed to continue
functioning even in the presence of faults.
 This robustness against physical challenges may
prevent some classes of DoS attacks.
Resilience to node capture

 Most applications deploy sensors in locations that
are easily accessible to attackers.
 Some of the defense techniques are Tamper-resistant
packaging, Algorithmic solutions, Hashing technique,
and gathering of multiple redundant views of the
environment to cross check them for consistency.
Secure group management

 Important to establish trusted communication.
 The formation of secure groups in a sensor network
with low communication complexity, and an
efficient solution to maintain such multicast groups, are
important.
 In-network data aggregation and analysis can be
performed by groups of nodes.
Intrusion detection

 An intrusion can be defined as a set of activities that
can lead to illegitimate access to or alteration of
information in a certain system.
 Intrusion Detection Systems monitor the networks,
detect any possible intrusions and send the alert
message to the user.
Secure Data Aggregation

 The data collected from the individual nodes is
aggregated at the base station.
 The compromised nodes can be used to inject false
data that leads to incorrect aggregates being
computed at the base station.
 All aggregation locations must be secured.
