Wireless Security in the Real World: Using Physical Properties to Mitigate Wormhole Attacks SIGNET Seminar University of Delaware 15 September 2004 David Evans (work with Lingxuan Hu) University of Virginia Computer Science
2 Computing is Entering the Real World
Desktop PC: protected box; narrow interface; one machine per user/admin
Sensor network: unprotected nodes; wide interface; thousands of nodes per admin
3 …this Changes Security
Desktop PC: access control, perimeters, authenticity
Sensor network: resource consumption; integrity, survivability, resilience
4 Challenges in Sensor Networks –Vulnerable communication channels –Physically vulnerable devices –Limited energy –No (or little) established infrastructure –Depend on other nodes to accomplish anything
5 New Opportunities Embedded in an environment –Physical properties of the environment constrain reality (space) –Inertia: it takes time for things to change Quantity –Many redundancies
6 This Talk Two protocols for sensor networks: –Secure neighbor discovery protocol that uses space and quantity. –Localization protocol that uses space, time and quantity.
L. Hu and D. Evans. Using Directional Antennas to Prevent Wormhole Attacks. NDSS.
L. Hu and D. Evans. Localization for Mobile Sensor Networks. MobiCom 2004.
7 Wormhole Attacks
8 Wormhole Attack [figure: nodes S, D, A, B, C; wormhole endpoints X and Y; pirate image by Donald Synstelien] The attacker needs transceivers at two locations in the network, connected by a low-latency link. The attacker replays (selectively) packets heard at one location at the other location.
9 Beacon Routing Nodes select parents based on minimum hops to base station
10 Wormhole vs. Beacon Routing [figure: beacon routing tree with wormhole endpoints X and Y] Wormhole attack disrupts the network without needing to break any cryptography! [Karlof and Wagner, 2003] [Hu, Perrig, Johnson 2003]
11 Wormhole Impact [plot: fraction of routes to base station disrupted vs. position of wormhole endpoint (x,x); base station at corner vs. base station at center] A randomly placed wormhole disrupts ~5% of links. A single wormhole can disrupt 40% of links (base station at center).
12 Previous Solution: Use Arrival Time “Leashes” constrain the distance a packet can travel.
Geographical leashes: nodes know their location –Sender includes its location and send time in packet –Receiver checks distance to sender
Temporal leashes: tightly synchronized clocks –Sender sets expiration time when sending packet
Drawback: requires clock synchronization or accurate localization
Yih-Chun Hu, Perrig and Johnson. INFOCOM 2003
13 Our Approach Use directional information –Directional antennas can identify direction of sender Exploit simple physical properties of space Cooperate with neighbors (in different locations) to validate legitimacy of other nodes No clock synchronization or location information required
14 Directional Antennas Model based on [Choudhury and Vaidya, 2002] General benefits: power saving, fewer collisions [figure: six antenna zones aligned to magnetic North, so zone 1 always faces East; omnidirectional transmission vs. directional transmission from zone 4]
15 Assumptions –Legitimate nodes can establish secure node-node links (all critical messages are authenticated) –Network is fairly dense –Nodes are stationary –Most links are bidirectional (unidirectional links cannot be established) –Transmissions are perfect wedges (relaxed later) –Nodes are aligned perfectly (relaxed later)
16 Protocol Idea Wormhole attack depends on a node that is not nearby convincing another node it is Verify neighbors are really neighbors –Directional consistency Only accept messages from verified neighbors
17 Directional Neighbor Discovery
1. A → Region: HELLO | ID_A (sent by all antenna elements, sweeping)
2. B → A: ID_B | E_KBA(ID_A | R | zone(B, A)) (sent by the zone(B, A) element; R is a nonce)
3. A → B: R (A checks that the zone is opposite; sent by the zone(A, B) element)
zone(B, A) is the antenna zone in which B hears A (zone(B, A) = 4 in the figure).
18 Detecting False Neighbors [figure: A, B, wormhole endpoints X and Y] zone(B, A[Y]) = 1, zone(A, B[X]) = 1. False neighbor detected: zone(A, B) should be opposite zone(B, A).
19 Not Detecting False Neighbors [figure: A, B, wormhole endpoints X and Y] zone(B, A[Y]) = 4, zone(A, B[X]) = 1. Undetected false neighbor: zone(A, B) = opposite of zone(B, A). Directional neighbor discovery prevents 1/6 of false direct links…but doesn’t prevent disruption.
20 Observation: Cooperate! A wormhole can only trick nodes in particular locations. Verify neighbors using other nodes: based on the direction from which you hear the verifier node, and the direction in which it hears the announcer, you can distinguish a legitimate neighbor.
21 Verifier Region [figure: verifier V with zone(B, A) = 4, zone(B, V) = 5] A verifier must satisfy these two properties:
1. Be heard by B in a different zone: zone(B, A) ≠ zone(B, V), otherwise V could be through the wormhole
2. B and V hear A in different zones: zone(B, A) ≠ zone(V, A), otherwise A could have tricked V too
(one more constraint will be explained soon)
22 Verified Neighbor Discovery
1. A → Region: announcement, done through sequential sweeping
2. B → A: include nonce and zone information in the message
3. A → B: check zone information and send back the nonce
(1–3 same as before)
4. B → Region: INQUIRY | ID_B | ID_A | zone(B, A) (request for a verifier to validate A)
5. V → B: ID_V | E_KBV(ID_A | zone(V, B)) (if V is a valid verifier, it sends confirmation)
6. B → A: accept A as its neighbor and notify A
23 Verifier Analysis [figure: V, B, A; Region 1, Region 2; wormhole endpoints X and Y] Wormhole cannot trick a valid verifier: zone(V, A[Y]) = 5, zone(A, V[X]) = 1. Not opposites: verification fails.
24 Connectivity [plot: node positions, x and y in meters; nodes that established all links, established some links (but not all), or are disconnected] Verified protocol, density = 3 (directional density = 9.7)
25 Worawannotai Attack [figure: V, B, A; Region 1, Region 2; repeater X] V hears A and B directly. A and B hear V directly. But A and B hear each other only through the repeater X.
26 Preventing Attack
1. zone(B, A) ≠ zone(B, V)
2. zone(B, A) ≠ zone(V, A)
3. zone(B, V) cannot be both adjacent to zone(B, A) and adjacent to zone(V, A)
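The following simulation is an added example, not code from the talk or the paper: it models the directional neighbor discovery check (slides 17–19) and the verified discovery with the verifier constraints (slides 21–22, 26) on a plane with six 60° antenna zones, and replays the wormhole geometry of slides 19 and 23 against both. The zone layout (zone 1 centred on East, zones numbered counter-clockwise), the radio model (a node hears a sender directly within range r, otherwise through the wormhole endpoint next to it when the sender is within range of the far endpoint) and all coordinates are assumptions constructed for the example; the third constraint is implemented literally as the slide states it.

```python
import math

# Constructed simulation of directional and verified neighbour discovery (not the talk's code).
ZONES = 6                    # six 60-degree antenna zones, as in the talk's antenna model
SECTOR = 360 / ZONES


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def zone_toward(listener, source):
    """Antenna zone (1..6) in which `listener` hears a signal arriving from `source`.
    Assumed layout: zone 1 is centred on East, zones increase counter-clockwise."""
    bearing = math.degrees(math.atan2(source[1] - listener[1], source[0] - listener[0])) % 360
    return int(((bearing + SECTOR / 2) % 360) // SECTOR) + 1


def opposite(z):
    return (z + 2) % ZONES + 1          # 1 <-> 4, 2 <-> 5, 3 <-> 6


def adjacent(z1, z2):
    return (z1 - z2) % ZONES in (1, ZONES - 1)


def apparent_source(listener, sender, r, wormhole):
    """Where `listener` perceives `sender`'s transmission to come from: the sender
    itself when within radio range r; otherwise the wormhole endpoint next to the
    listener, if the sender is in range of the far endpoint; otherwise not heard."""
    if dist(listener, sender) <= r:
        return sender
    if wormhole is None:
        return None
    for near, far in (wormhole, wormhole[::-1]):
        if dist(listener, near) <= r and dist(sender, far) <= r:
            return near
    return None


def directional_discovery(a, b, r, wormhole):
    """Steps 1-3: b hears a's HELLO and replies with zone(b, a); a checks that it hears
    the reply in the opposite zone. Returns zone(b, a) on success, None on failure."""
    src_ba = apparent_source(b, a, r, wormhole)
    src_ab = apparent_source(a, b, r, wormhole)
    if src_ba is None or src_ab is None:
        return None
    z_ba, z_ab = zone_toward(b, src_ba), zone_toward(a, src_ab)
    return z_ba if z_ab == opposite(z_ba) else None


def valid_verifier(z_ba, z_bv, z_va, strict=False):
    """Verifier constraints as stated on the slides: (1) zone(B,A) != zone(B,V),
    (2) zone(B,A) != zone(V,A); `strict` adds (3) zone(B,V) must not be adjacent
    to both zone(B,A) and zone(V,A)."""
    if z_ba == z_bv or z_ba == z_va:
        return False
    if strict and adjacent(z_bv, z_ba) and adjacent(z_bv, z_va):
        return False
    return True


def verified_discovery(a, b, nodes, r, wormhole, strict=False):
    """Steps 4-6: b accepts a only if some node v that itself completed directional
    discovery with a answers b's INQUIRY and satisfies the verifier constraints."""
    z_ba = directional_discovery(a, b, r, wormhole)
    if z_ba is None:
        return False
    for v in nodes:
        if v in (a, b):
            continue
        z_va = directional_discovery(a, v, r, wormhole)   # v's own view of a: zone(v, a)
        src_bv = apparent_source(b, v, r, wormhole)        # b hears v's confirmation
        if z_va is None or src_bv is None:
            continue
        if valid_verifier(z_ba, zone_toward(b, src_bv), z_va, strict):
            return True
    return False


R = 10.0
# Legitimate triangle: A, B and verifier V all within range, no wormhole.
A, B, V = (0.0, 0.0), (8.0, 0.0), (4.0, 6.0)
# Wormhole geometry of slides 19/23: endpoint X next to A, endpoint Y next to B, 100 m apart.
WA, WB, X, Y = (0.0, 0.0), (105.0, 0.0), (5.0, 0.0), (100.0, 0.0)
V_NEAR_B, V_NEAR_A = (103.0, 5.0), (3.0, 5.0)


def demo():
    return {
        "legit_directional": directional_discovery(A, B, R, None),          # zone(B, A) = 4
        "legit_verified": verified_discovery(A, B, [A, B, V], R, None, strict=True),
        "wormhole_directional": directional_discovery(WA, WB, R, (X, Y)),   # fooled, as on slide 19
        "wormhole_verified": verified_discovery(WA, WB, [WA, WB, V_NEAR_B, V_NEAR_A], R, (X, Y)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the wormhole run, directional discovery alone accepts the false link (B hears A from Y in zone 4, A hears B from X in zone 1, which are opposites), but no node can act as a verifier: the node next to B hears A through Y in zone 5 while A hears it through X in zone 1, so its own directional check with A fails (slide 23), and the node next to A is heard by B through Y in the same zone as A, violating constraint 1.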
27 Cost Analysis
Communication overhead –Minimal –Establishing link keys typically requires announcement, challenge and response –Adds messages for inquiry, verification and acceptance
Connectivity –How many legitimate links are lost because they cannot be verified?
28 Lose Some Legitimate Links [plots: link discovery probability vs. node distance (r) for the verified protocol and the strict protocol (preventing the Worawannotai attack), at two network densities; the second panel is at network density = 3]
29 …but small effect on connectivity and routing [plot: average path length vs. node density for omnidirectional, trust all, verified protocol and strict protocol] Network density = 10. Verified protocol: 0.5% of links are lost, no nodes disconnected. Strict protocol: 40% of links are lost, 0.03% of nodes disconnected.
30 Dealing with Error [plots: ratio of lost links and of disconnected nodes vs. maximum directional error (degrees), for the strict and verified protocols, at network density = 10 and network density = 3] Even with no control over antenna alignment, few nodes are disconnected.
31 Vulnerabilities –Attacker with multiple wormhole endpoints: can create packets coming from different directions to appear neighborly –Magnet attacks: protocol depends on compass alignment of nodes –Antenna and orientation inaccuracies: real transmissions are not perfect wedges
32 Moral An attacker with few resources and no crypto keys can substantially disrupt a network with a wormhole attack Mr. Rogers was right: “Be a good neighbor” –If you know your neighbors, can detect wormhole –Need to cooperate with your neighbors to know who your legitimate neighbors are
33 Roadmap Use directional information to defeat wormhole attacks –Simple properties of space –Cooperation of nodes But…most sensor nodes don’t have directional antennas –Rest of the talk: Location Determination
34 Location Determination Important for many sensor network applications Approaches: –Nodes can determine their locations directly (GPS) Too expensive for many applications –Nodes determine their locations indirectly by using information received from a few seed nodes that know their locations
35 Localization Error and Routing [figure: GPSR routing under localization error] Slide from Qing Cao. Details in Qing Cao and Tarek Abdelzaher, A Scalable Logical Coordinates Framework for Routing in Wireless Sensor Networks. RTSS 2004. GPSR: Karp and Kung. MobiCom 2000.
36 Our Approach: Monte Carlo Localization Take advantage of mobility: –Moving makes things harder…but provides more information –Properties of time and space limit possible locations; cooperation from neighbors Adapts an approach from robotics localization Frank Dellaert, Dieter Fox, Wolfram Burgard and Sebastian Thrun. Monte Carlo Localization for Mobile Robots. ICRA 1999.
37 Scenarios [image: NASA Mars Tumbleweed, by Jeff Antol] –Nodes moving, seeds stationary –Nodes and seeds moving –Nodes stationary, seeds moving
38 MCL: Initialization Initialization: the node has no knowledge of its location. L_0 = { set of N random locations in the deployment area } [figure: node’s actual position]
39 MCL Step: Predict and Filter [figure: node’s actual position; seed node, which knows and transmits its location; radio range r] Predict: the node guesses new possible locations based on previous possible locations and the maximum velocity v_max. Filter: remove samples that are inconsistent with observations.
40 Prediction
$$p(l_t \mid l_{t-1}) = \begin{cases} c & \text{if } d(l_t, l_{t-1}) < v_{\max} \\ 0 & \text{if } d(l_t, l_{t-1}) \ge v_{\max} \end{cases}$$
Assumes the node is equally likely to move in any direction with any speed between 0 and $v_{\max}$.
41 Filtering If you don’t hear a seed, but one of your neighbors hears it, you must be within distance (r, 2r] of that seed’s location. If you hear a seed, you must (likely) be within distance r of the seed’s location.
42 Resampling Use prediction distribution to create enough sample points that are consistent with the observations.
43 Recap: Algorithm
Initialization: the node has no knowledge of its location. L_0 = { set of N random locations in the deployment area }
Iteration step: compute the new possible location set L_t based on L_{t-1}, the possible location set from the previous time step, and the new observations.
    L_t = { }
    while size(L_t) < N do
        R = { l | l is selected from the prediction distribution }
        R_filtered = { l | l ∈ R and the filtering condition is met }
        L_t = choose(L_t ∪ R_filtered, N)
44 Parameters Affect accuracy and convergence time: –Speed of nodes and seeds –Density of nodes and seeds Tradeoff memory and accuracy: –Number of samples maintained Movement: –Control should help; interdependence hurts
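The recap algorithm above, run end to end on a constructed scenario, as an added example that is not the talk's or the paper's code: one mobile node, stationary seeds, one stationary neighbour that relays the seed it hears, and the two filtering rules of slide 41 (within r of directly heard seeds, in (r, 2r] of seeds heard only through a neighbour). The prediction step draws a previous sample and moves it in a uniformly random direction at a speed uniform in [0, v_max), matching slide 40. The position estimate (the centroid of the sample set), the fallback of keeping the previous sample set when every prediction is filtered out, and all coordinates, ranges and densities are this example's assumptions.

```python
import math
import random

# Constructed Monte Carlo Localization run (example code, not the talk's implementation).


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def observe(node, neighbours, seeds, r):
    """Seeds the node hears directly (within r) and seeds it only hears about
    from a one-hop neighbour (indirect seeds)."""
    direct = [s for s in seeds if dist(node, s) <= r]
    indirect = [s for s in seeds if s not in direct and
                any(dist(node, nb) <= r and dist(nb, s) <= r for nb in neighbours)]
    return direct, indirect


def consistent(loc, direct, indirect, r):
    """Filtering condition of slide 41: within r of every directly heard seed, and
    in (r, 2r] of every seed heard only through a neighbour."""
    return (all(dist(loc, s) <= r for s in direct) and
            all(r < dist(loc, s) <= 2 * r for s in indirect))


def predict(prev, v_max, rng):
    """One draw from p(l_t | l_{t-1}): a previous sample moved in a uniformly random
    direction at a speed uniform in [0, v_max)."""
    x, y = rng.choice(prev)
    theta, speed = rng.uniform(0, 2 * math.pi), rng.uniform(0, v_max)
    return (x + speed * math.cos(theta), y + speed * math.sin(theta))


def mcl_step(prev, direct, indirect, r, v_max, n, rng, max_rounds=1000):
    """Iteration step of the recap: predict, filter and resample until n consistent
    samples are collected. If the observations rule out every prediction (the
    filter-everything case of slide 56), keep the previous set rather than give up;
    that fallback is this example's choice, not part of the slides."""
    new = []
    for _ in range(max_rounds):
        if len(new) >= n:
            break
        candidates = [predict(prev, v_max, rng) for _ in range(n)]
        new.extend(c for c in candidates if consistent(c, direct, indirect, r))
    return new[:n] if new else prev


def estimate(samples):
    """Assumed estimator: centroid of the sample set."""
    return (sum(x for x, _ in samples) / len(samples), sum(y for _, y in samples) / len(samples))


def run_mcl(trajectory, neighbours, seeds, area, r, v_max, n=100, seed=1):
    """Track the node along `trajectory`; returns per-step (samples, estimate, error / r)."""
    rng = random.Random(seed)
    samples = [(rng.uniform(0, area), rng.uniform(0, area)) for _ in range(n)]  # L_0
    history = []
    for true_pos in trajectory:
        direct, indirect = observe(true_pos, neighbours, seeds, r)
        samples = mcl_step(samples, direct, indirect, r, v_max, n, rng)
        est = estimate(samples)
        history.append((samples, est, dist(est, true_pos) / r))
    return history


# Constructed scenario: positions in metres, radio range R = 10, square deployment area.
R, V_MAX, AREA = 10.0, 3.0, 60.0
SEEDS = [(22.0, 25.0), (38.0, 25.0), (30.0, 33.0), (30.0, 10.0)]  # last seed is out of the node's range
NEIGHBOURS = [(30.0, 18.0)]                                        # hears both the node and that seed
TRAJECTORY = [(30.0, 25.0), (31.0, 26.0), (30.0, 27.0)]            # node moves less than V_MAX per step


def demo():
    return run_mcl(TRAJECTORY, NEIGHBOURS, SEEDS, AREA, R, V_MAX)


if __name__ == "__main__":
    for t, (_, est, err) in enumerate(demo(), 1):
        print(f"t={t}: estimate=({est[0]:.1f}, {est[1]:.1f}) error={err:.2f} r")
```

With three direct seeds and one indirect seed, the consistent region is a strip about 4 m wide and 7 m tall around the node, so every surviving sample and the centroid land within 0.6r of the true position from the first step on; the three time steps show the prediction step carrying the sample set along with the moving node.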
45 Convergence [plot: estimate error (r) vs. time (steps) for v_max = .2r, s_max = 0; v_max = r, s = 0; v_max = r, s = r] Node density n_d = 10, seed density s_d = 1. The localization error converges in the first steps.
46 Speed Helps and Hurts Increasing speed increases location uncertainty, but provides more observations. [plot: estimate error (r) vs. v_max (r distances per time unit) for s_d = 1, s_min = 0, s_max = v; s_d = 1, s_max = s_min = r; s_d = 2, s_max = v; s_d = 2, s_max = s_min = r] Node density n_d = 10
47 Seed Density [plot: estimate error (r) vs. seed density for MCL, Centroid and Amorphous] n_d = 10, v_max = s_max = .2r. Better accuracy than other localization algorithms. Centroid: Bulusu, Heidemann and Estrin. IEEE Personal Communications Magazine, Oct. Amorphous: Nagpal, Shrobe and Bachrach. IPSN 2003.
48 Samples Maintained [plot: estimate error (r) vs. sample size (N) for s_d = 1, v_max = s = .2r; s_d = 1, v_max = s = r; s_d = 2, v_max = s = .2r; s_d = 2, v_max = s = r] n_d = 10. Good accuracy is achieved with only 20 samples (~100 bytes).
49 Radio Irregularity [plot: estimate error (r) vs. degree of irregularity (r varies ± dr) for MCL, Centroid and Amorphous] n_d = 10, s_d = 1, v_max = s_max = .2r. Insensitive to irregular radio pattern.
50 Motion [plot: estimate error (r) vs. maximum group motion speed (r units per time step) for several seed densities, including s_d = .3 and s_d = 1; n_d = 10, v_max = s_max = r] Adversely affected by consistent group motion. [plot: estimate error (r) vs. time for random waypoint vs. area scan (with v_max = s_max = .2r, and with v_max = 0, s_max = .2r); stream and currents] Controlled motion of seeds improves accuracy.
51 Recap MCL: –Maintain set of samples representing possible locations –Filter out impossible locations based on observations from direct and indirect seeds Achieves accurate localization cheaply But…what about security? Caveat: this is the speculative part of the talk!
52 Attacks on Localization Interfere with seed locations –Overload GPS signal Inject bogus seed announcements –Need to authenticate announcements Replay attacks (including wormhole) –Ranging information –Physical challenges
53 MCL Advantages Filtering –Bogus seeds filter out possible locations Direct –Does not require long range seed-node communication Mobile –Nodes expect to hear announcements from different seeds over time Historical –Current sample set reflects history of previous observations
54 Prevent Bogus Announcements Pairwise authentication: assumes nodes are preloaded with pairwise keys for each seed
1. S → region: ID_S (broadcast identity)
2. N → S: E_KNS(R_N) | ID_N (send nonce challenge)
3. S → N: E_KNS(R_N | L_S) (respond with location)
The nonce prevents standard replays, but not wormhole attacks.
55 “Expensive” Defense Distance bounding –Light travels 1 ft per nanosecond (2-4 cycles on a modern PC!) –Need special hardware to instantly respond to received bits Use distance bounding to perform secure multilateration; prove node encounters. Brands and Chaum, EUROCRYPT 1993. Capkun and Hubaux, 2004. Capkun, Buttyan and Hubaux, 2003.
56 “Cheap” Defense: Multiple Location Speculation As long as one legitimate seed announcement is received, the worst an attacker can do is filter out all possible locations: a denial of service attack. Maintain multiple possible locations instead of giving up when observations are inconsistent. Current work: –Can we design routing protocols that work well with multiple locations?
57 Conclusion Computing is moving into the real world: –Rich interfaces to environment –No perimeters Simple properties of physical world are useful: –Directional consistency can prevent wormhole attacks –Space and time can be used to achieve accurate localization cheaply
58 Thanks! Students: Lingxuan Hu, Chalermpong Worawannotai Nathaneal Paul, Jinlin Yang, Joel Winstead Funding: NSF ITR, NSF CAREER, DARPA SRS For more information and paper links: