Wireless Sensor Networks:
Attacks and Countermeasures
Physical and Network Layer
Samuel Johnson
Attacks on Physical Layer
Jamming
Tampering
Attacks on Network Layer
Black hole
Homing attack
Sybil attack
Selective forwarding
Sinkhole attack
Wormhole attack
HELLO flood attack
Acknowledgement spoofing
Routing cycles
Physical Layer: Jamming
Adversary transmits in the same frequency band
as the transmitter, causing radio interference
and thereby disrupting communication.
Types:
Constant Jamming: Radio signal is emitted continuously.
Deceptive Jamming: Injects regular packets into the
channel without any gaps between packets.
Random Jamming: Alternates between sleeping and
jamming to save power.
Reactive Jamming: Transmits only when channel activity
is sensed.
Jamming Countermeasures
FHSS (Frequency Hopping Spread Spectrum): Sending data
by rapidly switching the carrier signal among many frequency
channels. Complex and costly, thus used only in limited
operations. Used in Bluetooth.
DSSS (Direct-sequence spread spectrum): It multiplies the
data being transmitted by a "noise" signal. This noise signal is
a pseudorandom sequence of 1 and −1 values, at a frequency
much higher than that of the original signal, thereby spreading
the energy of the original signal into a much wider band.
Channel Surfing: Nodes that detect themselves as jammed
should immediately switch to another orthogonal channel and
wait for opportunities to reconnect to the rest of the network.
After the jammed nodes lose connectivity, their neighbors will
discover the disappearance of their jammed neighbor nodes
and temporarily switch to the new channel to search for them.
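
The DSSS description above, as an added example that is not part of the original slides. It assumes an 11-chip Barker code in place of the pseudorandom +1/-1 sequence and models the jammer as a constant offset added to every sample.

```python
# Added example: DSSS spreading and despreading under a constant jammer.
# Assumption: an 11-chip Barker code stands in for the pseudorandom sequence.
BARKER_11 = [1, 1, 1, -1, -1, -1, 1, -1, -1, 1, -1]

def spread(bits, chips=BARKER_11):
    """Map each bit to +1/-1 and multiply it by every chip of the code."""
    out = []
    for b in bits:
        symbol = 1 if b else -1
        out.extend(symbol * c for c in chips)
    return out

def despread(signal, chips=BARKER_11):
    """Correlate each code-length window with the code; the sign is the bit."""
    n = len(chips)
    bits = []
    for i in range(0, len(signal) - n + 1, n):
        corr = sum(s * c for s, c in zip(signal[i:i + n], chips))
        bits.append(1 if corr > 0 else 0)
    return bits

def jam(signal, amplitude):
    """Simplified jammer: the same offset is added to every sample."""
    return [s + amplitude for s in signal]

def bit_errors(sent, received):
    return sum(a != b for a, b in zip(sent, received))

def compare(bits, amplitude):
    """Return (errors without spreading, errors with DSSS) for one jammer."""
    plain = despread(jam(spread(bits, [1]), amplitude), [1])
    dsss = despread(jam(spread(bits), amplitude))
    return bit_errors(bits, plain), bit_errors(bits, dsss)

if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed payload
    for amp in (0.5, 3, 8, 12):
        print(amp, compare(data, amp))
```

The unspread signal starts losing bits once the jammer amplitude exceeds 1, while the spread signal survives until the amplitude reaches the code length of 11.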
Physical Layer: Tampering
Refers to physical access to and capture of nodes.
Sensitive information such as shared keys can be
obtained.
The bootstrap loader can be exploited to gain read and
write access to the microcontroller's memory.
Types:
Invasive: Hardware components like chips, ICs
are accessed using specialized hardware.
Non-invasive: Easier than invasive and requires
less time.
Tampering Countermeasures
There is no global solution for these attacks!
Use a strong password for the bootstrap loader.
Store data in encrypted form in EEPROM
and other flash storage devices.
Network Layer Attacks
Black hole attack
Malicious node/adversary announces itself as the
shortest path.
Every other node routes traffic through it.
The adversary can then either discard the
incoming packets or save them for analysis.
Countermeasures
Mark the black hole as 'node failure' and reroute.
Use GPS for route calculation.
Route using REWARD protocol: If the packet does not
arrive within a specified period of time, the destination
node broadcasts a MISS (material for intersection of
suspicious sets) message. All nodes listed in MISS
message are flagged as suspicious. The transmitter waits
for a predefined time period, transmits the packet changing
the path and broadcasts a SAMBA (suspicious area, mark
a black-hole attack) message. The SAMBA message
provides the location of the black-hole attack.
Selective Forwarding
It is a variation of the black hole attack.
Effective in multihop networks.
Malicious nodes may refuse to forward certain
messages and simply drop them.
If it behaved like a black hole (dropping all
packets), the network may detect it as 'node
failure' and reroute the traffic.
Countermeasures
Multipath routing in combination with random
selection of paths to destination
Watchdog: This technique takes advantage of
the wireless shared medium by exploiting the
fact that a node can overhear its neighbouring
nodes forwarding packets to other destinations.
If a node does not overhear a neighbour
forwarding more than a threshold number of
packets, it concludes that the neighbour is an
adversary.
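
The watchdog bookkeeping described above, as an added example that is not part of the original slides. The class, its timeout parameter and the node names B, C and SINK are assumptions made for illustration; the trace is constructed.

```python
# Added example: watchdog state kept by one monitoring node.
from collections import defaultdict

class Watchdog:
    def __init__(self, threshold, timeout):
        self.threshold = threshold      # tolerated missed forwards per neighbour
        self.timeout = timeout          # seconds to wait for the overheard copy
        self.pending = {}               # (neighbour, packet_id) -> deadline
        self.missed = defaultdict(int)  # neighbour -> forwards never overheard

    def sent(self, now, neighbour, packet_id, final_dest):
        """We handed a packet to `neighbour`; expect to overhear it relayed."""
        if neighbour != final_dest:     # the destination has nothing to relay
            self.pending[(neighbour, packet_id)] = now + self.timeout

    def overheard(self, now, neighbour, packet_id):
        """Promiscuous receive: `neighbour` retransmitted the packet."""
        deadline = self.pending.get((neighbour, packet_id))
        if deadline is not None and now <= deadline:
            del self.pending[(neighbour, packet_id)]

    def expire(self, now):
        """Charge every overdue packet to the neighbour that held it."""
        for key, deadline in list(self.pending.items()):
            if now > deadline:
                self.missed[key[0]] += 1
                del self.pending[key]

    def suspects(self, now):
        self.expire(now)
        return sorted(n for n, m in self.missed.items() if m > self.threshold)

def run_constructed_trace():
    # Constructed trace: B relays everything, C drops packets with odd ids.
    wd = Watchdog(threshold=2, timeout=0.5)
    for pid in range(10):
        t = float(pid)
        wd.sent(t, "B", pid, final_dest="SINK")
        wd.sent(t, "C", pid, final_dest="SINK")
        wd.overheard(t + 0.1, "B", pid)
        if pid % 2 == 0:
            wd.overheard(t + 0.1, "C", pid)
    return wd.suspects(now=20.0), dict(wd.missed)
```

A neighbour that drops only some packets never looks like a failed node, but its missed-forward counter still crosses the threshold.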
Homing attack
Attacker analyses network traffic to deduce the
geographic location of critical nodes.
The nodes can then be physically disabled.
Countermeasures:
Header Encryption.
Transmit using minimum power.
Sybil Attack
A single node presents itself as having multiple
identities.
Can disrupt, or cause unfairness in, distributed
algorithms, routing protocols, data aggregation,
voting.
Countermeasures
Radio Resource Testing (RRT): Two non-sybil nodes
must be capable of demonstrating that together they
own more resources (like computational power,
storage capacity, network bandwidth, etc.) than a
single node.
Random key pre-distribution, which associates the
identity of the node with the keys assigned to it and
validates the keys to see if the node is really who it
claims to be.
Registration of the node identities at a central base
station.
Position verification, which makes the assumption that
the sensor network topology is static.
Sinkhole attack
Attacker tries to route all traffic through a
compromised node.
Typically by making the compromised node
look attractive to surrounding nodes with respect
to the routing algorithm, such as a shorter path
or a high quality path.
Countermeasures
Use routing protocols that verify the
bidirectional reliability of a route with end-to-end
acknowledgements which contain latency and
quality information.
Geographical routing protocols: Geographic
protocols construct a topology on demand
using only localized interactions and
information and without initiation from the base
station. Because traffic is naturally routed
towards the physical location of a base station,
it is difficult to attract it elsewhere to create a
sinkhole.
Wormhole attack
Adversary tunnels messages from one part of the
network over a low latency link and replays them
in a different part.
Usually uses an out-of-band channel to tunnel
messages.
Countermeasures
Wormholes are difficult to detect since they use a private
out-of-band channel invisible to the underlying sensor network.
Packet leash: Add information into the packet to
restrict its maximum allowed transmission distance. It
requires extreme time synchronization and is thus
infeasible for most sensor networks.
Geographical routing protocols: Geographic protocols
construct a topology on demand using only localized
interactions and information and without initiation from
the base station. Because traffic is naturally routed
towards the physical location of a base station, it is
difficult to attract it elsewhere to create a wormhole.
HELLO Flood attack
HELLO packets are usually used to discover
routes.
Attacker tries to convince all nodes to choose it
as parent using a powerful radio transmitter.
Countermeasures
If the attacker has the same reception capabilities
as other nodes, a HELLO flood can be verified
using the bi-directionality of local links.
Identity verification protocol using a trusted
base station. An observant base station may be
able to detect a HELLO flood since the
adversary authenticates itself to a large number
of nodes.
Routing Cycles
Message will go around in circles, possibly forever.
Attack requires more than one attacker to create loops
in the routing algorithm.
Countermeasure
Multihop routing protocol: Every message in Multihop
contains the number of hops it still has to travel to the
base station. Every node that forwards the message
decreases this number by one. Because a node knows
the number of hops from itself to a destination, it will
compare this with the number of hops that is in the
message. If the number of hops in the message is
smaller, this may indicate a routing cycle or another
error and the message is discarded.
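
The hop-count check described above, run over a constructed topology, as an added example that is not part of the original slides. The node names, the forward function and the assumption that colluding nodes relay the message without touching its counter are illustrative.

```python
# Added example: hop-count check against a routing cycle.
# Honest nodes' own distance to the base station (constructed topology).
HOPS_TO_BASE = {"S": 4, "A": 3, "B": 2, "C": 1, "BASE": 0}

def forward(next_hop, source, colluders=(), check=True, max_steps=32):
    """Follow next_hop from source; return (outcome, path travelled)."""
    remaining = HOPS_TO_BASE[source]  # hops the message still has to travel
    node, path = source, [source]
    for _ in range(max_steps):
        if node == "BASE":
            return "delivered", path
        if node not in colluders:
            # Honest check: the message claims fewer hops than this node needs.
            if check and remaining < HOPS_TO_BASE[node]:
                return "discarded at " + node, path
            remaining -= 1            # each honest forwarder decrements by one
        node = next_hop[node]
        path.append(node)
    return "still circulating", path

# Honest routes, and routes where colluders X and Y send traffic back to A.
HONEST = {"S": "A", "A": "B", "B": "C", "C": "BASE"}
LOOPED = {"S": "A", "A": "B", "B": "X", "X": "Y", "Y": "A"}

if __name__ == "__main__":
    print(forward(HONEST, "S"))
    print(forward(LOOPED, "S", colluders=("X", "Y")))
    print(forward(LOOPED, "S", colluders=("X", "Y"), check=False)[0])
```

On the second pass through A the counter has dropped to 1 while A is still 3 hops from the base station, so A discards the message instead of relaying it again.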