Abstract—Wireless sensor networks (WSN’s) are an emerging technology that shows great promise for domestic and military applications. However, due to the constrained amount of resources available on sensor nodes (power consumption, memory/storage, and processing power), traditional wireless networking security solutions are not feasible. The intent of this paper is to review the security threats, challenges, and proposed security mechanisms in WSN’s.
CONTENTS
1. INTRODUCTION
2. WIRELESS SENSOR NETWORKS BACKGROUND REVIEW
2.1 SENSOR NETWORK PROTOCOL STACK
3. TECHNICAL DISCUSSION
3.1 FEASIBILITY OF BASIC SECURITY SCHEMES IN WSN’S
3.2 SECURITY THREATS IN WIRELESS SENSOR NETWORKS
3.3 ATTACKS IN WIRELESS SENSOR NETWORKS
3.4 EXISTING SECURITY SOLUTIONS
4. CONCLUSION AND AREAS OF POSSIBLE FUTURE WORK
5. REFERENCES
Introduction
Recent advances in wireless communication and electronics have made possible the development of low-cost, low-power sensor nodes. Sensor nodes are small independent systems which cooperatively monitor physical or environmental parameters over a specific geographic area to solve at least one common application.
A wireless sensor network (WSN) is a group of hundreds to thousands of sensor nodes connected to each other through short range wireless links, used as an infrastructure to forward the collected information to the centralized authority over a base station [1]. The development of wireless sensor networks was originally motivated by military applications such as target tracking, surveillance, communications, and reconnaissance [2] [6].
Providing security in sensor networks is not an easy task [3]; the major challenge for employing a security scheme in wireless sensor networks is created by the size of sensors, the processing power, memory and type of task expected from the sensors [2].
This paper gives an overview of WSN’s and then discusses cryptography, steganography and other fundamentals of network security and their applicability to security issues in wireless sensor networks. The paper examines different types of threats and attacks against WSN’s, and reviews some of the proposed schemes concerning security in WSN’s. Lastly, the conclusions and future areas of possible work are given, as well as the trends in wireless sensor network security research.
WIRELESS SENSOR NETWORKS
A wireless sensor network is an emerging technology used on a large scale to monitor real-time events in complex environments. These networks are composed of a large number of sensor nodes that are densely deployed either inside the phenomenon or very close to it [6]. Sensor nodes are usually scattered in a sensor field as shown in Fig. 1. Each of these sensor nodes has the capabilities to collect and route data back to the sink.
Figure 1 – Sensor nodes scattered in a sensor field
Data is routed back to the sink and the end user over multihop wireless paths [9]. The sink may communicate with the task manager node via Internet or satellite. The design of the sensor network as described by Fig. 1 is influenced by many factors, including:
• Fault tolerance: the system should be robust against node failure (lack of power, physical destruction, or environmental interference, etc). The failure of sensor nodes should not affect the overall task of the sensor network. Fault tolerance is the ability to sustain sensor network functionalities without any interruption due to sensor node failures [8].
• Scalability: The system should support a large number of sensor nodes. Depending on the application, the number of sensor nodes can vary from a few hundred to the order of thousands.
• Production costs: The system should use low cost devices since the network comprises hundreds to thousands of sensor nodes [8].
• Transmission media: In a multihop sensor network, communicating nodes are linked by wireless mediums. These links can be done by radio, infrared, or optical media. To enable global operation of these networks, the chosen transmission medium must be available worldwide [6].
• Power consumption: Sensor node life span shows a strong dependence on battery lifetime. In a multihop ad hoc sensor network, each node plays the dual role of data originator and data router. The malfunctioning of a few nodes can cause significant topological changes and might require rerouting of packets and reorganization of the network. Hence, power conservation and power management take on additional importance [6].
• Security: the node should support the following [6] [8] [5]:
a. Access Control: to prevent unauthorized attempts to access the node.
b. Message Integrity: to detect and prevent unauthorized changes to the message.
c. Confidentiality: to guarantee that the sensor node encrypts messages.
d. Replay Protection: to ensure that the sensor node provides protection against an adversary reusing an authentic packet to gain confidence or network access.
A sensor node is made up of four basic components, as shown in figure 2: a sensing unit, a processing unit, a transceiver unit, and a power unit. They may also have supplementary application-dependent components such as a location finding system, power generator, and mobilizer.
Figure 2 – Components of a sensor node
Sensing units are usually composed of two subunits: sensors and analog-to-digital converters (ADCs). The analog signals produced by the sensors based on the observed phenomenon are converted to digital signals by the ADC, and then fed into the processing unit. The processing unit, which is generally associated with a small storage unit, manages the procedures that make the sensor node collaborate with the other nodes to carry out the assigned sensing tasks. A transceiver unit connects the node to the network.
One of the most important components of a sensor node is the power unit. Power units may be supported by power scavenging units such as solar cells. There are also other subunits that are application-dependent. Most of the sensor network routing techniques and sensing tasks require knowledge of location with high accuracy. Thus, it is common that a sensor node has a location finding system [6]. Apart from size, there are some other stringent constraints for sensor nodes. These nodes must [7] consume extremely low power, operate in high volumetric densities, have low production cost, be dispensable and autonomous, operate unattended, and be adaptive to the environment.
SENSOR NETWORK PROTOCOL STACK
The protocol stack, as shown in figure 3, consists of the physical layer, data link layer, network layer, transport layer, application layer, power management plane, mobility management plane, and task management plane.
Figure 3 – Sensor networks protocol stack
Physical layer: The physical layer is responsible for frequency selection, carrier frequency generation, signal detection, modulation, and data encryption. It also addresses the needs of simple but robust modulation, transmission, and receiving techniques.
Data link layer: The data link layer is responsible for the multiplexing of data streams, data frame detection, medium access and error control. It ensures reliable point-to-point and point-to-multipoint connections in a communication network [6].
Network layer: Special multihop wireless routing protocols between the sensor nodes and the sink node are needed. The networking layer of sensor networks is usually designed according to the following principles [6]:
a. Power efficiency is always an important consideration.
b. Sensor networks are mostly data-centric.
c. Data aggregation is useful only when it does not hinder the collaborative effort of the sensor nodes.
d. An ideal sensor network has attribute-based addressing and location awareness.
Transport layer: This layer is especially needed when the system is planned to be accessed through the Internet or other external networks.
Application layer: Although many application areas for sensor networks are defined and proposed, potential application layer protocols for sensor networks remain as an open research issue. Three possible application layer protocols are [6]: Sensor Management Protocol (SMP), Task Assignment and Data Advertisement Protocol (TADAP), and Sensor Query and Data Dissemination Protocol (SQDDP).
In addition, the power, mobility, and task management planes monitor the power, movement, and task distribution among the sensor nodes. These planes help the sensor nodes coordinate the sensing task and lower the overall power consumption. The power management plane manages how a sensor node uses its power. For example, the sensor node may turn off its receiver after receiving a message from one of its neighbors. This is to avoid getting duplicated messages [6].
SECURITY IN WIRELESS SENSOR NETWORKS
TECHNICAL DISCUSSION
Information security has become one of the biggest concerns for wireless networks. Security plays an important role; data has to be protected using traditional techniques. On the other hand the network has to be protected from attacks and unauthorized users.
Security mechanisms created for wireless ad-hoc networks cannot be applied directly to WSN’s due to the architectural differences between the two networks. To illustrate this point, the differences between sensor networks and ad-hoc networks are [6]:
1. The number of sensor nodes in a sensor network is higher than the nodes in ad-hoc networks. Sensor nodes range from a few hundred to thousands, depending on the application.
2. Sensor nodes are densely deployed.
3. Sensor nodes are prone to failures and physical damage.
4. The topology of a sensor network changes very frequently.
5. Sensor nodes mainly use a broadcast communication paradigm, whereas most ad hoc networks are based on point-to-point communications.
6. Sensor nodes are limited in power, computational capacities, and memory.
7. Sensor nodes may not have global identification (ID) because of the large amount of overhead and large number of sensors.
The requirements of data security in WSN’s are basically the same as those defined in traditional networks, that is, data confidentiality, authenticity, and availability [9].
Data confidentiality: Data confidentiality refers to the prevention of unauthorized access to the information assets. The requirement on data confidentiality in WSN’s is as follows: as long as the event sensing nodes are not compromised, the confidentiality of the corresponding data report should not be compromised due to other nodes, including those nodes along the report forwarding path.
Data authenticity: Data authenticity is performed to verify if the data is indeed what the source has sent. Data reports gathered by WSN’s are sensitive, especially for military applications; therefore, it is important to assure data authenticity in addition to confidentiality.
Data Availability: It is important to prevent or be tolerant to interference or network failures as much as possible to protect data availability. In other words, data availability in WSN’s should be highly resilient against any type of denial-of-service (DoS) attack, ensuring that the information is available and accessible when requested.
FEASIBILITY OF BASIC SECURITY SCHEMES IN WSN’S
In this section we discuss network security fundamentals and how these techniques can be applied to WSN’s.
• Cryptography: Typical encryption-decryption techniques created for wired networks are not feasible to be applied directly to WSN’s. Applying an encryption scheme requires the use of more processing capabilities, and energy which are important resources for the sensor life-span. Encryption increases delay, and packet loss [2]. Questions such as “How the keys are generated, managed, assigned to a new sensor added to the network” come up when applying encryption schemes to WSN’s.
• Steganography: Aims to hide the existence of a message. However, wireless sensor networks are not directly related to steganography due to the lack of resources of the sensor. This is an open research issue.
• Physical layer secure access: In wireless sensor networks this could be provided by using frequency hopping. A dynamic combination of parameters like hopping set, dwell time, and hopping pattern could be used with a little expense of memory, processing, and energy resources. Important points in physical layer secure access are the efficient design so that the hopping sequence is modified in less time than is required to discover it. In order to use this, both the sender and receiver should maintain a synchronized clock [2].
SECURITY THREATS IN WIRELESS SENSOR NETWORKS
WSN’S are more susceptible to malicious attacks than traditional wireless networks. Threats to wireless sensor networks can be classified in a number of ways, based on the capabilities of the attacker, the level of access by the attacker, and the level of intervention by the attacker [4].
For instance, an attacker can use devices with the same capabilities as the sensor nodes in the network, placing sensor nodes in the sensor field or corrupting some of the nodes in the network that is being attacked. The scope of this attack is limited since the attacker only has the same resources in terms of processing capability and energy as the nodes under attack.
Alternatively, the attacker can use a more powerful device, such as a laptop, equipped with the appropriate radio; this option creates more avenues of attack due to the higher capabilities in terms of computation, energy supply and communications.
A serious threat faced by WSN’s is the ability of the attacker to gain physical access to the sensor nodes. This is because the sensor nodes are deployed in an unsupervised manner, and sometimes in hostile environments making the sensors vulnerable. This physical access opens up a number of attacks, including: reprogramming the sensor nodes with malicious code, retrieving cryptographic keys, or just physically destroying the nodes [4].
ATTACKS IN WIRELESS SENSOR NETWORKS
Attacks against wireless sensor networks can be either invasive or non-invasive.
Non-invasive attacks usually consist of side channel attacks such as power, timing or frequency based attacks. Invasive attacks are more common and the more important of these are described below:
1. Denial of service (DoS): DoS conditions are produced by the unintentional failure of nodes or by malicious actions. DoS attacks try to exhaust the resources available to the victim node by sending unnecessary packets, thus preventing legitimate network users from accessing services or resources to which they are entitled. In wireless sensor networks DoS attacks can be performed in different layers. At the physical layer the DoS attacks could be jamming and tampering [2]; at the data link layer the attacks could be collision and exhaustion [4]; at the network layer, neglect and greed, homing, misdirection, and black holes [2]; at the transport layer this attack could be performed by malicious flooding and desynchronization. The mechanisms to prevent DoS attacks include payment for network resources, and pushback [2].
2. Attacks on Information in transit: sensor nodes monitor the changes of specific parameters or values and send the data gathered to the sink node according to the requirements. While sending the report, the information in transit is vulnerable to eavesdropping, modification, injection, interruption, and traffic analysis. These attacks can be prevented using established confidentiality, authentication, integrity, and replay protection protocols.
3. Selective Forwarding: Multi-hop networks are frequently based on the assumption that participating nodes will dependably forward received messages. In a selective forwarding attack, malicious nodes may refuse to forward certain messages and simply drop them, ensuring that they are not transmitted any further.
A simple form of this attack is when a malicious node behaves like a black hole and refuses to forward every packet it receives. However, the attacker runs the risk that neighboring nodes will conclude that it has failed and decide to look for another path. A subtle form of this attack is when an adversary selectively forwards packets. An adversary interested in suppressing or modifying packets originating from a select few nodes can reliably forward the remaining traffic and limit suspicion of its wrongdoing. Selective forwarding attacks are typically most effective when the attacker is explicitly included on the data flow path.
4. Sybil attacks: A single malicious node presents multiple identities to other nodes in the network. This attack can reduce the effectiveness of fault-tolerant schemes such as distributed storage, dispersity, and multipath routing [10].
5. Wormhole attacks: A critical attack in which the malicious node records the packets that it receives and tunnels them to another location in the sensor network. The simplest instance of this attack is a single node situated between two other nodes forwarding messages between the two of them. Wormhole attacks usually involve two distant malicious nodes colluding to understate their distance from each other by relaying packets along an out-of-bound channel available only to the attacker [10]. An attacker situated close to a base station may be able to completely disrupt routing by creating a well-placed wormhole. A wormhole can convince nodes that they are only one or two hops away when in reality they are multiple hops from the base station. This can create a sinkhole: since the adversary on the other side of the wormhole can artificially provide a high-quality route to the base station, all traffic in the surrounding area will be drawn through it if alternate routes are significantly less attractive.
6. Spoofed, altered routing attacks: By feeding spoofed, altered information the attackers can reshape the network, attract or repel traffic, generate error messages, and increase end to end latency.
7. Sinkhole attacks: The goal of this attack is to lure all the traffic from a particular area through a compromised node, in order to make selective forwarding or wormhole attacks more effective. Sinkhole attacks typically work by making a compromised node look attractive to surrounding nodes with respect to the routing algorithm. For instance, an attacker could spoof or replay an advertisement for an extremely high quality route to a base station. Some protocols might actually try to verify the quality of route with end-to-end acknowledgements containing reliability or latency information [4]. In this scenario, a laptop-class attacker with a powerful transmitter can actually provide a high quality route by transmitting with enough power to reach the base station in a single hop.
One motivation for mounting a sinkhole attack is that it makes selective forwarding trivial. By ensuring that all traffic in the targeted area flows through a compromised node, an adversary can selectively suppress or modify packets originating from any node in the area.
8. Hello flood attacks: Many protocols require nodes to broadcast Hello packets to announce themselves to their neighbors, and a node receiving such packets may assume that it is within normal radio range of the sender [10]. This attack uses Hello packets as a weapon to convince the sensors in the WSN. The sensors are persuaded that the attacker is their neighbor. As a consequence, while sending the information to the base station, the nodes try to go through the attacker, as they believe that it is their neighbor, and are ultimately spoofed by the attacker.
9. Acknowledgment spoofing: An adversary can spoof the link layer acknowledgments for “overheard packets” addressed to neighboring nodes. Goals include convincing the sender that a weak link is strong or that a dead or disabled node is alive. For example, a routing protocol may select the next hop in a path using link reliability. Artificially reinforcing a weak or dead link is a subtle way of manipulating such a scheme. Since packets sent along weak or dead links are lost, an adversary can effectively mount a selective forwarding attack using acknowledgement spoofing by encouraging the target node to transmit packets on those links.
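From the defender's side, the subtle form of selective forwarding in item 3 shows up at the base station as a few sources with far worse delivery than the rest of the network. The following check is an added example, not taken from the paper or its references; it assumes sequence-numbered reports, a known node roster and a fixed number of reports per source per window, and the thresholds are hypothetical.

```python
from statistics import median


def classify(reports, roster, expected_per_source, margin=0.3):
    """Compare per-source delivery ratios seen at the base station.

    reports: iterable of (source_id, sequence_number) received in one window.
    roster: node ids expected to report (assumed known from deployment).
    expected_per_source: reports each node should send per window (assumed).
    margin: how far below the network median a source must fall to be flagged.
    """
    received = {src: set() for src in roster}
    unknown = set()
    for src, seq in reports:
        if src not in received:
            unknown.add(src)           # identity not in the roster
            continue
        if 0 <= seq < expected_per_source:
            received[src].add(seq)     # a set ignores duplicated/replayed reports

    ratios = {s: len(q) / expected_per_source for s, q in received.items()}
    baseline = median(ratios.values())
    suspects = sorted(s for s, r in ratios.items() if baseline - r > margin)

    if baseline < 0.5:
        # Most sources are affected: black hole, jamming or plain node failure.
        verdict = "widespread-loss"
    elif suspects:
        # The network is healthy overall but a few sources are suppressed.
        verdict = "selective-loss"
    else:
        verdict = "normal"
    return {"ratios": ratios, "baseline": baseline, "suspects": suspects,
            "verdict": verdict, "unknown_sources": sorted(unknown)}


def constructed_reports(targeted, roster=range(1, 7), n=20, keep_every=4):
    """Constructed sample data: ordinary links lose 1 report in 10, while
    reports from `targeted` sources only get through 1 time in `keep_every`."""
    out = []
    for src in roster:
        for seq in range(n):
            if src in targeted:
                if seq % keep_every == 0:
                    out.append((src, seq))
            elif seq % 10 != 9:
                out.append((src, seq))
    return out


if __name__ == "__main__":
    result = classify(constructed_reports({4, 5}), range(1, 7), 20)
    print(result["verdict"], result["suspects"], result["baseline"])
```

A flagged source is a reason to reroute or inspect the path, not proof of compromise: a genuinely poor link produces the same ratio.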
EXISTING SECURITY SOLUTIONS
In this section, we will review the most popular and suitable security solutions that are in some way appropriate for use in WSN’s.
1. 802.15.4
IEEE 802.15.4-2006 is a standard which specifies the physical layer and media access control for low-rate wireless personal area networks (LR-WPANs). It intends to offer the fundamental lower network layers of a type of wireless personal area network (WPAN) which focuses on low-cost, low-speed ubiquitous communication between devices. The emphasis is on very low cost communication of nearby devices with little to no underlying infrastructure, intending to exploit this to lower power consumption even more. This standard provides link layer security services. It has 3 modes of operation: secure, unsecured, and access control list (ACL) mode.
In unsecured mode there is no security provided at all. In access control list mode (ACL) a list of secure devices is maintained allowing communication among them. All communications from devices not listed are ignored. This mode of operation does not offer cryptographic security so it is trivial for the message source address to be spoofed [4].
The secure mode offers four security services: access control, data encryption, frame integrity, and sequential freshness. One cryptographic algorithm, AES-128, is employed for all security services. For higher security the message integrity code (MIC) can be added to each transmitted message.
Overall the 802.15.4 standard contains well designed security features, which if implemented correctly, can be used for a good base to build higher and fully implemented security suites [4].
2. Zigbee
Zigbee is a specification for a suite of high level communication protocols using small, low-power digital radios based on the IEEE 802.15.4-2003 standard.
Zigbee uses the concept of a “trust centre” to manage the security of a network [4]. This trust centre, normally a Zigbee network coordinator, is trusted by all devices on the network and has three main roles: to authenticate devices that request to join the network, to maintain and distribute keys, and to enable end-to-end security between devices.
This security architecture builds on the AES encryption and security modes offered by the underlying 802.15.4 standard.
3. TinySec
TinySec is a link layer security architecture for wireless sensor networks implemented for the TinyOS operating system. In order to overcome the processor, memory, and energy constraints of sensor nodes, TinySec leverages the inherent sensor network limitations, such as low bandwidth and relatively short lifetime for which the messages need to remain secure, to choose the parameters of the cryptographic primitives used.
TinySec has two modes of operation: authenticated encryption (TinySec-AE) and authentication only (TinySec-Auth).
With authenticated encryption, TinySec encrypts the data payload and authenticates the packet with a message authentication code (MAC). The MAC is computed over the encrypted data and the packet header. In authentication only mode, TinySec authenticates the entire packet with a MAC, but the data payload is not encrypted.
An important feature of TinySec is its ease of use and transparency, as many application developers will either implement the security features incorrectly or leave out any security entirely if the security API is difficult to use. TinySec solves this problem by integrating into TinyOS at a low level [11].
While TinySec has been well designed for its target application domain it still suffers from a number of limitations. The primary limitation is that no key exchange mechanisms are included. TinySec uses a single network wide shared key and it is left up to the application developer to change this key as appropriate and distribute new keys to all nodes. The other major limitation of TinySec is its limited platform support; the official release of TinySec as included in version 1 of TinyOS only works on the MICA2 mote, a 7 year old device which is no longer being manufactured [11].
4. MiniSec
MiniSec is a secure network layer protocol that claims to have lower energy consumption than TinySec while achieving a level of security which matches that of Zigbee.
A major feature of MiniSec is that it uses offset codebook (OCB) mode as its block cipher mode of operation, which offers authenticated encryption with only one pass over the message data. Normally two passes are required for both secrecy and authentication. Another primary feature MiniSec has over the other security suites mentioned here is strong replay protection without the transmission overhead of sending a large counter with each packet or the problems associated with synchronized counters if packets are dropped. To achieve this MiniSec has two modes of operation, one for unicast packets MiniSec-U, and one for broadcast packets, MiniSec-B [12].
5. SenSec
SenSec is another link-layer security protocol which is primarily based on TinySec but still has a number of major differences. It is worth noting that the design of SenSec was motivated by the problems encountered while trying to use TinySec for a specific WSN deployment [13]. However, a number of the design choices were driven by the needs of this particular deployment and may not be generally applicable.
SenSec can be seen as an evolution of TinySec with slightly lower power consumption, due to one pass encryption and authentication, and a higher level of security, again only slightly.
SenSec also fails to address most of the major limitations of TinySec mentioned above, such as the lack of freshness checks and replay protection, no built in key exchange mechanisms and a lack of support for a variety of platforms.
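The TinySec packet protection described above (a MAC computed over the packet header and the encrypted payload) and the replay protection that SenSec is said to lack can be shown together in one receiver. This is an added example, not code from TinySec, MiniSec or SenSec; the frame layout, the 4-byte tag, HMAC-SHA256, the HMAC-based keystream standing in for a block cipher, and the per-sender counter sent in clear in every frame are all assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4                       # assumption: short tag sized for small frames
HDR = struct.Struct(">HHBI")      # hypothetical header: dst, src, mode, counter
MODE_AUTH, MODE_AE = 0, 1         # authentication only / authenticated encryption


def _keystream(enc_key, nonce, n):
    """Stand-in for a block cipher: HMAC-SHA256 run in counter mode."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block),
                        hashlib.sha256).digest()
        block += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(mac_key, header, body):
    return hmac.new(mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]


def seal(enc_key, mac_key, dst, src, counter, payload, mode):
    """Build a frame: header | body | tag. The tag always covers header + body,
    and in AE mode the body is the ciphertext (encrypt-then-MAC)."""
    header = HDR.pack(dst, src, mode, counter)
    body = payload
    if mode == MODE_AE:
        # The header holds src + counter, so it is unique per frame as a nonce.
        body = _xor(payload, _keystream(enc_key, header, len(payload)))
    return header + body + _tag(mac_key, header, body)


class Receiver:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_counter = {}    # src -> highest counter accepted so far

    def open(self, frame):
        """Return (payload, "ok") or (None, reason)."""
        if len(frame) < HDR.size + TAG_LEN:
            return None, "short"
        header = frame[:HDR.size]
        body, tag = frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        # Verify before parsing or decrypting; constant-time comparison.
        if not hmac.compare_digest(tag, _tag(self.mac_key, header, body)):
            return None, "bad-mac"
        _dst, src, mode, counter = HDR.unpack(header)
        # Freshness: an authentic frame is accepted once per counter value.
        if counter <= self.last_counter.get(src, -1):
            return None, "replay"
        self.last_counter[src] = counter
        if mode == MODE_AE:
            body = _xor(body, _keystream(self.enc_key, header, len(body)))
        return body, "ok"


if __name__ == "__main__":
    enc, mac = b"E" * 16, b"M" * 16           # constructed demo keys
    rx = Receiver(enc, mac)
    frame = seal(enc, mac, 1, 7, 1, b"temp=21.5", MODE_AE)
    print(rx.open(frame))                     # accepted
    print(rx.open(frame))                     # same frame again: replay
```

Because the source address is under the MAC, a sender without the key cannot claim another node's identity, which is the protection the ACL mode of 802.15.4 described earlier does not give.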
6. SecureSense
SecureSense differs from the other security suites because it enables a sensor node to dynamically modify its security controls based upon requirements from the application as well as observations about the external environment.
The idea of a node being able to dynamically modify the security services it provides in order to save resources is potentially beneficial, but due to implementation limitations of SecureSense it is difficult to determine if it is a practical solution and even whether or not it provides any real energy savings [4].
7. AMSecure
AMSecure is a link layer security suite which provides message confidentiality, authentication, integrity, replay protection and semantic security.
AMSecure uses the security features of the Texas Instruments CC2420 radio chip in order to provide all of its security services. An interface is provided to allow security aware applications to manage the keys being used. AMSecure support should be very easy to add to existing TinyOS applications as it fits into the TinyOS active messaging stack without any need to modify the higher layer protocols or applications.
AMSecure can be considered to have a high level of security as it uses the AES cipher, which is generally held to be much more secure than RC5 or Skipjack [4].
The biggest weakness of AMSecure lies in its lack of portability. Due to the fact that it relies so heavily on the CC2420 security operations it would prove difficult to port to a platform that uses a different radio chip.
CONCLUSION AND AREAS OF POSSIBLE FUTURE WORK
To sum up, wireless sensor networks are an emerging technology that evolved from military applications to civil applications such as health care, agriculture, manufacturing, and transportation.
In this paper, the basics of wireless sensor networks, security attacks, and the most popular security solutions were reviewed. However, it is important to mention that up to this date there is no solution that can be effectively used in an application to provide a full spectrum of security against all possible attacks, since many of the proposed security schemes are based on specific network models.
Developing a security solution that will satisfy the constraints of wireless sensor networks represents a big research challenge and new wireless networking techniques are required.
One of the most important areas of possible future work is in research. Some of this research involves data dissemination protocols, along with energy and power aware management. Another area of possible work is the inclusion of sensor networks in many civil applications. This wide range of application areas will make sensor networks an integral part of our lives.
References
[1] Chungen Xu, Yanhong Ge; “The Public Key Encryption to Improve the Security on Wireless Sensor networks” Volume 1, 21-22 May 2009 Page(s):11 – 14
[2] Pathan, A.S.K.; Hyung-Woo Lee; Choong Seon Hong, “Security in wireless sensor networks: issues and challenges” Volume 2, 20-22 Feb. 2006 Page(s):6 pp. – 1048
[3] Xiaojiang Du; Hsiao-Hwa Chen; “Security in wireless sensor networks” Volume 15, Issue 4, Aug. 2008 Page(s):60 – 66
[4] Healy, M.; Newe, T.; Lewis, E.; “Security for wireless sensor networks: A review” 17-19 Feb. 2009 Page(s):80 – 85
[5] Abbasi, A.; “Better Security for Wireless Sensor Networks” 7-9 March 2009 Page(s):100 – 103
[6] Akyildiz, I.F.; Weilian Su; Sankarasubramaniam, Y.; Cayirci, E.; “A survey on sensor networks” Volume 40, Issue 8, Aug. 2002 Page(s):102 – 114
[7] J. M. Kahn, R. H. Katz, and K. S. J. Pister, “Next Century Challenges: Mobile Networking for Smart Dust,” 1999, pp. 271–78.
[8] V. Potdar, A. Sharif, E. Chang; “Wireless Sensor Networks: A Survey” 2009 International Conference on Advanced Information Networking and Applications Workshops.
[9] Kui Ren; Wenjing Lou; Yanchao Zhang; “LEDS: Providing Location-Aware End-to-End Data Security in Wireless Sensor Networks” Volume 7, Issue 5, May 2008 Page(s):585 – 598
[10] C. Karlof, D. Wagner; “Secure routing in wireless sensor networks: attacks and countermeasures” May 2003 Page(s):113-127
[11] C. Karlof, N. Sastry, and D. Wagner; “TinySec: a link layer security architecture for wireless sensor networks,” 2004, pp. 162 – 175.
[12] M. Luk, G. Mezzour, A. Perrig, and V. Gligor; “MiniSec: A Secure Sensor Network Communication Architecture,” 2007.
[13] T. Li, H. Wu, X. Wang, and F. Bao; “SenSec: Sensor Security Framework for TinyOS,” 2005.