Threat model

In addition to the basic requirements, the individual threats need to be accounted in order to provide the desired level of security. This subsection describes what these threats are, how they are carried out by attackers and what the possible evasive solutions are. The threat model is discussed and proposed countermeasures are explained. Some of these solutions are more closely connected to this research and thus discussed in detail in the next section.

Attacks on confidentiality

The wireless communication medium that sensor networks use to communicate implies that any receiver in range is capable of reading all radio traffic [33]. Therefore, data must be sealed from eavesdroppers and this constitutes the requirement of confidentiality, which is met via encryption. Sufficiently complex encryption schemes are implemented in WSNs with care, as strong encryption methods are associated with high computational overheads [29]. Nevertheless, most systems that attempt to achieve confidentiality introduce encryption schemes with varying computational difficulty. Attacks on confidentiality are known as cryptanalytic attacks, discussed in [3], and are characterised by a level of required computational complexity before they conclude by revealing the encryption key.

The most known cryptanalytic attack is the known-plaintext attack, popularly known as brute force attack. It involves obtaining a plaintext and the associated output ciphertext. By knowing two of the three inputs of the encryption function, the attacker can tries every possible key value until the correct key is revealed. Brute force attacks have a complexity equal to the effective key length of the encryption function. Longer keys provide greater confidentiality.

Other confidentiality attacks aim to reduce the level of computational complexity required by discovering a fundamental flaw in the mathematics underlying the encryption function. There are many types of cryptanalytic attacks in this category [3]. Cryptanalytic attacks usually require a number of conditions or pieces of the cryptographic input or output data to be acquired before they can be executed [3].

Cryptanalysis of encryption functions is the ongoing process conducted by the cryptographic community that aims to discover cryptanalytic attacks in existing algorithms. Using an

32 encryption function that is well analysed by the cryptographic community is a way to further protect the confidentiality of a secure cryptosystem.

Attacks on authentication and integrity

Communications via an open wireless medium allows attackers to alter or inject messages into the medium [33]. These attacks involve utilising a carefully crafted and powerful transceiver to overwrite the radio signals emitted by the network devices. Although it requires a skilful attacker, it is easier to conduct than a brute force attack on confidentiality, as it does not require great computational ability.

The efficient solution to this problem is to employ a cryptographic hash function to protect messages [3]. The function accepts the sender‟s identification information and the data as input and outputs a cryptographic signature. This is then appended to the data in the form of a Message Authentication Code (MAC). Each signature is associated with a probability of failure, known as confidence. Depending on the kind of hash function, the length of the input data and the amount of unique possible output, the exact probability that the protection might fail can be determined.

The hash function might be derived by the encryption function itself, as it was for example proposed in TinySec[2]. Under this solution, a possible attempt to inject authenticated messages or to alter existing messages would require knowledge of the authenticity mechanism‟s key, which in turn requires a cryptanalytic attack. Such authentication mechanism is believed to be as secure as the encryption function upon which is based [75].

Attacks on routing

Routing security is not a direct threat since most routing protocols can be protected if the security requirements for message exchange are met. However, many attacks become available if the security mechanism fails to protect the routing messages. These vulnerabilities are clearly demonstrated by Karlof et al. [76]. The majority of routing attacks is briefly described here. Many of the routing attacks described here might be classified as Denial of Service (DoS) attacks in the literature. Other DoS attacks are further discussed later.

If allowed to spoof, alter or replay routing information, an attacker can manipulate the routing table with bogus routing information. Successful manipulation allows the attackers to create a

33 number of problems including routing loops, attract or repel network traffic, extend or shorten routes, generate false error messages, partition the network, increase end-to-end latency etc.

Black hole and Sibyl [77] attacks aim to place a malicious node inside the network. This node will be able to choose whether to forward or drop a packet; it will therefore conduct a

selective forwarding attack. The aim of the attacker is to provide a location on the network, which would look extremely attractive to the routing protocol and thus trick it to route traffic via the area under attack. Usually the method involves compromising a node or injecting nodes in the network. It therefore requires either insecure hardware or weak authentication.

A wormhole attack [78] creates and provides an actual high quality route between two points on the network using a communication medium normally unavailable to a sensor network. This route would quickly attract traffic and the attacker can then manipulate traffic in the way they choose. This attack requires the attacker to be able to inject packets or nodes in the network.

The HELLO flood attack utilises a powerful transceiver to broadcast a HELLO message that will trick distant nodes to believe that the attacker‟s node is neighbouring them. A laptop- class attacker can convince the whole network that they are a preferred route via a HELLO flood attack and thus it will make other attacks possible. This is another attack that requiring ability to inject nodes.

The final potential attack documented by [76] is acknowledgement spoofing. The attack involves recording and then replaying a legitimate acknowledgement message at the attackers will in order to pretend that a destroyed link is in good working order. That implies that the attacker can destroy nodes and hide that fact from the network. In addition, the attacker can trick the routing protocol and make it think that low quality routes are actually healthy routes. That would lead to higher energy consumption and increased latency. This attack requires the ability to inject acknowledgement messages.

Denial of Service attacks

The term Denial of Service (DoS) attack is loosely used to describe attacks that cause complete or partial system failure. Usually, the attacks involve sending a powerful

34 transmission in order to jam the radio channel or to confuse the medium access control protocol.

Brutal DoS attacks involve completely blocking the communication medium by causing interference. The low power radio capabilities of sensor networks mean that it is relatively easy to create a portable transmitter with enough power to jam the network [76]. There is no easy defence against such attacks [28], although some groups are working on solutions given particular assumptions [79].

A survey of intelligent attacks and countermeasures is provided by Wood and Stankovic [80] who describe DoS attacks that do not rely on raw power but flaws in the design instead. It might be possible for an attacker to inject a small, maliciously structured message that would exploit a design vulnerability of the system. The target of the attacker is to trigger asymmetrical resource usage, in the sense that the attacker can cause a great problem to the system with little effort on their part.

Physical attacks

Secure systems are vulnerable if an attacker obtains physical access in the hardware that hosts the system. This is as true for sensor networks as for every other system. Initial research in sensor networks suggested that they would be vulnerable to physical attacks including node tampering and reading of memory contents.

Such potential attack would be catastrophic for a secure cryptosystem that relies on keys as those have to be stored on memory and thus revealed to the attacker in case of node tampering. It is therefore essential to design systems that would sustain physical attacks as well. Research in this area has taken many directions depending on different assumptions4.

Attacks on single points of failure

By definition, every system will have a component, which would be weaker than the other components. Examples of such components in wireless sensor networks might be cluster heads and base stations. A carefully designed secure wireless sensor network should disclose as little information as possible on the location of such singe points of failure. Additional, non-physical, points of failure might involve poorly designed components of the system.

35 The work of Deng et al. [81] analyses the security of the base station viewing it as a single point of failure. There are other examples in the literature that refer to the importance of single points of failure but very little published research considers just that.