Question

1) Identify and describe the threats, vulnerabilities and attacks on Wireless Sensor Networks (WSN), describe the scenario of each attack and its effect on wireless network performance. Also, clarify the attacks by diagrams.

(Hint: identify and describe the threats, vulnerabilities and attacks on your selected wireless network, describe the scenario of each attack and its effect on wireless network performance. Also, clarify the attacks by diagrams)

2) Suggest security services and mechanisms to countermeasure the attacks. Provide a detailed description for each service and mechanism. Then, provide a clear diagram of your security architecture of wireless network.

(Hint: identify the security service that could detect/prevent the attack, then describe mechanisms to implement the identified services.)

Answer #1

1. Attacks on Wireless Sensors Networks

Passive and active attacks criteria -

Attacks can be classified into two major categories, according to the interruption of the communication act, namely passive attacks and active attacks. In this regard, when it is referred to as a passive attack, it is said that the attack obtains data exchanged in the network without interrupting the communication. When it is referred to as an active attack, it can be affirmed that the attack implies the disruption of the normal functionality of the network, meaning information interruption, modification, or fabrication.

Examples of passive attacks are eavesdropping, traffic analysis, and traffic monitoring.

Examples of active attacks include jamming, impersonating, modification, denial of service (DoS), and message replay.

Cryptography and non-cryptography related attacks -

| Cryptographic Primitive Attacks | Examples |
| --- | --- |
| Pseudorandom number attack | Nonce, timestamp, initialization vector (IV) |
| Digital signature attack | RSA signature, ElGamal signature, digital signature standard (DSS) |
| Hash collision attack | SHA-0, MD4, MD5, HAVAL-128, RIPEMD |

Physical layer attacks -

Wireless communication is broadcast by nature. A common radio signal is easy to jam or intercept. An attacker could overhear or disrupt the service of a wireless network physically.

Eavesdropping: Eavesdropping is the intercepting and reading of messages and conversations by unintended receivers. The mobile hosts in mobile ad hoc networks share a wireless medium. The majority of wireless communications use the RF spectrum and are broadcast by nature. Signals broadcast over airwaves can be easily intercepted with receivers tuned to the proper frequency. Thus, messages transmitted can be overheard, and fake messages can be injected into the network.

Interference and Jamming: Radio signals can be jammed or interfered with, which causes the message to be corrupted or lost. If the attacker has a powerful transmitter, a signal can be generated that will be strong enough to overwhelm the targeted signals and disrupt communications. The most common types of this form of signal jamming are random noise and pulse. Jamming equipment is readily available. In addition, jamming attacks can be mounted from a location remote to the target networks.

Link layer attacks -

The Mobile Ad Hoc Network (MANET) is an open multipoint peer-to-peer network architecture. Specifically, one-hop connectivity among neighbors is maintained by the link layer protocols, and the network layer protocols extend the connectivity to other nodes in the network. Attacks may target the link layer by disrupting the cooperation of the layer’s protocols. Wireless medium access control (MAC) protocols have to coordinate the transmissions of the nodes on the common transmission medium. Because a token-passing bus MAC protocol is not suitable for controlling a radio channel, IEEE 802.11 protocol is specifically devoted to wireless LANs. The IEEE 802.11 MAC protocol uses distributed contention resolution mechanisms for sharing the wireless channel. The IEEE 802.11 working group proposed two algorithms for contention resolution. One is a fully distributed access protocol called the distributed coordination function (DCF). The other is a centralized access protocol called the point coordination function (PCF). PCF requires a central decision maker such as a base station. DCF uses a carrier sense multiple access/collision avoidance protocol (CSMA/CA) for resolving channel contention among multiple wireless hosts.

Network layer attacks -

A variety of attacks targeting the network layer have been identified and heavily studied in research papers. By attacking the routing protocols, attackers can absorb network traffic, inject themselves into the path between the source and destination, and thus control the network traffic flow. The traffic packets could be forwarded to a non-optimal path, which could introduce significant delay. In addition, the packets could be forwarded to a nonexistent path and get lost. The attackers can create routing loops, introduce severe network congestion, and channel contention into certain areas. Multiple colluding attackers may even prevent a source node from finding any route to the destination, causing the network to partition, which triggers excessive network control traffic, and further intensifies network congestion and performance degradation.

Transport layer attacks -

The objectives of TCP-like transport layer protocols in WSN include setting up of end-to-end connection, end-to-end reliable delivery of packets, flow control, congestion control, and clearing of end-to-end connection. Similar to TCP protocols in the Internet, the mobile node is vulnerable to the classic SYN flooding attack or session hijacking attacks [1] [3] [4]. However, a WSN has a higher channel error rate when compared with wired networks. Because TCP does not have any mechanism to distinguish whether a loss was caused by congestion, random error, or malicious attacks, TCP multiplicatively decreases its congestion window upon experiencing losses, which degrades network performance significantly.

SYN flooding attack: The SYN flooding attack is a denial-of-service attack. The attacker creates a large number of half-opened TCP connections with a victim node, but never completes the handshake to fully open the connection. For two nodes to communicate using TCP, they must first establish a TCP connection using a three-way handshake. The three messages exchanged during the handshake allow both nodes to learn that the other is ready to communicate and to agree on initial sequence numbers for the conversation.

Session hijacking: Session hijacking takes advantage of the fact that most communications are protected (by providing credentials) at session setup, but not thereafter. In the TCP session hijacking attack, the attacker spoofs the victim’s IP address, determines the correct sequence number that is expected by the target, and then performs a DoS attack on the victim. Thus the attacker impersonates the victim node and continues the session with the target.

Application layer attacks -

The application layer communication is also vulnerable in terms of security compared with other layers. The application layer contains user data, and it normally supports many protocols such as HTTP, SMTP, TELNET, and FTP, which provide many vulnerabilities and access points for attackers. The application layer attacks are attractive to attackers because the information they seek ultimately resides within the application and it is direct for them to make an impact and reach their goals.

Malicious code attacks: Malicious code, such as viruses, worms, spyware, and Trojan horses, can attack both operating systems and user applications. These malicious programs usually can spread themselves through the network and cause the computer system and networks to slow down or even be damaged.

Repudiation attacks: Repudiation refers to a denial of participation in all or part of the communication.

Multi-layer attacks -

Some security attacks can be launched from multiple layers instead of a particular layer. Examples of multi-layer attacks are denial of service (DoS), man-in-the-middle, and impersonation attacks.

Denial of service: Denial of service (DoS) attacks could be launched from several layers. An attacker can employ signal jamming at the physical layer, which disrupts normal communications. At the link layer, malicious nodes can occupy channels through the capture effect, which takes advantage of the binary exponential scheme in MAC protocols and prevents other nodes from channel access. At the network layer, the routing process can be interrupted through routing control packet modification, selective dropping, table overflow, or poisoning. At the transport and application layers, SYN flooding, session hijacking, and malicious programs can cause DoS attacks.

Impersonation attacks: Impersonation attacks are launched by using another node’s identity, such as its MAC or IP address. Impersonation attacks sometimes are the first step for most attacks, and are used to launch further, more sophisticated attacks.

Man-in-the-middle attacks: An attacker sits between the sender and the receiver and sniffs any information being sent between two ends. In some cases the attacker may impersonate the sender to communicate with the receiver, or impersonate the receiver to reply to the sender.

2.

RFID DEPLOYMENTS -

A typical deployment of an RFID system involves three types of legitimate entities, namely tags, readers and back-end servers. The tags are attached to, or embedded in, objects to be identified. They consist of a transponder and an RF coupling element. The coupling element has an antenna coil to capture RF power, clock pulses and data from the RFID reader. The readers typically contain a transceiver, a control unit, and a coupling element, to interrogate tags. They implement a radio interface to the tags and also a high level interface to a backend server that processes captured data.

The back-end servers are trusted entities that maintain a database containing the information needed to identify tags, including their identification numbers. Since the integrity of an RFID system is entirely dependent on the proper behavior of the server, it is assumed that the server is physically secure and not attackable. It is certainly legitimate to consider privacy mechanisms that reduce the trust on the back-end server—for instance, to mitigate the ability of the server to collect user-behavior information, or to make the server function auditable. In this paper, however, we shall not investigate such privacy attacks. These have been discussed extensively elsewhere. For an overview of measures and mechanisms that can be used to deal with privacy issues concerning back-end servers we refer the reader to [22]. Here we shall consider the servers to be entirely trusted.

PASSIVE RFID TAGS -

There are basically three types of passive RFID transponders.

Smart labels: These are class 1 basic memory devices that are typically Read-Only. They are capable of storing small amounts of data, sufficient for tag identification. Smart labels are low-cost replacements of barcodes and are used for inventory control. They function by backscattering the carrier signal from RFID readers. Smart labels are quite insecure: they are subject to both unauthorized cloning and unauthorized tracking, though in many cases are at least resistant to disabling attacks since they have a single operational state.

Re-writable tags: These are class 1 tags with re-writable memory containing non-volatile EEPROM used to store user- and/or server-defined information. In a typical application [1], they store server certificates used to identify tags and are updated each time a tag is identified by an authorized reader. These tags can also store kill-keys, used to disable them. Despite this additional functionality, re-writable tags are still insecure: they are subject to unauthorized cloning, unauthorized disabling, and in some cases unauthorized tracking. Indeed a hacker (rogue reader) can record a tag’s certificate and use it to impersonate the tag, track the tag (only until the next time the tag interacts with an honest reader outside the range of the attacker), and/or replace it with an invalid certificate, to disable the tag.

IC tags: These are class 2 smart tags with a CMOS integrated circuit, ROM, RAM, and nonvolatile EEPROM. They use the integrated circuit to process a reader’s challenge and generate an appropriate response. IC tags are the most structured tags and used with an appropriate RFID protocol they can defeat the attacks discussed in the Introduction. In the rest of this paper we show how this is done.

Countermeasures -

The disabling attack: In a disabling attack the attacker causes tags to assume a state from which they can no longer be identified by the back-end server. One way to prevent this is by having each tag share with the server a permanent (non-erasable) private identifying key ktag (another way, which is however not suitable for low-cost tags, would be to use public-key cryptography). Then, when a tag is challenged by a reader, it will generate a response using this private key. Of course, it should be hard for an attacker to extract the private key from the tag’s response. For this purpose a cryptographic one-way function should be used. This solution relies heavily on the assumption that the server is trusted and physically secured.

The cloning attack: To defeat cloning attacks it should not be possible for an attacker to access a tag’s identifying data. Such data should be kept private. However for authentication, it should be possible for the back-end server to verify a tag’s response. The response must therefore corroborate (but not reveal!) the tag’s identifying data. This can be achieved by having the server share a private key ktag with each tag, as in the previous case.

The tracking attack: Unauthorized tracking is based on tracing tag responses to a particular tag. This can be prevented by making certain that the values of the responses appear to an attacker as random, uniformly distributed. In fact, since we are assuming that all entities of an RFID system have polynomially bounded resources, it is sufficient for these values to be pseudo-random.

Replay attacks: To deal with replay attacks the tag’s response must be unique for every server challenge. To achieve this, the values of the server challenges and the tag responses must be unpredictable. One way to achieve this is to enforce that the answers be (cryptographically) pseudo-random.
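The four countermeasures above (a permanent shared key ktag, a one-way function over the challenge, pseudo-random responses, one response per challenge) can be exercised together in a small challenge-response exchange. This is an added example, not part of the original answer: HMAC-SHA256 as the one-way function, the tag-side nonce, the server's linear key search, and the names `Tag`, `Server` and `run_exchange` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN = 16  # bytes; assumed size for challenges and tag nonces


class Tag:
    """IC tag holding the permanent shared key k_tag (never transmitted)."""
    def __init__(self, k_tag: bytes) -> None:
        self._k_tag = k_tag

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        # A fresh tag nonce makes every response look random, even when a
        # rogue reader repeats the same challenge (tracking countermeasure).
        tag_nonce = secrets.token_bytes(NONCE_LEN)
        mac = hmac.new(self._k_tag, challenge + tag_nonce, hashlib.sha256).digest()
        return tag_nonce, mac


class Server:
    """Trusted back-end server with the key database (tag id -> k_tag)."""
    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys
        self._outstanding = set()  # challenges issued and not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(NONCE_LEN)
        self._outstanding.add(c)
        return c

    def identify(self, challenge: bytes, tag_nonce: bytes, mac: bytes) -> Optional[str]:
        # A challenge is accepted once, so a recorded response is useless later.
        if challenge not in self._outstanding:
            return None
        self._outstanding.discard(challenge)
        for tag_id, k_tag in self._keys.items():
            expected = hmac.new(k_tag, challenge + tag_nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, mac):
                return tag_id
        return None


def run_exchange() -> Dict[str, object]:
    # Constructed sample keys; a real deployment provisions k_tag at manufacture.
    keys = {"tag-A": secrets.token_bytes(32), "tag-B": secrets.token_bytes(32)}
    server, tag_a = Server(keys), Tag(keys["tag-A"])
    clone = Tag(secrets.token_bytes(32))  # attacker's tag, built without k_tag
    out: Dict[str, object] = {}

    c1 = server.challenge()
    n1, m1 = tag_a.respond(c1)
    out["genuine"] = server.identify(c1, n1, m1)
    out["replay_new_challenge"] = server.identify(server.challenge(), n1, m1)
    out["replay_old_challenge"] = server.identify(c1, n1, m1)
    c2 = server.challenge()
    out["clone"] = server.identify(c2, *clone.respond(c2))
    rogue = b"\x00" * NONCE_LEN  # rogue reader repeats one fixed challenge
    out["linkable"] = tag_a.respond(rogue) == tag_a.respond(rogue)
    c3 = server.challenge()  # the tag keeps no writable state to corrupt
    out["after_rogue_reader"] = server.identify(c3, *tag_a.respond(c3))
    return out
```

Calling `run_exchange()` returns the outcome of each case: the genuine tag is identified, both replays and the clone are rejected, repeated rogue queries yield unlinkable responses, and the tag still identifies afterwards.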
