![Page 1: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/1.jpg)
Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems
Angelo T. Capossele, Valerio Cervo, Chiara Petrioli, Dora Spenza
IEEE SECON 2016
![Page 2: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/2.jpg)
Motivation: Duty Cycling
Tradeoff between energy saving and data latency
Without duty cycleLow latencyLifetime: <5 days
Low duty cycleLatency: 10s of sLifetime: >1yr
![Page 3: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/3.jpg)
Nodes with wake-up receivers
● Energy-efficient on-demand communication
● ULP receiver continuously monitoring the channel● Nodes sleep until communication is needed● Selective awakenings (WUR address)
![Page 4: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/4.jpg)
The problem: Denial of Sleep attack
WAKE UP!!
1. Bruteforce2. Replay attack
![Page 5: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/5.jpg)
Effect of DoS attacks on lifetime
Single attacker: replay attack every 10s
Normal operation
Network under attack
Lifetime (years)
4 20128 16
![Page 6: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/6.jpg)
Our solution: AntiDoS
Bootstrap phaseKey Management Protocol● Lightweight● Mutual authentication
Prevent replay attackWUR addresses updated in a pseudo-random fashion after every use
MAC(common secret key, ...)
Secure wake ups only from authorized nodes
![Page 7: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/7.jpg)
AntiDoS protocol (unicast)A B
Compute B address
Send WUR request
WUR address matching
Receive DataSend Data Communication
Update WUR address
Awakening
Prevent replay attacks
Wake-up radio
Main radio
MAC(secret, IDs, SN)
MAC(secret, IDs, SN)
![Page 8: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/8.jpg)
Bruteforce
Attacker must use datarate of the WUR
![Page 9: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/9.jpg)
Simulation setup
● Simulation framework: GreenCastalia● WUR model: actual prototype,
experimental data
● Monitoring application, converge casting (CTP)● Single attacker randomly placed in the field● Overhear legitimate WUR addresses● Re-broadcast them every 10s to prevent nodes
from sleeping
![Page 10: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/10.jpg)
Simulations results: Energy
![Page 11: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/11.jpg)
Experimental validation
● MagoNode++○ WUR○ Energy harvesting
● TinyOS implementationEnergy consumption of AntiDos operations
● Scalar addition/multiplication 14 uJ● SHA-160 0.04 mJ● HMAC 0.28 mJ
...
![Page 12: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/12.jpg)
Denial of Sleep attacks are a significant threat for WUR-based sensing systems
AntiDos● Secure wake ups (authorized nodes)● “Disposable” WUR addresses thwarts replay
attacks
Conclusion
![Page 13: Counteracting Denial-of-Sleep Attacks in Wake-up-based …spenza/files/SECON2016-slides.pdf · Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,](https://reader031.vdocuments.us/reader031/viewer/2022020416/5c6678f309d3f2d8348c38b6/html5/thumbnails/13.jpg)
Thank you!