Security and privacy in unattended sensor networks

Abstract

In recent years, sensors and sensor networks have been extremely popular in the research community. One of the most exciting aspects of sensor networks research is the confluence of diverse areas, such as databases, networking, distributed systems and security. In particular, security issues in have received a lot of attention. Due to low cost of individual sensors and commensurately meager resources, security in sensor networks poses some unique and formidable challenges. A large body of research has been accumulated in recent years, dealing with various aspects of sensor security, such as: key management, data authentication, privacy, secure aggregation, secure routing as well as attack detection and mitigation.One common assumption in prior WSN security research has been that data collection is performed in (or near) real time: a trusted entity --- usually called a sink --- is assumed to be always (or mostly) present. Data sensing can be event-driven (triggered by some changes in the sensing environment), on-demand (initiated by a query from the sink) or scheduled (prompted by a timer). No matter how sensing is activated, the presence of an on-line sink allows nodes to submit measurements soon after sensing. In this model, an adversary capable of compromising nodes and corrupting data has relatively little time to pursue its goals.While many operate in this general setting, there are emerging WSN scenarios and applications that fall outside the real-time data collection model. We refer to such networks as WSNs or UWSNs. For example, deployed in military or law enforcement environments might not have the luxury of an ever-present sink: sensed data can be off-loaded only when the sink visits the network. Another example might be a WSN monitoring compliance with a nuclear non-proliferation treaty operating in a rogue country.We further narrow our scope to UWSNs operating in hostile environments. Unattended sensors deployed in such environment represent an attractive and easy target for an adversary. The sensors' inability to off-load data in real time exposes them and their data to increased risk. Without external connectivity, sensors can be compromised with impunity and collected data can be read, altered or simply erased. Sensor compromise is a realistic threat, since a typical sensor is a mass-produced commodity device with no specialized secure hardware or tamper-resistant components. Prior security research typically assumed that some number of sensors can be compromised during the entire operation of the network and the main challenge is to detect such compromise. This is a reasonable assumption, since --- with a constantly present sink --- attacks can be detected and isolated. The sink can then immediately take appropriate actions to prevent compromise of any more sensors.In contrast, in the UWSN setting, the adversary can compromise up to a certain number of sensors within a particular time interval. This interval can be much shorter than the time between successive sink visits. Given enough intervals, the adversary can subvert the entire network as it moves between sets of compromised nodes, gradually undermining security. The adversary's goals might include: reading, erasing or modifying data collected by unattended sensors.In this talk, we discuss in detail a number of security challenges in unattended WSNS. In doing so, our main goal is to bring the problem to light and engender interest from the research community to investigate it further.