
Active vs. Passive: Passive attackers only monitor the network without active interference. Such attacks pursue the disclosure of sensitive information. This information can be captured in the proximity of the network, while the actual evaluation can be done in a powerful lab. Active attackers may additionally interfere with the network. Such interference may entail deletion, modification or creation of information. Thus, active attacks target, in addition to confidentiality, the integrity and reliability of the network. While active attacks are typically more complex and can theoretically be detected, the potential impact of such attacks makes them particularly critical.

Local vs. Extended or mote-class vs. Laptop class: A mote-class attacker uses sensor nodes with similar capabilities as the nodes in the WSN to execute the attacks. The nodes may be part of the network. A laptop class attacker uses devices with significantly more power than the sensor nodes. That performance advantage allows the attacker to execute attacks that rely on fast and complex computations.

Possible attacks include sending false answers faster than the actual sensor nodes, or trying to increase the load on a set of nodes by frequently formulating complex requests. In the most extreme case, a laptop-class attacker is connected to a distributed network of high-powered computers which can be utilized to break ciphers or to perform complex analysis. This is considered an extended attacker.

Radio-only vs. Physical: Radio-only attackers attack the network only by means of radio communication. This corresponds to the Dolev-Yao model [DY83] usually applied to analyze security protocols on classic computer systems. The Dolev-Yao model assumes that the only point of attack is the network. For most sensor networks that is clearly not the case, since unauthorized physical access to nodes is very likely in networks deployed outdoors [WGS06]. However, many mechanisms still rely on the radio-only attacker model and neglect physical attacks.

In this thesis we assume the default attacker to be a physical, laptop-class, active, malicious insider. That is the worst-case combination. Such an attack can be executed with equipment worth less than $1000, provided that standard sensor nodes are deployed unprotected in the field. In any case, in security analysis we always have to consider the worst case, unless we can justify why a less extensive attacker model should be used.
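The worst-case rule above can be applied as a review check: record the attacker model each security mechanism was analysed under and list the axes on which it is weaker than the default attacker. The following Python sketch is an added example, not part of the thesis; the mechanism names and their models are constructed, the outsider level is an assumed counterpart to "insider", and the "malicious" attribute is not modelled.

```python
from dataclasses import dataclass, fields
from enum import IntEnum

# Each axis is ordered from the weaker to the stronger attacker.
class Interference(IntEnum):
    PASSIVE = 0
    ACTIVE = 1

class Power(IntEnum):
    MOTE = 0
    LAPTOP = 1
    EXTENDED = 2

class Access(IntEnum):
    RADIO_ONLY = 0
    PHYSICAL = 1

class Position(IntEnum):
    OUTSIDER = 0  # assumed counterpart of "insider"; not defined in this section
    INSIDER = 1

@dataclass(frozen=True)
class AttackerModel:
    interference: Interference
    power: Power
    access: Access
    position: Position

    def gaps(self, required):
        """Axes on which this model assumes a weaker attacker than `required`."""
        return [f.name for f in fields(self)
                if getattr(self, f.name) < getattr(required, f.name)]

# Default attacker of the text: physical, laptop-class, active insider.
DEFAULT = AttackerModel(Interference.ACTIVE, Power.LAPTOP,
                        Access.PHYSICAL, Position.INSIDER)

# Constructed inventory: hypothetical mechanisms with the attacker model
# each one was analysed under.
MECHANISMS = {
    "radio_link_auth": AttackerModel(Interference.ACTIVE, Power.LAPTOP,
                                     Access.RADIO_ONLY, Position.OUTSIDER),
    "sealed_key_store": AttackerModel(Interference.ACTIVE, Power.EXTENDED,
                                      Access.PHYSICAL, Position.INSIDER),
    "rate_limiter": AttackerModel(Interference.ACTIVE, Power.MOTE,
                                  Access.RADIO_ONLY, Position.INSIDER),
}

def review(mechanisms, required=DEFAULT):
    """Map each under-modelled mechanism to the axes that need justification."""
    report = {name: model.gaps(required) for name, model in mechanisms.items()}
    return {name: axes for name, axes in report.items() if axes}
```

Every axis returned by `review` marks a place where the analysis used a less extensive attacker model and therefore needs an explicit justification.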

Qualitative Attacker Model

The attacker classifications presented so far help to classify the attacker types but they do not express the qualities of the attacks. In the domain of hardware design qualitative attacker models were first proposed by Abraham in [ADDS91] and Weingart in [WWAD90]. Meanwhile the classification scheme is well-accepted industry practice [Gra04]. The attackers are classified in groups depending on their abilities, strengths, monetary budget, and available resources.

Table 4.1 shows the four classes of attackers and the major discriminators of the classes.

Class 0 are no actual attackers but normal users that could violate security requirements by accident.

Table 4.1: Four-class attacker classification.

| Class | Attacker | Tools | Budget |
|-------|----------|-------|--------|
| 0 | No actual attack | attack can succeed by accident | - |
| 1 | curious hacker | common tools | <$10,000 |
| 2 | organized attacker (academic, crime) | special tools | <$100,000 |
| 3 | large organized attacker (crime, government) | highly specialized tools, laboratory | >$100,000 |

Class 1 is the group of amateurs or curious hackers with a limited budget and no special tools. They are not organized.

Class 2 is the group of organized hackers with a reasonable budget and time and special tools. Typical of this group are academic hackers who perform the attacks mainly for publicity. This group also includes hackers with a criminal background motivated by an economic target.

Class 3 are large organized attacker groups. We can find them in large crime organizations, terrorist networks, or in the governments’ intelligence structures. They have unlimited resources, outstanding knowledge and highly specialized tools and laboratories.

4.2.2 Attacker Goals

While the literature is rich in classifications of attacker groups and their general motivation, there is relatively little focus on the actual goals. Mostly it is implied that attacks aim at stealing or disclosing protected data. However, possession of data or eavesdropping on secret information is only one of many possible goals. While the attacker goals basically depend on the actual application and environment, we can still classify general attacker goals that are valid in WSNs:

Disclosure of information: Attackers may be interested in extracting actual data, but also in information about network activity or the existence of the network. Disclosure of information may be the actual target or only a partial goal in implementing a more complex attack scheme.

Possession of nodes: Getting access to a computer system is an attack already known from standard networks. There, computation power can be used for extensive computation operations, e.g. for breaking passwords or codes. Hijacked systems can also be used as a proxy, either as a relay to other trusted systems or for coordinated distributed attacks. While exploiting computation resources of WSNs can be neglected due to the limited resources, exploiting trust relations in a network is a feasible scenario.

With respect to amateur hackers, access to sensor nodes allows them to do fancy things with the nodes, for example changing LED configurations to demonstrate what’s possible, or using sensors on the nodes for private projects.

Possession of nodes can be differentiated into physical possession and logical possession. Physical possession allows an adversary to steal the node or tamper with the hardware. The effect of logical possession concerns changed behavior typically achieved by reprogramming.

Figure 4.3: Context of attacker motivation: The attacker motive contradicts a security goal, while the attacks realize the motive and thus the violation.

Disruption of the network: One potential attacker goal is the destruction of nodes or network. The actual motivation may vary between vandalism and directed attacks. The means may also vary from physical destruction of nodes to logical disruption of the communication channel.

Harm to the monitored infrastructure: If the WSN actively influences the controls of a system, the attack on the WSN may be a means to harm the actual infrastructure. An example is the agriculture scenario. There, competitors could be motivated to spoil the harvest of neighbors to increase the market price. In industry automation systems, manipulation of the control system may have severe impact on the entire facility.

Forging events: In a water pipeline monitoring application a just-for-fun attacker could forge events pretending a hazard just to watch the maintenance team trying to fix a non-existent error. The same is conceivable for automatic fire detection in forests.

Change of stored events: If data is stored in the WSN, attackers may be interested in changing the data. For instance information in a WSN that records the status of a road could be manipulated to hide misbehavior in a post-accident investigation [BHUW08].

Selective forwarding of information: If an adversary is in control of a communication path, packets may be forwarded or dropped deliberately. For example, a trespasser is interested in dropping alarm messages indicating the intrusion.

Personal challenge/prestige: To some extent hacking has always been a sort of competition. Hacking a real-life system is exciting and can increase the social status in the peer group, so that it is clearly an incentive for the attacker.

The attack motivations clearly contradict possible security goals of the system, but they are no actual violation. Attacks are required to realize the attacker goals. Figure 4.3 illustrates the connections. In this context it is important to note that attacks are motivated and need the motive to be executed. Knowledge about potential motives is important to understand the actions of the assumed attacker and to decompose the motives into actual attacks. Tackling security by resolving the motives is a theoretical approach that will most likely not work in practice. Maybe social campaigns and strong prosecution of hacking and destruction attempts can help to reduce the motivation, in particular for amateur hackers. In any case, a technical solution is preferable. It needs an understanding of the actual attacks, which will be addressed in the following section.