
The threat categories relevant for this work are related to those in the analysis by Tsao et al. [38], and threats therefore fall into either one of the categories authenticity, integrity, availability or confidentiality. Non-repudiation is not considered, because it is not relevant in the communication between devices in the context of the routing protocol [38].

Before categorizing all threats, an overview of the used terminology is given.

• Control plane: provides the support that is required for the establishment and maintenance of routing paths. Routers therefore exchange control plane messages which contain the relevant routing information to find the requested path for data packets.

Figure 3.1: Architecture and Components of an RPL Routing Domain – DODAG 1 and DODAG 2 with root nodes R1 and R2 and many routers and hosts, respectively (empty circles). Each router or host may select multiple parents (dashed lines). Both DODAGs are connected by a common backbone link.

• Data plane: provides the support for data forwarding. A router that receives a packet looks up the corresponding entry in its routing table which has been created by the control plane and thus decides the next hop for a given data packet.

• Deception [10]

– by masquerade: an attacker impersonates an authorized node to deceive another authorized node. The goal of the attacker is to obtain the privileges of the impersonated entity to execute functions or gain access to resources that require authorization. Examples of impersonation are replay attacks or identity spoofing.

– by falsification: subcategorized into substitution and insertion. Substitution denotes any illegal modification (alter or replace) of valid data to deceive an authorized node. Insertion is the illegal introduction of false data to deceive an authorized node.

• Disruption [10]

– by corruption: subcategorized into tampering and malicious hardware1. Tampering denotes any illegal modification of the routing logic, data or control information that alters the functions of the routing protocol. Malicious hardware is any introduced or maliciously used hardware that modifies routing behavior.

– by obstruction: subcategorized into overload and interference. Overload is any form of exhaustion of nodes or network. Interference denotes the blocking of communication on the control or data plane.

• Disclosure [10]

– by interception: denotes the unauthorized access to sensitive information by spying on the message exchange (eavesdropping).

– by inference: denotes the unauthorized access to sensitive information by interpreting or inferring the characteristics of the communication (traffic analysis).

3.1.1 Identification of Threats

A threat is defined as an incident that potentially causes harm. A vulnerability is a weakness of the system that allows threats to occur [39]. Attacks aim at damaging or compromising the assets of a system by exploiting vulnerabilities and are thus defined as the realization of a threat. Hence, when considering an attack, a threat can be described as the potential for an attack by exploiting a vulnerability.

Assets in an LLN are routing information, resources, processes and nodes [38]. Routing information is exchanged over-the-air and partially stored by every node. Resources include CPU cycles, memory, energy capacities and communication bandwidth. Processes provide services such as route creation and maintenance required by the network. Nodes provide interconnectivity and form the basis of the LLN.

From these assets it can be deduced that an adversary may gain access to an asset either by exploiting the wireless communication channel or by accessing a device physically or remotely. Furthermore, RPL has been designed for interoperability of the smallest devices, where hosts have the ability to connect to other IP-based networks. This paradigm creates the threat of attacks launched from the Internet. However, it is assumed that border routers are able to use complex and practice-proven cryptographic protocols, such as digital signatures combined with an infrastructure for digital certificates, to communicate with hosts or routers in other routing domains. This work therefore focuses on threats and attacks launched from inside an RPL routing domain. Hereby it is assumed that border routers, due to their essential role in RPL, are tamper resistant and thus not compromised by an attacker.

1 Re-defined from RFC 4949, which defines malicious logic as hardware, firmware and software.

Classification      Threat
Authenticity /      Deception of an authorized node by masquerade
Integrity           Deception by substitutions in the control / data plane
                    Deception by insertions in the control / data plane
Availability        Disruption of control / data plane by corruption
                    Disruption of control / data plane by interference
                    Disruption of control / data plane by overload
Confidentiality     Disclosure of sensitive information by interception
                    Disclosure of sensitive information by inference

Table 3.1: Summary of Threats

The relevant threat categories are summarized in Table 3.1 and described in the following.

Threats to integrity and authenticity The communication channel can be exploited by the substitution of message content or the insertion of forged messages. This can, for example, be achieved by intercepting messages and making illegal modifications before transmitting them to the actual destination, or by accessing a node directly. An attacker that has access to a node may substitute its routing state or reprogram the device with malicious code, so that the node sends false routing information. He thus has the ability to influence or control route creation and maintenance. He may further impersonate other authorized devices to gain their privileges. This enables him to access and misuse protected resources or routing information, or to corrupt processes.

Threats to availability A routing protocol requires services for topology/route creation, maintenance and forwarding. Routers or nodes exchange routing information and provide connectivity, so that all messages reach their destination. Nodes require a minimum of resources to function correctly and to provide those services. An exhaustion of these resources leads to a decreased availability of routing and forwarding. Threats to availability are thus the disruption of the control or data plane. An attacker achieves this by obstruction or corruption of message exchanges.

Threats to confidentiality The routing information is subject to unauthorized disclosure. An adversary gains unauthorized access to the routing information by intercepting the communication channel or by accessing a node directly. He may further analyze the communication patterns and infer helpful information. He thus gains knowledge of routing states which helps him to detect a lucrative access point for further attacks.

3.1.2 Attacker Model

The attacker is provided with certain capabilities and resources to exploit potential vulnerabilities of the RPL network; these capabilities determine the actual risk posed by a threat. RPL implements cryptographic countermeasures which require security keys. For this reason, this work distinguishes two classes of attackers, as defined by Karlof and Wagner [40]: an insider that has obtained a set of security credentials, and an outsider attacker with no security keys.

Outsider attacker The outsider attacker tries to intrude into the network from outside the security perimeter and thus denotes an unauthorized entity. This means that he has no access to any cryptographic keys and is restricted by the security measures of RPL. He thus intends to exploit the wireless communication channel.

The attacker is assumed to be an experienced hacker. Hence, he is assumed to possess standard tools including a general purpose computing device such as a modern laptop, which gives him much higher resources than the remaining nodes in the network. Furthermore, air-sniffing tools like Wireshark to capture wireless communication, as well as tools to substitute the content of messages and insert new messages into the network, are assumed to be available to this class of attackers.

The outsider attacker is not limited to a single device. Multiple laptops enable the attacker to establish out-of-band communication between attacking devices. Furthermore, he may install malicious hardware, like directed or more sensitive antennas, to influence the signal propagation of the in-band communication and to increase his transmission and reception range.

Insider attacker All characteristics of the outsider attacker apply to the insider attacker as well. Additionally, the insider attacker is assumed to have obtained a set of security keys. This might be done by an insider (traitor) actually selling or providing cryptographic keys, or by compromising one or more devices of the network. For instance, a memory readout enables him to extract routing information and security keys, which he copies to an additional laptop-class device. Hence, he is able to act as an authorized entity with the same privileges as the compromised node. It is further assumed that these privileges allow the insider attacker to function as a router in the network.
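The following example, added here and not part of the thesis or of any RPL implementation, makes the dividing line between the two attacker classes concrete. It models a routing control message as a JSON payload protected by an HMAC-SHA256 tag under a network-wide key, with a per-sender sequence counter against replay; this is a simplified stand-in for RPL's cryptographic countermeasures, not RPL's actual secure mode. The key, the sender name R1, the rank values and the helper names are all constructed for illustration. The receiver rejects an outsider's substitution, insertion and replay attempts, but accepts the same false rank from an insider holding the key, and neither check hides the plaintext rank from interception.

```python
import hmac
import hashlib
import json

# Constructed network-wide key for illustration only; a real deployment
# would provision keys per the protocol's security mode.
NETWORK_KEY = b"constructed-network-key-for-illustration"


def make_message(key: bytes, sender: str, rank: int, seq: int) -> dict:
    """Build a control message (constructed format) and tag it with an HMAC under `key`."""
    payload = {"sender": sender, "rank": rank, "seq": seq}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """A node that verifies the tag and rejects replays via a per-sender sequence counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq: dict[str, int] = {}

    def accept(self, message: dict) -> tuple[bool, str]:
        body = json.dumps(message["payload"], sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return False, "bad tag"  # substitution or insertion without the key
        sender = message["payload"]["sender"]
        seq = message["payload"]["seq"]
        if seq <= self.last_seq.get(sender, -1):
            return False, "replay"  # masquerade by replaying an old message
        self.last_seq[sender] = seq
        return True, "ok"


def run_scenarios() -> dict[str, str]:
    """Exercise one receiver against the outsider and insider attacker classes."""
    results = {}
    receiver = Receiver(NETWORK_KEY)

    # Legitimate router R1 advertises rank 256 (constructed sample values).
    genuine = make_message(NETWORK_KEY, "R1", rank=256, seq=1)
    results["genuine"] = receiver.accept(genuine)[1]

    # Outsider (no key) substitutes the rank in a captured message; the tag no longer matches.
    tampered = {"payload": dict(genuine["payload"], rank=1), "tag": genuine["tag"]}
    results["outsider_substitution"] = receiver.accept(tampered)[1]

    # Outsider (no key) inserts a forged message tagged under a guessed key.
    forged = make_message(b"wrong-key", "R1", rank=1, seq=2)
    results["outsider_insertion"] = receiver.accept(forged)[1]

    # Outsider replays the genuine message unchanged; the counter catches it.
    results["outsider_replay"] = receiver.accept(genuine)[1]

    # Insider (holds the key) inserts a false rank as R1: cryptographically indistinguishable.
    insider = make_message(NETWORK_KEY, "R1", rank=1, seq=2)
    results["insider_insertion"] = receiver.accept(insider)[1]

    # Either attacker can still read the plaintext rank: integrity protection is not confidentiality.
    results["interception"] = str(genuine["payload"]["rank"])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

The outcomes show why the thesis treats key possession as the defining attacker property: message authentication stops every outsider manipulation of the control plane, while an insider's false routing information passes the same checks and must be caught by other means, such as consistency checks on the advertised routing state.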