Abstract—So far, the problem of positioning in wireless networks has been studied mainly in a nonadversarial setting. In this paper, we analyze the resistance of positioning techniques to position and distance spoofing attacks. We propose a mechanism for secure positioning of wireless devices, that we call verifiable multilateration. We then show how this mechanism can be used to secure positioning in sensor networks. We analyze our system through simulations. Index Terms—Ad hoc networks, positioning, secure protocols, security, sensor networks, wireless. I.

Abstract — Until recently, the problem of localization in wireless networks has been mainly studied in a nonadversarial setting. Only recently, a number of solutions have been proposed that aim to detect and prevent attacks on localization systems. In this work, we propose a new approach to secure localization based on hidden and mobile base stations. Our approach enables secure localization with a broad spectrum of localization techniques: ultrasonic or radio, based on received signal strength or signal time of flight. Through several examples we show how this approach can be used to secure nodecentric and infrastructure-centric localization schemes. We further show how this approach can be applied to secure localization in sensor networks. I.

Abstract. Distance-bounding protocols aim to prevent an adversary from pretending that two parties are physically closer than they really are. We show that proposed distance-bounding protocols of Hu, Perrig and Johnson (2003), Sastry, Shankar and Wagner (2003), and Čapkun and Hubaux (2005, 2006) are vulnerable to a guessing attack where the malicious prover preemptively transmits guessed values for a number of response bits. We also show that communication channels not optimized for minimal latency imperil the security of distance-bounding protocols. The attacker can exploit this to appear closer himself or to perform a relaying attack against other nodes. We describe attack strategies to achieve this, including optimizing the communication protocol stack, taking early decisions as to the value of received bits and modifying the waveform of transmitted bits. We consider applying distance-bounding protocols to constrained devices and evaluate existing proposals for distance bounding in ad hoc networks. 1

Mobile sinks are needed in many sensor network applications for efficient data collection, data querying, localized sensor reprogramming, identifying, and revoking compromised sensors, and other network maintenance. Employing mobile sinks however raises a new security challenge: if a mobile sink is given too many privileges, it will become very attractive for attack and compromise. Using a compromised mobile sink, an adversary may easily bring down or even take over the sensor network. Thus, security mechanisms that can tolerate mobile sink compromises are essential. In this article, based on the principle of least privilege, we first propose an efficient scheme to restrict the privilege of a mobile sink without impeding its ability to carry out any authorized operations for an assigned task. In addition, we present an extension to allow conditional trajectory change due to unexpected events. To further reduce the possible damage caused by a compromised mobile sink, we propose efficient message forwarding schemes for deleting the privilege assigned to a compromised mobile sink immediately after its compromise has been detected. Through detailed

Abstract—For sensor networks deployed to monitor and report real events, event source anonymity is an attractive and critical security property, which unfortunately is also very difficult and expensive to achieve. This is not only because adversaries may attack against sensor source privacy through traffic analysis, but also because sensor networks are very limited in resources. As such, a practical tradeoff between security and performance is desirable. In this paper, for the first time we propose the notion of statistically strong source anonymity, under a challenging attack model where a global attacker is able to monitor the traffic in the entire network. We propose a scheme called FitProbRate, which realizes statistically strong source anonymity for sensor networks. We also demonstrate the robustness of our scheme under various statistical tests that might be employed by the attacker to detect real events. Our analysis and simulation results show that our scheme, besides providing source anonymity, can significantly reduce real event reporting latency compared to two baseline schemes. Index Terms—security and privacy, source anonymity, statistical test, SPRT, sensor networks I.

Abstract: Despite the popularity of adding sensors to mobile devices, the readings provided by these sensors cannot be trusted. Users can fabricate sensor readings with relatively little effort. This lack of trust discourages the emergence of applications where users have an incentive to lie about their sensor readings, such as falsifying a location or altering a photo taken by the camera. This paper presents a broad range of applications that would benefit from the deployment of trusted sensors, from participatory sensing to monitoring energy consumption. We present two design alternatives for making sensor readings trustworthy. Although both designs rely on the presence of a trusted platform module (TPM), they trade-off security guarantees for hardware requirements. While our first design is less secure, it requires no additional hardware beyond a TPM, unlike our second design. Finally, we present the privacy issues arising from the deployment of trusted sensors and we discuss protocols that can overcome them. 1.

Abstract. In this paper, we examine several localization algorithms and evaluate their robustness to attacks where an adversary attenuates or amplifies the signal strength at one or more landmarks. We propose several performance metrics that quantify the estimator’s precision and error, including Hölder metrics, which quantify the variability in position space for a given variability in signal strength space. We then conduct a trace-driven evaluation of several point-based and areabased algorithms, where we measured their performance as we applied attacks on real data from two different buildings. We found the median error degraded gracefully, with a linear response as a function of the attack strength. We also found that area-based algorithms experienced a decrease and a spatial-shift in the returned area under attack, implying that precision increases though bias is introduced for these schemes. We observed both strong experimental and theoretic evidence that all the algorithms have similar average responses to signal strength attacks. 1

Sensors deployed to monitor the surrounding environment report such information as event type, location, and time when a real event of interest is detected. An adversary may identify the real event source through eavesdropping and traffic analysis. Previous work has studied the source location privacy problem under a local adversary model. In this work, we aim to provide a stronger notion: event source unobservability, which promises that a global adversary cannot know whether a real event has ever occurred even if he is capable of collecting and analyzing all the messages in the network at all the time. Clearly, event source unobservability is a desirable and critical security property for event monitoring applications, but unfortunately it is also very difficult and expensive to achieve for resource-constrained sensor networks. Our main idea is to introduce carefully chosen dummy traffic to hide the real event sources in combination with mechanisms to drop dummy messages to prevent explosion of network traffic. To achieve the latter, we select some sensors as proxies that proactively filter dummy messages on their way to the base station. Since the problem of optimal proxy placement is NP-hard, we employ local search heuristics. We propose two schemes (i) Proxy-based Filtering Scheme (PFS) and (ii) Tree-based Filtering Scheme (TFS) to accurately locate proxies. Simulation results show that our schemes not only quickly find nearly optimal proxy placement, but also significantly reduce message overhead and improve message delivery ratio. A prototype of our scheme was implemented for TinyOS-based Mica2 motes.

We propose SecNav, a new protocol for securing wireless navigation systems. This protocol secures localization and time-synchronization in wireless networks by relying on devices ’ awareness of presence in the power-range (coverage area) of navigation stations. We perform a detailed security analysis of SecNav and show that, compared to existing secure navigation approaches, it prevents the widest range of attacks on navigation. Our implementation of SecNav, using 802.11b devices, shows that this scheme can be efficiently implemented with existing technologies. 1

Abstract — Accurately positioning nodes in wireless and sensor networks is important because the location of sensors is a critical input to many higher-level networking tasks. However, the localization infrastructure can be subjected to non-cryptographic attacks, such as signal attenuation and amplification, that cannot be addressed by traditional security services. We propose several attack detection schemes for wireless localization systems. We first formulate a theoretical foundation for the attack detection problem using statistical significance testing. Next, we define test metrics for two broad localization approaches: multilateration and signal strength. We then derived both mathematical models and analytic solutions for attack detection for any system that utilizes those approaches. We also studied additional test statistics that are specific to a diverse set of algorithms. Our tracedriven experimental results provide strong evidence of the effectiveness of our attack detection schemes with high detection rates and low false positive rates across both an 802.11 (WiFi) network as well as an 802.15.4 (ZigBee) network in two real office buildings. Surprisingly, we found that of the several methods we describe, all provide qualitatively similar detection rates which indicate that the different localization systems all contain similar attack detection capability. I.