Johns Hopkins EN 600 647 - Using Directional Antennas to Prevent Wormhole Attacks


Using Directional Antennas to Prevent Wormhole Attacks

Lingxuan Hu, David Evans
Department of Computer Science, University of Virginia, Charlottesville, VA
[lingxuan, evans]@cs.virginia.edu

Abstract

Wormhole attacks enable an attacker with limited resources and no cryptographic material to wreak havoc on wireless networks. To date, no general defenses against wormhole attacks have been proposed. This paper presents an analysis of wormhole attacks and proposes a countermeasure using directional antennas. We present a cooperative protocol whereby nodes share directional information to prevent wormhole endpoints from masquerading as false neighbors. Our defense greatly diminishes the threat of wormhole attacks and requires no location information or clock synchronization.

1. Introduction

Wireless ad hoc networks have properties that increase their vulnerability to attacks. Wireless links are inherently vulnerable to eavesdropping and message injection, as well as jamming attacks. Constraints in memory, computing power, and battery power in mobile devices can impose trade-offs between security and resource consumption.

Routing in ad hoc wireless networks is an especially hard task to accomplish securely, robustly and efficiently. Many proposed routing protocols are focused on energy, and provide no protection against an adversary. Some secure routing protocols also have been proposed. However, due to the unpredictability of ad hoc networks, it is hard to detect behavior anomalies in route discovery. In particular, proposed routing protocols cannot prevent wormhole attacks.

In a wormhole attack, an attacker introduces two transceivers into a wireless network and connects them with a high quality, low-latency link. Routing messages received by one wormhole endpoint are retransmitted at the other endpoint. Attackers can exploit wormholes to build bogus route information, selectively drop packets, and create routing loops to waste the energy of the network.

Wireless ad hoc networks typically assume omni-directional antennas. In this paper, we consider devices with directional antennas. Directional antennas have been shown to improve efficiency and capacity of wireless networks. Several MAC protocols [4, 14, 12, 20] and routing protocols [5, 2, 17] have been proposed that take advantage of directional antennas.

Next we provide background on secure routing protocols and previous work on preventing wormhole attacks. Section 3 considers wormhole attacks and analyzes their effectiveness. Section 4 introduces directional antennas and describes the antenna model we use. Section 5 describes our protocols for verifying neighbor relationships. Section 6 considers the impact of our protocol on network connectivity and routing performance, and Section 7 analyzes the impact of directional errors. Section 8 concludes.

2. Background

Several secure routing protocols have been proposed for wireless ad hoc networks. Papadimitratos and Haas [23] present the SRP protocol that secures against non-colluding adversaries by disabling route caching and providing end-to-end authentication using an HMAC primitive. SEAD [7] uses one-way hash chains to provide authentication for DSDV [21]. Ariadne [8] uses an authenticated broadcast technique [22] to achieve similar security goals on DSR [11]. Marti et al. [16] examine techniques to minimize the effect of misbehaving nodes through node snooping and reporting, but it is vulnerable to blackmail attacks. ARRIVE [13] proposes probabilistic multi-path routing instead of a single-path algorithm to enhance the robustness of routing.

These secure routing protocols are still vulnerable to wormhole attacks, which can be conducted without having access to any cryptographic keys. Wormhole attacks depend on a node misrepresenting its location.
Hence, location based routing protocols have the potential to prevent wormhole attacks [15]. Localization may be done using globally accessible beacons that broadcast known locations (that may be pre-configured or determined using GPS [29]). Recently there has been some research to build localization systems using localized protocols [19, 1, 10, 18]. The location service itself may become the attack target. Localization systems generally require some seed nodes that know their own positions, which may not be possible in all network environments.

Sastry, Shankar, and Wagner propose a protocol that verifies a node is located within a particular region [28]. If an attacker acquires a wormhole endpoint within the region, the attacker could make other nodes also appear to be within the region. An adversary who acquires a wormhole endpoint within the region has already violated their security requirements.

A previous approach for detecting wormhole attacks is to use packet leashes [9]. A temporal packet leash places a bound on the lifetime of a packet that restricts its travel distance. The sender includes the transmission time and location information in the message, and the receiver checks that the packet could have traveled the distance between the sender and itself within the time between reception and transmission. Since radio transmissions travel at the speed of light, temporal packet leashes require tightly synchronized clocks and precise location knowledge.

Our approach to preventing wormhole attacks is for nodes to maintain accurate information about their neighbors (nodes within one hop communication distance). This is simpler than using location since each node need only maintain a set of its neighboring nodes. A message from a non-neighboring node is ignored by the recipient.
Note that any protocol used to maintain accurate neighbor sets may itself be vulnerable to wormhole attacks, so our goal is to design a neighborhood discovery protocol that is not vulnerable to wormhole attacks. The security of our protocol will rely on using directional antennas to obtain relative direction information, and cooperation among nodes to verify possible neighbors.

3. Wormhole Attacks

In a wormhole attack, an attacker forwards packets through a high quality out-of-band link and replays those packets at another location in the network [9, 15]. Figure 1 shows a basic wormhole attack. The attacker replays packets received by X at node Y, and vice versa. If it would normally take several hops for a packet to traverse from a location near X to a location near Y,
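
The receiver-side packet leash check described in Section 2, written out to show why it needs tightly synchronized clocks. This is an added example, not code from the paper: the three checks are one reading of the paper's description, and the 250 m radio range, node positions and clock errors are constructed assumptions.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def leash_failures(sender_pos, t_send, recv_pos, t_recv, radio_range_m, clock_err_s):
    """Return the list of leash checks a packet fails (empty list = accept).

    sender_pos and t_send are the fields the sender put in the message;
    clock_err_s is the worst-case offset between the two nodes' clocks.
    """
    failures = []
    claimed_m = math.dist(sender_pos, recv_pos)
    # The receiver cannot rule out any flight time up to elapsed + clock error,
    # so that is the upper bound on how far the packet may have travelled.
    max_travel_m = C * ((t_recv - t_send) + clock_err_s)
    if claimed_m > radio_range_m:
        failures.append("sender out of range")
    if max_travel_m < claimed_m:
        failures.append("timing inconsistent with location")
    if max_travel_m > radio_range_m:
        failures.append("leash exceeded")
    return failures

def max_tolerable_clock_error(radio_range_m, distance_m):
    """Largest clock offset at which a direct neighbour at distance_m still passes."""
    return (radio_range_m - distance_m) / C

# Constructed scenario values (assumptions, not from the paper).
RECEIVER = (0.0, 0.0)
RANGE_M = 250.0

def scenario(sender_pos, path_m, clock_err_s):
    """Packet sent at t=0 that reaches RECEIVER after travelling path_m metres."""
    return leash_failures(sender_pos, 0.0, RECEIVER, path_m / C, RANGE_M, clock_err_s)

if __name__ == "__main__":
    # Direct neighbour 100 m away, clocks within 10 ns: accepted.
    print("neighbour, 10 ns:", scenario((100.0, 0.0), 100.0, 10e-9))
    # Same neighbour, clocks only within 1 us (about 300 m of slack): rejected.
    print("neighbour, 1 us :", scenario((100.0, 0.0), 100.0, 1e-6))
    # Packet from a node 2 km away, replayed verbatim near the receiver.
    print("replayed, 10 ns :", scenario((2000.0, 0.0), 2000.0, 10e-9))
    print("clock error budget (s):", max_tolerable_clock_error(RANGE_M, 100.0))
```

With these constructed numbers the legitimate neighbor passes only while the clock offset stays below roughly half a microsecond, which is the synchronization burden the paper's neighbor-based approach is meant to avoid.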

