The IEEE 802.15.4 standard has been established as the dominant enabling technology for Wireless Sensor Networks (WSNs). With the proliferation of security-sensitive applications involving WSNs, WSN security has become a topic of great significance. In comparison with traditional wired and wireless networks, WSNs possess additional vulnerabilities which present opportunities for attackers to launch novel and more complicated attacks against such networks. For this reason, a thorough investigation of attacks against WSNs is required. This paper provides a single unified survey that dissects all IEEE 802.15.4 PHY and MAC layer attacks known to date. While the majority of existing references investigate the motive and behavior of each attack separately, this survey classifies the attacks according to clear metrics within the paper and addresses the interrelationships and differences between the attacks following their classification. The authors’ opinions and comments regarding the placement of the attacks within the defined classifications are also provided. A comparative analysis between the classified attacks is then performed with respect to a set of defined evaluation criteria. The first half of this paper addresses attacks on the IEEE 802.15.4 PHY layer, whereas the second half of the paper addresses IEEE 802.15.4 MAC layer attacks.
The IEEE 802.15.4 standard [
Many applications involving WSNs are security-sensitive and possess zero tolerance for error and latency. While error and latency can occur due to network failure and congestion, they can also be triggered by malicious behavior. For instance, eavesdropping on confidential information exchange or injecting false information in battlefield monitoring applications can have severe consequences and can lead to injuries or at worst fatalities. Another example is Home Area Networks (HANs) in smart grids [
IEEE 802.15.4 defines the Physical (PHY) and Media Access Control (MAC) layer specifications of Low-Rate Wireless Personal Area Networks (LR-WPANs) [
This section explains the purpose and operation of the attacks which can be launched by a malicious adversary against the PHY layer of an IEEE 802.15.4-based network. We refer to the different methods of launching the same attack as the attack’s
Sokullu et al. [
This jamming attack transmits radio interference signals with high transmission power over all channels of the related frequency band. This can be achieved either through continuous transmission of a jamming signal over the entire frequency band [
In contrast to
Classification of IEEE 802.15.4 PHY layer attacks.
These attacks are used by adversaries to inject false data into the network by transforming a legitimate data frame into a modified frame containing information of the adversary’s choice. Wilhelm et al. [
An adversary can emit RF waves whose amplitude and phase are synchronized with those of the original transmitted signal. If these RF waves are combined with the original signal at the correct time, this leads to a new signal containing the falsely injected data. This technique is referred to as
This technique is used in conjunction with angular modulation schemes, in which only the stronger of two colliding signals is received. While
Martins and Guyennet [
While [
In this classification, we define two broad categories of
This classification classifies attacks with respect to the fields of the transmitted frame which are corrupted due to adversary jamming. We infer from O’Flynn [
In this method, the adversary aims to jam a few or all bytes of the PHY payload, thus corrupting the frame and indirectly leading to an incorrect Frame Check Sequence (FCS) at the receiver. Upon frame reception, the receiver discards the frame due to its incorrect FCS [
Contrary to
It is worth noting that, for each of the two aforementioned frame corruption techniques, an adversary is able to detect the point in time at which the transmission of a frame’s PHY payload or FCS starts by examining the frame’s PHY layer header, which contains the length of the transmission frame. The frame content targeted for corruption by the adversary depends on the point in time at which the adversary starts emitting jamming energy, as well as how long the adversary continues to jam throughout the entire duration of frame transmission [
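The receiver-side consequence described above can be made concrete. The check below is an added example, not code from the survey: it validates the FCS the way a receiver does before handing a PSDU to the MAC layer, and shows on constructed frames that a jammed payload byte and a jammed FCS byte produce the same observable symptom, an FCS mismatch, which is why a rising FCS-failure ratio on a channel is the signal a monitor can alarm on. The generator polynomial is the one the standard specifies; the bit-reflected computation, initial value 0 and LSB-first placement (the CRC-16/KERMIT form) are assumed here, as are the sample frame and addresses.

```python
"""Receiver-side FCS validation for an IEEE 802.15.4 PSDU (added example).

The FCS is the 16-bit ITU-T CRC with generator x^16 + x^12 + x^5 + 1,
computed over the MAC header and payload (assumed bit-reflected form,
initial value 0, no final XOR, appended LSB first)."""

def crc16_kermit(data: bytes) -> int:
    """Bit-reflected CRC-16 (0x8408 is the reflected 0x1021 polynomial)."""
    crc = 0x0000
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc & 0xFFFF

def build_psdu(mac_frame: bytes) -> bytes:
    """PSDU = MAC header + payload followed by the two FCS bytes."""
    return mac_frame + crc16_kermit(mac_frame).to_bytes(2, "little")

def fcs_ok(psdu: bytes) -> bool:
    """The check a receiver performs before passing a frame up to the MAC."""
    if len(psdu) < 3:
        return False
    body, fcs = psdu[:-2], int.from_bytes(psdu[-2:], "little")
    return crc16_kermit(body) == fcs

def jammed(psdu: bytes, index: int) -> bytes:
    """Constructed corruption of one byte, standing in for a jamming burst."""
    out = bytearray(psdu)
    out[index] ^= 0xFF
    return bytes(out)

def fcs_failure_ratio(psdus) -> float:
    """Fraction of frames on a channel discarded for a bad FCS; a monitor
    can alarm when this ratio climbs above its normal background level."""
    psdus = list(psdus)
    return sum(not fcs_ok(p) for p in psdus) / len(psdus) if psdus else 0.0

# Constructed data frame: frame control, sequence number, PAN id, destination
# and source short addresses (all little-endian), then a 7-byte payload.
SAMPLE_FRAME = bytes.fromhex("6188 2a 3412 0100 0200") + b"temp=21"

if __name__ == "__main__":
    psdu = build_psdu(SAMPLE_FRAME)
    received = [psdu] * 6 + [jammed(psdu, 9), jammed(psdu, len(psdu) - 1)]
    print(f"intact: {fcs_ok(psdu)}, failure ratio: {fcs_failure_ratio(received):.3f}")
```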
In this section, we first define the criteria which will be used to evaluate each of the PHY layer attacks discussed in the previous section. Following this, we perform a detailed comparison between the attacks with respect to the defined evaluation criteria.
We define four criteria for the purpose of PHY layer attack evaluation.
An adversary launching an energy-efficient attack consumes minimum energy in order to disrupt network communications, thus preventing drainage of the adversary node’s limited battery power [
An effective attack is one that yields maximum disruption of network communications throughout the length of its deployment.
A stealthy attack is an unintrusive attack which is launched with minimum probability of detection by the network [
Security goals are used to assess a WPAN’s level of security. Kumar et al. [
Table
Comparative analysis of IEEE 802.15.4 PHY layer attacks.
Attack | Energy efficiency | Effectiveness | Stealthiness | Primary security goal: Integrity | Primary security goal: Availability
---|---|---|---|---|---
Wide-Band Denial | Low [ | High | Low [ | × | √ [
Constant Jamming | Low [ | High | Low [ | |
Deceptive Jamming | Low [ | High | Moderate [ | |
Random Jamming | Moderate [ | Moderate [ | Moderate [ | |
Interrupt Jamming | High [ | High [ | High [ | |
Activity Jamming and Scan Jamming | Moderate [ | High | Moderate [ | |
Node-Specific Denial and Message-Specific Denial | High | High | High | |
Message Manipulation Attacks | Not enough information | Not enough information | Not enough information | √ [ | ×
Steganography Attacks | Dependent | Dependent | Dependent | × | ×
It is noted that Table
The differences between the discussed IEEE 802.15.4 PHY layer attacks with respect to energy efficiency, effectiveness, and stealthiness are as follows.
The longer the secret message that needs to be transmitted, the larger the number of frames exchanged over the network. Exchanging more frames shortens the lifetime of a malicious adversary node through higher energy consumption, and raises its probability of detection, since the network observes the abnormal activity. Energy efficiency of PHY layer
With reference to the security goals acquired from Kumar et al. [
This section addresses attacks against the IEEE 802.15.4 MAC layer and is based on the research in [
Similar to
In this variant, a malicious adversary emits packets of useless content at random time intervals and for no specific purpose. While this variant can be considered as a stand-alone attack, it is also the basis for the
An intelligent jammer emits packets of useless content at specific times for specific purposes [
Mišić et al. [
The Carrier Sense Multiple Access with Collision Avoidance (CSMA-CA) [
Mišić et al. [
BLE mode ensures the conservation of power for nodes operating on battery power. A malicious adversary can take advantage of this CSMA-CA feature by falsely pretending to run in BLE mode in order to acquire a smaller initial contention window size than the other legitimate nodes. This reduces the range of values from which the adversary selects its back-off period and ensures that its probability of accessing the medium is much higher than that of legitimate nodes.
A malicious adversary can choose not to increment its BE after a failed transmission attempt. Maintaining a constant BE prevents the contention window size from being increased, thus increasing the probability of channel access.
Another way of increasing the odds of channel access is for a malicious adversary to modify its RNG so that the back-off periods it selects are much smaller than those selected by legitimate nodes.
Mišić et al. [
Mišić et al. [
In this attack variant, if the adversary senses that the channel is idle for only 1 back-off period (not 2), it initiates packet transmission, giving channel access more quickly and frequently to adversaries than to legitimate network nodes.
Rather than reducing the number of back-off periods during which CCA is performed, an adversary may choose to omit the CCA procedure altogether in order to immediately start transmitting whenever the random back-off countdown is over. This could potentially cause collisions if the channel is not idle, leading to a DoS effect as in
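The back-off rules discussed in this subsection can be put into a small contention model to quantify how much a node that pretends to run in BLE mode and never increments its BE gains, and what a coordinator-side fairness check would see. This is an added example, not code from the survey or the standard: macMinBE = 3 and macMaxBE = 5 are the standard's default values, while the contention model (the smallest delay transmits, equal delays collide), the node count and the `flag_unfair` threshold are assumptions.

```python
"""Slotted CSMA-CA contention model: added example, not code from the survey.
Random delay drawn from [0, 2^BE - 1] back-off periods, BE growing from
macMinBE toward macMaxBE after every busy channel, smaller initial BE in
BLE mode. The smallest-delay-wins contention model, node count and alarm
threshold are assumptions; macMinBE=3 and macMaxBE=5 are standard defaults."""
import random
from dataclasses import dataclass

MAC_MIN_BE, MAC_MAX_BE = 3, 5
BLE_BE = min(2, MAC_MIN_BE)  # initial BE when battery-life extension is on

@dataclass
class Node:
    name: str
    init_be: int = MAC_MIN_BE
    increment_be: bool = True  # False models the "constant BE" misbehaviour
    be: int = MAC_MIN_BE
    wins: int = 0

    def lost(self):
        """Busy channel or collision: a conforming node widens its window."""
        if self.increment_be:
            self.be = min(self.be + 1, MAC_MAX_BE)

def contend(nodes, rounds, seed=1):
    """Saturated network: every node has a frame pending in every round.
    Returns each node's share of all successful transmissions."""
    rng = random.Random(seed)
    for n in nodes:
        n.be, n.wins = n.init_be, 0
    for _ in range(rounds):
        delay = {n.name: rng.randint(0, 2 ** n.be - 1) for n in nodes}
        best = min(delay.values())
        winners = [n for n in nodes if delay[n.name] == best]
        for n in nodes:
            if len(winners) == 1 and n is winners[0]:
                n.wins += 1
                n.be = n.init_be  # a successful transmission resets BE
            else:
                n.lost()  # lost the contention or collided
    total = sum(n.wins for n in nodes) or 1
    return {n.name: n.wins / total for n in nodes}

def flag_unfair(shares, factor=2.0):
    """Coordinator-side check: names of nodes winning more than `factor`
    times their fair share of successful accesses (threshold assumed)."""
    fair = 1.0 / len(shares)
    return sorted(name for name, s in shares.items() if s > factor * fair)
```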
Consider a node providing the access control service in secured operating mode. In this case, if two entries within this node’s Access Control List (ACL) possess the same key and nonce, a malicious adversary obtaining the cipher texts pertaining to these two entries will be able to infer useful information about the transmitted data, as explained in [
Replay-protection is an IEEE 802.15.4 mechanism which causes a node to drop a frame if its sequence number is equal to or less than the sequence number of a preceding frame received by that same node. An adversary can send frames with large sequence numbers to targeted legitimate nodes, causing frames with smaller sequence numbers from other legitimate nodes to be dropped [
In IEEE 802.15.4 as well as in other types of networks, ACK frames are sent between network nodes in order to confirm successful frame transmission. For some types of frames, an
In this subsection, we explain two variants of the
An adversary can perform
In this variant, although the transmitted data is correctly received by the receiver,
This attack is an extension of the
In beacon-enabled networks, the PAN coordinator reserves Guaranteed Time Slots (GTS) within the Contention Free Period (CFP) of each superframe duration in order to guarantee channel access for network nodes running time-critical applications with real-time delivery, low latency, or specific bandwidth requirements. A maximum of 7 GTS can be assigned at any one time, with each GTS possibly occupying more than one superframe slot within the superframe’s CFP. Allocation and deallocation of GTS are performed by the PAN coordinator on a first-come-first-served basis [
Since there is no method of verifying sensor nodes’ identifiers (IDs), Jung et al. [
In this category, a
Rather than spoofing the IDs of legitimate nodes within the PAN, a malicious adversary can use its own or other nonexisting IDs to conduct either of the two attack variants contained within this category [
Sokullu et al. [
In this type of
CAP maintenance involves the use of a number of preventative actions in order to ensure that the length of the CAP period of each superframe does not fall below a predefined threshold known as
IEEE 802.15.4 defines a conflict resolution procedure, which is initiated when two PAN coordinators residing within the same Personal Operating Space (POS) have the same coordinator ID, also referred to as
The
Balarengadurai and Saraswalhi [
A node switches to a new PAN coordinator if the membership degree to the new PAN coordinator is greater than its membership degree to its current PAN coordinator.
A new node is elected as the PAN coordinator if its election possibility is higher than the election possibility of the current coordinator. Election possibility is determined with respect to factors such as mobility and remaining battery capacity.
O’Flynn [
The MAC layer attacks explained above cannot be classified using a single deterministic classification. Therefore, we present two classifications which include some of the most important methods of classifying IEEE 802.15.4 MAC layer attacks obtained from external references. Novel extensions to these classifications are also presented. Figure
Classification of IEEE 802.15.4 MAC layer attacks.
Sokullu et al. [
This class contains specific variants of some general attacks applied against IEEE 802.15.4 MAC layer security mechanisms.
In addition to the above three classes of attacks, we extend this classification by including the following additional class of attacks.
This class refers to attacks applied against IEEE 802.15.4 MAC layer schemes. Contrary to Sokullu et al. [
In this classification, we classify attacks with respect to conformance to MAC protocol rules and mode of network operation.
Mišić et al. [
All MAC layer attacks can be launched against both beacon-less and beacon-enabled networks except for all
In this section, we perform a detailed comparison between the attacks with respect to the following evaluation criteria.
The primary intent of most MAC layer attacks is to cause a DoS against a specific part of or the entire network [
As in Section
Table
Comparative analysis of IEEE 802.15.4 MAC layer attacks (√ for cause, √√ for effect).
Attack | DoS intent: Exhaustion | DoS intent: Collision | DoS intent: Unfairness | DoS intent: Sleep | Security goal: Confidentiality | Security goal: Integrity | Security goal: Authenticity | Security goal: Availability
---|---|---|---|---|---|---|---|---
Link Layer Jamming | √√ | √ | √ | × | × | × | √√ | √
Node-Specific Flooding | × | √ | √ | × | × | × | √√ | √√
BLE pretense, constant BE, RNG tampering, and CCA reduction | × | √√ [ | × | × | × | × | √√ | ×
Back-off countdown omission and CCA omission | √ | √√ [ | × | × | × | × | √√ | ×
Same-Nonce Attack | × | × | × | √√ | × | × | × | ×
Replay-Protection Attack | × | √√ | √ | × | × | × | √√ | √
ACK spoofing attack | × | √√ | × | × | × | √√ | √√ | ×
ACK dropping attack | × | √ | √ | × | × | × | √√ | √√
MITM Attack | × | √√ | × | × | √√ | √√ | √√ | ×
PANId Conflict Attack | × | √ | √ | × | × | × | √√ | √√
DoS against data transmissions during CFP | × | √ | × | × | × | √√ | √√ | ×
DoS against GTS Requests | × | √ | × | × | × | × | √√ | √√
False Data Injection | × | √ | × | × | √√ | √√ | √√ | √√
Stealing network bandwidth | × | √ | × | × | √√ | × | √√ | √√
DoS against CAP maintenance | × | √ | × | × | × | × | √√ | √√
Interference during CFP | √√ | √ | √ | × | × | × | √√ | √
Ping-Pong Effect | × | √ | √ | × | × | × | √√ | √√
Bootstrapping Attack | × | √√ | × | × | × | × | √√ | √
Steganography Attack | × | √ | × | × | × | × | × | ×
This work constitutes a detailed survey on IEEE 802.15.4 PHY and MAC layer attacks.
In the first part of this survey, we extensively discussed 802.15.4 PHY layer attacks. The purpose and operation of each attack and its variants were explained. We presented two classifications for
IEEE 802.15.4 MAC layer attacks were addressed in the second part of this survey. We started off by clarifying the purpose and method of operation of each attack and its variants. A novel variant of the
The authors declare that they have no competing interests.