Security Vulnerabilities and Countermeasures for Time Synchronization in TSCH Networks

Time-slotted channel hopping (TSCH), which can enable highly reliable and low-power wirelessmesh networks, is the cornerstone of current industrial wireless standards. In a TSCH network, all nodes must maintain high-precision synchronization. If an adversary launches a time-synchronization attack on a TSCHnetwork, the entire network communication system can be paralyzed. Thus, time-synchronization security is a key problem in this network. In this article, time synchronization is divided into singlehop pairwise, clusterwise, and three-levelmultihop according to the network scope.We deeply analyze their security vulnerabilities due to the TSCH technology itself and its high-precision synchronization requirements and identify the specific attacks; then, we propose corresponding security countermeasures. Finally, we built a test bed using 16 OpenMoteSTM nodes and the OpenWSN software to evaluate the performance of the proposed scheme.The experimental results showed that serious security vulnerabilities exist in time-synchronization protocols, and the proposed countermeasures can successfully defend against the attacks.


Introduction
Most industrial applications, e.g., steel mills, chemical industries, and oil refineries, need real-time monitoring and management processes [1,2].Traditionally, wired industrial automation and monitoring systems have been deployed to monitor temperature, pressure, or tank-fill levels.But it is difficult and expensive to install communication cables in a factory [3].With the recent advances in wireless technology, industrial wireless sensor networks (IWSNs) have become a trend, instead of the traditional wired industrial systems.Their advantages are easier deployment and cheaper maintenance.In particular, they can be used in mobile objects and explosive environments.
As industrial wireless applications have critical requirements for reliability, low power, and real-time response rates, IWSNs face many challenges.Research has shown that wireless communication is vulnerable to external interference, path obstruction, and multipath fading.Moreover, nodes waste considerable energy in idle listening states, e.g., IEEE802.15.4-2006 networks [4].
The time-slotted channel-hopping (TSCH) technique can be applied to low-power and highly reliable wireless mesh networks.All nodes in a TSCH network must maintain high-precision synchronization.The nodes radios switch on according to the network schedule, which can avoid idle listening.It also uses a channel-hopping technique to improve the wireless communication reliability.Currently, the TSCH technology is the fundamental for the industrial wireless standards, e.g., ISA100.11a[5], WirelessHART [6], and IEEE802.15.4-2015 [7].
Figure 1 shows a sample timeslot-channel schedule in a TSCH network with a 101-slot super-frame.The horizontal axis represents ASN (absolute slot number) value which indicates how many timeslots have elapsed after the network formation.And the vertical axis represents communication channel.The communication of nodes happens in one timeslot and communication channel according to the network schedule.Some nodes can sleep in a specified timeslot to save energy (e.g., node B and node D sleep in timeslot 1).In addition, the network adopts a channel-hopping technology based on time to improve wireless communication reliability.Overall, high-precision time synchronization is the core feature of TSCH networks.Time synchronization is fundamental for the TSCHbased wireless networks.However, the time-synchronization protocol in TSCH networks focuses on energy efficiency and clock accuracy while ignoring security issues.If an adversary launches a time-synchronization attack on a TSCH network, the entire network communication system can be paralyzed.There are some secure time-synchronization protocols in WSNs (e.g., SPS [8] and SMTS [9]).But those countermeasures cannot be directly applied to the timesynchronization protocol in TSCH networks.The SPS (secure pairwise synchronization) protocol [8] is designed to defend against the pulse-delay attack in TPSN time synchronization.The SMTS (secured maximum-consensus-based timesynchronization) protocol [9] is designed to defend against message-manipulation attacks in MTS time synchronization.The time-synchronization protocol in TSCH networks is different from the MTS and TPSN protocol.There exist difference security vulnerabilities in the process of time synchronization.And the security countermeasures should also consider the detail of implementation of the timesynchronization protocol.It is necessary to research the secure time synchronization in TSCH-based wireless networks.
In our paper, time synchronization in TSCH networks is divided into single-hop pairwise, clusterwise, and multihop according to the network scope.We analyze in detail their security vulnerabilities, due to the high-precision synchronization requirements and TSCH protocol itself, and identify some specific attacks and then propose corresponding security countermeasures.
The contributions of the paper are threefold.Firstly, we analyze in detail the vulnerability of single-hop pairwise synchronization and propose security countermeasures that include an authentication mechanism and a clock-offset filter (COF) algorithm.The COF algorithm can filter out timesynchronization packets from malicious nodes.Secondly, we analyze in detail the vulnerability of clusterwise synchronization and propose an improved TESLA scheme that supports immediate authentication.It does not need to wait until it receives the disclosed key before authenticating the packets.Finally, we analyze in detail the vulnerability of multihop synchronization and define an error-accumulation attack.We propose a multipath approach based on trust modeling, which can find a secure path to the root node by establishing a trust model between nodes.
A test bed using 16 OpenMoteSTM nodes and the OpenWSN software was built to validate the effectiveness and feasibility of the security countermeasures.
The paper is organized as follows.Section 2 introduces secure time-synchronization protocols in wireless sensor networks.Section 3 presents time synchronization in TSCH networks and the attack model.Sections 4, 5, and 6 describe secure pairwise, secure clusterwise, and secure multihop time synchronization, respectively.Section 7 presents the experimental evaluation of the secure time synchronization in a network with 16 OpenMoteSTM nodes.Section 8 presents a comparison with other secure time-synchronization protocols.Section 9 concludes the paper.

Related Work
Huang et al. [10] showed the seq num attacks and global time attacks on the flooding time-synchronization protocol (FTSP).Then they proposed a series of countermeasures which include new root-selection and blacklist filter mechanisms to protect against the above attacks.Zhang et al. [11] observed a novel time-synchronization attack (TSA) that can manipulate the timing information in a smart grid.The attack can reduce the fault-location performance and disable the voltage-instability alarm.
Ganeriwal et al. [8] defined a pulse-delay attack on the timing-synchronization protocol for sensor networks (TPSN).This attack causes legitimate nodes to calculate an error clock offset.Then, they proposed a SPS protocol that adopts message-authentication codes and end-to-end delayestimation methods.The experiment, which is conducted on Mica2 motes, shows that SPS can successfully detect the attack.
He et al. [9] analyzed the vulnerability of the MTS protocol and described message-manipulation attacks.They then proposed a secure MTS protocol using hardware and logical clocks to detect the attacks.The result showed that the protocol can quickly compensate the clock offset.And they also proposed a SATS protocol [12] to protect against messagemanipulation attacks in the average-consensus-based timesynchronization (ATS) protocol.
Dong et al. [13] showed Sybil attacks and compromise attacks can destroy a distributed time-synchronization protocol.They proposed RTSP that employs a graph-theoretical technology to detect attacks.But the security mechanism can not be directly used in centralized time-synchronization protocols.
Yang et al. [14] analyzed the vulnerability of the timingsynchronization protocol in IEEE802.15.4e networks.They pointed out the ASN and timeslot-template synchronization attack.Then, they proposed security countermeasures which fully consider the characteristic of IEEE802.15.4e networks to defend against the attacks.However, the paper only focused on secure single-hop synchronization, and only simulations were conducted to verify the effectiveness of the countermeasures.

Time Synchronization in TSCH Networks
In this section, we briefly describe time synchronization in TSCH networks.Then, we present a model for timesynchronization attacks.
. .Time-Synchronization Process.Every node keeps synchronized in TSCH networks, and the communication happens in timeslots (e.g., 15 ms long).Before a new node joins the network, it should receive the enhanced beacon (EB) packets from neighborhood nodes.The contents of EB packets mainly contain Join Priority (JP) value and ASN value.The new node prefers to choose a neighborhood node with a lower JP value to do ASN synchronization.
After the node successfully joins the network, it needs to maintain synchronization.The timeslots of network nodes should remain aligned.Usually, the nodes are equipped with an inexpensive oscillator to keep time.Because of the differences in temperature or fabrication, there is a clock drift between two oscillators (typically 30 ppm).So the nodes need to do device-to-device synchronization to compensate for the clock offset.Every node can use framebased or acknowledgment-based synchronization methods to synchronize with the network.
Figure 2(a) illustrates a detailed process of frame-based synchronization between a transmitter and receiver.The receiver should turn on the radio a little earlier than the transmitter.The duration is defined as the guard time (GT).And the receiver needs to record the arriving time of the frame.Based on (1), the receiver can get the value of clock offset.And the receiver can synchronize to the transmitter when it updates the period based on (2). Figure 2(b) illustrates a process of acknowledgment-based synchronization.Here, the transmitter is a child node.It should first send a request frame to the receiver.The receiver needs to calculate the time offset based on (1).And the transmitter gets the time offset and synchronizes to the receiver based on (2).
. .Attack Model.The Dolev-Yao threat model is a typical attack model where the attacker can eavesdrop on, modify, or forge communication messages in the network.Our attack model is based on this model.We consider two types of attack: external and internal.
In the external attack model, an attacker can eavesdrop on or modify messages but cannot obtain the secret key.So it is unable to impersonate a legitimate node.But an internal attacker can get a legal identity because it knows the secret key.The compromise attack is a typical internal attack.The compromised node can not only eavesdrop on network messages, but also forge legitimate network messages.Our paper will consider the impact of the two types of attacks on the time-synchronization protocol.

Secure Pairwise Time Synchronization
Two neighbor nodes usually adopt single-hop pairwise synchronization to establish relative clock offsets.In this section, we first analyze its security in depth and then propose a security countermeasure that includes authentication mechanisms and a COF algorithm.
. .Vulnerabilities in Pairwise Synchronization.ASN synchronization occurs when new nodes join the network.And the EB packet is an important control packet in the process of ASN synchronization.Figure 3 shows the detailed format of the EB packet.The EB packets mainly contain Join Priority (JP) value, ASN value, and channel-hopping template information for a new node to join the network.The EB packet may be encrypted to defend against eavesdrop attacks.It only adopts a shared key for encryption; otherwise, it will prevent new nodes from joining the network.However, from the ASN synchronization perspective, it should adopt a secret key to hide the  value.If a new node receives a forged EB packet that contains a false ASN value, it may deduce the wrong channel frequency for all the given pairwise communication according to (3).This is the first security vulnerability in the single-hop pairwise synchronization process. = ( + ℎ) %16.
(3)  In the process of device-to-device synchronization, the receiver may deduce the time offset according to (1).However, if an adversary modifies the  value in the timeslot template, the receiver may calculate an incorrect time offset, according to (4).Δ represents the modification size.It is defined as a timeslot-template attack.However, the attacker cannot modify the  value arbitrarily.If the value of Δ is larger than the GT, it may have no effect, as the receiver may turn off the radio in this case.This is the second security vulnerability in the single-hop pairwise synchronization process.
The pulse-delay attack which was first proposed by Ganeriwal et al. [8] may destroy device-to-device synchronization.To quote from Ganeriwal et al. [8]: "The adversary first sends jamming signals and replays it after a little delay, which will cause the receivers to calculate an incorrect clock offset."Both the frame-based and acknowledgment-based ways may be affected by this attack.This is the third security vulnerability in the single-hop pairwise synchronization process.
. .Secure Pairwise Synchronization.In the ASN synchronization process, a new node may receive a forged EB packet that contains a false ASN value.This occurs when joining a network.Fortunately, the IETF 6TiSCH working group recently made some progress in the secure Join protocol [16].
If a new node can securely join a network or choose a legitimate time source, it can successfully do ASN synchronization.Therefore, in our study, we mainly focus on the second and third security vulnerabilities in the pairwise synchronization process.
Generally, all nodes periodically perform device-todevice synchronization with their time parents in TSCH.The offset is usually less than a threshold when the period of synchronization is fixed.Therefore, the criterion of attack success is that the legitimate node receives a clock offset that exceeds the threshold value.Here, we present a mathematical model to describe the device-to-device time-synchronization process (see ( 5) and ( 6)).Let 1 represent the transmitterrecorded sending time of the synchronization frame and 1 represent the receiver-recorded receiving time of the synchronization frame.Similarly, 2 and 2 represent the relation time.For more detail, refer to Figure 2(b).Using ( 5) and ( 6), the time offset and transmission delay are easily calculated.
First, let us consider the timeslot-template attack where an adversary modifies the value of . Assume that the receiver is a malicious node that is compromised by an adversary.The  value of receiver is modified to  − .According to (1), the receiver would calculate a larger offset than the normal case.From the perspective of the mathematical model, the R1 and R2 value increase.Thus, according to ( 5) and ( 6), the adversary can conduct the offset increases, as indicated by (7), but the delay does not increase.
Second, the pulse-delay attack may destroy pairwise synchronization in TSCH.Assuming the adversary introduces delay Δ.The 1, 2, and 2 value do not change.But the 1 value may increase to 1 + Δ.According to ( 5) and ( 6), it can conduct the offset increases, as indicated by (8), and the delay increases, as indicated by (9).
In order to defend against time-synchronization attacks in the pairwise synchronization in TSCH, a secure algorithm is proposed as shown in Algorithm 1.
Our proposed scheme combines the message-integrity authentication mechanism and COF algorithm.In the process of child node A sending a synchronization request to parent node B, it contains random nonce   and MAC (message authentication codes).The random nonce   is used to protect against a reply attack.The MAC is an effective way to defend against an external attack which has been proved.However, the adversary may launch an internal attack such as a compromise attack or pulse-delay attack.Here we propose a COF algorithm to protect against the internal attack.
The core idea of the COF algorithm is that the synchronization packet will be filtered out when the clock offset or delay is larger than a threshold value.Therefore, how to accurately estimate the threshold value is a key issue.Let  represent clock threshold and  * represent delay threshold.When the period of synchronization  is fixed, the  value can be estimated based on (10), where   represent the maximum clock drift between two nodes.The value of   can refer to the crystal manually.The value of  * can also be estimated theoretically.Ganeriwal et al. [8] have proved that the transmission delay usually follows a Gaussian distribution.Let  represent the delay in the process of exchanging data packets, which is calculated according to (6).As the delay follows a Gaussian distribution, it can conclude that most of the delay is among [ V − 3,  V + 3].It can reach 99.7% confidence.So the value of  can be estimated theoretically according to (11).

Secure Clusterwise Time Synchronization
In this section, we first analyze in detail the vulnerability of clusterwise time synchronization and then propose a lightweight security countermeasure.  . .Vulnerabilities in Clusterwise Synchronization.To improve the energy efficiency, a cluster of nodes in TSCH networks may sleep in the given timeslots and wake simultaneously.Many other WSN applications (e.g., fire monitoring, speed estimating, and movement detection) also need consistent distributed coordination and sensing.Thus, a secure and low-power clusterwise synchronization protocol is critical.
In TSCH networks, a node has two methods for maintaining clusterwise time synchronization: KA-based and ADV-based.In the process of KA-based synchronization, every child node must periodically send a KA packet to the cluster-head to maintain synchronization.ADV-based synchronization is different because the cluster-head needs to periodically broadcast a time-synchronization packet to the child node.Vilajosana et al. [17] observe that the ADVbased synchronization scheme is more practical and energy efficient.Thus, our paper mainly focuses on the security vulnerability of ADV-based synchronization.
The ADV-based synchronization process has no security mechanisms and, in particular, no broadcast-authentication mechanism.A malicious node can easily forge broadcast time-synchronization packets to disturb the clusterwise synchronization.
Figure 4 shows the scenario of a malicious node launching an attack on ADV-based clusterwise synchronization.In the normal case, the cluster-head node should periodically broadcast an ADV packet.All the child nodes receive the ADV packet to do synchronization.However, the malicious node launches a time-synchronization attack on child 2 and child 3 by forging an ADV packet with a strong power.Child 2 and child 3 will calculate a false time offset and may lose synchronization with the cluster-head.
In TSCH networks, all communications are based on high-precision synchronization.A false time offset can effectively reduce the performance of a cluster network.Thus, a secure clusterwise synchronization protocol should be designed for the TSCH network.
. .Secure Clusterwise Synchronization.In TSCH networks, the ADV-based synchronization scheme is more energy efficient than the KA-based synchronization scheme at making a cluster of nodes' synchronization.However, it has a serious security vulnerability.As it lacks a broadcast-authentication mechanism, a malicious node can easily impersonate a cluster to send false ADV packets.Therefore, it is necessary to adopt a broadcast-authentication mechanism to secure the network against this vulnerability.
Generally, digital signatures [18] and TESLA [19] are typical mechanisms for authenticating broadcast packets in WSNs.Many studies have shown that digital signatures are computationally expensive, which cannot be used in resource-constrained WSNs.The TESLA scheme is based on symmetric cryptography, which introduces low computation and communication overheads.However, the original TESLA scheme exhibits several shortcomings.
One critical shortcoming is that the receivers must wait to authenticate packets until the cluster-head discloses the key.The longer delay means the receivers need more memory to buffer the synchronization packets.It also increases the risk of denial-of-service (DoS) attacks.We propose an improved TESLA scheme in which receivers do not need to delay or buffer synchronization packets.In the following, we first review TESLA and then propose an improved TESLA scheme that allows receivers to authenticate most packets immediately upon arrival.
. . .Overview of TESLA.The core idea of TESLA is that every broadcast packet attaches a MAC which is hard to forge.The child nodes first buffer the incoming packets until the cluster-head discloses the secret key.Only the cluster-head owns the secret key.A malicious node cannot forge a legitimate MAC unless it obtains the secret key K. Figure 5 illustrates the original TESLA broadcastauthentication mechanisms.In TESLA, the time axis is divided into many equal-length time intervals.Every interval is assigned a different secret key.When one or more broadcast packets are generated in a time interval, it uses the assigned secret key for authentication.
Usually, a hash function is adopted to generate a oneway key chain.According to (12), all the other keys can be calculated when the last key   is selected.Depending on the mathematical properties of the hash function, it is easy to authenticate the current disclosed key by previous keys, but it is hard to forge the later keys.
. . .Improved TESLA Scheme.The shortcoming of the original TESLA scheme is that the receivers must wait until they receive the disclosed key before they authenticate the packets.Buffering packets may incur serious DoS attacks and might not be practical for secure time-synchronization applicants.We propose an improved TESLA scheme that supports immediate authentication.Its main idea is that the cluster-head needs to buffer some packets during an interval and send the current packet with the hash value of a later packet.The receivers can then immediately authenticate current packets according to the hash value of the earlier packet.

Secure Multihop Time Synchronization
In this section, we first briefly present the multihop time synchronization in TSCH and then perform an in-depth security analysis.Finally, we propose a secure multihop synchronization method that adopts a multipath scheme based on trust modeling.
. .Multihop Synchronization in TSCH Networks.The synchronization protocol introduced in the above sections aims to provide a clock offset between neighborhoods of nodes.Multihop TSCH networks usually consist of hundreds of nodes, and the distant child nodes must synchronize with the network root.In the multihop time-synchronization process, building a hierarchical network topology is a critical problem.The IETF 6TiSCH working group recommends the RPL (routing protocol for low power and lossy networks) [20] (see below) as a routing protocol to build the timesynchronization tree.The nodes far away from the root can synchronize step by step along the path of the timesynchronization tree.
Here, we briefly review the RPL; for more detail, refer to [20].The RPL is an IPv6 routing protocol for low-power and lossy networks (LLNs) where both the routers and sensor nodes are resource-constrained.It is a distance-vector routing protocol.The RPL organizes the network topology as a Destination-Oriented Directed Acyclic Graph (DODAG) using Objective Functions (OFs).IETF 6TiSCH suggests reusing the DODAG structure: i.e., a node's routing parent is also its clock source.It not only prevents synchronization loops, but also reduces the energy cost to construct the synchronization tree.
. .Vulnerabilities in Multihop Synchronization.In multihop TSCH networks, the RPL plays a key role in constructing the time-synchronization tree.The distant child nodes synchronize along the edges of the tree.Having the procedure go smoothly relies on the assumption that none of the side nodes are malicious.Even a single malicious node along the multihop path can affect the time-synchronization performance.Unfortunately, the current RPL is not resilient against all of the attacks, especially the compromise attack.The adversary can easily control or instruct the compromised nodes to damage the time-synchronization services in an Internet-of-Things (IoT) environment.This may cause an error-accumulation phenomenon in the multihop time synchronization.
If a compromised node brings an incorrect offset to its immediate child node, the incorrect offset will propagate along the time-synchronization tree.Because the erroraccumulation phenomenon exists in multihop networks, this attack may seriously damage the performance of TSCH networks, which require high-precision synchronization.In this paper, we define this attack as an error-accumulation attack.
Figure 7 illustrates the impact of an error-accumulation attack on multihop synchronization in a TSCH network.The network consists of five nodes.The root node is the reference clock source for the network.Node A1 is the immediate child node of the root.And node A2 is the immediate child node of A1, etc.As the phenomenon of clock drift exists, nodes need to synchronize periodically.Right before synchronizing, a clock offset exists between the node and its clock source (e.g., 200 s).Assume the GT is set to 1,000 s.This means the node may lose synchronization if the clock offset is bigger than 1,000 s.
We assume that, at some point, each node will synchronize just before its clock-source neighbor does.The phenomenon of the top half of Figure 7(a) may occur; i.e., the clock offset is 200 s between each node and its clock source.Let us further assume that the nodes synchronize from left to right; i.e., A1 synchronizes with the root, and then A2 synchronizes with A1.After the node A3 synchronization, the clock offset is about 800 s between A4 and A3.Because the clock offset is lower than the GT, it can successfully synchronize.
In the malicious setting, node A1 is a compromised node, as illustrated in Figure 7(b).The clock offset between compromised node A1 and the root may be 600 s if A1 waits a long time before synchronizing.The clock offset for each pair of legitimate neighbor nodes is 200 s.If the nodes synchronize from left to right, the last node, A4, may lose synchronization.After the node A3 synchronization, the clock offset between nodes A3 and A4 reaches 1,200 s (larger than the GT).This example fully shows the vulnerability of multihop synchronization in TSCH networks.The security of multihop synchronization must be enhanced for TSCH networks to be resilient against attacks.
. .Secure Multihop Synchronization.The error-accumulation attack seriously threatens multihop synchronization in TSCH networks.To effectively defend against such attacks, we propose a multipath time-synchronization scheme based on trust modeling.The scheme can ensure that the nodes can find a secure path to the root nodes by establishing a trust model.Figure 8 shows node 10 finding a secure path to node 1, bypassing compromised node 3.If node 10 chooses Path 1 for synchronization, compromised node 3 can easily damage the multihop synchronization.If node 10 chooses Path 2 or Path 3 for synchronization, it will be successful.Thus, choosing a secure path from multihop paths is a challenge.Our paper proposes a scheme based on a trust model to solve this problem.
Here, we adopt an entropy-based trust model proposed by Sun et al. [21].They proposed four axioms and derived a method for calculating a trust value, as follows: where   represents the observation time,   represents the current time,   and   represent action times, and 0 ≤  ≤ 1 is the remembering factor.
The trust model quantifies the trust relationship between nodes.The trust values can be used to determine whether a node is legitimate or malicious.When a node has multiple neighbor nodes, it should select the node which owns the maximum trust value as the forward node.This way, it can bypass malicious nodes.Let   represent the total number of packets sent by node A,   represent the number of packets forwarded through node K, and    represent the number of packets successfully forwarded through node K.
In our paper, the source of the nodes trust value is mainly considered from two aspects.One is the packet-forwarding rate 1 =  / ; it reflects the cooperative relationship of the nodes.The other is the packet-forwarding success rate 2 =   / .The trust value of a node is   =  1   +  2   , where  1 ,  2 ∈ [0, 1] and 1 + 2 = 1.  can be calculated according to (14), and   can be calculated according to (15).

Wireless Communications and Mobile Computing
Node A observes node K at frequent intervals.  (  ) represents the observation time of node A, where  = 1, 2⋅⋅⋅, .  (  ) represents the current time. is the remembering factor.The entropy-based trust model can bypass malicious nodes and find a secure path between a distant node and the root node.However, the value of  needs to be adjusted according to practical network applications.

Experiment Evaluation
In this section, we perform an evaluation through real experiments on a network of 16 OpenMoteSTM nodes running OpenWSN [22].In the following, we first introduce an OpenMoteSTM node, the OpenWSN software, and the experimental setup.Then, we show the performance evaluation result of the proposed scheme.
. .OpenMoteSTM Nodes and OpenWSN So ware.To verify the effectiveness of the proposed scheme, a low-power wireless sensor node called OpenMoteSTM was designed.Figure 9 shows the detailed structure of an OpenMoteSTM node.It incorporates a high-performance ARM-based 32-bit microcontroller and a short range radio.The microcontroller (STM32F103) can operate at 72 MHz, with 64 kB of embedded SRAM, and 512 kB of flash.It has a variety of peripherals, e.g., GPIOs, UART, SPI, ADC, and a timer.
The radio (AT86RF231) operates in 2.4 GHz and fully supports the IEEE802.15.4-2006 standard.The OpenMoteSTM node is also equipped with a 32.768 kHz crystal to drive the microcontroller timers.Because of the difference in manufacturing and working temperatures, the crystal has a typical drift of up to 30 ppm.
OpenWSN [22] is open-source software developed by UCB which support the IEEE802.15.4eTSCH protocol.The original OpenWSN implements time synchronization in TSCH but has no security mechanisms.Currently, Open-WSN can support a variety of hardware platforms, e.g., Guidance and Inertial Navigation Assistant (GINA), TelosB, and OpenMoteSTM nodes.It also offers the OpenVisualizer software, which can show the internal state (neighbor table, scheduling table, error reports, etc.) of each node in the network.
. .Experimental Setup. Figure 10 shows the test-bed scenario.The OpenMoteSTM nodes, which hang from the testing shelf, are all connected to the USB hub by USB lines.It not only provides power to every node, but also can view the state of the nodes through the OpenVisualizer software.
OpenWSN implements a time-synchronization protocol in TSCH.It adopts a hard-coded resource-scheduling algorithm [23], where a slotframe consists of 11 timeslots.The first timeslot is allocated for EB packets.And there are five shared timeslots allocated for data packets.The period for sending EB packets is set to 10 s.However, the original OpenWSN does not adopt any security mechanisms.We added code to implement the proposed security scheme on the OpenWSN platform.
. .Performance Evaluation.Here we adopt the following metrics for performance evaluation: synchronization error, energy consumption, and synchronization rate.The synchronization error reflects the synchronization precision in the process of synchronization.The energy consumption is a key metric in resource-constrained WSNs, which directly determines the feasibility of the scheme.The synchronization rate can reflect the percentage of nodes successfully synchronizing to the networks.Next, we will carefully analyze the performance of the secure pairwise and multihop synchronization.
. . .Secure Pairwise Time Synchronization.We adopted a pair of OpenMoteSTM nodes to evaluate the performance of secure pairwise time synchronization.We introduce node A and node B. Node A needs to synchronize with node B at a period of 5 s.The GT is set to 1 ms.Assuming the adversary intermittently launches a pulse-delay attack, the synchronization error may vary with time.In real deployment, the attack parameter Δ is set to 0.8 ms.
Figure 11 shows that the comparison of synchronization error values in both the nonmalicious and malicious settings.In the nonmalicious setting, the value on the vertical axis is almost below 0.1 ms, in both the original and our proposed scheme.This illustrates that our proposed scheme does not affect the synchronization error.And we used a green wave line to show the fluctuation of the synchronization error.The synchronization error may increase with time because of the clock drift of each pair of nodes.After synchronizing, child node A compensates its clock according to (2).Thus, the synchronization error is reduced to a very small value.
In the malicious setting (where Δ is set to 0.8 ms), the synchronization error is very different between the original and our proposed scheme.Figure 11 shows the maximum value of the synchronization error almost reaches 0.9 ms in the original scheme.However, it only rises slightly in our proposed scheme because our proposed scheme can successfully detect the delay attack using the threshold-filter mechanism.As we know, the period of synchronization in our experiment is 5 s.According to (10), threshold Q is calculated to be 0.3 ms when   sets 60 ppm (a typical value).In our proposed scheme, when node A receives a synchronization packet from the malicious node, whose clock offset is larger than threshold Q, it will ignore the packet and increase the number of attacks.In the real experiment, the attack parameter Δ is 0.8 ms, larger than the threshold Q.Therefore, the synchronization packet will be ignored, and the synchronization error may go up a little with the clock drift of the pair of nodes.The experimental results not only show the impact of the attack, but also validate the effectiveness of our proposed scheme.
Energy consumption is a key metric in resourceconstrained WSNs, which directly determines the feasibility of our scheme.The secure pairwise synchronization proposed in our paper adopts encryption and authentication mechanisms to protect against attacks.In the ASN synchronization process, an EB packet may be encrypted using a shared key to defend against eavesdrop attacks.The device-to-device Table 1 illustrates the energy consumption in different security modes when the node transmits a 16-byte message.The energy consumption in the encryption mode only increases 9% compared to the no-security mode.However, it may increase 23% in the authentication mode.Generally, the device-to-device synchronization period is about 16 s.Thus, the energy consumption may not increase significantly from the network life cycle.
. . .Secure Multihop Time Synchronization.We implemented a test bed as illustrated in Figure 10 to evaluate the effectiveness of secure multihop time synchronization.The real experiment uses 16 OpenMoteSTM nodes to build a three-hop-deep wireless network.The multihop network adopts the RPL to build the time-synchronization tree.
In the nonmalicious setting, all nodes are legitimate.The nodes far away from the root can synchronize step by step along the path of the time-synchronization tree.The pairs of neighborhood nodes use acknowledgment-based synchronization.The period of synchronization is set to 10 s and the GT is set to 1 ms.In the malicious setting, a compromised node launches an error-accumulation attack.In real deployment, the compromised node intermittently launches attacks.Figure 12 illustrates that the synchronization error and synchronization rate vary with time in malicious settings.The experiments were run 30 times and the average value was calculated.Figure 12(a) indicates the fluctuation of the synchronization error of the nodes and the synchronization rate in the original scheme.In the 0-100 s interval, the average synchronization error of the network stayed in a relatively stable state and the value was less than 0.55 ms.The synchronization rate almost reaches 99%.It indicates all nodes synchronize to the network.In the 100-150 s interval, the malicious node launches an error-accumulation attack.The average synchronization error of the network increases rapidly.And the synchronization rate drops to about 90% as some nodes have lost synchronization.In the 150-200 s interval, the synchronization error and synchronization rate return to the normal level as the malicious node stops attacking.Figure 12(b) indicates the fluctuation of the synchronization error of the nodes and the synchronization rate in our proposed scheme.In the 0-100 s, the average synchronization error and synchronization rate matched those for the original scheme.It illustrates that our proposed scheme does not affect the synchronization error.In the 100-150 s interval, the malicious node launches an error-accumulation attack.Compared to the original scheme, the impact of attacks on the synchronization error and network synchronization rate is much smaller.And in the 150-400 s interval, the synchronization error and network synchronization rate stay in the normal level, because our proposed scheme can ensure that the nodes can bypass the malicious node and find a secure path to the root nodes.

Comparison with Related Protocols
Time-synchronization protocols in WSNs usually divide into two categories: centralized synchronization and distributed synchronization.And secure time-synchronization protocols can also be divided into two categories.Table 2 shows the comparison of different secure time-synchronization protocols.He et al. [12] analyzed the vulnerability of the ATS protocol and described message-manipulation attacks.They then proposed a SATS (secure ATS) protocol using hardware and logical clocks to detect the attacks.The result showed that the SATS protocol can successfully defend against message-manipulation attacks.Ganeriwal et al. [8] pointed out the possible attacks on TPSN, such as a forge and modify attack, pulse-delay attack, and compromise attack.These attacks can mislead legitimate nodes to calculate an error clock offset.They then proposed a SPS protocol, which adopted message-authentication and end-toend delay-estimation methods, to defend against the above attacks.The experiments showed that SPS can successfully protect against the attacks.Maximum-consensus-based time synchronization (MTS) is a typical distributed synchronization in WSNs.An adversary may easily destroy the MTS protocol by launching message-manipulation attacks.The noise-resilient MTS (NMTS) protocol [15], which adopted skew estimation, clock skew, and offset compensation mechanisms, can successfully defend against the attacks.However, the above secure protocols cannot be directly applied to the time-synchronization protocol in TSCH networks.The time-synchronization protocol in TSCH networks is different from the ATS, MTS, and TPSN protocol.There exist difference security vulnerabilities in the process of time synchronization.To the best of our knowledge, the current article is the first to provide an in-depth security analysis of the time synchronization in TSCH networks.We conducted an in-depth security analysis of the single-hop pairwise, clusterwise, and multihop time synchronization.The adversary may easily destroy the time-synchronization protocol by launching the reply attack, pulse-delay attack, timeslottemplate attack, and error-accumulation attack.Security countermeasures, which include authentication mechanisms, the COF algorithm, improved TESLA, and the multipath approach based on trust modeling, were proposed to protect against those attacks.The experimental results validated the effectiveness and feasibility of the security countermeasures.Moreover, the energy cost of our proposed protocol is very low.

Conclusions
The current time-synchronization protocol in TSCH networks has security vulnerabilities and is easily exploited by adversaries.We developed a suite of protocols for secure Wireless Communications and Mobile Computing 13 We conducted an in-depth security analysis of the singlehop pairwise time synchronization and proposed a security countermeasure that includes authentication mechanisms and a COF algorithm.The COF algorithm produced a filter based on a typical clock model to filter out timesynchronization packets from malicious nodes; it was used to defend against timeslot-template attacks.The experimental results showed that the synchronization error was very low, even in the malicious settings.
In clusterwise time synchronization, an adversary can easily forge broadcast time-synchronization packets to disturb normal synchronization.We proposed an improved TESLA scheme that supports immediate authentication.The receivers did not need to wait a long time to receive the disclosed key and authenticate the packets.We provided an in-depth security analysis of multihop time synchronization and described an error-accumulation attack.We proposed a multipath approach based on trust modeling, which could find a secure path to the root node by establishing a trust model between nodes.Finally, a test bed using 16 Open-MoteSTM nodes and the OpenWSN software was built.The experimental results validated the effectiveness and feasibility of the security countermeasures.

Figure 4 :
Figure 4: A malicious node can easily forge broadcast time-synchronization packets.

Figure 7 :Figure 8 :
Figure 7: Error-accumulation attack on multihop synchronization in TSCH.(a) In the nonmalicious setting.(b) Under the malicious setting.

Figure 10 :
Figure 10: Test-bed implementation of time synchronization in TSCH networks.

Figure 11 :
Figure 11: The comparison of synchronization error values under the different scenarios.

Figure 12 :
Figure 12: The synchronization error and synchronization rate vary with time in malicious settings.(a) Original scheme.(b) Our proposed scheme.

Table 1 :
Energy consumption in different security modes.

Table 2 :
Comparison of different secure time synchronization protocols.