On Security Attacks in Healthcare WSNs implemented on 802.15.4 BeaconEnabled Clusters

Jelena Misic, Fereshteh Amini, Moazzam Khan,

University of Manitoba, Winnipeg, Manitoba, Canada

Abstract

In this paper, we analyze possible security attacks tothe personal WSN carried on the patient’s body and itsclose vicinity. We assume that WSN is implemented using802.15.4 beacon enabled technology with a secure sensing,location and power management blocks based on the Zig-Bee specification and built on top of 802.15.4 link layer. Wepresent networking and security issues which can be usedas a basis for security attacks.

1 Introduction

Healthcare is an important area for deployment of wire-less sensor networks (WSN). The IEEE 1073 Medical De-vice Communications standards organization is currently inthe process of developing the specifications for wireless in-terface communications. The main objective for this effortis to develop universal and interoperable devices for med-ical equipment which are transparent to the user and easilyre-configurable. The group has recognized that developingnew wireless technologies is not an option and is lookinginstead in deployment of existing wireless technologies be-longing to IEEE 802 family in the healthcare applications.

In order to penetrate the market with cost-effective solu-tions for healthcare WSNs we need standardized low-cost,low-power and short-range communication Low Rate Wire-less Personal Area Network (LR-WPAN) technology. Im-portant candidate for the application in this area is IEEE802.15.4 standard [1]. From the aspect of patient’s privacy,it is necessary that each patient carries his/her own bodyWSN using lightweight devices. Health data collected frompatient’s body have to be gathered at the device possessedby the patient and further communicated to the informationsystem belonging to the healthcare institution. Such datahave to be protected from the aspects of confidentiality andintegrity. Therefore patient’s health data collecting devicealso has the function of Patient Security Processor (PSP).Beacon enabled mode of IEEE 802.15.4 suits this architec-

ture since it supports many sensing nodes communicatingdirectly with cluster coordinator which in our case has thefunction of the data collecting device, bridge towards thehealthcare information system and PSP.

The 802.15.4 specification outlines some basic securityservices at the data link layer that can be combined with ad-vanced techniques at the upper layers to implement a com-prehensive security solution. For example, the recent Zig-Bee specification [2] implements a number of protocols—including security-related ones—that can be deployed inan 802.15.4 network. Given that the 802.15.4 devices aretypically severely constrained in terms of their communi-cation and computational resources, the implementation ofsuch solutions is likely to impose a significant performanceoverhead. For the reason of cost effectiveness we assumethat Symmetric-Key Key Establishment (SKKE) [2] is im-plemented over the body WSN, which in turn is a IEEE802.15.4 sensor cluster operating in beacon-enabled, slot-ted CSMA-CA mode. In this paper we analyze the possiblesecurity attacks on the patient’s body WSN.

The paper is organized as follows. In Section 2 wepresent the architecture of the healthcare network includ-ing patient’s body WSNs. Section 3 gives a brief overviewof the operation of 802.15.4-compliant networks with startopology in the beacon-enabled, slotted CSMA-CA mode,followed by a review of basic security mechanisms providedfor by the standard. As the 802.15.4 specification does notprescribe any particular key management approach, we willmake use of the SKKE mechanism presented in Section 4.Section 5 discusses the possible attacks, while Section 6concludes the paper and discusses our future work.

2 Security architecture of the wireless part ofthe medical information system

Let us consider the medical information system in-frastructure including the wireless sensor networks, asshown in Fig. 1. Due to the physical confinement of thehealthcare central medical database should exist at the phys-ically secure location. Medical record formed by data

1-4244-0667-6/07/$25.00 © 2007 IEEE 741

patient security processor andPAN coordinator (PSP)

ward network (wired or wireless)

room

patient sensor node

roomroom

centralDB

room access pointIPsec

MAC encryptionor IPsec

MAC encryption

KP1 KP2 KP3

KH

KPi: patient keys

KH: hospital key

Figure 1. Security architecture of wirelesspart of medical information systems.

taken using wireless sensor network will be encrypted andtimestamped and stored in central medical database. Otherimportant parts of the architecture are the patient securityprocessor (PSP) which is attached to bed and the wirelessaccess point in the patient room. The PSP is module that im-plements networking as well as security-related functions.

From the application perspective, there are three applica-tion blocks which need to operate securely. They are: sens-ing with required event detection reliability, location report-ing which accompanies sensed data and power managementwhich determines sleep times for nodes in order to maxi-mize the network life-time. They are inter-related becausesleep time has to be determined according to the requiredevent sensing reliability. All three services must have in-tegrity, availability and potentially confidentiality. At thenetwork layer secure routing has to be provided towards themedical database. Control packets for the routing algorithmbe authenticated.

From the data link layer aspect, PSP is the cluster coor-dinator of sensing nodes which belong to the patient’s bodyWSN and participates in the Medium Access Control func-tion of the nodes. Sensing nodes will send packets withauthenticated and potentially encrypted payload to the pa-tient security processor which forwards them, possibly ag-gregated, to the room access point.

The patient’s room access point is further connected tothe central medical record database through a suitable wirednetwork. The access point forwards encrypted and authenti-cated packets to the central database. From the networkingpoint of view access point is interconnection device whichinterconnects Personal Area Network technology with thehospital network.

Medical personnel might carry their own PAN nodes andcommunicate directly to medical health database throughthe patient’s room access point.

3 An overview of 802.15.4 specification

The 802.15.4 networks with star topology operate in bea-con enabled mode where channel time is divided into super-frames bounded by beacon transmissions from the PAN co-ordinator [4]. All communications in the cluster take placeduring the active portion of the superframe; the (optional)inactive portion may be used to switch to conserve power byswitching devices to a low power mode. Standard supports16 different frequency channels in which clusters can op-erate within ISM band. Due to interference, physically ad-jacent clusters must operate in separate channels. Channelaccess is regulated through the slotted CSMA-CA mecha-nism [4].

Data transfers in the downlink direction, from the coor-dinator to a node, must first be announced by the coordi-nator. In this case, the beacon frame will contain the listof nodes that have pending downlink packets, as shown inFig. 2(b). When the node learns there is a data packet to bereceived, it transmits a request. The coordinator acknowl-edges the successful reception of the request by transmit-ting an acknowledgement. After receiving the acknowl-edgement, the node listens for the actual data packet forthe period of aMaxFrameResponseTime, during which thecoordinator must send the data frame.

coordinator

Data

networkdevice

(optional)Acknowledgment

Beacon

(a) Uplink transmission.

coordinatornetworkdevice

Data Request

Beacon

Data

Acknowledgment

Acknowledgment

(b) Downlink transmis-sion.

Figure 2. Data transfers in 802.15.4 PAN inbeacon enabled mode.

The 802.15.4 standard specifies several security suiteswhich consist of a ‘set of operations to perform on MACframes that provide security services’ [4]. Specified secu-rity services include access control lists, data encryption us-ing pre-stored key, message integrity code generated usingthe pre-stored key, and message freshness protection. Whilethese services are useful, they are by no means sufficient.In particular, procedures for key management, device au-thentication, and freshness protection are not specified bythe 802.15.4 standard. Hence, they must be implementedby the applications, or perhaps by another layer of networkprotocols running on top of 802.15.4 itself. Also, if the nodehardware is not-tamper resistant, adversary can obtain keys,and access control lists from the node easily. It is possi-

1-4244-0667-6/07/$25.00 © 2007 IEEE 742

ble to steal node’s identity and launch Sybil attack [13] andas a consequence read the patient’s health data (or transmitforged data). It is also possible to replicate node’s iden-tity in foreign cluster which operates in the same frequencychannel given that forged node is sufficiently close to thepatient’s body.

4 Symmetric-Key Key Establishment Proto-col

Low cost alternative for this task with possibility tochange the symmetric keys between the nodes and the co-ordinator is the ZigBee protocol suite [2] developed by theZigBee Alliance, an industry consortium working on de-veloping network and Application Programming Interfaces(API) for wireless ad hoc and sensor networks. The Zig-Bee APIs include security extensions at different network-ing layers, using both symmetric and asymmetric key ex-change protocols. Asymmetric key exchange protocols,which mainly rely on public key cryptography, are com-putationally intensive and their application in wireless sen-sor networks is only possible with devices that are resourcerich in computation and power and connected through highbandwidth links.

The application support sub-layer of the ZigBee spec-ification defines the mechanism by which a ZigBee devicemay derive a shared secret key (Link Key) with another Zig-Bee device; this mechanism is known as the Symmetric-Key Key Establishment (SKKE) protocol. Key establish-ment involves coordinator and node, and should be prefacedby a trust provisioning step in which trust information (aMaster key) provides a starting point for establishing a linkkey. The Master key may be pre-installed during manufac-turing, may be installed by a trust center, or may be basedon user-entered data (PIN, password).

This protocol relies on Keyed-hash message authentica-tion code, or HMAC, which is a message authenticationcode (MAC) calculated using a cryptographic hash functionin conjunction with a secret key. For the cryptographic hashfunction the 802.15.4 specification supports the AES blockcipher in its basic form, while the ZigBee specification sug-gests the use of a modified AES algorithm with a block sizeof 128 bits [11]. The hash function of a data block d will bedenoted as H(d). The ZigBee specification suggests the useof the keyed-hash message authentication code (HMAC):

MacTag = HMAC(MacData)= H((MacKey⊕opad)||H(MacKey⊕ipad)||MacData)

where ipad and opad are hexadecimal constants. In thispaper, we will follow the notation introduced in [2] andpresent the last equation in the equivalent form MacTag =MACMacKeyMacData.

The SKKE protocol is initiated by the PAN coordinator(denoted as initiator device U ) by exchanging ephemeraldata. The PAN coordinator U will generate the challengeQEU . Upon receiving the challenge QEU , the node (de-noted as V ) the node will validate it and also generate itsown, different challenge QEV and send it to the PAN coor-dinator U .

Upon successful validation of challenges, both devicesgenerate a shared secret based on the following steps:1. Each device generates a MACData value by concate-nating their respective identifiers and validated challengestogether: MACData = U ||V ||QEU ||QEV .2. Each device calculates the MACTag (i.e., the keyedhash) for MACData using the Master Key Mkey asMACTag = MACMkeyMACData. Note that both de-vices should obtain the same shared secret Z = MACTagat this time.3. In order to derive the link key each device generatestwo cryptographic hashes of the shared secret and hexadec-imal numbers, i.e. Hash1 = H(Z||0116) Hash2 =H(Z||0216). The Hash2, will be Link Key among twodevices, while Hash1, will be used to confirm that bothparties have reached the same Link Key.

Key update provides an automated mechanism for re-stricting the amount of data which may be exposed whena Link key is compromised. However key updates protocoldepends on the key update overheads and threat environ-ment under which network is working. Hence controllingthe life time of keys and determination of how the key up-date occurs is a challenging task in any network. In [7]we have reported network behavior when PAN coordinatormaintains a counter for each node that keeps track of thenumber of packets exchanged under the same key and re-distributes the key when the value of the counter reachescertain threshold. We have shown that this scheme requiresthe tradeoff between the event sensing reliability, number ofnodes and the key update threshold.

5 Analysis of possible attacks

From the point of view of general sensor network, fol-lowing attacks have been described in the literature:

sybil attack - malicious node takes fabricated identity or itpresents multiple fabricated identities in the network[13].

sinkhole attack - malicious node tries to get all the trafficfrom particular area which can potentially result in theDoS attack.

blackhole and grayhole attack - malicious node drops allor some traffic received from the other nodes.

1-4244-0667-6/07/$25.00 © 2007 IEEE 743

wormhole attack - malicious node captures packets fromone part of the network and forwards them throughdedicated channel to another malicious node. It cantarget routing function or application when it is usu-ally coupled with the sinkhole attack [6].

sleep attack - node sleeps less than is needed than it canbias the results and it will exhaust its battery beforethe others [14]. If it sleeps more than needed, eventsensing reliability is not accurate .

fairness attack - node sends more packets to the coordina-tor (even without the sleep policy) then the other nodesit can bias the sensing results.

denial of service DoS attack - usually performed at theMAC layer in order to exhaust node’s battery by per-manent packet re-transmissions.

However, there is a large amount of cross-layer inter-action in protocol layers of sensor network. For exam-ple, power management naturally belongs to the applica-tion layer which knows the required event sensing reliabil-ity in the cluster. However, power consumption for nodesin the cluster depends on the routing decisions and amountof packet collisions. Therefore, all three layers must coop-erate in order to determine the sleep period per node whichwill result in required event sensing reliability. Also, in-tegrity of sensing, location and power management func-tion can be provided by Message Authentication Code usingthe symmetric key calculated in Section 4. If different keysare needed for each application part (i.e. sensing, locationand power management) SKKE algorithm can be extendedto provide independent key for each application function.Therefore, we consider attacks which affect the key distri-bution process either for particular node or for the wholecluster. Since key distribution algorithm is implemented ontop of the MAC layer we exploit joint vulnerabilities of theSKKE and cluster based 802.15.4 MAC.

Under the architecture of the medical wireless sensornetwork using the star based 802.15.4 technology the at-tacks take special form. We will also classify the securityattacks as attacks on node and attacks on PAN coordinator(or Patient Security Processor) and relate them to general at-tacks. We note that even with link key updates, Sybil attacks[13] and further attacks which result from their success arestill possible.

Attacks on nodes Nodes are in close vicinity of patient’sbody and we feel that it is reasonable to have only few nodesunder the attack. Since node’s hardware is not tamper-proofit is possible to read the ID and master secret from its ROM,and wait for the time when PSP initiates new Link Key up-date in order to compute the new Link key. Node MACaddresses which are actually node identities can be 16 bits

or 64 bits long. If 16 bit node IDs are chosen in order tosave the space in packet header, node ID might even be fab-ricated in the time range which can make this form of sybilattack feasible.

Even with small number of corrupted nodes it is possi-ble to attack the fair bandwidth allocation in the body WSNdue to CSMA-CA type of access. Malicious node(s) cantry to access the medium more frequently than the othernodes which will increase the access delay and packet lossfor good nodes. This attack can be prevented if PSP keepsthe track about the number of packets received from eachnode during some time period.

Corrupted node can also attack the key distributionprocess since the coordinator (PSP) announces the IDs ofnodes who are about to change the link key in plain-textin the beacon frame. Therefore, attacker can send requestpacket with the ID of the legitimate node. As the result, PSPwill start the key-exchange process when the recipient nodeis not ready and it will be stuck in the algorithm handshake.This attack can be prevented if request packets are authenti-cated with the MAC code and if PSP has time-outs in its keyexchange process. The more brutal outcome of this attackis a simple collision of request packets which prevents goodnode from completing the key update process. This can beclassified as DoS on the key exchange.

Situation gets more difficult if node applies some powersaving technique and sleeps for random periods of time[12]. Such techniques are applied in order to extend the life-time of the network while achieving required event sensingreliability. Randomizing the sleep time spreads nodes ac-tivities uniformly over the time. In that case attacker canjust appear as a legitimate node which has waken up whilethe real node is sleeping (assuming that attacker has secretkey) or is captured and destroyed. In order to deal with thisattack, PSP has to keep the average of the sleep periods andisolate the node which wakes up more often than the others.

Attacks on coordinator (PSP) Attacks on PSP (coordi-nator) can be much more harmful than the attacks on ordi-nary nodes since PSP is forwarding all measurements to thecentral information system.

1. Adversary may read the contents of beacon frame aswell as contents of all data frames if they are not en-crypted. Finding the frequency channel of particularbody network is not difficult since there are only 16 ofthem. From the sequence of beacon frames, adversarymay learn node IDs. It can also hear requested eventsensing reliability and number of nodes and from thesenumbers it can calculate parameter of the sleep timeprobability distribution [12].

2. From the beacon, attacker can also learn the period ofkey exchange since coordinator advertises the MAC

1-4244-0667-6/07/$25.00 © 2007 IEEE 744

address of the node which security packet counter hasreached the threshold value. One way for dealing withthis problem is to encrypt the data in the beacon withthe group key which will prevent passive listening.

3. Location of the PSP has to be securely reported tothe central database. Location of the PSP can be de-termined with the collaboration of surrounding PSPswhich have GPS receivers or by using node’s ownGPS. The first approach is similar to the location dis-covery algorithms [9] where PSP does not have GPSbut it can hear beacon frames from other PSPs withGPSs and determine its relative location with respectto its neighbors based on the power of the received sig-nal. This approach can be attacked with the adversarywhich has higher powered transmitter. As the result,PSP will report measurements from the wrong loca-tion which will not be accepted by the central data-base. This attack can be combined with substitutingthe forged PSP with correct location. Recent work[10, 8] attempts to detect malicious nodes in locationdetection algorithms, but there is an issue how harmfulthis attack can be while it is not detected. If PSP has itsown GPS but it does not participate in localization al-gorithms it is possible that adversary gets in the reachof the whole PSP and forges location and data. In ouropinion, PSP should have its own GPS but it shouldalso participate in location detection algorithm with itsneighbors.

4. It is possible that two corrupted distant PSPs establisha channel (due to the issue of physical security we as-sume that this will be wireless channel also). Then,one PSP can forward the data to the other which can re-port them as measurements. This is similar to a worm-hole attack which was first introduced as the attackon the routing algorithms [3, 5] followed by the gray-hole/blackhole/sinkhole attack. Since no other PSPsare affected it is very difficult to detect this attack us-ing collaborative algorithms among PSPs. Instead, it isnecessary to check the activities on the wireless chan-nels which are not in use by the neighboring PSPs.

5. If the PSP’s hardware is not tamper free, then it can betemporarily stolen and master secrets for the nodes canbe read. However, for the applications which requirehigh level of confidentiality of medical data, we hopethat PSP’s hardware will be tamper-free or/and it willbe kept at secure location.

6 Conclusion and Future Work

We have discussed potential security attacks on health-care network implemented over IEEE 802.15.4 beacon en-

abled clusters. We note that physical security of PSPs iscrucial for the secure network operation. In our future workwe will implement intrusion detection system for health-care network based on misbehaving signatures of the attackslisted in this work.

References

[1] Standard for part 15.4: Wireless medium access control(MAC) and physical layer (PHY) specifications for lowrate wireless personal area networks (WPAN). IEEE Std802.15.4, IEEE, 2003.

[2] Z. Alliance. ZigBee specification (ZigBee document053474r06, version 1.0), Dec. 2004.

[3] Y.-C. Hu, A. Perrig, and D. Johnson. Ariadne: A secure on-demand routing protocol for ad hoc networks. In Proc. ACMMobicom 2002, pages 12–23, 2002.

[4] Standard for part 15.4: Wireless MAC and PHY specifica-tions for low rate WPAN. IEEE Std 802.15.4, IEEE, NewYork, NY, Oct. 2003.

[5] C. Karlof and D. Wagner. Secure routing in sensor networks.In Proc. 1st IEEE International Workshop on Sensor Net-work Protocols and Applications 2003.

[6] I. Khalil, S. Bagchi, and N. B. Shroff. Liteworp: a light-weight countermeasure for the wormhole attack in multihopwireless networks. In Proc. 1st IEEE International Con-ference on Dependable Systems and Networks DSN 2003,pages 612–621, 2005.

[7] M. Khan, F. Amini, J. Misic, and V. Misic. The cost ofsecurity: Performance of zigbee key exchange mechanismin an 802.15.4 beacon enabled cluster. In Proc. WSNS’06,held in conjunction with IEEE MASS06 2006, Vancouver,CA, 2006.

[8] L. Lazos and R. Poovendran. Serloc: Robust loacalizationfor wireless sensor networks. ACM Transacations on SensorNetworks, 1(1):73–100, 2005.

[9] J. Li, J. Jannotti, D. De Couto, D. Karger, and R. Morris. Ascalable location service for geographic ad hoc routing. InProc. ACM Mobicom 2000, pages 120–130, 2000.

[10] D. Liu, N. P., and W. Du. Detecting malicious beacon nodesfor secure loaction discovery in wireless sensor networks.In Proc. International Conference on Distributed ComputerSystems, ICDCS 2005, pages 609–619, 2005.

[11] A. Menezes, P. van Oorschot, and S. Vanstone. Handbookof Applied Cryptography. CRC Press, 1997.

[12] J. Misic, S. Shafi, and V. B. Misic. Cross-layer activity man-agement in a 802.15.4 sensor network. IEEE Communica-tions Magazine, 44(1):131–136, Jan. 2006.

[13] J. Newsome, E. Shi, D. Song, and A. Perrig. The Sybil attackin sensor networks: Analysis and defenses. In Proceedingsof IEEE International Conference on Information Process-ing in Sensor Networks (IPSN 2004), pages 259–268, Berke-ley, CA, Apr. 2004.

[14] M. Pirretti, S. Zhu, Vijaykhrishnan, McDoniel, andM. Kandmir. The sleep deprivation attack in sensor net-works: Analysis and methods of defense. InternationalJournal of Distributed Sensor Networks, 2:267–287, 2006.

1-4244-0667-6/07/$25.00 © 2007 IEEE 745