Tampering with Motes: Real-World Physical Attacks on Wireless Sensor Networks

  • Alexander Becher
  • Zinaida Benenson
  • Maximillian Dornseif
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3934)


Most security protocols for wireless sensor networks (WSN) assume that the adversary can gain full control over a sensor node through direct physical access (node capture attack). But so far the amount of effort an attacker has to undertake in a node capture attack is unknown. In our project we evaluate different physical attacks against sensor node hardware. Detailed knowledge about the effort needed for physical attacks allows to fine tune security protocols in WSNs so they provide optimal protection at minimal cost.


Sensor Node Wireless Sensor Network Physical Attack Deployment Area Node Capture 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., Chichester (2001)Google Scholar
  2. 2.
    Anderson, R.J., Kuhn, M.G.: Low cost attacks on tamper resistant devices. In: Proceedings of the 5th International Workshop on Security Protocols, pp. 125–136. Springer, London (1998)CrossRefGoogle Scholar
  3. 3.
    Atmel Corp. AT45DB041B datasheet. Atmel document no. 3443, available at:
  4. 4.
    Atmel Corp. ATmega128 datasheet. Atmel document no. 2467, available at:
  5. 5.
    FU Berlin. ScatterWeb Embedded Sensor Board, Online at:
  6. 6.
    Chan, H., Perrig, A., Song, D.: Random key predistribution schemes for sensor networks. In: IEEE Symposium on Security and Privacy, May 2003, pp. 197–213 (2003)Google Scholar
  7. 7.
    Chipcon AS. CC1000 datasheet, Available at:
  8. 8.
    Chipcon AS. CC2420 datasheet, Available at:
  9. 9.
  10. 10.
    Crossbow, Inc. MPR, MIB user’s manual, Available at:
  11. 11.
    Graff, M.G., van Wyk, K.R.: Secure Coding: Principles and Practices. O’Reilly & Associates, Inc., Sebastopol (2003)Google Scholar
  12. 12.
    Hwang, J., Kim, Y.: Revisiting random key pre-distribution schemes for wireless sensor networks. In: SASN 2004: Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks, pp. 43–52. ACM Press, New York (2004)Google Scholar
  13. 13.
    Karlof, C., Sastry, N., Wagner, D.: TinySec: A link layer security architecture for wireless sensor networks. In: Second ACM Conference on Embedded Networked Sensor Systems (SensSys 2004) (November 2004)Google Scholar
  14. 14.
    Karlof, C., Wagner, D.: Secure routing in wireless sensor networks: Attacks and countermeasures. Elsevier’s Ad Hoc Network Journal, Special Issue on Sensor Network Applications and Protocols (September 2003)Google Scholar
  15. 15.
    Martin, G.: An evaluation of ad-hoc routing protocols for wireless sensor networks. Master’s thesis, University of Newcastle upon Tyne (May 2004)Google Scholar
  16. 16.
    McGraw, G., Viega, J.: Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, Reading (2001)Google Scholar
  17. 17.
    Microchip Technology. 24AA64/24LC64 datasheet, Available at:
  18. 18.
    RF Monolithics. TR1001 datasheet, Available at:
  19. 19.
    moteiv Corp. Telos revision B datasheet, Available at:
  20. 20.
    moteiv Corp. Tmote Sky datasheet, Available at:
  21. 21.
  22. 22.
    Peine, H.: Rules of thumb for secure software engineering. In: ICSE 2005: Proceedings of the 27th international conference on Software engineering, pp. 702–703. ACM Press, New York (2005)Google Scholar
  23. 23.
    Perrig, A., Stankovic, J., Wagner, D.: Security in wireless sensor networks. Commun. ACM 47(6), 53–57 (2004)CrossRefGoogle Scholar
  24. 24.
    Shi, E., Perrig, A.: Designing secure sensor networks. IEEE Wireless Communications 11(6) (December 2004)Google Scholar
  25. 25.
    Skorobogatov, S.P.: Semi-invasive attacks - a new approach to hardware security analysis. Technical report, University of Cambridge, Computer Laboratory, April, Technical Report UCAM-CL-TR-630 (2005)Google Scholar
  26. 26.
    Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  27. 27.
    STMicroelectronics. M25P80 datasheet, Available at:
  28. 28.
    Texas Instruments. Features of the MSP430 bootstrap loader (rev. B). TI Application note SLAA089B, available at:
  29. 29.
    Texas Instruments. MSP430 F149 datasheet, Available at:
  30. 30.
    Texas Instruments. MSP430 F1611 datasheet, Available at:
  31. 31.
    Texas Instruments. MSP430x1xx family: User’s guide. TI Application note SLAU049E, available at:
  32. 32.
    Viega, J., Messier, M., Spafford, G.: Secure Programming Cookbook for C and C++. O’Reilly & Associates, Inc., Sebastopol (2003)Google Scholar
  33. 33.
    Vogt, H., Ringwald, M., Strasser, M.: Intrusion detection and failure recovery in sensor nodes. In: Tagungsband INFORMATIK 2005, Workshop Proceedings. LNCS, Springer, Heidelberg, Germany (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Alexander Becher
    • 1
  • Zinaida Benenson
    • 1
  • Maximillian Dornseif
    • 1
  1. 1.Department of Computer ScienceRWTH AachenAachenGermany

Personalised recommendations