>
curriculum/Advanced Communications: Cellular, Satellite, Wireless Sensor Networks
section 3 of 812 min read

Part C: Wireless Sensor Networks

C.1 What and why

A wireless sensor network (WSN) is a system of small, distributed, low-power devices ("sensor nodes" or "motes") that sense physical phenomena, process data locally, and communicate wirelessly. The defining feature: scale and energy constraints.

A WSN might be 10,000 nodes in a building monitoring HVAC, 100 nodes in a vineyard tracking soil moisture, 50 nodes on an oil pipeline detecting leaks, or 1 million in a smart-city deployment counting cars and air quality. Each node typically has a coin-cell battery (or solar panel) and is expected to last years on it.

WSNs differ from cellular and satellite in critical ways:

  • Low data rate. A soil-moisture node sends a few bytes every 10 minutes. A cellular phone streams 5 Mbps of video.
  • Low duty cycle. A node might be active 0.01% of the time, asleep 99.99%.
  • Self-organizing. Nodes form ad-hoc networks without dedicated infrastructure.
  • Constrained crypto. Hard to run RSA-2048 on a Cortex-M0+ with 8 KB of RAM and a 1.5 V coin cell.

The hardware-security implications are huge: there are billions of these nodes deployed and they are notoriously hard to secure individually. This is exactly the surface area exploited by IoT botnets like Mirai.

C.2 Sensor node hardware

A sensor node is a stripped-down embedded system from Chapter 21:

plaintext
   ┌──────────────────────────────────┐
   │  Sensor node                     │
   │                                  │
   │  ┌──────┐    ┌──────┐    ┌────┐  │
   │  │ MCU  │----│ Radio│----│ Antenna │
   │  └──────┘    └──────┘    └────┘  │
   │     │                            │
   │  ┌──────┐    ┌──────┐            │
   │  │Sensor│    │ Power│            │
   │  └──────┘    └──────┘            │
   │              │ battery /         │
   │              │ harvester         │
   └──────────────┴───────────────────┘
  • MCU. Cortex-M0+, M3, or M4 (modern). MSP430 (ultra-low-power, classic). 8-bit AVR (older). Active draw 100 µA to a few mA. Sleep draw 1-10 µA.
  • Radio. Sub-GHz (868/915/433 MHz) for long range and low data rate. 2.4 GHz (BLE, IEEE 802.15.4, Wi-Fi) for short range and higher data rate. Active TX/RX 10-100 mW. Off draw <1 µA.
  • Sensors. MEMS accelerometer, MEMS gas sensor, MEMS pressure, photodiode, thermistor, microphone, etc. 1-100 µW each typical.
  • Power. CR2032 coin cell (220 mAh, ~700 J at 3 V). AA cells (2700 mAh, ~12 kJ at 1.5 V). Solar panel (a few cm², 10-100 mW in sun). Energy harvesting from RF, vibration, thermal gradients.

Energy budget. A typical node has Etotal104E_{\text{total}} \approx 10^4 J in a coin cell. To last 1 year (3 × 10⁷ s), average power Pˉ<0.3\bar{P} < 0.3 mW. The radio's TX consumes ~30 mW for ~1 ms per packet, so the node sends roughly 0.3/30=1%0.3 / 30 = 1\% of the time, which at 1 packet/s of 100 ms TX bursts, is 100 packets/sec, way too high. Real low-power sensor nodes send maybe 1 packet every 10 seconds (10% of energy budget on TX), with the rest divided between MCU sleep, brief MCU wakes for sensing, and RX listening.

C.3 Topologies

plaintext
   STAR             TREE              MESH
   
       *                *               *---*
      /|\              /|\             /|   |\
     * * *            * * *           *-*---*-*
                     /| | |\          | | X | |
                    * * * * *         *-*---*-*
  • Star. Every node talks directly to a central hub. Simple, low latency, but limited range (whoever is on the edge cannot reach the hub).
  • Tree. Hierarchy. Coordinators relay for end devices. ZigBee uses this.
  • Mesh. Every node can relay for any other. Robust (if one path fails, another exists), scalable (large networks), but more complex routing. ZigBee, Thread, Bluetooth Mesh use this.

C.4 Protocol stacks

rendering diagram...
  • IEEE 802.15.4 is the foundation. PHY at 868/915 MHz or 2.4 GHz. MAC layer with CSMA-CA and optional time-slotted operation.
  • ZigBee. Network and application layers on top of 802.15.4. Smart home (lighting, locks, thermostats, sensors). Open standard but with closed parts (the ZigBee Cluster Library is licensed).
  • Thread. Replacement for ZigBee. IPv6-based (6LoWPAN), more secure, mesh-routing with RPL. Used by Google Nest, Apple HomeKit (in some products), Matter.
  • Z-Wave. Sub-GHz (868/908 MHz). Proprietary but widely deployed in home automation. Star/mesh network up to 232 nodes.
  • Bluetooth Mesh. Built on top of BLE. Uses flooding (every node retransmits packets it has not seen before), inefficient but simple.
  • Matter. Application-layer protocol unifying Thread, Wi-Fi, and Ethernet for smart home. Backed by Apple, Google, Amazon, Samsung. Aims to replace ZigBee's proprietary fragmentation.

C.5 Routing

  • Proactive (table-driven). Maintain routes always (DSDV, OLSR). Low latency for known destinations, high overhead.
  • Reactive (on-demand). Find routes when needed (AODV, DSR). Lower overhead, higher latency on first packet.
  • Hybrid. ZRP combines both for different ranges.
  • Hierarchical. Cluster-based (LEACH). Cluster heads aggregate from members, forward to base station.
  • Geographic. Use position to forward (GPSR). Useful when nodes know each other's location.
  • RPL (Routing Protocol for Low-Power and Lossy Networks). IPv6-based, designed for 6LoWPAN. Builds a Destination-Oriented Directed Acyclic Graph (DODAG) rooted at the gateway. Standard for Thread.

C.6 MAC protocols and energy

The MAC layer's main job in WSN is to save energy by letting nodes sleep most of the time.

  • CSMA-CA. Standard collision avoidance. Nodes listen before transmitting. Wastes energy when idle.
  • B-MAC (Berkeley MAC). Low-power listening. Nodes wake briefly (a few ms) every sleep interval (~100 ms), check if anyone is sending a long preamble. If so, they keep listening; otherwise they go back to sleep. Sender prepends a long preamble so any sleeping receiver wakes up. Simple but inefficient at the sender.
  • S-MAC (Sensor MAC). Synchronized sleep. All nodes in a cluster share a sleep schedule. Saves both sender and receiver energy.
  • TSCH (Time-Slotted Channel Hopping). Used in 802.15.4e and IEC 62734 (industrial). Time is divided into slots, and a schedule tells each node when to wake and which channel to listen on. Channel hopping fights interference and multipath. Used in WirelessHART for industrial automation.
  • Beacon-enabled mode (802.15.4). Coordinator broadcasts a beacon every superframe. End devices wake at the beacon, do their business, sleep until the next beacon.

C.7 Localization

WSN nodes often need to know where they are. Several approaches.

  • GPS. Works but power-hungry (10-50 mW for a fix that takes seconds), not always available indoors, expensive ($1-5 per chip).
  • RSSI-based. Use received signal strength to estimate distance. Cheap (free, the radio measures RSSI anyway) but inaccurate (wall losses, multipath skew RSSI heavily, ±5 m typical).
  • Time-of-flight. Measure round-trip time to anchor nodes. Needs precise clocks (UWB does this with sub-ns timing for ~10 cm accuracy).
  • Angle-of-arrival. Phased array measures direction. Used by some BLE 5.1 features.
  • Anchor-and-multilateration. A few anchor nodes know their position (GPS or surveyed). Other nodes triangulate from anchors.

C.8 Time synchronization

Distributed sensor networks need shared time for TDMA scheduling, event correlation, and data fusion.

  • FTSP (Flooding Time Synchronization Protocol). Root node broadcasts time. Each receiver computes offset and propagates. Microsecond accuracy across a multi-hop network.
  • Glossy. Synchronous flooding. Multiple nodes transmit simultaneously the same packet; constructive interference at the receiver lets it decode.
  • PTP (Precision Time Protocol, IEEE 1588). Used in industrial WSNs. Sub-microsecond accuracy with hardware timestamping.

C.9 Data aggregation

Energy in WSN is dominated by radio. Send fewer bytes -> last longer. In-network aggregation combines data from multiple nodes before sending toward the sink. Examples:

  • Average. Cluster head sends mean instead of every reading.
  • Min/max. Send only extremes (useful for "any node above threshold?" queries).
  • Compression. Delta encoding, run-length encoding.
  • Computational sensing. Edge AI inference: send "person detected" instead of raw video.

Aggregation can reduce traffic by 10-100x but adds latency and complicates security (encrypted aggregation requires homomorphic schemes or trusted aggregators).

C.10 Applications

  • Smart cities. Parking sensors, air quality, traffic counters. Barcelona has 20,000+ sensors deployed. Singapore's Smart Nation initiative deployed millions.
  • Industrial monitoring. Vibration on rotating machinery (predictive maintenance), temperature in industrial freezers, pressure in pipelines, gas leaks in chemical plants. WirelessHART and ISA100.11a are the relevant standards.
  • Smart agriculture. Soil moisture, leaf wetness, weather stations, livestock health. Vineyards, orchards, row crops. John Deere's See & Spray uses sensor networks plus computer vision to spot-spray weeds instead of blanket-spraying entire fields, cutting herbicide use 80%.
  • Smart home. Lights, locks, thermostats, smoke alarms, doorbells, occupancy sensors. Z-Wave, ZigBee, Thread, Matter ecosystems.
  • Structural health monitoring. Strain gauges and accelerometers on bridges, dams, high-rise buildings. The Golden Gate Bridge has hundreds of wireless accelerometers.
  • Environmental. Glacier movement, volcano monitoring, wildfire detection, ocean buoys, wildlife tracking.
  • Healthcare. Wearable ECG, glucose sensors, fall detection.
  • Smart metering. Smart water meters using LoRaWAN are deployed in millions of homes (the system reads meters once a day with battery life of 10 years on a single AA cell). Smart electricity meters in much of the developed world. Smart gas meters. NB-IoT and LoRaWAN dominate.

C.11 LoRaWAN: long-range alternative

LoRa is a sub-GHz radio modulation by Semtech (chirp spread spectrum). LoRaWAN is the network layer above it, defined by the LoRa Alliance.

  • Spectrum. ISM bands: 868 MHz in Europe, 915 MHz in the Americas, 433 MHz Asia.
  • Modulation. Chirp Spread Spectrum (CSS). A symbol is a frequency sweep over the channel. Each symbol encodes SFSF bits, where SFSF is the spreading factor (7 to 12 typical).
  • Range vs data rate tradeoff. Higher SF means longer chirp, lower data rate, more processing gain, longer range.
python
# Range vs SF tradeoff for LoRa
import numpy as np
 
BW = 125e3              # Hz (typical EU868 channel)
SF_values = np.arange(7, 13)
# Symbol rate = BW / 2^SF
sym_rate = BW / 2**SF_values
# Bit rate (no FEC)
bit_rate = SF_values * sym_rate
# Required SNR (datasheet, dB)
SNR_required = np.array([-7.5, -10, -12.5, -15, -17.5, -20])
# Free-space path loss budget at 868 MHz
P_t_dBm = 14            # +14 dBm regulatory cap EU868
NF = 6                  # receiver noise figure dB
N_floor = -174 + 10*np.log10(BW) + NF
margin = P_t_dBm - (N_floor + SNR_required)
 
# Range estimate (free-space)
def range_km(margin_dB, f_MHz=868):
    # Free-space: PL = 32.45 + 20 log f(MHz) + 20 log d(km)
    return 10**((margin_dB - 32.45 - 20*np.log10(f_MHz)) / 20)
 
for sf, br, snr, m in zip(SF_values, bit_rate, SNR_required, margin):
    print(f"SF{sf}: {br:.0f} bps, SNR_req {snr} dB, link margin {m:.1f} dB, range {range_km(m):.1f} km")

Output (free-space, optimistic): SF7 ~5 km, SF12 ~50 km. Real-world urban: 1-5 km for SF7, 10-15 km for SF12. Achievable record: 766 km from a balloon at altitude.

  • Three classes. Class A: end-device transmits, then opens two short receive windows. Lowest power. Class B: scheduled receive windows synchronized via beacons. Class C: continuously listening, used for AC-powered actuators.
  • Battery life. 5-10 years on AA cells with 1 message per hour.
  • Use cases. Smart water meters, gas meters, agricultural sensors, asset tracking, environmental monitoring, smart parking.

Hardware-security tie-ins for LoRaWAN. Per-device AES-128 keys. Replay attacks possible if frame counters not enforced (early v1.0 deployments shipped without). Join procedure uses a master key (AppKey) shared between device and network server. AppKey extraction from compromised devices breaks the chain. Some IoT vendors hardcode AppKey across device families.

C.12 NB-IoT and LTE-M

Cellular IoT in licensed spectrum.

  • NB-IoT. Narrowband IoT. 200 kHz channels in cellular bands. Designed for very-low-throughput devices: 26 kbps down, 16 kbps up. Range: 7-15 km (deep building penetration thanks to coverage extension up to 164 dB MCL). Battery life 10+ years. Used for smart meters, parking, asset tracking.
  • LTE-M (LTE Cat-M1). 1.4 MHz channels, 1 Mbps. Better for moving devices (handoff support). Used for vehicle telematics, wearables.

Both are 3GPP standards integrated into LTE/5G networks (no separate infrastructure). iPhone 14+ uses LTE-M for elevator emergency calls and similar critical-but-low-bandwidth use cases, in addition to L-band Globalstar for emergency satellite messaging in areas with no cellular coverage.

C.13 Security in WSN

The constraints are brutal:

  • 8 KB of RAM, 256 KB of flash, 32 MHz clock typical.
  • Battery operated, often physically accessible.
  • Lifetime measured in years, so cryptographic algorithms must hold up across that span.
  • Update mechanisms must be secure but also low-bandwidth (a 1 MB firmware update over LoRaWAN at 5 kbps takes 30 minutes of TX and depletes a year of battery).

Practical approaches:

  • AES-128 in CCM mode. Standard for IEEE 802.15.4 link encryption. Cheap on hardware (most modern radios have AES accelerators).
  • TinySec, MiniSec. Older lightweight crypto frameworks for motes.
  • Authenticated key agreement. ECDH on Cortex-M with optimized libraries (MicroECC, Mbed TLS).
  • Secure boot. Hardware-backed (TrustZone-M, secure elements like ATECC608A).
  • Over-the-air updates. Signed firmware images, version checks, rollback protection.

Real-world failures:

  • Mirai botnet (2016). Default passwords on IP cameras and DVRs. Compromised millions of devices, used for record-breaking DDoS attacks (1.2 Tbps against Dyn, taking out Twitter, Reddit, GitHub).
  • KRACK (2017). WPA2 4-way handshake replay vulnerability. Affected billions of Wi-Fi devices.
  • BleedingTooth (2020). Linux Bluetooth stack memory corruption.
  • Sybil attacks in mesh networks: one physical node claims multiple identities to bias routing or aggregation.
  • Wormhole attacks: attackers tunnel packets between two distant points, faking proximity.
  • Node capture: physical access to a deployed node lets the attacker dump firmware, extract keys, and reprogram. Defenses: tamper-evident enclosures, key wipe on tamper detection, secure elements.

C.14 Sensor platforms (real ones you can buy)

  • Berkeley Motes / TelosB. Classic research platforms (early 2000s). Atmel + CC2420 + sensor board. Still cited in WSN papers.
  • Arduino + ESP32. Hobbyist tier. ESP32 has Wi-Fi + BLE, dual core, ~$5. Not low-power but flexible.
  • Nordic nRF52840. Professional BLE + 802.15.4 + Thread. ~$10. ~5 µA sleep, ~6 mA TX. The platform behind many smart-home products.
  • Silicon Labs EFR32. Multi-protocol (BLE, ZigBee, Thread).
  • STM32WL. Cortex-M4 with integrated LoRa radio. Single-chip LoRa node.
  • Microchip ATSAMR21. Cortex-M0+ with 802.15.4 radio.
  • Particle.io. Cellular-IoT cloud platform. Boron, Argon, Tracker.