A context-aware approach to defend against unauthorized reading and relay attacks in RFID systems



Radio frequency identification (RFID) systems are becoming increasingly ubiquitous in both public and private domains. However, because of the inherent weaknesses of underlying wireless radio communications, RFID systems are plagued with a wide variety of security and privacy threats. A large number of these threats arise because of the tag's promiscuous response to any reader requests. This renders sensitive tag information easily subject to unauthorized reading. Promiscuous tag response also incites different forms of relay attacks whereby a malicious colluding pair, relaying messages between a tag and a reader, can successfully impersonate the tag without actually possessing it. Because of the increasing ubiquity of RFID devices, there is a pressing need for the development of security primitives and protocols to defeat unauthorized reading and relay attacks. However, currently deployed or proposed solutions often fail to satisfy the constraints and requirements of the underlying RFID applications in terms of (one or more of) efficiency, security, and usability. This paper proposes a novel research direction, one that utilizes sensing technologies, to tackle the problems of unauthorized reading and relay attacks with a goal of reconciling the requirements of efficiency, security, and usability. The premise of the proposed work is based on a current technological advancement that enables many RFID tags with low-cost sensing capabilities. The on-board tag sensors will be used to acquire useful contextual information about the tag's environment (or its owner, or the tag itself). For defense against unauthorized reading and relay attacks, such context information can be leveraged in two ways. First, contextual information can be used to design context-aware selective unlocking mechanisms so that tags can selectively respond to reader interrogations and thus minimize the likelihood of unauthorized reading and “ghost-and-leech” relay attacks. Second, contextual information can be used as a basis for context-aware secure transaction verification to defend against special types of relay attacks involving malicious readers. Copyright © 2011 John Wiley & Sons, Ltd.