Radio Frequency IDentification (RFID) systems, usually consisting of tags, readers, and/or backend servers,are becoming increasingly ubiquitous in both public and private domains enabling computerized identification of objects and individuals. Prominent RFID applications include supply chain management, e-passports, credit cards, access cards, and medical implants. NFC, or Near Field Communication, is another upcoming RFID technology which allows devices, such as smartphones, to have both RFID tag and reader functionality. In particular, the use of NFC equipped mobile devices as payment tokens (such as Google Wallet) is considered to be the next generation of payment system and the latest buzz in the U.S. financial industry.
Due to the inherent weaknesses of the underlying wireless radio communication, however, RFID systems are plagued with a wide variety of security and privacy vulnerabilities. RFID tags often store sensitive information and usually respond promiscuously to any read requests. This renders the tag-specific information easily subject to eavesdropping, unauthorized reading, owner tracking, and cloning or impersonation. RFID tags are also susceptible to different forms of relay attacks. While RFID tags are prone to these “outsider” attacks, NFC enabled phones are additionally susceptible, perhaps more seriously, to “insider” attacks in the form of NFC malware.
Providing security and privacy services for RFID systems presents a unique and formidable set of challenges. In the context of standalone RFID tags, the inherent difficulty stems partially from the constraints of these tags in terms of computation, memory and power resources, and partially from the strict usability requirements imposed by RFID applications (originally geared for automation). In the context of NFC enabled smartphones, one primary challenge is to mitigate NFC malware without undermining the convenience offered by NFC services.
This project introduces a novel research direction towards RFID security and privacy one that utilizes sensors and sensing technologies. The premise of the work is a current technological advancement that enables many RFID devices (RFID tags as well as NFC devices) with low-cost sensing capabilities. In a nutshell, the project breaks new grounds and offers intellectual merits on three fronts, with a goal towards producing sensor-centric solutions suitable for different RFID applications in terms of efficiency (i.e., computation, memory and power overhead), security, and usability.
- Context-Aware Selective Unlocking: The on-board tag sensors are used to acquire useful contextual information about the tag’s environment (or its owner, or the tag itself). Such context recognition will be leveraged for selective tag unlocking — the tag will respond selectively to reader interrogations, i.e., only when it is deemed safe to do so. Specically, the following novel selective unlocking mechanisms are being explored: (i) magnetic-eld triggered proximity sensing, (ii) posture recognition, and (iii ) location awareness.
- Context-Aware Transaction Verification: The context recognition will be used as a basis for secure transaction verication to provide protection against malicious readers especially targeting RFID payment tokens. In particular, the focus will be on transaction verification using: (i) numeric digit-based speech recognition, and (ii) sensor-centric colocation.
- Context-Aware Malware Mitigation: In order to prevent malicious use of NFC chips on emerging mobile phones, the use of contextual and user-specfic information will be investigated to differentiate between benign human activity and malware activity. To this end, the emphasis will be on: (i) tapping gesture recognition, (ii) biometrics-based triggering, and (iii) CAPTCHA-based triggering.