Despite their increasingly ubiquitous deployment, RFID systems are plagued with a wide variety of security and privacy threats. A large number of these threats arise from the tag's promiscuous response to any reader request. This leaves sensitive tag information easily subject to unauthorized reading. It also invites different forms of relay attacks whereby a colluding pair, by relaying information between a legitimate tag and reader, can successfully impersonate the legitimate tag without actually possessing it.
This research explores novel context-aware security and privacy mechanisms by leveraging the sensing capabilities newly available on next-generation (passive) RFID tags. The goal is to provide improved protection against unauthorized reading and relay attacks without undermining the usability and efficiency offered by RFID systems. The project also includes a feasibility study of the proposed mechanisms in terms of both economic and power constraints, and a systematic analysis of possible (new) sensor-centric attacks. The overall proposed activities range from system design and analysis to implementation and performance measurements.
More broadly, this exploratory work intends to arrive at a better understanding of the feasibility of utilizing parameters derived from the physical world to solve security and privacy issues of cyber systems. In terms of educational activities, new security courses focusing on resource-constrained devices and lightweight cryptographic tools will be developed.
In this research, we study how to use various contextual information to design context-aware security mechanisms for RFID systems with minimum user distraction. This line of research leverages current technological advances that continuously add new sensing capabilities to mobile devices. These new sensing capabilities bring a new and improved user experience, as a device can use sensed information to adapt its behavior according to its environment and its owner. They also suggest new ways of providing security and privacy services by utilizing the unique properties of the physical environment or the physical status of the device (or its owner). Based on context recognition, we have developed a series of context-aware selective techniques and server transaction verification methods to defend against stubborn unauthorized reading and relay attacks in RFID systems.
This project led to the training and intellectual development of multiple graduate students involved with it. 3 Master's theses and 1 Master's project are based on this project. Research results from this project have been disseminated through a total of 9 publications in major security/pervasive computing conferences and journals such as Esorics'12, WiSec'12, WiSec'13, PerCom'12, IEEE TDSC, and IEEE TETC. Research results have also been incorporated into the teaching materials in two security courses offered by the Department of Computer and Information Science, University of Michigan-Dearborn.