59 research outputs found

    SecuCode: Intrinsic PUF Entangled Secure Wireless Code Dissemination for Computational RFID Devices

    The simplicity of deployment and perpetual operation of energy harvesting devices provides a compelling proposition for a new class of edge devices for the Internet of Things. In particular, Computational Radio Frequency Identification (CRFID) devices are an emerging class of battery-free, computational, sensing-enhanced devices that harvest all of their energy for operation. Despite wireless connectivity and powering, secure wireless firmware updates remain an open challenge for CRFID devices due to intermittent powering, limited computational capabilities, and the absence of a supervisory operating system. We present, for the first time, a secure wireless code dissemination (SecuCode) mechanism for CRFIDs by entangling a device-intrinsic hardware security primitive, the Static Random Access Memory Physical Unclonable Function (SRAM PUF), to a firmware update protocol. The design of SecuCode: i) overcomes the resource-constrained and intermittently powered nature of the CRFID devices; ii) is fully compatible with existing communication protocols employed by CRFID devices, in particular the ISO-18000-6C protocol; and iii) is built upon a standard and industry-compliant firmware compilation and update method realized by extending a recent framework for firmware updates provided by Texas Instruments. We build an end-to-end SecuCode implementation and conduct extensive experiments to demonstrate standards compliance and to evaluate performance and security. Comment: Accepted to the IEEE Transactions on Dependable and Secure Computin

    A review of RFID based solutions for indoor localization and location-based classification of tags

    Wireless communication systems are widely used for indoor localization of items. In particular, two main application fields can be identified. The former relates to detection or localization of static items. The latter relates to real-time tracking of moving objects, whose movements can be reconstructed over identified timespans. Among the adopted technologies, Radio-Frequency IDentification (RFID), especially if based on cheap passive RFID tags, stands out for its affordability and reasonable efficiency. This aspect makes RFID suitable for both the above-mentioned applications, especially when a large number of objects need to be tagged. The reason lies in a suitable trade-off between the low cost of implementing the position sensing system and its precision and accuracy. However, RFID-based solutions suffer from limited reading range and lower accuracy. Solutions have been proposed by academia and industry. However, a structured analysis of developed solutions, useful for further implementations, is missing. The purpose of this paper is to highlight and review the recently proposed solutions for indoor localization making use of RFID passive tags. The paper focuses on both precise and qualitative location of objects. The former relates to (i) the correct position of tags, namely mapping their right position in a 2D or 3D environment. The latter relates to the classification of tags, namely the identification of the area where the tag is regardless of its specific position

    A Secure RFID Authentication Protocol Adopting Error Correction Code

    RFID technology has become popular in many applications; however, most of the RFID products lack security related functionality due to the hardware limitation of the low-cost RFID tags. In this paper, we propose a lightweight mutual authentication protocol adopting error correction code for RFID. Besides, we also propose an advanced version of our protocol to provide key updating. Based on the secrecy of shared keys, the reader and the tag can establish a mutual authenticity relationship. Further analysis of the protocol showed that it also satisfies integrity, forward secrecy, anonymity, and untraceability. Compared with other lightweight protocols, the proposed protocol provides stronger resistance to tracing attacks, compromising attacks and replay attacks. We also compare our protocol with previous works in terms of performance

    Design and Analysis of Security Schemes for Low-cost RFID Systems

    With the remarkable progress in microelectronics and low-power semiconductor technologies, Radio Frequency IDentification technology (RFID) has moved from obscurity into mainstream applications, which essentially provides an indispensable foundation to realize ubiquitous computing and machine perception. However, the catching and exclusive characteristics of RFID systems introduce growing security and privacy concerns. Addressing these issues is particularly challenging for low-cost RFID systems, where tags are extremely constrained in resources, power and cost. The primary reasons are: (1) the security requirements of low-cost RFID systems are even more rigorous due to large operation range and mass deployment; and (2) the passive tags' modest capabilities and the necessity to keep their prices low present a novel problem that goes beyond the well-studied problems of traditional cryptography. This thesis presents our research results on the design and the analysis of security schemes for low-cost RFID systems. Motivated by the recent attention on exploiting physical layer resources in the design of security schemes, we investigate how to solve the eavesdropping, modification and one particular type of relay attacks toward the tag-to-reader communication in passive RFID systems without requiring lightweight ciphers. To this end, we propose a novel physical layer scheme, called Backscatter modulation- and Uncoordinated frequency hopping-assisted Physical Layer Enhancement (BUPLE). The idea behind it is to use the amplitude of the carrier to transmit messages as normal, while utilizing its periodically varied frequency to hide the transmission from the eavesdropper/relayer and exploiting a random sequence modulated onto the carrier's phase to defeat malicious modifications. 
We further improve its eavesdropping resistance through coding in the physical layer, since BUPLE ensures that the tag-to-eavesdropper channel is strictly noisier than the tag-to-reader channel. Three practical Wiretap Channel Codes (WCCs) for passive tags are then proposed: two of them are constructed from linear error correcting codes, and the other one is constructed from a resilient vector Boolean function. The security and usability of BUPLE in conjunction with WCCs are further confirmed by our proof-of-concept implementation and testing. Eavesdropping the communication between a legitimate reader and a victim tag to obtain raw data is a basic tool for the adversary. However, given the fundamentality of eavesdropping attacks, there is limited prior work investigating its intension and extension for passive RFID systems. To this end, we firstly identified a brand-new attack, working at the physical layer, against backscattered RFID communications, called unidirectional active eavesdropping, which defeats the customary impression that eavesdropping is a "passive" attack. To launch this attack, the adversary transmits an un-modulated carrier (called blank carrier) at a certain frequency while a valid reader and a tag interact at another frequency channel. Once the tag modulates the amplitude of the reader's signal, it causes fluctuations on the blank carrier as well. By carefully examining the amplitude of the backscattered versions of the blank carrier and the reader's carrier, the adversary could intercept the ongoing reader-tag communication with either significantly lower bit error rate or from a significantly greater distance away. Our concept is demonstrated and empirically analyzed towards a popular low-cost RFID system, i.e., EPC Gen2. 
Although active eavesdropping in general is not trivial to prohibit, for a particular type of active eavesdropper, namely a greedy proactive eavesdropper, we propose a simple countermeasure without introducing extra cost to current RFID systems. The need for cryptographic primitives on constrained devices keeps increasing with the growing pervasiveness of these devices. One recent design of a lightweight block cipher is Hummingbird-2. We study its cryptographic strength under a novel technique we developed, called Differential Sequence Attack (DSA), and present the first cryptanalytic result on this cipher. In particular, our full attack can be divided into two phases: preparation phase and key recovery phase. During the key recovery phase, we exploit the fact that the differential sequence for the last round of Hummingbird-2 can be retrieved by querying the full cipher, due to which the search space of the secret key can be significantly reduced. Thus, by attacking the encryption (decryption resp.) of Hummingbird-2, our algorithm recovers 36 bits (another 28 bits resp.) of the 128-bit key with $2^{68}$ ($2^{60}$ resp.) time complexity if particular differential conditions of the internal states and of the keys at one round can be imposed. Additionally, the remaining 64 bits of the key can be exhaustively searched and the overall time complexity is dominated by $2^{68}$. During the preparation phase, by investing $2^{81}$ effort in time, the adversary is able to create the differential conditions required in the key recovery phase with at least 0.5 probability. As an additional effort, we examine the cryptanalytic strength of another lightweight candidate known as A2U2, which is the most lightweight cryptographic primitive proposed so far for low-cost tags. 
Our chosen-plaintext-attack fully breaks this cipher by recovering its secret key with only querying the encryption twice on the victim tag and solving 32 sparse systems of linear equations (where each system has 56 unknowns and around 28 unknowns can be directly obtained without computation) in the worst case, which takes around 0.16 second on a Thinkpad T410 laptop

    Wireless Positioning and Tracking for Internet of Things in GPS-denied Environments

    Wireless positioning and tracking have long been a critical technology for various applications such as indoor/outdoor navigation, surveillance, tracking of assets and employees, and guided tours, among others. Proliferation of Internet of Things (IoT) devices, the evolution of smart cities, and vulnerabilities of traditional localization technologies to cyber-attacks such as jamming and spoofing of GPS necessitate development of novel radio frequency (RF) localization and tracking technologies that are accurate, energy-efficient, robust, scalable, non-invasive and secure. The main challenges that are considered in this research work are obtaining fundamental limits of localization accuracy using received signal strength (RSS) information with directional antennas, and use of burst and intermittent measurements for localization. In this dissertation, we consider various RSS-based techniques that rely on existing wireless infrastructures to obtain location information of corresponding IoT devices. In the first approach, we present a detailed study on localization accuracy of UHF RF IDentification (RFID) systems considering realistic radiation pattern of directional antennas. Radiation patterns of antennas and antenna arrays may significantly affect RSS in wireless networks. The sensitivity of tag antennas and receiver antennas plays a crucial role. In this research, we obtain the fundamental limits of localization accuracy considering radiation patterns and sensitivity of the antennas by deriving Cramer-Rao Lower Bounds (CRLBs) using estimation theory techniques. In the second approach, we consider a millimeter Wave (mmWave) system with linear antenna array using beamforming radiation patterns to localize user equipment in an indoor environment. In the third approach, we introduce a tracking and occupancy monitoring system that uses ambient, bursty, and intermittent WiFi probe requests radiated from mobile devices. 
Burst and intermittent signals are prominent characteristics of IoT devices; using these features, we propose a tracking technique that uses interacting multiple models (IMM) with Kalman filtering. Finally, we tackle the problem of indoor UAV navigation to a wireless source using its Rayleigh fading RSS measurements. We propose a UAV navigation technique based on Q-learning, a model-free reinforcement learning technique, to tackle the variation in the RSS caused by Rayleigh fading

    Efficient wireless power transmission and radio-frequency identification systems (Sistemas eficientes de transmissão de energia sem-fios e identificação por radiofrequência)

    Doctorate in Electrical Engineering. In the IoT context, where billions of connected objects are expected to be ubiquitously deployed worldwide, the frequent battery maintenance of ubiquitous wireless nodes is undesirable or even impossible. In these scenarios, passive-backscatter radios will certainly play a crucial role due to their low cost, low complexity and battery-free operation. However, as passive-backscatter devices are chiefly limited by the WPT link, its efficiency optimization has been a major research concern over the years, gaining even more emphasis in the IoT context. Wireless power transfer has traditionally been carried out using CW signals, and the efficiency improvement has commonly been achieved through circuit design optimization. This thesis explores a fundamentally different approach, in which the optimization is focused on the powering waveforms, rather than the circuits. It is demonstrated through theoretical analysis, simulations and measurements that, given their greater ability to overcome the built-in voltage of rectifying devices, high PAPR multi-sine (MS) signals are capable of more efficiently exciting energy harvesting circuits when compared to CWs. By using optimal MS signals to excite rectifying devices, remarkable RF-DC conversion efficiency gains of up to 15 dB with respect to CW signals were obtained. In order to show the effectiveness of this approach to improve the communication range of passive-backscatter systems, a MS front-end was integrated in a commercial RFID reader and a significant range extension of 25% was observed. Furthermore, a software-defined radio RFID reader, compliant with ISO18000-6C standard and with MS capability, was constructed from scratch. By interrogating passive RFID transponders with MS waveforms, a transponder sensitivity improvement higher than 3 dB was obtained for optimal MS signals. 
Since the amplification and transmission of high PAPR signals is critical, this work also proposes efficient MS transmitting architectures based on space power combining techniques. This thesis also addresses other not less important issues, namely self-jamming in passive RFID readers, which is the second limiting factor of passive-backscatter systems. A suitable self-jamming suppression scheme was first used for CW signals and then extended to MS signals, yielding a CW isolation up to 50 dB and a MS isolation up to 60 dB. Finally, a battery-less remote control system was developed and integrated in a commercial TV device with the purpose of demonstrating a practical application of wireless power transfer and passive-backscatter concepts. This allowed battery-free control of four basic functionalities of the TV (CH+,CH-,VOL+,VOL-). In the context of the Internet of Things (IoT), where billions of connected objects are expected to be spread ubiquitously across the planet, frequent maintenance and battery replacement for ubiquitous wireless devices becomes impractical. In these scenarios, passive backscatter radio systems will play a leading role given their low cost, low complexity and the absence of batteries in the mobile nodes. Since wireless power transmission is the main limiting aspect of these systems, its optimization has been a central research topic, gaining even more emphasis in the IoT context. Traditionally, wireless power transfer is performed using CW signals, and efficiency is maximized by optimizing the receiver circuits. This work explores a fundamentally different approach, in which the optimization focuses on the waveforms rather than the circuits. 
It is demonstrated, theoretically and through simulations and measurements, that owing to their greater ability to overcome the intrinsic potential barrier of rectifying devices, high-PAPR multi-sine (MS) signals can excite energy harvesting circuits more efficiently than the traditional CW signal. Using optimal MS signals in rectifier circuits, remarkable RF-DC conversion efficiency improvements of up to 15 dB relative to the CW signal were verified experimentally. To show the effectiveness of this approach in improving the communication distance of passive backscatter systems, an MS front-end was integrated into a commercial RFID reader and a significant 25% increase in reading distance was observed. In addition, a software-radio-based RFID reader, compatible with the ISO18000-6C protocol and capable of generating MS signals, was developed from scratch and used to interrogate passive transponders, obtaining transponder sensitivity gains greater than 3 dB. Since amplifying high-PAPR signals is a critical operation, new efficient transmission architectures based on combining signals in free space were also proposed. This thesis also addresses other, no less important aspects, such as self-jamming in passive RFID readers, regarded as the second limiting factor in this type of system. CW self-jamming cancellation techniques were studied and the concept was extended to MS signals, obtaining isolation between transmitter and receiver of up to 50 dB in the first case and up to 60 dB in the second. Finally, to demonstrate a practical application of the concepts of wireless power transmission and backscatter communication, a battery-free remote control system was developed, whose prototype was integrated into a commercial television to control four basic functions (CH+,CH-,VOL+,VOL-)

    Survey on Lightweight Primitives and Protocols for RFID in Wireless Sensor Networks

    The use of radio frequency identification (RFID) technologies is becoming widespread in all kinds of wireless network-based applications. As expected, applications based on sensor networks, ad-hoc or mobile ad hoc networks (MANETs) can benefit greatly from the adoption of RFID solutions. There is a strong need to employ lightweight cryptographic primitives for many security applications because of the tight cost and constrained resource requirements of sensor-based networks. This paper mainly focuses on the security analysis of lightweight protocols and algorithms proposed for the security of RFID systems. A large number of research solutions have been proposed to implement lightweight cryptographic primitives and protocols in resource-constrained networks that integrate sensors and RFID. In this work, an overview of the currently discussed lightweight primitives and their attributes is given. These primitives and protocols have been compared based on gate equivalents (GEs), power, technology, strengths, weaknesses and attacks. Further, an integration of primitives and protocols is compared with the possibilities of their applications in practical scenarios