DOI: 10.1145/1455770.1455831
Research article

RFIDs and secret handshakes: defending against ghost-and-leech attacks and unauthorized reads with context-aware communications

Published: 27 October 2008

Abstract

We tackle the problem of defending against ghost-and-leech (a.k.a. proxying, relay, or man-in-the-middle) attacks against RFID tags and other contactless cards. The approach we take -- which we dub secret handshakes -- is to incorporate gesture recognition techniques directly on the RFID tags or contactless cards. These cards will only engage in wireless communications when they internally detect these secret handshakes. We demonstrate the effectiveness of this approach by implementing our secret handshake recognition system on a passive WISP RFID tag with a built-in accelerometer. Our secret handshakes approach is backward compatible with existing deployments of RFID tag and contactless card readers.
Our approach was also designed to minimize the changes to the existing usage model of certain classes of RFID and contactless cards, like access cards kept in billfold and purse wallets, allowing the execution of secret handshakes without removing the card from one's wallet. Our techniques could extend to improving the security and privacy properties of other uses of RFID tags, like contactless payment cards.


Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
October 2008
590 pages
ISBN: 9781595938107
DOI: 10.1145/1455770

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. context-aware communications
2. gesture recognition
3. man-in-the-middle attacks
4. passive gesture recognition
5. privacy
6. proxy attacks
7. relay attacks
8. rfid
9. rfid device selection
10. skimming attacks

Qualifiers

• Research-article

Conference

CCS08

Acceptance Rates

CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
