ReSC: An RFID-Enabled Solution for Defending IoT Supply Chain

The Internet of Things (IoT), an emerging global network of uniquely identifiable embedded computing devices within the existing Internet infrastructure, is transforming how we live and work by increasing the connectedness of people and things on a scale that was once unimaginable. In addition to facilitated information and service exchange between connected objects, enhanced computing power and analytic capabilities of individual objects, and increased interaction between objects and their environments, the IoT also raises new security and privacy challenges. Hardware trust across the IoT supply chain is the foundation of IoT security and privacy. Two major supply chain issues—disappearance/theft of authentic IoT devices and appearance of inauthentic ones—have to be addressed to secure the IoT supply chain and lay the foundation for further security and privacy-defensive measures. Comprehensive solutions that enable IoT device authentication and traceability across the entire supply chain (i.e., during distribution and after being provisioned) need to be established. Existing hardware, software, and network protection methods, however, do not address IoT supply chain issues. To mitigate this shortcoming, we propose an RFID-enabled solution called ReSC that aims at defending the IoT supply chain. By incorporating three techniques—one-to-one mapping between RFID tag identity and control chip identity; unique tag trace, which records tag provenance and history information; and neighborhood attestation of IoT devices—ReSC is resistant to split attacks (i.e., separating tag from product, swapping tags), counterfeit injection, product theft throughout the entire supply chain, device recycling, and illegal network service access (e.g., Internet, cable TV, online games, remote firmware updates). Simulations, theoretical analysis, and experimental results based on a printed circuit board (PCB) prototype demonstrate the effectiveness of ReSC. Finally, we evaluate the security of our proposed scheme against various attacks.