Abstract
Introduction
The "Internet of Things," once reality, will have to rely on a global IT infrastructure that provides information about all those "things" in a secure and reliable manner. The EPCglobal Network is a proposal for a widely distributed information system to offer such services. But it may introduce more challenges concerning security, privacy, and political control than was initially anticipated.
If the vision of many RFID proponents becomes true, more and more common objects will soon acquire a cyber presence. Objects will be equipped with RFID tags containing identification data and possibly some additional information about the object in question (data on tag). To keep tag costs low, one may often just store an identifier and use it as a key to access databases containing the actual object information (data on network). This second approach is typical for "EPC tags"—RFID tags that aim to replace the conventional barcode system. They use an Electronic Product Code (EPC, see Figure 1), which is globally unique, as a key to retrieve information from the EPCglobal Network, envisioned as a large distributed system of databases. The EPC standard represents a numbering framework that is independent of specific hardware features, such as tag generation or specific radio frequency.
The databases comprising the EPCglobal Network are to be run by manufacturers, logistic providers, retailers, or third parties, and can be accessed via special web services called EPC Information Services (EPCIS). The network architecture is designed and administered by the standardization consortium EPCglobal, which is a joint venture of GS1 U.S. (formerly Uniform Code Council) and GS1 (formerly EAN International).
By improving the information flow, as objects pass from suppliers to manufacturers, distributors, retail stores, and customers, the EPCglobal Network aims to facilitate cooperation within supply chains and thus to make them more efficient. Once established, it could also be used to support a wide range of applications in the area of ubiquitous computing. An often-cited example is the "smart home," in which "intelligent" cupboards and fridges could be realized using RFID technology. By scanning the RFID tags on objects and using the EPCglobal Network for information retrieval, such devices can identify their current content and offer new services like food counseling or automated replenishing of goods.
As a result of this broadened use of the EPCglobal Network, its security context would change from closed supply chains to the rather open environments of ubiquitous computing, just like the security context of the Internet was changed by moving from relatively closed groups of fellow researchers to the global environment it represents today.
In this article, we first describe the EPCglobal Network architecture, as currently specified. We then discuss its security and privacy risks, as well as possible countermeasures. We conclude with suggestions on how to improve existing design proposals, once appropriate security and privacy requirements have been established.