Radio frequency identification tags (RFIDs) and other contactless cards (such as proximity cards and contactless smartcards) are becoming ubiquitous. For example, large corporations often use RFIDs or proximity cards to regulate building access. American Express, VISA, and MasterCard all produce credit cards with embedded RFID tags. Many car keys also have embedded RFID tags to help protect against hot-wiring. While the security community has invested significant resources in understanding and addressing the security deficiencies of such cards (including documented attacks against, and defensive recommendations for, each of the above examples), there is one class of attacks that the community is still battling: the so-called ghost-and-leech attacks.
The phrase "ghost-and-leech attack" was coined in 2005 by Z. Kfir et al., but more general relay attacks have been known for over 30 years. A key challenge with RFIDs and other contactless cards is that they are indiscriminate with respect to the external devices with which they wirelessly communicate: a passive card answers any reader that powers and interrogates it. A ghost-and-leech attack exploits this indiscriminate nature as follows. Consider, for example, the case where an RFID or proximity access card (or access badge) is used to gain entry into a building. Under a normal usage scenario, an employee might keep an access card in a wallet, walk up to the door, take the wallet out of a pocket, and then place the wallet near the reader, thereby triggering the reader to unlock the door and grant the employee entry, as illustrated in FIG. 1A. To mount a ghost-and-leech attack, two attackers, the ghost and the leech, coordinate their activities as shown in FIG. 1B. The ghost places attack equipment near the door's reader, and the leech places other attack equipment near the employee's wallet, perhaps as the employee rides the bus or train to work or stands in line at a local coffee shop. By relaying all communications between the reader and the employee's access card, the ghost can surreptitiously gain access to the building while the legitimate card and its holder are far from the door.
One can apply similar ghost-and-leech attacks to other uses of RFID tags and contactless cards. Moreover, anti-cloning and strong cryptographic mechanisms cannot by themselves protect against the ghost-and-leech attack. This consequence follows naturally from the behavior of the ghost and leech: they do not need to modify, tamper with, or inspect the contents of the communications between the reader and an employee's access card, nor do they need to know any key stored on the card. The ghost and leech simply need to relay the communications in a black-box manner, and the genuine card computes every cryptographic response for them. The inability of cryptography to defend against the ghost-and-leech attack creates a conundrum, and the solutions that are typically used require either sophisticated processing on the reader or sometimes obtrusive changes to the usage model of the RFID or contactless card. As an example of the former, one solution, known as distance bounding, is for the reader to gauge the physical proximity of the RFID or contactless card by measuring the round-trip time it takes for the tag or card to respond to challenge messages. The assumption here is that the ghost's and leech's proxying step will introduce non-negligible time delays, so a response that arrives later than a genuine nearby card could have produced it is rejected. As an example of the latter, some vendors are producing access cards with buttons that users must press in order to activate them, and third-party vendors are selling protective metallic sleeves that block contactless communications.
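The following simulation is an added illustration of the two points above and is not code from the patent or from any product it cites. It models a card that answers reader challenges with a keyed MAC (so a cloned card with the wrong key is rejected), a ghost-and-leech relay that forwards those bytes without knowing the key (so a reader that checks only the MAC is fooled), and a reader that additionally enforces a distance bound on the round-trip time (so the relay's added latency is detected). The key, the timing figures, and the round-trip budget are constructed for the example; time is simulated in microseconds rather than measured.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed example key, shared between one legitimate card and the door reader.
# This is the "anti-cloning" cryptography the text refers to.
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Assumed timing budget for the reader's distance bound (simulated microseconds):
# a genuine card held at the reader must answer within this round-trip time.
MAX_ROUND_TRIP_US = 50


class Card:
    """A contactless card: answers any challenge it hears with a truncated HMAC."""

    def __init__(self, key: bytes, response_time_us: int = 20):
        self.key = key
        self.response_time_us = response_time_us  # the card's own processing delay

    def respond(self, challenge: bytes) -> tuple[bytes, int]:
        tag = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        return tag, self.response_time_us


class GhostAndLeech:
    """The ghost (at the reader) and leech (at the card) as one black-box relay.

    The relay never sees the key: it forwards the challenge to the real card and
    forwards the card's answer back, adding link latency in each direction.
    """

    def __init__(self, victim_card: Card, one_way_latency_us: int):
        self.victim_card = victim_card
        self.one_way_latency_us = one_way_latency_us

    def respond(self, challenge: bytes) -> tuple[bytes, int]:
        tag, card_time = self.victim_card.respond(challenge)
        return tag, card_time + 2 * self.one_way_latency_us


def authenticate(reader_key: bytes, device, enforce_distance_bound: bool) -> str:
    """Reader side: fresh challenge, MAC check, and an optional round-trip bound."""
    challenge = secrets.token_bytes(16)
    tag, round_trip_us = device.respond(challenge)
    expected = hmac.new(reader_key, challenge, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return "reject: bad response"  # a cloned card with the wrong key lands here
    if enforce_distance_bound and round_trip_us > MAX_ROUND_TRIP_US:
        return "reject: too slow"      # the relay's latency lands here
    return "grant"


def run_scenarios() -> dict[str, str]:
    """Exercise the four cases the text contrasts; returns outcome per scenario."""
    genuine = Card(CARD_KEY)
    clone = Card(bytes(16))                      # attacker guessed the wrong key
    relay = GhostAndLeech(genuine, one_way_latency_us=400)  # e.g. a cellular/IP hop
    return {
        "genuine card, MAC only": authenticate(CARD_KEY, genuine, False),
        "cloned card, MAC only": authenticate(CARD_KEY, clone, False),
        "relayed card, MAC only": authenticate(CARD_KEY, relay, False),
        "relayed card, MAC + distance bound": authenticate(CARD_KEY, relay, True),
        "genuine card, MAC + distance bound": authenticate(CARD_KEY, genuine, True),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:40s} -> {outcome}")
```

The cryptography does its job against the clone but is irrelevant to the relay, exactly as the text argues, because the genuine card computes the correct response for the ghost. Only the timing check separates the two. A real distance-bounding reader is considerably harder to build than this sketch suggests: radio propagates about 30 cm per nanosecond, so bounding a card to a few centimetres requires nanosecond-scale timing of the card's response, which is why the text counts distance bounding as "sophisticated processing on the reader".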
Wireless Identification and Sensing Platform (WISP) RFID tags are a powerful tool for implementing stronger security mechanisms on passive RFID devices, because they combine a programmable microcontroller and sensors with a passive, reader-powered RFID front end. Researchers have demonstrated that it is possible to implement the RC5 block cipher on WISPs and have shown how WISP-like technologies could improve the security and privacy of implantable medical devices.
Others have shown that a large number of possible approaches can be applied to reducing the risk of fraud and privacy invasions associated with RFID credit cards, including the use of more sophisticated cryptographic techniques, protective sleeves, and buttons on the cards. Among these defensive approaches is the conjecture that a motion sensor on an RFID card could detect the telltale tap-and-go motion typically associated with an RFID credit card purchase. That conjecture could be developed into a model for context-aware communications, in which the card decides from its own sensed context whether to answer a reader at all, even on an existing passive RFID tag.
Based on the discussion above, it would be desirable to disable communications and other activities while a device (i.e., an RFID tag or contactless card) is in the context of day-to-day activities, and to enable communications only during specific authentication activities, such as an attempt to gain legitimate entry to a building. A card that stays silent while its owner rides the bus or waits in line gives the leech nothing to relay. In contrast, the prior art approach is to enable actions during day-to-day activities such as walking, in response to the motion detected. Clearly, further development will be useful in achieving a robust approach, usable with RFID tags and other contactless cards, that protects against ghost-and-leech attacks and other such undesired attacks.