A Systematic Security Analysis for Path-based Traceability Systems in RFID-Enabled Supply Chains

TL;DR

This paper systematically analyzes the security of RFID-enabled supply chain traceability systems, identifying vulnerabilities and comparing 17 solutions using a unified security framework to highlight critical weaknesses.

Contribution

It introduces a comprehensive security framework for traceability systems and provides the first large-scale security evaluation of 17 solutions, revealing significant vulnerabilities.

Findings

Identified multiple security weaknesses in existing traceability solutions.

Compared 17 solutions using a unified security framework.

Highlighted critical vulnerabilities in RFID-based supply chain security.

Abstract

Traceability systems have become prevalent in supply chains because of the rapid development of RFID and IoT technologies. These systems facilitate product recall and mitigate problems such as counterfeiting, tampering, and theft by tracking the manufacturing and distribution life-cycle of a product. Therefore, traceability systems are a defense mechanism against supply chain attacks and, consequently, have become a target for attackers to circumvent. For example, a counterfeiter may change the trace of a fake product for the trace of an authentic product, fooling the system into accepting a counterfeit product as legit and thereby giving a false sense of security. This systematic analysis starts with the observation that security requirements in existing traceability solutions are often unstructured or incomplete, leaving critical vulnerabilities unaddressed. We synthesized the properties of current state-of-the-art traceability solutions within a single security framework that allows us to analyze and compare their security claims. Using this framework, we objectively compared the security of $17$ traceability solutions and identified several weaknesses and vulnerabilities. This article reports on these flaws, the methodology we used to identify them, and the first security evaluation of traceability solutions on a large scale.