Shedding Some Light on RFID Distance Bounding Protocols and Terrorist Attacks

During the last years, researchers have focused on designing secure and efficient RFID authentication protocols. The vast majority of these protocols assume proximity between readers and tags due to the limited range of the radio channel. However, in real scenarios, an intruder can be located between the prover (tag) and the verifier (reader) and trick the latter into thinking that the prover is in close proximity. This attack is globally known as a relay attack, a kind that includes others such as distance fraud, mafia fraud and terrorist attacks. Distance bounding protocols represent a promising countermeasure to hinder relay attacks. Several protocols have been proposed in the last years, but vulnerabilities of major or minor relevance have been identified in all of them. In 2008, Kim et al. [10] proposed a new distance bounding protocol with the objective of being the best one in terms of security, privacy, tag computational overhead and fault tolerance - as claimed by their authors. The study of this recent protocol is the main subject of this paper. We present a passive full disclosure attack which allows an adversary -listening the public messages exchanged on the channel- to discover the long-term secret key of the tag. The presented attack is very relevant as it implies that none of the protocol security objectives are guaranteed. Additionally, we also show that the probability of a successful mafia fraud attack against the Reid et al. protocol [16] is bounded by (3/4)^n and not by (7/8)^n as Piramuthu states in [15].