Traceability systems have become prevalent in supply chains because of the rapid development of RFID and IoT technologies. These systems facilitate product recall and mitigate problems such as counterfeiting, tampering, and theft by tracking the manufacturing and distribution life-cycle of a product. Therefore, traceability systems are a defense mechanism against supply chain attacks and, consequently, have become a target for attackers to circumvent. For example, a counterfeiter may change the trace of a fake product for the trace of an authentic product, fooling the system into accepting a counterfeit product as legit and thereby giving a false sense of security. This systematic analysis starts with the observation that security requirements in existing traceability solutions are often unstructured or incomplete, leaving critical vulnerabilities unaddressed. We synthesized the properties of current state-of-the-art traceability solutions within a single security framework that allows us to analyze and compare their security claims. Using this framework, we objectively compared the security of $17$ traceability solutions and identified several weaknesses and vulnerabilities. This article reports on these flaws, the methodology we used to identify them, and the first security evaluation of traceability solutions on a large scale.
翻译:随着RFID与物联网技术的快速发展,追溯系统在供应链中日益普及。这类系统通过追踪产品的制造与分销生命周期,促进产品召回并缓解伪造、篡改及盗窃等问题。因此,追溯系统作为抵御供应链攻击的防御机制,相应地也成为攻击者试图规避的目标。例如,伪造者可能将假冒产品的追溯路径替换为真实产品的路径,诱使系统将假冒产品误认为合法产品,从而产生虚假的安全感。本系统化分析基于以下观察:现有追溯方案中的安全需求往往缺乏结构化或完整性,导致关键漏洞未被处理。我们将当前前沿追溯方案的特性整合到统一的安全框架中,该框架使我们能够分析和比较其安全声明。利用此框架,我们客观比较了17种追溯方案的安全性,并识别出若干缺陷与漏洞。本文报告了这些缺陷、我们用于识别缺陷的方法论,以及首次大规模开展的追溯方案安全性评估。