[IEEE 2013 IEEE International Symposium on Innovations in Intelligent Systems and Applications...


978-1-4799-0661-1/13/$31.00 ©2013 IEEE

Analysis of Two Protocols Using EPC Gen-2 Tags for Safe Inpatient Medication

Mehmet Hilal Özcanhan, Gökhan Dalkılıç, Semih Utku Department Of Computer Engineering,

Dokuz Eylul University Izmir, Turkey

{hozcanhan@, dalkilic@, semih@}cs.deu.edu.tr

Abstract—The number of people suffering due to wrong medication is increasing. A hospital-wide ubiquitous system can prevent inpatient medication errors. A correctly designed system guarantees the correct medicine and dosage administration, at the correct time. Such a system also helps tracing the location, time of errors and generates fast alarms to prevent harm to patients. Two proposals using UHF passive radio frequency identification tags have been made. But the proposed schemes give away critical patient information, raising privacy and intentional harm concerns. This work studies the proposals and demonstrates a new full-disclosure attack, on both. In addition, the weaknesses of protocols using the PRNG and CRC functions as encryption algorithms are studied. A conclusion is drawn about the suitability of grouping proofs and other protocols using the EPC Global Class-1 Generation-2 tags, in patient medication.

Keywords—RFID; RFID tag; UHF tag; EPC Gen 2 tag; NFC tag; authentication; group proofing protocol

I. INTRODUCTION

Human beings try to stay alive and live a comfortable life, with the help of invented medicines. Yet, Institute of Medicine reports that about 530,000 preventable “adverse drug events” (ADE) happen, each year in the U.S.A. [1]. Each ADE adds around $8.75 to the hospital stay, accumulating to billions of dollars. There are other adverse statistics [2, 3], all of which put a major goal in front of medical communities: Avoiding harm to patients, caused during medical-care [4].

A medication error is defined as the administering of a wrong medicine or dosage to a patient that ends up harming the patient [4, 5]. Many tools have been used such as high-end servers, desktops, personal digital assistants (PDA), tablets, automatic medicine dispensers (AMD) and recently radio frequency identification (RFID) tags to prevent the human errors in medication. In spite of sophisticated systems and standards, medication errors continue to occur. A solution that reaches the mobile actors (patient, doctor, nurse) is necessary. That solution is a ubiquitous system consisting of back-end servers for management and supervision, mobile tablets for doctors/nurses and wireless tags attached on the inpatients. The tags hold vital identification information about the subject they are attached on. On the other hand, tablets of the nurses are equipped with wireless capabilities, including a tag reader.

The RFID set up is made of a hospital information system (HIS) database server, a reader and a tag (Fig. 1). The HIS is an infrastructure which connects the different departments, clinics and players of a hospital through a local network, to a central server. The server has all the information about a subject, e.g. personal information, a unique identification (ID) number, tag secrets etc. The tag can be placed as a wristband to an inpatient and as a sticker to a medicine pack. The pre-shared secrets in the tag are used for the authentication of the inpatient.

One type of RFID tags is passive tags. Passive tags have no batteries but are energized by the oncoming reader, which approaches to read the tag. With the experience in tracking commercial goods, researchers have been attempting to incorporate RFID into human related applications. The passive tags are the first type suggested for use in inpatient medication.

Fig. 1. A typical UHF RFID tag reading scenario.

A passive UHF tag can be read from a few meters away and as many as hundreds of tags can be read per second. But this property can be a disadvantage, as well as an advantage, in the presence of malicious eavesdroppers. The ISO 18000-6 and EPC Global Class 1 Generation 2 (EPC Gen-2) standards govern the UHF tags. According to these standards, the UHF tags contain no encryption or hashing capabilities; but only a 16 bit pseudo random number generator (PRNG), a cyclic redundancy check (CRC) and an XOR function for obscuring message exchanges. Lack of encryption or hashing algorithms makes the capture of the Electronic Product Code (EPC = ID) from the exchanged messages, not difficult.

II. RELATED WORK

The origins of using RFID tags in groups for the identification of objects go back to the work of Juels et al. [6]. Juels’s work defined a grouping proof protocol as simultaneous reading of two tags at a given timestamp. Applying the grouping proof protocol to inpatient medication, evidence is produced by simultaneous reading of the inpatient, nurse and the unit dose medication tags [7]. The record of the presence of the three is accepted as enough evidence that the nurse administered the contents of the read medicine pack to the inpatient present.

The weaknesses and recommended security enhancements for grouping proofs in general are summarized in [8]. But, one of the first proposals to use RFID tags in patient medication is by Wu et al. [9]. Later, Sun et al. proposed the use of RFID tags for identifying patients and barcodes for unit dose medication [10]. The pioneering work lacked detailed description and advocated the use of personal computers as mobile devices. In addition, the proposed paper barcodes have limited capabilities and usage disadvantages, in patient safety [11]. Since simultaneous tag presence is obtained by message exchanges through the air, critical data forming the grouping proof has to be properly secured. Otherwise, an eavesdropper can capture the inpatient identity and the medicine used, opening the avenue to many malevolent intentions.

A proposal where both the inpatient and the medicine are identified by low-cost RFID tags conforming to EPC Class-1 Generation-2 (EPC Gen-2) standard was made by Huang and Ku [12]. The inpatient is assumed to have a wristband with an embedded RFID tag. The medicine container of every patient is also marked with a tag. Unfortunately, the grouping proof proposed has security flaws, which were demonstrated by Chien et al. [13]. But, the suggested alternative protocol was also shown to be vulnerable [14]. Besides having security weaknesses, the above works have the common disadvantage of lacking conformity considerations to Health Level 7 (HL7) standards [15]. HL7 specifies a number of standards, guidelines and methodologies, by which healthcare systems are expected to communicate with each other. As a basic requirement, the communicating principals must be authenticated mutually. The security problems arise because the requirement of strong mutual authentication is not obeyed. This is also demonstrated in the two recent works, analyzed below. The two works are specifically chosen because, they claim to rectify grouping proof protocols, but in fact they don’t. The works fail because of two reasons. The first is the weak encryption properties of the PRNG and CRC functions of the UHF tag. Coupled with the weak encryption, the known algebraic attacks on many previous examples are not considered [16].

III. FULL-DISCLOSURE ATTACK ON IS-RFID

The work by Peris et al. attempts to put forward a complete system named as Inpatient Safety RFID System (IS-RFID) [14]. The authors of the system base their proposal on the “five rights” [17, 18]: treating the right patient, with the right drug, in the right dose, in the correct way and at the right time. Although the approach identifies the goal correctly, it fails to protect the inpatient. The proposed system contains five elements and consists of four phases (Fig. 2). The elements are a HIS server, inpatient, nurse, medicine cart and a unit dose medication package. The phases are the drug packaging procedure, nurse station procedure, safe drug administration procedure and the monitoring procedure. The reader is assumed to be connected to the server via a secure channel.

The first phase starts with the doctor ordering the inpatient status, prescribing medicine and informing the HIS via his PDA. The HIS starts to track the inpatient and informs the pharmacy. In the drug packing procedure (Fig. 2), the pharmacy prepares the unit dose medication of the patient, by using an AMD. It then sends the inpatient identification number (Inpatienti) and the Unit Dose Medication Number (UDi) in a tuple {Inpatienti, UDi, Additional Info}, back to the HIS. In the Nurse Station Procedure, the nurse downloads the inpatient records into a PDA, dedicated specifically to her. The inpatient data {Inpatienti, UDi, ti, Additional Info} now has a timestamp ti, controlling the time to administer the drug. The third phase is the drug administration procedure which is off-line and divided into two parts. As shown in Fig. 2, the first part is the verification process. The same nonce rp is sent to the inpatient’s wristband and the unit dose medication pack. Both tags generate their own nonces rW, rM, encrypt their tag ID by the use of the tag PRNG and reply to the reader. Neither the seeding of PRNG(Inpatienti, rp, rW), nor the function PRNG(UDi, rp, rM) are explained. The PDA uses the received nonces to calculate its own version of the authenticators. The calculated values are matched with the received ones. After a successful match, a log is created and a confirmation is given to the nurse to administer the medicine.

[Figure 2 content, as recovered from the extracted text. Entities: HIS, Nurse Station, Nurse, Cart, Unit Dose Medications, Patient.]

1. Drug Package Procedure: Pharmacy prepares the unit dose medications of an inpatient and puts the same unit dose identification tag on the packages. Links inpatient to her unit dose medications and informs HIS.

2. Nurse Station Procedure: Medication cart arrives from the pharmacy. Nurse logs in to HIS and downloads the data of the unit dose medications to be administered at the given period, at the given floor.
   Messages: Mutual Authentication; Request; {Inpatient1, UD1, t1}, ..., {Inpatienti, UDi, ti}, ..., {InpatientN, UDN, tN}

3. Safe Drug Administration Procedure: Verification process: 2 steps. Evidence generation process: 6 steps.
   Verification process:
      Request, rP (sent to the wristband and to the unit dose medication)
      rW, PRNG(Inpatienti, rP, rW) and rM, PRNG(UDi, rP, rM)
      Matching Verification √
   Evidence generation process:
      ti
      r’W, mT, where mT = PRNG[Inpatienti ⊕ r’W ⊕ PRNG(ti) ⊕ PRNG(KInpatienti)]
      mT
      r’M, mUD, where mUD = PRNG[UDi ⊕ r’M ⊕ PRNG(mT) ⊕ KUDi]
      mUD
      mTUD, where mTUD = PRNG[Inpatienti ⊕ mT ⊕ PRNG(mUD) ⊕ KInpatienti]
      ei = (Inpatienti, UDi, ti, r’W, r’M, mTUD)
      Evidence Generation √
      ei, sign(ei)
   Nurse visits next inpatient. Nurse returns from visit.

4. Monitoring Procedure: Nurse returns to Nurse Station and uploads her data to HIS via the station PC. HIS checks the Inpatient, administered medicine match and the time of administration. If there is a mismatch or time violation an alarm is generated.
   Messages: {Inpatient1, UD1, t1, e1, sign(e1)}, ..., {Inpatienti, UDi, ti, ei, sign(ei)}, ..., {InpatientN, UDN, tN, eN, sign(eN)}

Fig. 2. The IS-RFID system [14].

The second part of drug administration is a separate phase for generating evidence, using a grouping proof. The reader sends the timestamp ti to the inpatient’s tag. The inpatient’s tag generates a new nonce, prepares mT using the shared secret KInpatienti and sends them to the reader. The reader stores the nonce and passes mT to the medicine pack. Observe that an active attacker can block and send bogus mT to the medicine pack, resulting in wrong evidence in spite of a good first phase. The medicine pack’s tag generates a new nonce, calculates message mUD using the shared secret KUDi and sends it back. The reader stores the nonce and passes the evidence mUD to the patient’s tag. Finally, the patient’s tag uses mUD to generate mTUD and sends it back to the reader. Hence the proof mTUD is formed by hopping from tag to tag, within a short period of time. Bogus mUD and mTUD attacks are still possible. The reader takes mTUD and generates the evidence ei = {Inpatienti, UDi, ti, r′W, r′M, mTUD}. The nurse enters a password and the PDA signs the evidence by an unexplained function sign(ei). The PDA now has an updated tuple {Inpatienti, UDi, ei, sign(ei), Additional Info} stored, ending the third procedure. In the Monitoring Procedure the nurse transfers the stored tuples to the HIS. The HIS examines the evidence and the medicine administration times, calculates its own mT, mUD, mTUD values and matches them to the received mTUD. If there is an error, an alarm is generated for the related inpatient.

A. Ambiguities, Vulnerabilities, Disadvantages of IS-RFID

The IS-RFID system has some ambiguities. The first is the use of PRNG as an encryption algorithm as in PRNG(Inpatienti, rp, rW), which is not clear. To the best of our knowledge there is no formal proof of using a PRNG as an encryption or hashing algorithm [19]. Besides, a special tag is required to give the inputs to calculate PRNG(Inpatienti, rp, rW). The public availability of PRNG functions means any PRNG(x) value can be pre-calculated, for a given input x [19]. Secondly, the signing function of generated evidence by the nurse is unexplained. Thirdly, if a complication occurs during the medication of a patient, the responsibility of the results of remaining medication by a second nurse is ambiguous. Every nurse has her own PDA and password; therefore if the second nurse makes an error, the previous gets the responsibility. If a second PDA is used, it causes a discontinuation of the tuples and the medication of patients has to be split by a special procedure.

The IS-RFID system has vulnerabilities, too. A serious vulnerability is the intentional or unintentional switching of two inpatient wristbands. Unless facial recognition is provided, wrong medication detection is not possible. A photo of the inpatient on the PDA screen is a good way to differentiate patients among many in a room, because UHF tags are read in numbers, from meters away. A second vulnerability is the probability of success of a brute force attack, which is stated as being bounded by $2^{32}$, due to the 16 bit PRNG of the UHF tags. But in the same work, the birthday paradox is put forward. An eavesdropper has to wait approximately 256 ($2^{n/2}$) sessions to find a collision in 16 bit systems [20]. A third vulnerability is that neither the doctor nor the nurse is authenticated during their interaction with the patient and the medicine. They do not even have an identification tag.

The IS-RFID system has disadvantages, also. The first is the UHF technology used. Unintended inpatient tags in a room can also be read. A second disadvantage is dedicating a PDA for every nurse. This is costly in hospitals where there are many clinics and many shifts. A third disadvantage is the unavailability of cheap UHF readers in the form of PDAs. Another disadvantage is the repeated calculations for every inpatient in the hospital, certainly an inefficient use of digital technology [12]. Finally, the lack of consideration of HL7 standards is another disadvantage, because any incompliant solution is unlikely to be endorsed by the organization.

B. Full-Disclosure Attack on IS-RFID

1) Assumptions and Attacker Model:

It is common in RFID to assume that the channel between the reader and the server is secure and the channel between the reader and the tag is insecure. The reader is a resourceful hardware and has the capacity to support sophisticated cryptographic security tools. Therefore, the attackers of RFID mostly target the exchange between the reader and the tag. Our attacker or adversary model is not as strong as in the Dolev-Yao model, where the adversary is assumed to have the capability of listening, blocking, changing and even injecting messages into an exchange [21]. For our attacker it is enough to have two basic capabilities that are both used for passive eavesdropping of the messages exchanged. First, the attacker is assumed to possess an RFID reader, loaded with a pre-calculated table such as Table 1. Table 1 is assumed to contain the outputs of $2^{16}$ (65,536) possible inputs of the public-deterministic PRNG of the tags. A rogue reader is assumed to be always present, in open environments [8, 14]. Second, the attacker assumedly can mimic a relative visiting a patient who mistakenly enters targeted inpatient’s room, very briefly. The same assumptions apply in Sections III and IV.

2) The Attack Scenario on IS-RFID:

An attack which succeeds in full-disclosure of the secret Inpatienti and the shared key KInpatienti inside a tag is named as a full-disclosure attack. It is a devastating attack because it may lead to copying the disclosed secrets into a blank tag and imitating the original. A work by Yen et al. studies Peris et al.’s work in detail [22]. In that work, the most important weakness of the IS-RFID system is demonstrated as the possibility of generating counterfeit evidence, by the hospital. Another weakness pointed out is the lack of tag secrets’ presence in the Safe Drug Administration Procedure. The danger of a cloned, illegitimate tag’s presence is pointed out. We demonstrate this attack below, which leads to wrong inpatient medication.

TABLE I. A TYPICAL PRE-CALCULATED TABLE

| INPUT = input       | Output = PRNG(input) |
|---------------------|----------------------|
| 0000 0000 0000 0000 | 0000 0010 0000 0000  |
| 0000 0000 0000 0001 | 0010 0110 0000 0010  |
| ...                 | ...                  |
| 1111 1111 1111 1111 | 0100 0111 1100 0110  |

According to Peris et al. (Fig. 2), the input (Inpatienti, rp, rW) gives a deterministic output as PRNG(Inpatienti, rp, rW). Looking at Table 1, the corresponding output of an input or the corresponding input of an output can be easily found. The attacker enters the room of an inpatient with the rogue reader. The rogue reader sends a request {request, c} to the conveyer, where c is the attacker’s constant nonce. The tag answers with {rW, PRNG(Inpatienti, c, rW)}. The output column of Table 1 is searched to find the value of PRNG(Inpatienti, c, rW). When found, the corresponding input is read. Thus, input = (Inpatienti, c, rW). If (Inpatienti, c, rW) is an XOR operation, then Inpatienti = input ⊕ c ⊕ rW. If instead PRNG(Inpatienti, c, rW) = [PRNG(Inpatienti) ⊕ PRNG(c) ⊕ PRNG(rW)], the table has to be searched 3 times. The corresponding output values of PRNG(c) and PRNG(rW) are obtained. Then, PRNG(Inpatienti) is obtained by XORing PRNG(Inpatienti, c, rW) with the values above. To isolate Inpatienti, Table 1 is referred to again. The process takes around 10 seconds with a multi-core notebook.

Next, the evidence generation procedure is eavesdropped, for just one round. Consider the first reply {r′W, PRNG(Inpatienti ⊕ r′W ⊕ PRNG(ti) ⊕ PRNG(KInpatienti))} to the request {ti}, in the evidence generation of Fig. 2. The Inpatienti was captured previously, r′W is sent in clear text, the value of PRNG(ti) can be obtained from Table 1. Thus the only unknown in the reply is PRNG(KInpatienti). Using Table 1 as a look-up table, the value of PRNG(Inpatienti ⊕ r′W ⊕ PRNG(ti) ⊕ PRNG(KInpatienti)) is found and the corresponding input is read; which is equal to [Inpatienti ⊕ r′W ⊕ PRNG(ti) ⊕ PRNG(KInpatienti)]. PRNG(KInpatienti) is obtained after three XOR operations. The last step is a look-up that gives KInpatienti.
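The two Table 1 look-ups described above, as an added simulation that is not code from the paper or from the IS-RFID authors. It assumes the unexplained combination (Inpatienti, rp, rW) is an XOR, and uses a constructed 16-bit permutation `prng` as a stand-in for the tag PRNG; the class, the function names and the sample secrets are hypothetical. It shows that a public, deterministic 16-bit function gives the tag replies no confidentiality.

```python
import secrets

MASK = 0xFFFF  # EPC Gen-2 tag values are 16 bits wide


def prng(x: int) -> int:
    """Constructed stand-in for the public, deterministic 16-bit tag PRNG.

    Assumption: a permutation of 0..65535 (each step below is invertible),
    so every output in Table 1 maps back to exactly one input.
    """
    x &= MASK
    x ^= x >> 7
    x = (x * 0x9E37 + 0x1234) & MASK  # odd multiplier: bijective mod 2^16
    x ^= x >> 9
    return x


# Table 1 of the paper: all 2^16 inputs with their outputs, plus the reverse map.
TABLE = [prng(i) for i in range(1 << 16)]
INVERSE = {out: inp for inp, out in enumerate(TABLE)}


class WristbandTag:
    """Simulated inpatient tag following the IS-RFID messages of Fig. 2."""

    def __init__(self, inpatient_id: int, key: int):
        self._id = inpatient_id & MASK
        self._key = key & MASK

    def verification_reply(self, r_p: int):
        """Verification process: reply {rW, PRNG(Inpatient_i, rP, rW)}."""
        r_w = secrets.randbits(16)
        return r_w, prng(self._id ^ r_p ^ r_w)  # XOR combination is assumed

    def evidence_reply(self, t_i: int):
        """Evidence generation: reply {r'W, mT} to the timestamp t_i."""
        r_w2 = secrets.randbits(16)
        m_t = prng(self._id ^ r_w2 ^ prng(t_i) ^ prng(self._key))
        return r_w2, m_t


def recover_id(r_p: int, r_w: int, authenticator: int) -> int:
    """One reverse look-up, then XOR away the two values sent in clear."""
    return INVERSE[authenticator] ^ r_p ^ r_w


def recover_key(inpatient_id: int, t_i: int, r_w2: int, m_t: int) -> int:
    """Reverse look-up of mT, three XORs, then a final reverse look-up."""
    prng_of_key = INVERSE[m_t] ^ inpatient_id ^ r_w2 ^ prng(t_i)
    return INVERSE[prng_of_key]


def demo():
    """Run both phases against a tag holding constructed sample secrets."""
    tag = WristbandTag(inpatient_id=0x3C5A, key=0xB7E1)  # constructed values
    r_p, t_i = 0x0C0C, 0x5A10                            # constructed nonce, timestamp
    r_w, authenticator = tag.verification_reply(r_p)
    found_id = recover_id(r_p, r_w, authenticator)
    r_w2, m_t = tag.evidence_reply(t_i)
    found_key = recover_key(found_id, t_i, r_w2, m_t)
    return found_id, found_key


if __name__ == "__main__":
    found_id, found_key = demo()
    print(f"recovered Inpatient_i = {found_id:#06x}, K_Inpatient_i = {found_key:#06x}")
```

Both secrets fall out of one verification reply and one evidence reply because the only unknowns sit inside a function whose full input/output table fits in memory.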

Suppose two pairs of Inpatienti and KInpatienti values are captured. Each pair can be written into a hardware device with a strong RF antenna, at a different location [23]. We do not intend to implement any, but there are works on tag emulators. For not serving hackers, we stop short of listing them. As the final step of the attack, if the emulators are placed next to inpatients with switched Inpatienti and KInpatienti values, the switch of the identities is complete. The nurse cannot notice the presence of a rogue tag or the switch, because she does not come close to the UHF tag. The nurse follows normal procedure and administers wrong medicine to both patients. The evidence generation is easy and straight forward. Once the timestamp is played by the nurse PDA, the emulator calculates its reply. Next the medicine tag uses the mT to calculate the reply mUD, which is simply accepted by the emulator. Forming the last message mTUD is not difficult since all of the terms are available. The rogue tag plays the mTUD and the nurse PDA saves the evidence ei = {Inpatienti, UDi, ti, r′W, r′M, mTUD}.

Evidence generation of IS-RFID has other weaknesses, as well. The authors themselves declare that the verification phase and the evidence generation are completely independent and an improvement is necessary to link them, in order to guarantee causality. Not only is causality at risk, but all evidence generation in a clinic can be rendered void. By simply sending bogus messages instead of ti, mT, mUD or mTUD, the receiver is tricked into generating false evidence.

Just to mention briefly, although work [22] offers an alternative for IS-RFID, it has the same weakness. The inpatient tag replies with a PRNG(IDPatienti ⊕ r0 ⊕ KPatienti), where r0 is a nonce passed in clear-text and KPatienti is the inpatient tag secret. Using the Table 1 attack, first the value of (IDPatienti ⊕ KPatienti) is exposed. Later, in evidence generation, the individual values of IDPatienti and KPatienti are captured. The details of the attack are the same and will not be repeated.

IV. FULL DISCLOSURE ATTACK ON C.-L. CHEN, AND C.-Y. WU’S PROTOCOL

A second work describing a complete ubiquitous system is by Chen and Wu [11]. The work criticizes the above work for offering architecture and not a full application. Furthermore, lack of mutual authentication and the searching cost for identifying a tag are also noted. Chen and Wu then make a grouping proof proposal that does not require a server for verification of the proof. Even though a lot of care is given to the message exchange between the reader and the server, the same care is not shown in the authentication of the tags. The authentication phase, shown in Fig. 3, does not take the known algebraic attacks on RFID authentication protocols, into consideration [16]. The failure to provide the necessary algebraic security of the exchanged messages leads to the collapse of the protocol, after our full-disclosure attack.

A. Attack scenario on the Scheme of [11]

The attack on the protocol starts by identifying the weakest algebraic messages. These are C9 (1.2), C10 (2.3), C13 (3.5) and C15 (4.4), in Fig. 3. An attacker stays briefly near an inpatient with the rogue reader. A bogus message C9 is sent to the tag. The tag calculates a R′R2 and replies with C10, C11 and C12. Sending bogus C9 can be repeated as many times as the attacker likes, because RFID tags reply to every request. The attacker stores C9, C10, C11 and C12 for each C9 challenge and continues challenging the tag until C11 = {0000 0000 0000 0000, 0000 0000 0000 0001, 0000 0000 0000 0010, 0000 0000 0000 0100, ……., 1000 0000 0000 0000, 1111 1111 1111 1111}. There are 18 special values, where C11’s bits are either all zeros, all ones or only one of the bits is “1”. When a special case occurs at the mth challenge, the attacker starts analyzing the collected data. XORing equations (1.2) and (2.3) of Fig. 3 for the mth challenge and using XOR’s associative and commutative theorems:

Fig. 3. The scheme of work [11].

$$C_9^m \oplus C_{10}^m = R_P^m \oplus R_{R2}^m \tag{8.1}$$

Substituting for $R_{R2}^m$ in (2.4):

$$C_{11}^m = (S_1 \oplus R_P^m) - ((C_9^m \oplus C_{10}^m) \oplus R_P^m) \tag{8.2}$$

For the special case when $C_{11}^m$ = 0 or $C_{11}^m$ = 1111 1111 1111 1111, Equation (8.2) provides:

$$S_1 = C_9^m \oplus C_{10}^m, \quad \text{or} \quad S_1 = (C_9^m \oplus C_{10}^m) + 1 \tag{8.3}$$

For other special values where $C_{11}^m$ = {0000 0000 0000 0001, …….., 1000 0000 0000 0000}, we can generalize:

$$S_1 = C_{11}^m + (C_9^m \oplus C_{10}^m), \quad \text{if } R_P^m < C_{11}^m \tag{8.4}$$

$$S_1 = (2^2 \times C_{11}^m) - (C_{11}^m - (C_9^m \oplus C_{10}^m)), \quad \text{if } R_P^m > C_{11}^m \tag{8.5}$$

Hence, the value of $S_1$ is only dependent on the exchanged messages. $S_1$ is calculated and used later in the grouping proof message C19 (6.2). We continue the attack, by XORing $C_{11}^m$ in (8.2) with $R_P^m$ and simplifying:

$$C_{11}^m \oplus R_P^m = S_1 - (C_9^m \oplus C_{10}^m) \tag{8.6}$$

$$R_P^m = [(S_1) - (C_9^m \oplus C_{10}^m)] \oplus C_{11}^m \tag{8.7}$$

Hence $R_P^m$ is captured, which is also used in C19 (6.2).

Rewriting (2.3), we expose the shared constant $M_{group}$:

$$M_{group} = C_{10}^m \oplus R_P^m \tag{8.8}$$

Rewriting (1.2), we expose $R_{R2}^m$ just by XORing our bogus message $C_9^m$ with $M_{group}$:

$$R_{R2}^m = C_9^m \oplus M_{group} \tag{8.9}$$

Next we use $M_{group}$ with the recorded nth challenge values. From (8.9) we get $R_{R2}^n$ and from (2.3) we get $R_P^n$ as:

$$R_P^n = C_{10}^n \oplus M_{group} \tag{9.0}$$

Up to now we have captured $M_{group}$, $R_P^n$, $R_P^m$, $R_{R2}^n$, $R_{R2}^m$, $S_1$. Two recorded values of C12 (Fig. 3 (2.5)), are:

$$C_{12}^m = ((EPC_{Inpatient_i} \oplus R_P^m) - R_{R2}^m) \oplus M_i \tag{9.1}$$

$$C_{12}^n = ((EPC_{Inpatient_i} \oplus R_P^n) - R_{R2}^n) \oplus M_i \tag{9.2}$$

XORing (9.1) and (9.2), we get:

$$C_{12}^m \oplus C_{12}^n = ((EPC_{Inpatient_i} \oplus R_P^m) - R_{R2}^m) \oplus ((EPC_{Inpatient_i} \oplus R_P^n) - R_{R2}^n) \tag{9.3}$$

Simplifying known values as $c_1 = C_{12}^m \oplus C_{12}^n$, $c_2 = R_P^m$, $c_3 = R_{R2}^m$, $c_4 = R_P^n$, $c_5 = R_{R2}^n$, we get:

$$c_1 = ((EPC_{Inpatient_i} \oplus c_2) - c_3) \oplus ((EPC_{Inpatient_i} \oplus c_4) - c_5) \tag{9.4}$$

The value of EPCInpatienti can be obtained by using a binary calculator as follows, after a few trials. By approximating XOR (⊕) with addition (+), an approximate value for EPCInpatienti is obtained. Substituting the approximated value in (9.4) and readjusting, EPCInpatienti is exposed.

The capture of EPCInpatienti leads to a complete collapse of the protocol. Equations for C13 and C15; (3.5) and (4.4) are similar to those of C9 and C10. Equation for C16 (4.5) is similar to that of C11. Hence, after a similar analysis as in Section III, S2 is captured. In the next step, RM is exposed as in RP, and finally RR3 is exposed. The value of Mgroup is known, already. The shared secret of the medicine pack’s tag keyMedicinei is captured from C14 (3.6) with a similar table to Table 1. The output column is searched for the value of C14. When found, the input value inputC14 is obtained. The keyMedicinei is obtained by XORing inputC14 with the previously captured values:

keyMedicinei = inputC14 ⊕ EPCMedicinei ⊕ RR3 (9.5)

Following the same procedure above and using equation C18 (5.5) keyPatienti can be exposed because, the terms EPCInpatienti, RR2, S1, have been previously captured:

keyPatienti = inputC18 ⊕ EPCPatienti ⊕ RR2⊕ S1 (9.6)

With EPCPatienti and keyPatienti, the attacker is capable of creating a rogue tag as in Section III. The administration of wrong medication to the target inpatient without being detected is now complete.

The probability of identifying inpatients is important. The probability of a specific nonce value is $1/2^{16}$, assuming a perfect PRNG function. However, it is worth mentioning that an imperfect PRNG starts repeating same nonce values, well before its full period of $2^{16}$. The probability of capturing EPCPatienti is $18/2^{16}$, because of the condition on message C12 values (8.3), (8.4), (8.5). In theory a UHF RFID reader, reads approximately 1000 tags/sec [24]. Hence, theoretically a rogue reader can challenge the target tag 1000 times a second. Thus, the probability of meeting the condition on C12, where n is the number of seconds that pass, becomes:

$$\text{Probability of condition to hold} = (1000 \times 18 \times n) / 2^{16} \tag{9.7}$$

The probability becomes 1 in 3.64 seconds. Hence, an attacker has to spend only around 3.64 seconds in the room to capture enough data for analysis. And after recording just one round of medication, the keyPatienti is exposed.
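Equation (9.7) is a linear estimate: it counts the expected number of favourable nonces. The added example below (not from the paper) evaluates it next to the exact probability of at least one favourable nonce, and shows how the exposure time scales with nonce width. It assumes independent, uniformly distributed nonces (the text's "perfect PRNG") and, for the wider-nonce comparison only, that the count of 18 favourable values stays fixed.

```python
import math

NONCE_BITS = 16       # PRNG output width, from the text
FAVOURABLE = 18       # nonce values meeting the C12 condition, from the text
READS_PER_SEC = 1000  # theoretical UHF read rate cited from [24]

def linear_estimate(seconds, rate=READS_PER_SEC,
                    favourable=FAVOURABLE, bits=NONCE_BITS):
    """Equation (9.7): expected number of favourable nonces after `seconds`."""
    return rate * favourable * seconds / 2 ** bits

def exact_probability(seconds, rate=READS_PER_SEC,
                      favourable=FAVOURABLE, bits=NONCE_BITS):
    """P(at least one favourable nonce) = 1 - (1 - p)^k for k challenges."""
    p = favourable / 2 ** bits
    k = rate * seconds
    # expm1/log1p keep precision when p is tiny (wide nonces).
    return -math.expm1(k * math.log1p(-p))

def seconds_to_reach(target, rate=READS_PER_SEC,
                     favourable=FAVOURABLE, bits=NONCE_BITS):
    """Time needed until the exact probability reaches `target` (0 < target < 1)."""
    p = favourable / 2 ** bits
    return math.log1p(-target) / (rate * math.log1p(-p))

def exposure_table(widths=(16, 32, 64), target=0.99):
    """Seconds to reach `target` for each nonce width (assumed comparison)."""
    return {bits: seconds_to_reach(target, bits=bits) for bits in widths}

if __name__ == "__main__":
    print("linear estimate at 3.64 s :", round(linear_estimate(3.64), 4))
    print("exact probability at 3.64 s:", round(exact_probability(3.64), 4))
    for bits, secs in exposure_table().items():
        print(f"{bits}-bit nonce: {secs:.3g} s to reach 99%")
```

At 3.64 seconds the exact probability is about 0.63, and 99% is reached after roughly 17 seconds, so the paper's conclusion that exposure takes seconds still holds for a 16-bit nonce.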

V. DISCUSSIONS

The IS-RFID and proposal [11] fail to meet their goal of enhancing inpatient medication safety, because our full-disclosure attack can harm a patient. This outcome contradicts the major patient safety goals in [4]. The weaknesses of authentication protocols using the EPC Gen-2 tag PRNG have also been studied in many works. These can be found on a regularly updated site, http://www.avoine.net/rfid/index.php. But we keep the scope on works studying safe patient medication.

Attacks against protocols using the CRC as an encryption algorithm have been presented in many works, also listed at http://www.avoine.net/rfid/index.php. While describing IS-RFID, Peris et al. demonstrate an attack on a CRC-based protocol. Work [16] reveals the general properties of the CRC function and shows how its use introduces weaknesses into a number of protocols. Therefore, it can be generalized that medication safety based on protocols which use the CRC or the PRNG of an EPC Gen-2 tag is not safe [13, 14, 16, 19]. The weak encryption obtained by the CRC or the PRNG is the main reason for critical data disclosure. But CRC and PRNG are the only available functions in the EPC Gen-2 tags. For confidentiality of critical data, alternatives which contain true encryption algorithms are necessary. This means that, contrary to claims by Peris et al., tags with higher security standards than the IS-RFID tags are needed.

Another characteristic that would have prevented the attacks is the operating distance. In UHF technology, the nurse does not have to approach the tag of an inpatient. If the nurse had used a technology which required her to come very close to the tag, she might have been protected from the diversion of the rogue tag. Such a physical requirement removes the danger of reading a rogue tag and of eavesdropping by an adversary from meters away.

Our attack is not the only one against ISO 18000-6 RFID tags. There are four types of attacks that are discussed in works [8, 16, 23]. In brief, they are interception, interruption, modification and fabrication attacks. Each attack has some countermeasures, but recommendations are not enough to guarantee patient safety, because of the limited resources of ISO 18000-6 tags. In other words, a better technology with shorter reading distances and strong cryptographic resources for encryption and integrity is required.

The use of strong cryptographic primitives instead of a simple 16-bit PRNG function would increase the security level but also lead to other hardware requirements. Normally, one would expect a considerably higher cost for a higher technology solution. Alternative tag prices may be higher, but the same is not true for a complete solution. In their cost analysis, Peris et al. calculate a total cost for a floor with 5000 inpatients/year, 3 unit-dose/day, 3 nurses on each floor and an average hospital with 8 floors. The cost of the HIS and AMD are excluded, because those are included in the overall cost of the hospital. The cost of an EPC Gen-2 tag is given as $0.5/tag, including the plastic package of each unit-dose. Every nurse is equipped with a PDA, astonishingly priced at $300. To the best of our knowledge, a mobile UHF Gen-2 reader costs around $1027. On the other hand, a popular Near Field Communication (NFC) enabled tablet (Google Nexus 7) costs around $199. The prices of UHF RFID readers are not in a plunging trend, as in the NFC technology. Therefore, the dropping costs of alternative tag types and readers make their initial investment increasingly comparable to that of UHF tags.

VI. CONCLUSION

The use of grouping proof protocols with EPC Gen-2 tags in inpatient medicine administration has been questioned. Analysis of two protocols using the available PRNG in EPC Gen-2 shows that the proposed protocols are not safe. The cryptographic weakness of the PRNG, the reading distance and numerous other analyses demonstrate that grouping proof proposals using the PRNG in EPC Gen-2 type tags put inpatient medication safety into jeopardy. Smarter tags with shorter operating distance, longer key size and better cryptographic primitives are needed.

REFERENCES

[1] J. L. Bootman et al., Preventing Medication Errors: Quality Chasm Series [Online]. Available: http://www.iom.edu/~/media/Files/Report%20Files/2006/Preventing-Medication-Errors-Quality-Chasm-Series/medicationerrorsnew.pdf, July 2006.

[2] J. Hickner, A. Zafar, G. M. Kuo, et al., “Field test results of a new ambulatory care medication error and adverse drug event reporting system—MEADERS,” Ann. Fam. Med., vol. 8, pp. 517–525, 2010.

[3] The Joint Commission on Accreditation of Healthcare Organizations., 2010 National Patient Safety Goals (NPSGs) [Online]. Available: http://www.allhealth.org/BriefingMaterials/Joint Commission -Oct2009-2010NationalPatientSafetyGoals-1722.pdf, 2009.

[4] K. G. Shojania, B. W. Duncan, K. M. McDonald, et al., “Safe but sound: Patient safety meets evidence-based medicine,” J. Am. Med. Assoc. vol. 288, pp. 508–513, 2002.

[5] J.K. Aronson, “Medication errors: what they are, how they happen, and how to avoid them,” An International Journal of Medicine, vol. 102 (8), pp. 513–521, 2009.

[6] A. Juels, “Yoking-proofs for RFID tags,” in Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops., Orlando, PerSec ’04, Florida, 2004, pp. 14-17, 138–143.

[7] J. Saito, K. Sakurai, “Grouping proof for RFID tags,” in Conference on Advanced Information Networking and Applications, Taichung, AINA, 2005, vol. 2 pp. 621–624.

[8] P. P. Lopez, A. Orfila, J. C. Henandez-Castro, and J. C. A. van der Lubbe, “Flaws on RFID grouping-proofs guidelines for future sound protocols”, J. of Network and Computer Appl., vol. 34(3), pp.833–845, 2011.

[9] F. Wu, F. Kuo, and L.-W. Liu, “The application of RFID on drug safety of inpatient nursing healthcare,” in: Proceedings of the 7th International Conference on Electronic Commerce, New York, ICEC ’05, pp. 85–92, 2005.

[10] P.R. Sun, B.H. Wang, and F. Wu, “A new method to guard inpatient medication safety by the implementation of RFID,” Journal of Medical Systems, vol: 32 (4), pp. 327–332, 2008.

[11] C.-L. Chen, and C.-Y. Wu, “Using RFID Yoking Proof Protocol to Enhance Inpatient Medication Safety,” Journal of Medical Systems, vol. 36(5), pp. 2849-2864, 2012.

[12] H.-H. Huang, and C.-Y. Ku, “A RFID grouping proof protocol for medication safety of inpatient,” Journal of Medical Systems, vol. 33 (6), pp. 467-474, 2009.

[13] H.-Y. Chien, C.-C. Yang, T.-C. Wu, and C.-F. Lee, “Two RFID-based solutions to enhance inpatient medication safety,” Journal of Medical Systems, vol: 35(3), pp. 369-375, 2011.

[14] P. P. Lopez, A. Orfila, A. Mitrokotsa, and J. C. A. van der Lubbe, “A comprehensive RFID solution to enhance inpatient medication safety,” International J. of Medical Informatics, vol. 80(1), pp. 13–24, 2011.

[15] Health Level Seven International [Online]. Available: http://www.hl7.org/implement/standards/index.cfm?ref=nav, 2013.

[16] T. van Deursen, and S. Radomirovic, "Algebraic Attacks on RFID Protocols," in Information Security Theory and Practices. Smart Devices, Pervasive Systems, and Ubiquitous Networks, Brussels, WISTP, pp. 38-51, 2009.

[17] D.M. Benjamin, “Reducing medication errors and increasing patient safety: case studies in clinical pharmacology,” Journal of Clinical Pharmacology vol: 43(7) pp. 768–783, 2003.

[18] B.J. Wakefield, D.S. Wakefield, T. Uden-Holman, and M.A. Blegen, “Nurses’ perceptions of why medication administration errors occur,” MedSurg Nursing vol: 7 (1), pp. 39-44, 1998.

[19] A-K. Wickboldt, and S. Piramuthu, "Patient Safety through RFID: Vulnerabilities in Recently Proposed Grouping Protocols," Journal of Medical Systems, vol: 36 (2), pp. 431-435, 2012.

[20] W. Stallings, “Mathematical Basis of the Birthday Attack” in Cryptography and Network Security, 4th Edition, Upper Saddle River: Pearson Education, pp. 346-350, 2006.

[21] D. Dolev, A.C. Yao, "On the security of public key protocols", IEEE Transactions on Information Theory, vol. 29, pp.198-208, 1983.

[22] Y.-C Yen, N.-W Lo, and T.-C. Wu, “Two RFID-Based Solutions for Secure Inpatient Medication Administration,” Journal of Medical Systems, vol: 36(5), pp. 2769-2778, 2012.

[23] P. J. Hawrylak, N. Schimke, J. Hale, and M. Papa, “Security Risks Associated with Radio Frequency Identification in Medical Environments,” Journal of Medical Systems, vol. 36(6), pp. 3491-3505, 2012.

[24] White Paper, EPC Global Class1 Gen2 RFID Specifications [Online]. Available: http://www.alientechnology.com/docs/AT_wp_EPCGlobal_WEB.pdf, 2005.