Attack and defense mechanisms of malicious EPC event injection in EPC discovery service

Su Mon Kywe, Yingjiu Li, Jie Shi
Published in: 2013 IEEE International Conference on RFID-Technologies and Applications (RFID-TA), 2013-09-01
DOI: 10.1109/RFID-TA.2013.6694532 (https://doi.org/10.1109/RFID-TA.2013.6694532)
Citations: 4

Abstract

Attack and defense mechanisms of malicious EPC event injection in EPC discovery service
A supply chain usually involves collaboration among multi-national companies, and it is well known that information sharing is a critical success factor in supply chain management. Electronic Product Code Discovery Service (EPCDS) is a newly proposed concept which allows supply chain companies to search for their unknown partners globally and share information efficiently. As EPCDS contains critical business information about partnership relationships and product movement, access control systems are integrated into EPCDS for privacy protection. Although currently proposed access control systems include authentication and authorization of supply chain companies, they do not consider authentication of the business information published by the companies. This vulnerability enables the malicious EPC event injection attack, where forged business information is registered to EPCDS by malicious parties. With such exploitation, adversaries can impersonate legitimate supply chain partners, bypass the access control systems of EPCDS and get access to previously unauthorized information. To the best of our knowledge, our paper is the first to discover the possibility of such an attack in EPCDS. Our paper discusses the threat model and different types of adversaries for the attack. We then present general defense mechanisms and define the security requirements of preventive measures. We also propose a new prevention mechanism, where pseudo-random numbers are generated by EPC tags and serve as authentication tokens for registering EPC events. Moreover, our paper analyzes how existing solutions, such as tailing, can be modified to detect malicious EPC event injection in EPCDS.