than Θ. The symbols in Θ0 can be much fewer than the sniffed S1 symbols. Then the adversary picks an arbitrary sniffed S2 symbol, denoted by s2, and uses each S1 symbol in Θ0 as a candidate matching symbol for s2 to derive a candidate phase of the backscattered RN16. The probability of a correct guess is simply 1/|Θ0|. Each rhythm-query round is about 2.179 ms long, and the average tapping-rhythm duration is 9.61 s in our experiments. So we need about 4,410 rounds to cover and detect an average tapping rhythm. The probability that the adversary can recover the correct tapping rhythm from sniffed signals can be estimated by P̃ = (1/|Θ0|)^n. For example, if |Θ0| = 24, 48, or 72, the adversary can succeed with negligible probability. Therefore, our phase-hopping protocol is highly effective against the basic rhythm-eavesdropping attack.

E. Resilience to Advanced Rhythm Eavesdropping

We also evaluate the resilience of RF-Rhythm to advanced rhythm-eavesdropping attacks in which the adversary has two sniffers at strategic locations. In Section VI-D, we identify a theoretical vulnerable region in which this attack can succeed. In this section, we show that the vulnerable region may not be easily found by an adversary with reasonable equipment. In this evaluation, we assume that the adversary places his second sniffer d1 from the RFID reader and d2 from the RFID card.
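The two estimates this section relies on, worked through as an added example (not code from the RF-Rhythm paper): the basic-attack probability P̃ = (1/|Θ0|)^n with n derived from the round length and rhythm duration given above, and the Section VI-D feasibility condition (P_CW,d1 ≥ τdec and P_BS,d2 ≤ τrx) checked over the Table IV rows using the τrx and τdec values reported later in this section. The extra_loss_db parameter and the outward sweep along the reader-card-sniffer line are my modelling assumptions.

```python
import math

# Sniffer thresholds measured in the paper (dBm): minimum power it can
# detect (tau_rx) and minimum power it can decode (tau_dec).
TAU_RX = -81.21
TAU_DEC = -55.98

# Table IV as printed on the page: d0 in inches, P_CW,d1 and P_BS,d2 in dBm,
# measured with the sniffer 40 inches from the card (d1 = d0 + 40).
TABLE_IV = [
    (10, -3.30, -27.91),
    (40, -7.98, -27.00),
    (80, -10.15, -24.02),
    (120, -14.52, -26.43),
]

def query_rounds(rhythm_s=9.61, round_ms=2.179):
    """Rhythm-query rounds needed to cover one average tapping rhythm."""
    return round(rhythm_s * 1000 / round_ms)

def log10_success_probability(theta_size, n_rounds):
    """log10 of P~ = (1/|Theta0|)^n for the basic attack; kept in the log
    domain because the plain value underflows to 0.0 for n around 4410."""
    return -n_rounds * math.log10(theta_size)

def required_margin_db():
    """Minimum P_CW,d1 - P_BS,d2 for the advanced attack: tau_dec - tau_rx."""
    return TAU_DEC - TAU_RX

def advanced_attack_feasible(p_cw, p_bs, extra_loss_db=0.0):
    """Section VI-D condition: the sniffer must still decode the reader's CW
    (P_CW,d1 >= tau_dec) while the tag's backscatter sits below its detection
    floor (P_BS,d2 <= tau_rx). extra_loss_db (assumption) is the added path
    loss from moving the sniffer outward on the reader-card-sniffer line; in
    that topology both signals lose the same amount, so their difference is
    unchanged by the move."""
    return (p_cw - extra_loss_db) >= TAU_DEC and (p_bs - extra_loss_db) <= TAU_RX

def first_feasible_loss(p_cw, p_bs, step_db=0.5, max_loss_db=120.0):
    """Sweep the sniffer outward in step_db increments; return the first extra
    loss at which the attack becomes feasible, or None if it never does (which
    is guaranteed whenever p_cw - p_bs < required_margin_db())."""
    loss = 0.0
    while loss <= max_loss_db:
        if advanced_attack_feasible(p_cw, p_bs, loss):
            return loss
        loss += step_db
    return None
```

For every Table IV row the sweep returns None, which is the paper's conclusion that no sniffer position on the line satisfies both conditions; a constructed point such as (-30.0, -60.0), whose margin exceeds 25.23 dB, does find a feasible position.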
For simplicity, we assume that the reader, tag, and sniffer are on a straight line. This is a reasonable assumption because most commonly used RFID antennas are directional with a relatively focused and narrow radio wave beam. We implement an EPC Gen2 RFID reader prototype [11] on an NI USRP 2954R and assume that the adversary has a similar sniffer device. We also use an R&S FSVR7 real-time spectrum analyzer for signal measurements. Recall that τrx and τdec denote the minimum signal strengths at which the sniffer can detect and decode RFID signals, respectively. According to our measurements, τrx = −81.21 dBm and τdec = −55.98 dBm.

To emulate the attack, we vary the RFID card-reader distance d0 from 10 to 40, 80, and 120 inches. For each d0 value, we measure the CW signal strength PCW,d1 and the backscattered signal strength PBS,d2 at d2 = 40 inches from the RFID card, which also corresponds to d1 = d0 + 40 inches. This location is regarded as the sniffer's initial location. The results are shown in Table IV. Since we assume the reader-card-sniffer line topology, PCW,d1 and PBS,d2 are attenuated by the same amount when d2 and equivalently d1 increase. According to our analysis in Section VI-D, the advanced eavesdropping attack succeeds if and only if PCW,d1 ≥ τdec and PBS,d2 ≤ τrx hold simultaneously. This requires PCW,d1 − PBS,d2 ≥ τdec − τrx = 25.23 dBm per our measurements. This requirement cannot be satisfied according to Table IV, so the advanced eavesdropping attack would fail.

TABLE IV
POWER MEASUREMENTS FOR ADVANCED RHYTHM EAVESDROPPING.

d0/inch   PCW,d1 /dBm   PBS,d2 /dBm   PCW,d1 − PBS,d2 /dBm
10        -3.30         -27.91        24.61
40        -7.98         -27.00        20.78
80        -10.15        -24.02        14.53
120       -14.52        -26.43        12.29

It is possible that a more capable adversary with advanced equipment can successfully overhear the legitimate user's tapping rhythm. Rather than being a perfect solution, RF-Rhythm aims only to enhance the security of a traditional RFID authentication system, which is naturally vulnerable to lost/stolen/cloned RFID cards. In other words, RF-Rhythm significantly raises the bar for launching successful attacks on RFID authentication systems.

F. Additional Results

We also evaluate the computational latency of RF-Rhythm. Our results show that the classifier training can be done in a few seconds, and each tapping rhythm can be classified in less than 1 ms. In addition, we use a questionnaire to confirm the high usability of RF-Rhythm. These results are omitted here due to space constraints.

VIII. RELATED WORK

Rhythm-based authentication for mobile devices has been explored. RhyAuth [3] is a two-factor rhythm-based authentication scheme for multi-touch mobile devices. It requires a user to perform a sequence of rhythmic taps/slides on a device screen to unlock the device. In the follow-on work, Beat-PIN [4] requires a user to tap the screen of a smartwatch to unlock it. RF-Rhythm differs significantly from RhyAuth and Beat-PIN in the application context, and uses totally different rhythm-extraction techniques, adversary models, and countermeasures.

There is also significant effort on RFID security. For example, novel cryptographic RFID authentication protocols are presented in [12]–[14]. Haitham [15] proposes RF-Cloak to prevent eavesdropping attacks by randomizing the modulation and channel. Selective jamming is proposed in [16] to prevent unauthorized inquiries to RFID tags. Zanetti and Danev [17] explore the time interval error, average baseband power and spectral features to fingerprint RFID tags. TapPrint [18] uses the phase of backscattered signals combined with the geometric relationship to fingerprint RFID tags. Hu-Fu [19] uses the inductive coupling of two tags to fingerprint them. RF-Mehndi [20] identifies an RFID card and its user simultaneously by exploring the backscattered signal changes induced by the user's fingertip on a specially built passive tag array. RF-Rhythm explores COTS RFID tags and is complementary to the above work.

The phase information of backscattered RFID signals has been explored in many applications, such as gesture recognition [21], [22], action recognition [23], [24], orientation tracking [25], mechanical features sensing [26], [27], and localization [28]. RF-Rhythm is the first work to extract a tapping rhythm from backscattered RFID signals and is orthogonal to the above work.

ACKNOWLEDGMENT

This work was supported in part by the US National Science Foundation under grants CNS-1514381, CNS-1619251, CNS-1651954 (CAREER), CNS-1700039, CNS-1718078, CNS-1824355, CNS-1933047, and CNS-1933069.