Analysis on Security and Privacy Guidelines: RFID-Based IoT Applications

The Internet of Things (IoT) comprises many technologies, among them Radio Frequency Identification (RFID), which can be used to track single or multiple objects. This technology is widely used in healthcare, supply chain, logistics, and asset tracking. However, such applications require a high level of security and privacy, and they are vulnerable to various attacks and threats that must be addressed for RFID-based IoT applications to reach their full potential. To this end, we propose a set of security and privacy guidelines for RFID that ties together modelling guidelines, mitigations, and attack vectors. We compare our work with the state of the art, point out the shortcomings of existing guidelines, and explain how our model addresses them. The overall methodology is as follows: (i) identify the security and privacy guideline features, (ii) highlight the security goals for RFID-based IoT applications, (iii) analyze the features in relation to RFID industrial standards and relate them to security goals, (iv) summarize attacks and threats against RFID applications and correlate them with the security goals they violate, (v) derive a set of security and privacy guidelines for RFID applications in accordance with security and privacy by design frameworks, and describe the derived guidelines in connection with the involved stakeholders, and (vi) outline the existing mitigation strategies that implement our proposed guidelines. Finally, we describe the main limitations of our work that should be investigated in the future and identify the multiple challenges facing current security strategies.


I. INTRODUCTION
Radio Frequency Identification (RFID) has been around for decades [1]. Ever since its first application, the number of RFID-enabled objects has been growing steadily. It can be considered a sensor technology that reduces the cost and complexity of data collection. With the rise of the Internet of Things (IoT), its market is expected to reach USD 35.6 billion by 2030 [2]. IoT improves the communication between applications and humans with the aim of integrating physical objects easily into it. Furthermore, IoT can be seen as a universal network that provides object-to-object, human-to-human, and human-to-object communication by assigning each physical object a unique digital identity [3], [4]. Therefore, every object must be associated with a unique identity to achieve the ultimate goal of IoT, and RFID can be considered a candidate platform for this purpose [5], because each RFID tag carries a unique identifier and can be embedded in or attached to an object. Its popularity for IoT stems from one of IoT's main requirements, namely providing every digital asset with a unique identity, which in turn makes assets addressable for exchanging information. Integrating RFID tags into IoT applications will support the unique identification of the billions of objects estimated to be connected to the Internet. Network-level connectivity for these objects can be provided by the Internet Protocol version 6 (IPv6) addressing scheme, whose 128-bit address space comfortably accommodates the hundreds of billions of addresses such applications may require [6].
The associate editor coordinating the review of this manuscript and approving it for publication was Cong Pu.
RFID-enabled solutions have found their way into almost every environment where digital assets need some kind of identification, tracking, and control, e.g., retail, smart homes, health care, smart traffic/cities, Industry 4.0, agriculture, and electricity. However, with them comes a plethora of security risks, which have been an ongoing challenge since the technology's inception [7]. While various solutions have been provided for specific problems and risks, a well-defined set of guidelines on the cybersecurity of RFID-enabled devices is still in high demand among RFID stakeholders, such as developers, customers, and manufacturers.
To date, a few research efforts in the state of the art have been directed toward this objective; all of them, however, have limitations, described below.
In [8], Ann Cavoukian proposes a set of privacy guidelines for RFID, such as protecting critical information, preventing physical tampering, and preventing tracking. Manufacturers and providers can use these guidelines when designing and implementing RFID applications. The main goal of these guidelines is to allow RFID technology to reach its full potential by addressing some of its privacy concerns (e.g., tracking and monitoring). However, she does not provide a comprehensive set of security and privacy guidelines (e.g., a secure kill command), nor does she identify the mitigation strategies necessary to implement the privacy guidelines. Furthermore, attacks and threats against RFID applications remain untouched.
In [9], the National Institute of Standards and Technology (NIST) proposes a set of security and privacy guidelines for RFID systems, such as encrypting tag data, secure tag disposal, preventing tracking, and minimizing interference. NIST also discusses some of the RFID standards and their security approaches. NIST, however, does not identify the RFID stakeholders who may benefit from its guidelines, nor does it discuss mitigation techniques that can be used to implement them. Furthermore, NIST does not address all known attacks and threats against RFID systems, nor does it investigate which security goals, such as confidentiality, integrity, and availability, they violate.
In [10], the authors highlight some of the RFID applications suitable for smart home environments. More importantly, they identify some security and privacy requirements suitable for such environments, such as a secure kill command, strong authentication, and preventing tracking, and they develop a security framework to fulfill them. However, the authors propose only the few requirements mentioned above. Furthermore, they neither identify attacks and threats against RFID nor state which security goals those attacks violate. In addition, they do not state the principles from which their requirements are derived.
In [11], Smart Border Alliance (SBA) conducted a study on RFID security and privacy, the main objectives of which are: (i) investigating privacy and security issues that may arise from the use of such technology, (ii) offering some recommendations that could be used to achieve its security and privacy requirements, (iii) highlighting only four security goals related to RFID applications, namely confidentiality, integrity, availability, and non-repudiation, and (iv) identifying some attacks on RFID.
However, SBA does not provide a comprehensive set of security and privacy guidelines for RFID, nor does it discuss all of their corresponding implementation approaches. For example, some RFID guidelines, such as supporting distance-based information, verifying all reader requests to tags, using unique security parameters, and secure disposal of tags, are not investigated, nor are their appropriate countermeasures. Furthermore, SBA does not identify the RFID stakeholders who can use its guidelines, nor does it state the principles on which its guidelines are based.
In [12], the authors suggest some security and privacy requirements for RFID-based IoT applications, such as a secure kill command, preventing tracking, and separating personal information from the tag identifier. The authors also highlight and discuss some of the security goals of RFID-based IoT applications, namely confidentiality, integrity, authenticity, availability, and reliability. However, the authors neither discuss attacks and threats against RFID applications nor identify the security goals they breach. Furthermore, the authors identify neither the RFID stakeholders who may use their requirements nor the principles from which they derive them.
In our previous work [13], published in the Journal of Sensor and Actuator Networks, we proposed a comprehensive set of security and privacy guidelines for IoT, covering computing nodes, protocols, and RFID. The main contribution of that work was to reinforce IoT security and privacy by design by shifting the mindset of IoT stakeholders (e.g., developers and manufacturers) toward integrating the derived guidelines, along with their corresponding mitigation techniques, into their applications from the start.
The present work, by contrast, focuses on RFID alone and addresses the limitations above as follows: (i) it provides the rationale under which each derived RFID guideline is stated, (ii) it reasons about which security goals each RFID attack violates, (iii) it identifies the relevant security by design and privacy by design principles, (iv) it discusses industrial standards for RFID and their recommended security mechanisms, (v) it states all RFID guidelines (e.g., encrypt data on tags), and (vi) it identifies all mitigation techniques (e.g., physical security controls). Table 1 summarizes previous research efforts in RFID and our intended objectives, represented as ''addressed features'', the most important of which can be classified as follows: (i) investigating the vast landscape of RFID along with its common attacks, (ii) identifying the security goals required to protect RFID, (iii) suggesting a set of security and privacy guidelines for RFID applications, and (iv) discussing existing mitigation strategies to implement the proposed guidelines.

A. MOTIVATION AND OBJECTIVES
The limitations summarized in Table 1 are easy to observe. Our research is therefore devoted to overcoming those drawbacks, which can be categorized as follows.
1) The lack of a complete list of security and privacy guidelines, together with a statement of whom such guidelines target in practice.
2) The need to identify appropriate mitigation strategies to implement the guidelines.
3) The need to investigate attacks associated with RFID and the security goals they violate.

B. CONTRIBUTION
The contributions of this work can be summarized as follows.
1) Highlight the security goals for RFID-based IoT applications and briefly discuss two widely known security and privacy by design frameworks.
2) Summarize possible threats and attacks against RFID and correlate them with the security goals they violate.
3) Define the following concepts in the scope of RFID-based IoT applications: security attack, secure device/application, security guideline, and privacy guideline.
4) Review and analyze the security mechanisms recommended by RFID industrial standards.
5) Propose a set of security and privacy guidelines for RFID-based IoT applications and provide the reasoning through which each guideline is derived from one or two principles of the security by design or privacy by design frameworks.
6) Discuss the main limitation of our work and identify the many problems and challenges that current security strategies face.

C. RESEARCH QUESTIONS
This article addresses the following questions:
1) RQ1: What are the key security goals required for RFID-based IoT applications? Can such security goals help define a secure device and a security attack within the scope of RFID-based IoT?
2) RQ2: What are the main current RFID industrial standards and their recommended security features? Are these recommended security features adequate to protect RFID systems?
3) RQ3: What are the main principles of security and privacy by design for RFID-based IoT systems? Can such principles help define a security guideline and a privacy guideline for such systems?
4) RQ4: What are the common attacks against RFID applications, and which security goals (confidentiality, integrity, availability, and so on) do they violate?
5) RQ5: What are the mitigation strategies suggested for RFID applications? Can these mitigation techniques be attributed to the identified attacks?
6) RQ6: What are the security and privacy guidelines suggested for RFID-based IoT? Is it possible to develop an RFID-based IoT security framework that links these mitigation techniques, guidelines, and attacks?

D. MANUSCRIPT ORGANIZATION
The remainder of the work is organized as follows.
In Section II, we give an overview of RFID in terms of its components, business model in the scope of IoT, applications, and key security challenges. In Section III, we outline RFID security goals and stakeholders in the IoT scope. In Section IV, we describe some of the RFID standards and analyze their recommended security mechanisms.
In Section V, we present current research on security and privacy by design frameworks in the scope of RFID-based IoT applications. In Section VI, we identify attacks on RFID applications and the security goals they violate. In Section VII, we discuss the countermeasures available to prevent possible attacks against RFID. In Section VIII, we propose guidelines for RFID-based IoT applications in association with the interested stakeholders. In Section IX, we explain the main drawback of this paper and discuss the open issues and challenges facing current security mechanisms. Finally, we draw our conclusions in Section X.

II. RFID BACKGROUND
This section first discusses the primary components of RFID technology and then describes the business model of RFID-based IoT applications. It also identifies the scope of RFID-based IoT applications and the key challenges of RFID security.

A. RFID SYSTEM COMPONENTS
Applications using RFID technology typically consist of four main elements (see Figure 1), described below.

1) AN RFID TAG
Sometimes called a transponder, the tag holds data for object identification. In general, a tag is a small electronic circuit attached to an antenna designed for wireless data transmission. A tag is embedded in or attached to an object and transmits data over the air in response to a reader request [14]. Each tag contains a unique identifier and may also offer other features, such as environmental sensors, security features, and memory to store additional data. The market consists of several types of tags, each with its own size, security mechanisms, cost, and performance [15]. Although some tags are designed to meet certain standards, they are often customized to specific application requirements. Identifying the key aspects of a tag helps those responsible for RFID applications recognize what their application and environment need. The main aspects of tags are the identifier format, the operating frequencies, the power source, and the functionality [16].
The identifier format used across industries is the Electronic Product Code (EPC) developed by the EPCglobal industry group [17]. An EPC consists of four data fields: (i) the header, which specifies the type (scheme) of EPC; (ii) the EPC manager ID, which uniquely identifies the organization responsible for assigning the object class and serial number bits; (iii) the object class, which identifies the class of objects (e.g., a particular model of television set); and (iv) the serial number, which uniquely identifies one item of that class, such as a certain television set [18]. Because the serial number never changes, a tag that answers every reader with its full EPC is a stable identifier for whatever it is attached to, which is the root of the tracking concerns discussed later.
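The following Python snippet is an added worked example, not code from the paper or from EPCglobal. It packs and unpacks the 96-bit General Identifier (GID-96) scheme of the EPC Tag Data Standard, whose field widths (8-bit header with value 0x35, 28-bit General Manager Number, 24-bit Object Class, 36-bit Serial Number) are taken from that standard; the function names and the sample values are ours and constructed for illustration.

```python
# Added example (not from the paper): encode and decode the 96-bit EPC General
# Identifier (GID-96) of the GS1 EPC Tag Data Standard. Field widths are the
# standard's: header 8, General Manager Number 28, Object Class 24, Serial 36.
# Function names and sample values are constructed for this illustration.

GID96_HEADER = 0x35  # header value that marks the GID-96 scheme

# (field name, bit width), most significant field first; widths sum to 96
GID96_FIELDS = (("header", 8), ("manager", 28), ("object_class", 24), ("serial", 36))


def _check_width(name: str, value: int, width: int) -> None:
    """Reject values that do not fit their field so no bits silently spill over."""
    if not 0 <= value < (1 << width):
        raise ValueError(f"{name}={value} does not fit in {width} bits")


def encode_gid96(manager: int, object_class: int, serial: int) -> str:
    """Pack the three fields under the 0x35 header; return 24 upper-case hex chars."""
    values = {"header": GID96_HEADER, "manager": manager,
              "object_class": object_class, "serial": serial}
    epc = 0
    for name, width in GID96_FIELDS:
        _check_width(name, values[name], width)
        epc = (epc << width) | values[name]  # append each field on the right
    return f"{epc:024X}"


def decode_gid96(hex_epc: str) -> dict:
    """Split a 24-hex-char EPC into its fields; refuse anything that is not GID-96."""
    if len(hex_epc) != 24:
        raise ValueError("GID-96 must be exactly 96 bits (24 hex characters)")
    epc = int(hex_epc, 16)
    fields, remaining = {}, 96
    for name, width in GID96_FIELDS:
        remaining -= width
        fields[name] = (epc >> remaining) & ((1 << width) - 1)
    if fields["header"] != GID96_HEADER:
        raise ValueError(f"header 0x{fields['header']:02X} is not the GID-96 header 0x35")
    return fields


def same_item(epc_a: str, epc_b: str) -> bool:
    """Two reads refer to the same physical item only if every field matches.
    The serial never changes, which is exactly what makes a static EPC a
    tracking handle for whoever carries the tagged object."""
    return decode_gid96(epc_a) == decode_gid96(epc_b)


if __name__ == "__main__":
    # Constructed sample: manager 1000000, object class 500, serial 123456
    epc = encode_gid96(1000000, 500, 123456)
    print(epc)                # 3500F42400001F400001E240
    print(decode_gid96(epc))  # {'header': 53, 'manager': 1000000, ...}
```

The decoder checks the header before trusting the layout: a reader that parses any 96-bit value as GID-96 would misattribute manager and object class for tags encoded under a different scheme (for example SGTIN-96, which has its own header value).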
Tags require a power source to execute their operations, such as storing and retrieving data, sending radio waves to a reader, and performing other computations (e.g., security mechanisms). Tags can be powered by the electromagnetic field of the reader or by an on-board battery, and they are classified into four categories by power source: passive, active, semi-active, and semi-passive [19].
Passive tags use the electromagnetic energy received from the reader's transmission to respond to the reader. The response signal of a passive tag, called the backscattered signal, contains only a small fraction of the power of the reader's signal, which significantly limits the operating range of the tag and allows only simple data processing.
Active tags depend on internal batteries, which power the on-board circuitry, communication with the reader, and other operations. Unlike passive tags, they can communicate over a wider range, but they are more expensive and have a finite battery life [20].
Semi-active tags are active tags that remain dormant until they receive a wake-up signal from the reader. Like active tags, they use their batteries to communicate with readers over longer distances, but their battery life is longer. However, in some instances (for example, when a tag passes a reader quickly), the wake-up procedure can introduce undesirable delays.
Semi-passive tags are passive tags that use a battery to power on-board circuitry; they still cannot generate their own return signal and rely on backscatter. These tags are often known as sensor tags because the battery can power sensors. They are more expensive and larger than passive tags but offer more functionality [21].

2) AN RFID TAG READER
The reader writes and reads tag data; a tag and a reader must follow the same standard to communicate with each other. If a tag uses a proprietary protocol, the reader must implement that protocol as well. Nevertheless, a reader has some characteristics that are independent of the tag: (i) duty cycle and power output, (ii) mobility, and (iii) antenna design.
The reader's duty cycle is most often determined by standards and regulation. It is the percentage of time that an RFID reader emits energy over a given period; for example, a reader that transmits for 30 seconds every minute has a 50% duty cycle. Readers need more transmit power when communicating with passive tags than with active tags, because the signal must be strong enough to reach and power the tag and still allow the backscattered response to return to the reader.
The reader's mobility depends on its back-end database interface, which can be wireless or wired. In most cases, wired readers are placed in fixed locations, whereas wireless readers can be moved between environments and, more importantly, can support different applications as they move.

3) AN RFID ANTENNA
Readers can use a wide variety of antenna types, and the coverage pattern depends on the type of antenna. To minimize the risk of eavesdropping and, at the same time, reduce interference, it is recommended to limit the reader's coverage area so that it reaches only the intended tags. Antennas may be embedded in an object or detachable [22].

4) A BACK-END DATABASE
It holds records associated with the tag contents. Generally, a reader decodes the tag data and passes it to local applications through middleware that acts as an interface between RFID applications and the reader [22]. This part is beyond the scope of this article, as we do not intend to propose guidelines for RFID data at rest, so we do not discuss it in detail.

B. BUSINESS MODEL OF RFID-IoT
The emergence of RFID technology has inspired IoT to connect physical objects to wireless networks so that raw data on object status, movement, position, and process can be exchanged [23]. The IoT is described as a large dynamic global network in which every physical and digital asset is individually recognized by a unique identifier that is used to quickly track its status [24]. IoT has made devices remotely accessible to users. As a result, RFID and sensor network technologies will lead to new challenges as information and communication systems become integrated into our daily lives. Interactions between objects and machines allow them to respond autonomously to certain situations; for example, a device can make decisions based on inputs from other machines. In general, the IoT ecosystem consists of three main layers: a perception layer, a network layer, and an application layer [25]. According to a study by [26], RFID-IoT systems should adopt a five-layer architecture to integrate RFID-IoT into business models: the perception, network, middleware, application, and business layers, as shown in Figure 2.
The aspects of each layer are described below.
1) Perception layer: Commonly known as the object layer, it consists of physical objects and sensor devices. Depending on the object identification technique, sensor objects may be infrared sensors, RFID tags, or barcodes. The main purpose of this layer is to collect and identify information from the various IoT objects attached to an item and from other IoT sensors such as proximity sensors, gyroscopes, and optical sensors. The collected information is then passed to the network layer to be encrypted and transmitted to the information processing system.
2) Network layer: Also referred to as the transmission layer, it transfers sensor object information from the perception layer to the middleware layer in a secure manner. Depending on the sensor devices, the transmission medium can be wireless (e.g., WiFi, infrared, Bluetooth) or wired.
3) Middleware layer: IoT objects implement various types of service, and each object communicates only with the other objects that implement the same service type. This layer is responsible for managing services and is connected to the database. It obtains information from the network layer, stores it in the database, processes it, performs ubiquitous computations, and, more importantly, makes decisions automatically based on the results.
4) Application layer: This layer offers global application management based on the object information handled within the middleware layer. IoT applications include the smart home, smart agriculture, etc.
5) Business layer: It is responsible for managing the entire IoT ecosystem, including applications and services. Based on the data received from the application layer, this layer constructs business models, graphs, flowcharts, and more.
A good business model determines the real success of IoT technologies. In particular, the determination of future actions and business plans depends on the analysis of results.

C. RFID-BASED IoT APPLICATIONS
RFID-based IoT applications can generally be classified into three categories: (i) supervising, (ii) monitoring, and (iii) tracking. Supervising evaluates and monitors the activities and behaviors of objects or users, generally without their knowledge [58], for example by recording object movements in the database. Monitoring observes the current state of an object by examining it periodically and raises a warning in the event of a change; for example, hospitals can use this technique to detect suspicious activity on objects and report it immediately [15]. Tracking identifies where moving objects are. Recently published studies on RFID-based IoT applications can be found in [59], [60], [61], [62], [63], and [64]. Table 2 classifies and summarizes RFID-based IoT applications according to their identification goals, abbreviations, and recently published articles.

D. RFID-BASED IoT CHALLENGES
Although RFID-based IoT applications appear promising, their technical and operational aspects also present a range of challenges, as discussed below.

1) SECURITY ISSUES
Because tags are built to a tight cost budget, they cannot adequately ensure security on their own. According to [65], this allows unauthorized users to communicate directly with a tag using a legitimate or an off-the-shelf reader. Once they have discovered tags and their contents, they can use the RFID system without permission through illegal means such as counterfeiting. In addition, tag contents can be read out and cloned, and read-write tags face the risk of their data being rewritten. Several researchers have worked on low-cost privacy and security protocols to increase their applicability [66], [67]. Many lightweight RFID solutions have been proposed, but they are still expensive, vulnerable to security risks, and do not fully address the security issues [58]. On this point, the author of [68] states that security concerns related to RFID tags can have major implications for individuals and organizations: tags that are not properly protected are easy targets for eavesdropping, DoS attacks, traffic analysis, and other attacks.

2) COLLISION PROBLEMS
The communication link between tags and readers is wireless and therefore exposed to electromagnetic interference. Simultaneous transmissions can lead to collisions, as readers and tags usually share the same wireless channel. Therefore, when building large-scale RFID applications, it is very important to use efficient anticollision protocols that can identify multiple tags in the same interrogation zone [69]. Many anticollision protocols have been proposed for RFID tag identification, such as query tree (QT) [70], binary tree (BT) [71], and frame-slotted ALOHA (FSA) [72]. Despite this, most protocols have an overall identification efficiency of less than 50% [73]. Developing new and better protocols requires first identifying the characteristics of an ideal identification protocol.
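To make the efficiency figure concrete, the following Python simulation is an added example, not part of the paper or of any standard. It models frame-slotted ALOHA in the simplest form: every unread tag picks one slot of a frame uniformly at random, a slot chosen by exactly one tag yields a read, and a slot chosen by several is a collision. The reader policies (a fixed frame size versus a frame size set to the number of tags still unread, an idealised version of the adaptive frame sizing real readers perform) and all tag counts are our assumptions.

```python
# Added example (not from the paper): Monte Carlo model of frame-slotted ALOHA
# (FSA) tag identification. Reader policies and tag counts are assumptions.
import random
from collections import Counter


def run_frame(unread: int, frame_size: int, rng: random.Random) -> int:
    """One FSA frame: each unread tag picks a slot uniformly at random.
    Returns the number of tags identified, i.e. slots chosen by exactly one tag."""
    occupancy = Counter(rng.randrange(frame_size) for _ in range(unread))
    return sum(1 for count in occupancy.values() if count == 1)


def slot_efficiency(tags: int, frame_size: int, frames: int = 2000, seed: int = 1) -> float:
    """Fraction of slots carrying exactly one tag when `tags` tags share a frame of
    `frame_size` slots. With tags == frame_size this tends to 1/e (about 0.368),
    the textbook ceiling for slotted ALOHA, well under the 50% the paper cites."""
    rng = random.Random(seed)
    identified = sum(run_frame(tags, frame_size, rng) for _ in range(frames))
    return identified / (frames * frame_size)


def identify_all_fixed(tags: int, frame_size: int, seed: int = 1) -> float:
    """Reader keeps using the same frame size until every tag is read.
    Returns tags / total slots consumed. Late frames are mostly empty,
    so overall efficiency falls well below the single-frame optimum."""
    rng = random.Random(seed)
    unread, slots_used = tags, 0
    while unread:
        unread -= run_frame(unread, frame_size, rng)
        slots_used += frame_size
    return tags / slots_used


def identify_all_adaptive(tags: int, seed: int = 1) -> float:
    """Idealised adaptive reader: frame size equals the number of unread tags
    (a perfect estimator, which real readers only approximate)."""
    rng = random.Random(seed)
    unread, slots_used = tags, 0
    while unread:
        frame_size = max(1, unread)
        unread -= run_frame(unread, frame_size, rng)
        slots_used += frame_size
    return tags / slots_used


if __name__ == "__main__":
    print(f"single frame, 64 tags / 64 slots: {slot_efficiency(64, 64):.3f}")
    print(f"fixed 64-slot frames until done:  {identify_all_fixed(64, 64):.3f}")
    print(f"adaptive frame size until done:   {identify_all_adaptive(64):.3f}")
```

The gap between the fixed and adaptive policies is the reason Gen2 readers adjust their frame size between rounds; a reader that does not will spend most of its slots listening to silence once the bulk of a population has been read.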

3) PRIVACY CONCERNS
As objects become more closely connected to each other and to people, protecting the privacy of large amounts of data and of users becomes an urgent task in RFID-based IoT applications. The ability to read personally correlated information without consent poses serious privacy concerns such as tracking, since tags can be embedded in or attached to any object or living being. In addition, unauthorized readers can violate privacy by accessing tags that lack adequate access controls. Even when the content of the tag is protected, privacy issues such as tracking remain possible because tag responses are predictable; for example, a traffic analysis attack can compromise location privacy. RFID applications still require privacy policies that take the total cost into account [68].

4) DESIGN AND INTEGRATION CHALLENGES
Two other problems have been the main hurdles to the widespread adoption of RFID. The first is design, since RFID technology still requires tags and readers designed to ensure highly reliable identification. The second is integration with existing applications, which requires efficient RFID middleware to connect new RFID systems to existing back-end infrastructure [74]. For interested readers, the authors of [75] provide an overview of the most well-known technologies and applications that have recently been integrated with RFID.

III. DEFINITION OF SECURITY GOALS AND STAKEHOLDERS IN THE SCOPE OF RFID
To answer RQ1, this section outlines RFID security goals and stakeholders and, above all, defines a secure object and a security attack.
The literature divides traditional security goals into three main groups: (i) confidentiality, (ii) integrity, and (iii) availability, referred to as the CIA triad. Confidentiality guarantees that sensitive data can be obtained only by legitimate users or objects; the confidentiality of sensitive RFID data, such as credit card details and medical records, must be protected. The authors of [77] state that the detrimental consequences of fraudulent access to medical objects can range from the disclosure of personal data to life-threatening situations. The integrity of RFID-enabled devices is also an essential requirement for providing reliable services, as it ensures that such devices act only on authorized commands and data; a lack of data integrity in an RFID application can cause undesirable effects, such as attacks on insulin pumps [78]. The availability of RFID applications is also fundamental, as it ensures that their data is always available and accessible to their valid users.
Although the confidentiality, integrity, and availability triad (CIA triad) is well known, according to [79] it is not sufficient for investigating new threats that may appear in a cooperative environment such as IoT or RFID. To address this issue, the authors of [79] propose a more complete set of security goals, known as the Information Assurance and Security (IAS) octave, derived from a study of a large body of current security information. Table 3 summarizes the security goals of the IAS octave, along with their abbreviations and definitions in connection with RFID-based IoT applications.
According to Table 3, we define: Security attack: An attack that violates at least one of the security goals of the RFID applications.
Secure object/application: An object/application that achieves all of the RFID-based IoT security goals.
To build a framework of security and privacy guidelines that reflects all aspects of the life cycle of RFID-based IoT applications, we first propose a classification of identified RFID stakeholders into four groups, depicted in Table 4. We then relate key stakeholders to their respective roles to determine the degree to which the guidelines are adapted and the impact on stakeholders.

IV. RFID STANDARDS
To answer RQ2, the following section provides an overview of some of the RFID standards, analyzes their recommended security mechanisms, and links them to the security goals shown in Table 3.

A. INDUSTRY STANDARDS FOR RFID AND THEIR SECURITY MECHANISMS
Interoperability of RFID-based IoT applications can only be achieved when tags and readers follow the same standard, which facilitates, for example, object updates and communication. EPCglobal standards and specifications, proposed for patient safety and supply chain systems, are the most popular industry standards. EPCglobal has issued several specifications, such as Class-0 Ultra High Frequency (UHF), Class-1 Generation-1 High Frequency (HF), and Class-1 Generation-2 UHF. Class-1 Generation-2 was selected as the standard by EPCglobal [9].

1) (EPC0) CLASS-0 UHF
EPCglobal initially developed it for the supply chain. The main objective of this class was an inexpensive identification tag, and it offers two basic security features: a self-destruct function and a 16-bit cyclic redundancy check (CRC). The self-destruct function is the kill command, protected by a 24-bit password, which a reader issues to permanently deactivate a tag; afterwards the tag no longer responds to any command.

2) (EPC1) CLASS-1 GENERATION-1
This class has two specifications, one for HF and one for UHF operation. For example, the HF specification describes a tag operating at 13.56 MHz with two security features: a 16-bit CRC and a self-destruct (kill) feature protected by a 24-bit password.

3) (EPC1S) CLASS-1 GENERATION-2 VERSION 1 STANDARD
EPCglobal selects this specification as a standard and includes two basic security mechanisms, the kill command and cover coding method. The number of bits used in the kill command and the access password is 32 bits [80]. Cover coding obscures the data transmitted from the reader to the tag and works as follows. (i) A reader sends the message to a tag asking for a key, (ii) the tag creates a random 16 bit number and sends it back to the reader, (iii) the reader generates the ciphertext by implementing an exclusive-OR (XOR) function on the plain text and the key, (iv) the reader transmits the ciphertext to the tag, and (v) the tag implements the XOR function that uses the key and the ciphertext to obtain the plain text. Moreover, this standard comes with an optional password-protected access control, the main objective of which is to temporarily or permanently make some parts of a tag memory read-and-write protected or write-safeguarded.
In 2013, EPCglobal released EPC1S2 to address some of the security issues found in EPC1S while remaining backward compatible with it [81]. This standard offers a new framework that facilitates the design and implementation of secure applications and protocols, providing new commands for untraceability, file management, and privacy and security protection. EPC1S2 defines several optional commands, such as Authenticate, AuthComm, SecureComm, ReadBuffer, TagPrivilege, Challenge, and KeyUpdate. AuthComm can be used to build authenticated messages, SecureComm to encrypt messages, and TagPrivilege to set appropriate tag privileges. The Untraceable command and the new file-management commands (e.g., FileOpen, FilePrivilege, FileSetup, FileList) can be used to protect privacy, since user memory can be divided into one or more files. A tag may hold at most 1023 files, and no file may exceed 2044 kilobytes. Readers can be granted access to some or all files. Memory partitioning can be used to store product life-cycle data on a tag, and assigning data to particular files restricts access to that data to certain users [82].

B. ANALYSIS ON RFID STANDARDS
1) THE SECURITY ANALYSIS ON EPC0 AND EPC1
Implementing these specifications in RFID-based IoT applications violates all the security goals listed in Table 3. CONF is violated because the communication link between tags and a reader is not encrypted at all; an attacker in close proximity can eavesdrop on it. Moreover, the memory of writable tags can be modified easily, as the specifications lack access controls. INTG is violated as well, since the unique identifier of a tag can be altered and spoofed; the CRC protects only against random transmission errors, because anyone who rewrites the data can simply recompute it. Typically, these tags have no tamper-proof technology either.
Although these specifications include a self-destruct function, the kill command, that command can itself be used to violate AVAL by disabling a tag for everyone, since there is no access control technique or key management infrastructure around the kill password. Last but not least, PRIV is not respected, as an attacker may use the unique identifier to track the objects or individuals carrying the tags.
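To make the CRC point concrete, the following added example (not code from the paper) shows a reader's CRC check catching a random bit error but accepting a deliberately rewritten EPC whose CRC the attacker recomputed. The CRC parameters (polynomial 0x1021, preset 0xFFFF, ones'-complemented result) are assumed to match EPC Gen2; the record layout and sample codes are constructed, and the keyed MAC at the end is shown for contrast only, since a low-cost EPC tag cannot compute it.

```python
import hashlib
import hmac

# Added example, not from the paper: why a 16-bit CRC detects accidental
# corruption but not deliberate modification of tag memory.  The CRC uses
# polynomial 0x1021, preset 0xFFFF and a ones'-complemented result, which
# (assumption) matches the CRC-16 parameters of EPC Gen2; the record layout
# PC (2 bytes) || EPC (12 bytes) || CRC (2 bytes) is a simplification, and the
# keyed MAC is shown for contrast only, since a low-cost EPC tag cannot run it.

def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16, MSB first, no reflection."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def crc16_gen2(data: bytes) -> int:
    return crc16_ccitt(data) ^ 0xFFFF       # transmitted value is the complement

def tag_record(pc: bytes, epc: bytes) -> bytes:
    """What the EPC bank looks like on the air: PC, EPC and the CRC over both."""
    body = pc + epc
    return body + crc16_gen2(body).to_bytes(2, "big")

def reader_accepts(record: bytes) -> bool:
    body, received = record[:-2], int.from_bytes(record[-2:], "big")
    return crc16_gen2(body) == received

def corrupt_bit(record: bytes, bit_index: int) -> bytes:
    """Random failure: flip one bit anywhere in the record (CRC included)."""
    buf = bytearray(record)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def forge_epc(record: bytes, new_epc: bytes) -> bytes:
    """Deliberate modification: rewrite the EPC and recompute the public CRC."""
    return tag_record(record[:2], new_epc)

# Contrast: an integrity tag that depends on a secret the attacker does not have.
def mac_record(pc: bytes, epc: bytes, key: bytes) -> bytes:
    body = pc + epc
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]   # truncated for illustration

def mac_accepts(record: bytes, key: bytes) -> bool:
    body, tag = record[:-8], record[-8:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:8], tag)

# Constructed sample data (not real product codes or keys).
PC = bytes.fromhex("3000")
EPC_GENUINE = bytes.fromhex("3034257BF7194E4000000001")
EPC_FORGED = bytes.fromhex("3034257BF7194E4000000002")
BACKEND_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
```

Any single flipped bit is caught, because the CRC is designed for exactly that; a rewritten EPC with a freshly computed CRC passes, because nothing in the check depends on a secret. On Gen2 hardware the equivalent protection has to come from the lock and password commands, not from the CRC.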

2) THE SECURITY ANALYSIS ON EPC1S
Thanks to its security features, some of the security goals can be achieved. For example, CONF and PRIV can be achieved for passwords and for data written to a tag with a Write command, because cover coding obscures them on the reader-to-tag link. If the lock commands that protect tag memory and the CRC error detection are properly implemented, INTG can also be achieved, bearing in mind that the CRC only detects accidental corruption and that the lock protects memory only as well as the access password is protected.
It should be noted that the generation and management of random numbers in EPC1S is a necessary requirement for the CONF, PRIV, and INTG of RFID applications, because EPC1S does not define a specific random number generator method. If a tag uses a weak generator, an attacker who can predict the RN16 breaks the cover coding and can then easily eavesdrop on the communication link [83].
Furthermore, EPC1S is vulnerable to various threats and attacks, and according to many studies its level of security needs to be improved [84], [85], [86], [87]. These vulnerabilities arise from the lack of explicit authentication techniques and security functionalities [88]. For example, EPC1S supports neither heavyweight symmetric or asymmetric algorithms nor even hash functions [89]; therefore, complex cryptographic mechanisms cannot be implemented on a low-cost EPC tag. EPC1S also does not integrate any anti-cloning mechanism and provides no means for a reader to verify the identity of scanned tags. Furthermore, EPC1S does not support flexible file management [82].

3) THE SECURITY ANALYSIS ON EPC1S2
Like EPC1S, this standard supports the use of a CRC function, a pseudo random number generator (PRNG), and the XOR function. Furthermore, EPC1S2 offers a new architecture that simplifies the creation and implementation of secure applications and protocols by providing several optional commands (e.g., AuthComm and KeyUpdate).
The authors in [82] and [101] stated that although this architecture is very flexible and powerful, both industry and academia are currently not familiar with its features and have had some difficulties integrating these optional functions into promising applications. To date, several research efforts have been conducted to do so. For example, many research studies [102], [103], [104], [105], [106], [107] have been conducted to develop different authentication protocols that meet the EPC1S2 standard.

V. SECURITY AND PRIVACY BY DESIGN PRINCIPLES FOR RFID-BASED IoT
To answer RQ3, the following section highlights security and privacy by design principles for RFID in the scope of IoT and, above all, defines a security guideline and a privacy guideline.

A. DEFINITION OF PRIVACY PRINCIPLES IN THE SCOPE OF RFID-BASED IoT
In the literature, several frameworks have been suggested to facilitate the process of eliciting privacy requirements and integrating privacy capabilities into applications. In [8], Ann Cavoukian proposed the original privacy by design framework. The framework provides seven principles that developers should follow when developing privacy-sensitive applications: (i) privacy as the default setting, (ii) privacy embedded into design, (iii) respect for user privacy, (iv) proactive not reactive, (v) full life-cycle protection, (vi) full functionality positive-sum, and (vii) visibility. However, these principles are commonly suggested for computer systems in general, and software engineers developing IoT applications may find them difficult to adopt, as they are stated at a high level of abstraction and do not provide enough information to implement them.
In [108], Hoepman proposes eight simple principles of privacy by design that traditional software developers can use to improve their applications from the start. Due to its simplicity and clarity for real use cases, this work depends on this framework to state our derived privacy guidelines for RFID-based IoT applications. Table 5 summarizes the privacy by design principles proposed by Hoepman and provides their definitions in the context of RFID-based IoT applications, together with their abbreviations.
According to Table 5, we define: Privacy guideline: A guideline that derives at least from one of the principles of privacy by design.

B. DEFINITION OF SECURITY BY DESIGN PRINCIPLES IN THE SCOPE OF RFID-BASED IoT
In [109], the European Union Agency for Network and Information Security (ENISA) indicates that attacks and threats against the IoT ecosystem stem from the complexity and heterogeneity of its enabling technologies. Indeed, ENISA emphasizes the importance of incorporating security best practices or security requirements to secure applications from the ground up. To this end, the Open Web Application Security Project (OWASP) in [110] proposes security by design principles that developers can use to build secure applications. This work relies on these principles to state our derived security guidelines for RFID-based IoT applications. Table 6 summarizes the security by design principles proposed by OWASP and provides their definitions in the context of RFID-based IoT applications, together with their abbreviations.
According to Table 6, we define: Security guideline: A guideline that derives at least from one of the security by design principles.

VI. POSSIBLE ATTACKS AGAINST RFID TAGS
To answer RQ4, the following section describes attacks and threats applicable to RFID and correlates them with the RFID security goals identified in Table 3. More specifically, it marks each security goal that is violated by the described attack. An overview of RFID attacks and the security goals they violate can be found in Table 7.
A. (AT1) PHYSICAL ATTACK
RFID tags are susceptible to physical attacks, as some RFID-enabled objects are deployed in uncontrolled environments and, more importantly, may have poor physical security. In such scenarios, an adversary may have full physical access to such objects and could take them to a laboratory for modification. Various physical attacks and threats on RFID tags have been investigated in the literature [111]. The most well-known are listed below.
• Tag removal: Some RFID tags attached to items can be removed easily due to a lack of physical security. This prevents all legitimate readers from interacting with the vandalized tags [112].
• Tag switching: In this scenario, attackers target tags associated with valuable objects, such as products in stores. Tags that are not physically protected can be captured, removed, altered, or swapped easily. Attackers replace the tags on expensive products with tags taken from cheaper items, so that the expensive items are charged at the lower price at checkout. Such attacks are possible because some back-end servers cannot establish and maintain accurate associations between tags and items. Although such attacks do not scale to large numbers of items, they pose an important security concern [113].
• Tag destruction: Due to a lack of physical security, tags can be physically destroyed by attackers even when they gain no specific benefit from it. An attacker who merely wants to embarrass people or disrupt operations can easily damage an inadequately protected RFID tag by applying pressure, exposing it to chemicals, or removing the visible antenna [113].
• Tag modification: Most RFID tags have writable memory, so attackers can exploit this feature to alter or delete valuable data in the tag's memory [114].
• Reverse engineering: To save costs, most RFID tags have no tamper-resistant mechanism. Attackers can therefore take the tags apart, copy them, or physically inspect them to extract valuable information [115].
An example of such attacks is the shoplifting attack. Many retail stores have installed Electronic Article Surveillance (EAS) systems at the main entrance. The purpose of the system is to detect EAS-tagged products whose tags were not deactivated at the point of sale, so that an alert is raised when a product is accidentally or intentionally taken from the store without being paid for. Shoplifting is treated here as an RFID attack not because of the theft of the item itself but because of the theft of the RFID tag for subsequent reverse engineering [116].
• Distance fraud: This attack allows a tag to function outside the legitimate zone by convincing the reader that it is within the permitted range. The tag uses a malicious antenna or starts sending its replies before the challenges are received, to hide the delay caused by being outside the legitimate range. The attack can be mitigated by sending several challenges under strict conditions in which each response must depend on its challenge. It has a greater impact on RFID applications in which access permissions vary with location [116].
AT1 directly violates all security goals (see Table 7), as the attacker has full control of and access to the physical object.

B. (AT2) DOS ATTACK
This type of attack affects the communication between authorized readers and tags. It occurs, for example, when the attacker floods the system with signals that look like responses, preventing it from communicating further. DoS attacks on RFID systems can be classified into four categories:
• Kill command attack: The kill command allows authorized readers to disable tags once they are no longer needed. However, an attacker who obtains the kill password can use the same command to permanently deactivate tags [117].
• Jamming: Since RFID tags listen to every radio signal within their coverage range, an adversary can transmit electromagnetic noise to interrupt their communication and block tags from talking to readers [118].
• Tag data modification: This type of DoS attack occurs when an adversary is able to alter the EPC data on a tag to a meaningless value that the reader no longer recognizes [117].
• Desynchronization attack: The main goal of this type of DoS attack is to disrupt the update of the secret keys shared between the tag and the reader. An attacker sabotages the synchronous state between the two by blocking the update message, so that the tag and the reader end up storing different key values and can no longer authenticate each other [119].
AT2 affects AVAL, as implied by the attack definition. ACNT is no longer guaranteed because the system cannot respond in time. For INTG, guaranteed delivery can be compromised, especially in real-time applications. AUDI is also violated because the system can no longer continuously monitor the objects' activities. Table 7 lists the security goals violated by AT2.
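A minimal simulation of the desynchronization attack and of a reader that tolerates a blocked update, added here as an example and not taken from the paper or from any RFID standard; the protocol, its message labels and the key sizes are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Added example, not from the paper: a hypothetical key-update protocol between
# a reader (with its back end) and a tag, the desynchronisation attack that
# blocks the final message, and the common fix of keeping the previous key so
# that a tag left behind can still be recognised.  Message formats are an
# illustration, not an RFID standard.

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function over labelled parts (HMAC-SHA256)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Tag:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self._challenge: Optional[bytes] = None
    def respond(self, challenge: bytes) -> bytes:
        self._challenge = challenge
        return prf(self.key, b"auth", challenge)
    def confirm(self, msg: bytes) -> bool:
        """Switch to the new key only once the reader proves it derived the same one."""
        new_key = prf(self.key, b"update", self._challenge)
        if hmac.compare_digest(msg, prf(new_key, b"confirm", self._challenge)):
            self.key = new_key
            return True
        return False

class Reader:
    def __init__(self, key: bytes, keep_old: bool) -> None:
        self.keys: List[bytes] = [key]       # newest first; a second entry is the previous key
        self.keep_old = keep_old
    def run(self, tag: Tag, drop_confirm: bool = False) -> bool:
        """One session; drop_confirm=True models an attacker jamming the last message."""
        r = secrets.token_bytes(8)
        response = tag.respond(r)
        for k in self.keys:                  # try the current key, then the previous one
            if hmac.compare_digest(response, prf(k, b"auth", r)):
                break
        else:
            return False                     # unknown tag, or one we lost track of
        new_key = prf(k, b"update", r)
        self.keys = [new_key, k] if self.keep_old else [new_key]
        if not drop_confirm:
            tag.confirm(prf(new_key, b"confirm", r))
        return True
```

With `keep_old=False` the reader moves to the new key while the tag, never having seen the confirmation, stays on the old one, and every later session fails: the tag is effectively dead to that system. With `keep_old=True` the reader recognizes the tag under its previous key and the next completed session brings both sides back in step.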

C. (AT3) EAVESDROPPING
Although eavesdropping attacks are typically associated with communication protocols, they can be carried out explicitly against RFID tags. The main objective of this type of attack is to intercept and read, and possibly later modify, RFID application messages. Threats posed by eavesdropping on RFID tags have been considered in many published reports (e.g., [11]). In addition, several surveys can be found in [16] and [120]; in [120], the authors discuss some practical attacks and their experimental settings.
AT3 violates CONF and PRIV, as the attacker passively intercepts and reveals the private data generated and processed by the RFID-enabled objects. Additionally, NREP is affected if the attacker also drops some packets, preventing the system from validating the occurrence of its events. Table 7 lists the security goals violated by AT3.

D. (AT4) TAG COUNTERFEITING
In such attacks, attackers change the object's identity using tag-modifying methods. Unlike cloning attacks, which require more information to be initiated, counterfeiting attacks require less information to be launched, because the tag is only partially modified [111]. AT4 violates all security goals (see Table 7), as the attacker operates directly on the RFID tag by modifying its identity.

E. (AT5) TAG CLONING
This type of attack occurs when attackers read data from authorized RFID tags and then build tags or devices that mimic the behavior of the authorized tags. Such attacks are very valuable to attackers and, at the same time, very damaging to a company's reputation. By cloning tags, attackers gain access to sensitive data and restricted areas [121]. An example of this attack is found in [122], where the authors attack the Texas Instruments Digital Signature Transponder (DST) system. They recover the secret cryptographic key of a DST device from only two challenge-response pairs; having recovered the key, they use a low-cost radio device that emulates the target DST's output in order to fool the reader.
Similar to tag counterfeiting attacks, AT5 violates all security goals (see Table 7) since the attacker operates directly on the RFID tag by cloning its functions.

F. (AT6) TAG TRACKING
This is one of the most common threats against RFID tags, since each tag has a unique identifier that it transmits to nearby readers. A malicious reader can simply read a tag attached to a person or object, yielding strong tracking information [121], [123], [124]. Tracking is possible even if the identifier is a random value containing no identifiable data, as long as it does not change between reads. The simplest form of the attack uses malicious readers to read the identifiers of fixed tags. It is amplified when the tag identifier can be combined with personal data. For example, according to [18], when a customer pays for products with a credit card, the merchant can associate the customer's identity with a tag and then use the network of RFID readers installed inside and outside the store to identify and profile the customer. This attack violates PRIV, as the attacker is indirectly able to attribute private data to specific identities. Additionally, NREP is violated because an attacker can change the identity of a tag, making it difficult for the system to verify the occurrence of its events. Table 7 lists the security goals violated by AT6.

G. (AT7) TAG INVENTORYING
Several types of tags containing sensitive information are easily integrated into many kinds of objects. An EPC code, for instance, carries both a manufacturer code and a product code, so individuals carrying EPC-tagged objects are susceptible to inventorying [125]. For example, by identifying which type of medical device is attached to a patient (such as an insulin pump), an attacker can infer the patient's medical condition. As with the tag tracking attack, PRIV and NREP (see Table 7) are affected by AT7.

H. (AT8) SIDE CHANNEL ATTACK
With RFID technology, a side-channel attack can even occur when the communication link between the tags and the reader is encrypted. In this scenario, an attacker can use a ready-to-use tool to intercept messages between tags and readers to extract information from various patterns. For example, an attacker could estimate the number of people living in a house after reading the tags at the entrance of that house [126].
Similar to eavesdropping attacks, a set of security goals (see Table 7), namely CONF, NREP, and PRIV are violated by AT8.

I. (AT9) REPLAY ATTACK
Replay attacks are among the most significant threats facing RFID systems. Depending on the system configuration, such an attack is possible whenever data is transmitted from one component to another: the attacker interposes on the communication path and manipulates the information exchanged between RFID components [127]. For example, an attacker can record valid RFID responses and later send them to one or more parties in an attempt to impersonate another party. Typically, the recorded packets are obtained by eavesdropping or by initiating sessions with a tag. A good example is the re-transmission of correct copies of the radio signals that valid tags send to readers, which grants access as if an authentic tag were present. RFID applications are particularly susceptible to replay attacks because small, inexpensive tags leave no room for in-depth security measures [115], [128].
AT9 could violate all security goals (see Table 7) if the packets exchanged between a tag and a reader carry no fresh nonces. In that case, an adversary can reuse or modify old packets and replay them to obtain similar privileges or access.

J. (AT10) SPOOFING
This is a kind of fraudulent attack in which an adversary places a malicious device on a communication link. By impersonating a real tag, the attacker gains all the privileges and information of that tag, which the adversary then stores on the malicious node [129]. Because attackers can impersonate a legitimate tag and store its sensitive information, AT10 could violate all security goals (see Table 7).

K. (AT11) RELAY ATTACK
This type of attack can be viewed as a man-in-the-middle attack, in which a rogue device interacts with a legitimate reader and persuades the reader that it is a valid tag, so that the reader treats it as an authentic communication partner. The security mechanism of the system is thereby bypassed without the main parties noticing the breach. The attack becomes more dangerous when the RFID tags are not equipped with cryptographic algorithms [130].
If the tags are not protected by cryptographic mechanisms, then AT11 can violate all security goals (see Table 7).

L. (AT12) DISCLOSURE ATTACK
In this type of attack, an attacker recovers secret information (e.g., shared keys, IDs, and other secret data) from RFID applications. Identity disclosure and full disclosure attacks are the two variants. In a full disclosure attack, the attacker recovers all the information stored on the tag, while in an identity disclosure attack, the attacker steals only the tag's identity [131]. Typically, a disclosure attack is carried out by one of two methods, a recursive linear attack or a recursive differential attack. Recursive differential attacks are probabilistic and require multiple authentication sessions, whereas recursive linear attacks are passive and require only a single authentication session [132].
AT12 can violate all security goals (see Table 7) as an attacker can guess secret information, such as shared keys.

M. (AT13) JAMMING
In a jamming attack, an attacker blocks the communication between legitimate tags and readers to prevent the tags from interacting with the readers. Attackers generate signals that are indistinguishable from readers' signals, making tags unreadable for legitimate readers [21].
AT13 violates AVAL, as the attacker can prevent the tags from communicating with a reader. It also violates NREP, AUDI, and ACNT, as well as the authentication of objects, because the RFID system can no longer validate and monitor its events, hold objects responsible for their actions, or verify the identities of objects. The violated security goals are listed in Table 7.

VII. MITIGATION TECHNIQUES FOR PROTECTING RFID TAGS
To answer RQ5, this section reviews the mitigation techniques for RFID tags and maps them to the attack vectors identified in Section VI. An overview of the countermeasures proposed for RFID applications is presented in Table 8.

A. (MT1) CRYPTOGRAPHIC SCHEMES
Attributed to attacks AT2, AT3, AT4, AT5, and AT6. In RFID tags, a straightforward implementation of full-strength encryption algorithms is not possible because of the need for low-cost tags (e.g., 10 cents), which limits their computing power and memory. An implementation of the Advanced Encryption Standard (AES) typically requires 5000 to 10000 gates, while a low-cost RFID tag can devote only 1000 to 2000 gates to security [133]. Nevertheless, Jung et al. [134] present an AES implementation that requires only 3595 gates, and a more recently proposed RFID encryption technique is described in [135]. Even so, there is no fully implemented version of AES on low-cost RFID tags. Cryptographic schemes can be divided broadly into the following categories:

1) LIGHTWEIGHT HASH FUNCTION
Widely used to address the security concerns of RFID applications, different lightweight hash functions have been proposed in the literature [135], [136], [137], [138]. The most common lightweight hash functions available for RFID applications are SPONGENT [139], L-CAHASH [140], Quark [141], and Hash-One [142]. Aumasson et al. proposed the Quark family of lightweight hash functions, which has three instances: U-Quark, D-Quark, and S-Quark. U-Quark offers 64-bit security and requires 1379 gates, D-Quark offers 80-bit security, and S-Quark offers 112-bit security and requires 2296 gates.

2) LIGHTWEIGHT PROTOCOLS
The low-cost tag requirement is essential for RFID technology and makes it difficult to implement traditional cryptographic algorithms. However, several lightweight cryptographic protocols have been proposed [145], [146]. For example, the authors of [125] propose a lightweight mutual authentication protocol for RFID tags that requires only 300 gates and argue that it provides an acceptable level of security for certain applications.

3) KEY MANAGEMENT
Symmetric cryptography is used in most RFID applications (e.g., Triple DES (3DES) in e-passports), and key management techniques are needed in such settings, since tag and reader share a tag-specific secret key. Secret key sharing creates a well-known paradox in RFID applications. If a tag starts by announcing its identity in plaintext so that the reader can select the right key, then every other reader operating at the same frequency can read and track that identity. If, on the other hand, the reader must authenticate itself to the tag without knowing which tag it is interrogating, it cannot tell which secret key to use. Several mechanisms have been proposed in the literature to resolve this paradox [165], [166], [167], [168], [169].

4) LIGHTWEIGHT BLOCK CIPHER
Unlike stream ciphers, which encrypt one bit or byte of plaintext at a time, block ciphers encrypt a whole block at once. Depending on the cipher's structure, researchers distinguish designs such as Feistel networks, generalized Feistel networks (GFN), and substitution-permutation networks (SPN). Multiple lightweight block ciphers have been proposed in the literature, the most notable of which are RECTANGLE [170], LILLIPUT [171], LRBC [172], SFN [35], BORON [173], and LiCi [174].

5) LIGHTWEIGHT STREAM CIPHER
A lightweight stream cipher requires minimal computational effort but still provides a high level of security: it generates a pseudo-random keystream from a shared key and combines it with the plaintext to produce the ciphertext. Depending on its structure, a stream cipher may be built on a Feedback with Carry Shift Register (FCSR), a Linear Feedback Shift Register (LFSR), addition/rotation/XOR (ARX) operations, a Nonlinear Feedback Shift Register (NFSR), or a random shuffle [175]. Several lightweight stream ciphers have been proposed in the literature, of which the most notable are Fruit-80 [176], SVH [177], ALE [178], and WG-8 [179].

6) AUTHENTICATION
For authentication, RFID applications use challenge-response authentication protocols. A symmetric key is initially shared between a tag and a reader, and the tag proves to the reader that it knows the key without revealing it. The reader sends a challenge to the tag; the tag applies a cryptographic function keyed with the shared key to the challenge and returns the result as its response; the reader computes the same function with the shared key and checks whether its result matches the response received from the tag. If they match, the reader authenticates the tag. The process is repeated in the reverse direction when mutual authentication is needed. Existing authentication protocols mostly use symmetric cryptography [180], [181], [182], while asymmetric cryptography has been adopted less often [183].
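The exchange just described, run in both directions, together with the replay attack of AT9 (Section VI-I) against a variant whose responses carry no fresh nonces, as an added example that is not part of the paper. The protocol is hypothetical; `prf`, the message labels and the nonce sizes are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Added example, not from the paper: symmetric challenge-response authentication
# in both directions, and the replay attack (AT9) against a variant whose
# response does not depend on a fresh challenge.  Hypothetical protocol, not an
# RFID standard.

def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Tag:
    def __init__(self, key: bytes, fresh: bool = True) -> None:
        self.key, self.fresh = key, fresh
    def prove(self, reader_nonce: bytes) -> Tuple[bytes, bytes]:
        """Answer the reader's challenge and issue the tag's own nonce for mutual auth."""
        if not self.fresh:                     # weak variant: response independent of the challenge
            return b"", prf(self.key, b"tag")
        tag_nonce = secrets.token_bytes(8)
        return tag_nonce, prf(self.key, b"tag", reader_nonce, tag_nonce)
    def verify_reader(self, reader_nonce: bytes, tag_nonce: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(proof, prf(self.key, b"reader", reader_nonce, tag_nonce))

class Reader:
    def __init__(self, key: bytes, fresh: bool = True) -> None:
        self.key, self.fresh = key, fresh
    def challenge(self) -> bytes:
        return secrets.token_bytes(8)
    def verify_tag(self, reader_nonce: bytes, tag_nonce: bytes, response: bytes) -> bool:
        expected = prf(self.key, b"tag", reader_nonce, tag_nonce) if self.fresh else prf(self.key, b"tag")
        return hmac.compare_digest(response, expected)
    def prove(self, reader_nonce: bytes, tag_nonce: bytes) -> bytes:
        return prf(self.key, b"reader", reader_nonce, tag_nonce)

def mutual_auth(reader: Reader, tag: Tag) -> bool:
    """Reader challenge -> tag response -> reader proof -> tag check."""
    rn = reader.challenge()
    tn, response = tag.prove(rn)
    if not reader.verify_tag(rn, tn, response):
        return False
    return tag.verify_reader(rn, tn, reader.prove(rn, tn))

def replay_attack(reader: Reader, tag: Tag) -> bool:
    """Passive attacker records one tag reply, then replays it to a later challenge."""
    tn, response = tag.prove(reader.challenge())          # eavesdropped session
    return reader.verify_tag(reader.challenge(), tn, response)   # new session, new challenge
```

The replay succeeds only against the `fresh=False` variant, where the response is a fixed function of the key; once the response is bound to the reader's nonce (and the reader's proof to the tag's nonce), a recorded message is useless in any later session.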

7) DISTANCE-BOUNDING PROTOCOL
This is a lightweight authentication protocol that not only verifies that a communicating entity (e.g., a tag or a reader) holds the correct key but also determines whether the distance between reader and tag is below a certain threshold [184]. The distance can be measured using the round-trip time (RTT), that is, the time between the reader sending a challenge and receiving the reply from the tag, or using the received signal strength indicator (RSSI) [185]. In general, a distance-bounding protocol works in three stages. (i) In the initial setup stage, the reader and the tag agree on the session parameters (e.g., nonces). (ii) In the timed stage, the rapid challenge-response rounds take place and the reader measures the round-trip time of each. (iii) In the final authentication stage, the reader makes sure that the second stage was carried out faithfully so that it can use the RTTs to bound the distance; this is done by checking all the round-trip times and all the responses and by verifying the tag's signature over the exchanged values.
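A simulation of the three stages with the RTT as distance measure, added here as an example and not taken from the paper or from any specific published protocol. The propagation speed, the constant tag latency, the register derivation, and the `Relay` and distance-fraud models are assumptions made for the simulation.

```python
import hashlib
import hmac
import random
import secrets
from typing import Dict, List, Optional, Tuple

# Added example, not from the paper: a simulated three-stage distance-bounding
# protocol using round-trip time.  Propagation is modelled as 0.3 m per ns and
# the tag's reply latency as a constant, both assumptions; the register
# construction is a generic illustration, not a specific published protocol.

SPEED_M_PER_NS = 0.3          # radio propagation, roughly the speed of light
TAG_PROCESSING_NS = 50.0      # assumed constant reply latency of an honest tag
ROUNDS = 64

def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def bits(data: bytes, n: int) -> List[int]:
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def registers(key: bytes, na: bytes, nb: bytes) -> Tuple[List[int], List[int]]:
    """Stage (i): both sides derive two response registers from the nonces."""
    seed = prf(key, b"regs", na, nb)
    return bits(seed[:8], ROUNDS), bits(seed[8:16], ROUNDS)

class Tag:
    def __init__(self, key: bytes, distance_m: float, fake_distance_m: Optional[float] = None) -> None:
        # fake_distance_m models distance fraud: the tag answers before the
        # challenge arrives, guessing c = 0, so its RTT looks like a near tag's.
        self.key, self.distance, self.fake = key, distance_m, fake_distance_m
    def setup(self, na: bytes) -> bytes:
        self.na, self.nb = na, secrets.token_bytes(8)
        self.r0, self.r1 = registers(self.key, na, self.nb)
        return self.nb
    def answer(self, i: int, c: int) -> Tuple[int, float]:
        """Stage (ii): one rapid round; returns (response bit, RTT seen by the reader)."""
        if self.fake is not None:
            return self.r0[i], 2 * self.fake / SPEED_M_PER_NS + TAG_PROCESSING_NS
        return (self.r1 if c else self.r0)[i], 2 * self.distance / SPEED_M_PER_NS + TAG_PROCESSING_NS
    def final(self, challenges: List[int]) -> bytes:
        """Stage (iii): MAC over the session so the reader knows the rounds were genuine."""
        return prf(self.key, b"final", self.na, self.nb, bytes(challenges))

class Relay:
    """Relay attack: an honest but distant tag's answers are forwarded over an extra path."""
    def __init__(self, tag: Tag, extra_m: float) -> None:
        self.tag, self.extra = tag, extra_m
    def setup(self, na: bytes) -> bytes:
        return self.tag.setup(na)
    def answer(self, i: int, c: int) -> Tuple[int, float]:
        bit, rtt = self.tag.answer(i, c)
        return bit, rtt + 2 * self.extra / SPEED_M_PER_NS
    def final(self, challenges: List[int]) -> bytes:
        return self.tag.final(challenges)

def verify(key: bytes, prover, max_distance_m: float, seed: int = 1) -> Dict[str, bool]:
    """Reader side: accept only if every round is in range, every bit is right
    and the final MAC checks out."""
    rng = random.Random(seed)                      # seeded so the run is reproducible
    na = bytes(rng.getrandbits(8) for _ in range(8))
    nb = prover.setup(na)
    r0, r1 = registers(key, na, nb)
    bound = 2 * max_distance_m / SPEED_M_PER_NS + TAG_PROCESSING_NS
    challenges = [rng.getrandbits(1) for _ in range(ROUNDS)]
    in_range = bits_ok = True
    for i, c in enumerate(challenges):
        bit, rtt = prover.answer(i, c)
        in_range &= rtt <= bound
        bits_ok &= bit == (r1 if c else r0)[i]
    final_ok = hmac.compare_digest(prover.final(challenges), prf(key, b"final", na, nb, bytes(challenges)))
    return {"in_range": in_range, "bits_ok": bits_ok, "final_ok": final_ok,
            "accepted": in_range and bits_ok and final_ok}
```

The relayed tag answers every bit correctly and signs the session correctly but fails the timing bound; the distance-fraud tag passes the timing bound but, having answered before hearing the challenge, gets roughly a quarter of the rounds wrong. Both are rejected only because all three stages are checked together.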

B. (MT2) KILL COMMAND
Attributed to attacks AT2, AT4, AT5, AT6, AT7, and AT8. The kill command is one of the simplest mechanisms proposed by the Auto-ID Center and EPCglobal to safeguard customer privacy [80]. During manufacturing, RFID tags may be provisioned with a kill password, a tag-specific Personal Identification Number (PIN) (e.g., a 32-bit password). Having received the correct PIN from a reader, the tag deactivates itself forever and can send no further information; the process is irreversible. An alternative mechanism, the sleep command, can be used to make an RFID tag inactive only for a period of time. Designing and implementing such approaches requires a secure PIN management scheme. The author of [12] states that killing RFID tags is not feasible for many IoT-based applications, as it violates one of the IoT security goals, namely AVAL.

C. (MT3) ISOLATION
Attributed to attack AT3, AT5, AT6, AT7 and AT8. One of the most efficient approaches to safeguard the privacy of RFID tags is to isolate them from electromagnetic waves. One way is to build and use separation rooms. However, this approach is highly expensive [148]. An alternative technique is suggested in which an isolation container made of metal is utilized to impede electromagnetic waves. This container is called the Faraday cage [151]. Another approach of blocking specific radio channels using an active radio frequency jammer is proposed.

D. (MT4) CUSTOMER RESPONSIBILITIES
Attributed to attack AT1. Customers have a basic role in preventing some attacks on RFID tags. For example, customers are responsible for not buying RFID tags from non-reputable manufacturers. Another example is the prevention of tag-switching attacks in retail stores: cashiers need to know the approximate prices of the items they scan in order to notice when the tag on an item does not match it [116].

E. (MT5) ANONYMOUS TAG
Attributed to attacks AT6 and AT7. In [152], the authors suggest a technique based on table lookup to protect the privacy of RFID tags. The idea is to store the mapping between an anonymous ID and the genuine ID on the back end, so that an adversary who observes only the anonymous ID cannot recover the genuine one. However, even though the tags emit anonymous IDs, attackers can still track a tag if its anonymous ID never changes. The anonymous ID must therefore be changed frequently to avoid the tracking problem [125].
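A hash-based variant of the anonymous-ID technique, added here as an example; it is neither the scheme of [152] nor code from the paper. It also illustrates the tracking of static identifiers (AT6, Section VI-F) and the cost side of the key-sharing paradox of Section VII-A.3: with nothing identifying in the clear, the back end has to try every key it holds. Names, key sizes and the sighting format are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Added example, not from the paper: a tag that emits a fresh pseudonym on every
# read, a back end that resolves it by trying every enrolled key, and a
# tracker that links sightings across two readers.  Names, key sizes and the
# sighting format are assumptions for illustration.

def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:8]

class StaticTag:
    """Emits its genuine identifier in the clear on every read."""
    def __init__(self, tag_id: str) -> None:
        self.tag_id = tag_id
    def emit(self) -> Tuple[bytes, bytes]:
        return b"", self.tag_id.encode()

class PseudonymTag:
    """Emits (nonce, PRF(key, nonce)); the pair is different on every read."""
    def __init__(self, tag_id: str, key: bytes) -> None:
        self.tag_id, self.key = tag_id, key
    def emit(self) -> Tuple[bytes, bytes]:
        nonce = secrets.token_bytes(8)
        return nonce, prf(self.key, b"pseudonym", nonce)

class Backend:
    """Holds the key (the 'mapping') of every enrolled tag."""
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
    def enroll(self, tag_id: str) -> PseudonymTag:
        key = secrets.token_bytes(16)
        self.keys[tag_id] = key
        return PseudonymTag(tag_id, key)
    def identify(self, nonce: bytes, pseudonym: bytes) -> Tuple[Optional[str], int]:
        """Resolve a pseudonym; returns (tag_id or None, number of PRF trials).
        Nothing in the clear says which key applies, so the back end must
        search: linear in the number of enrolled tags."""
        trials = 0
        for tag_id, key in self.keys.items():
            trials += 1
            if hmac.compare_digest(prf(key, b"pseudonym", nonce), pseudonym):
                return tag_id, trials
        return None, trials

def sightings(tags: List, reader_name: str) -> Set[Tuple[str, bytes, bytes]]:
    """What a malicious reader logs: every (reader, nonce, emitted value) it hears."""
    return {(reader_name, *tag.emit()) for tag in tags}

def linkable(seen_at_a: Set[Tuple[str, bytes, bytes]], seen_at_b: Set[Tuple[str, bytes, bytes]]) -> Set[bytes]:
    """Emitted values seen at both readers, i.e. tags the attacker can track between them."""
    return {v for _, _, v in seen_at_a} & {v for _, _, v in seen_at_b}
```

The static tags are all linkable between the two readers; the pseudonym tags are not, but resolving one of them costs the back end a PRF evaluation per enrolled tag in the worst case, which is the scalability price the cited key-management schemes try to reduce.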

F. (MT6) HARDWARE-BASED SOLUTIONS
Attributed to attacks AT1 and AT2. This can be achieved by integrating a physically unclonable function (PUF) into the tag's circuit. A PUF exploits the uncontrollable manufacturing variations of an integrated circuit as a device-unique, noisy function: queried with a challenge z, the PUF produces a response x that depends on both z and the unique intrinsic physical features of the device [186]. PUFs should be physically unclonable and tamper-proof [187], and they offer unique object identification and authentication [157], [187].
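A simulation of challenge-response authentication with a PUF, added as an example that is not from the paper. The "silicon" is modelled as a secret seed plus per-read bit noise, which is an assumption for illustration and not a physical PUF model; the verifier stores enrolled challenge-response pairs (CRPs), tolerates a bounded number of noisy bits, and never reuses a CRP.

```python
import hashlib
import hmac
import random
import secrets
from typing import Callable, Dict, Optional, Tuple

# Added example, not from the paper: CRP-based authentication with a simulated
# PUF.  The device's unique physical feature is modelled as a secret seed and
# its noise as independent bit flips (an assumption, not a circuit model).

RESPONSE_BITS = 64

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class PufDevice:
    def __init__(self, silicon_seed: bytes, noise: float, rng: random.Random) -> None:
        self.seed, self.noise, self.rng = silicon_seed, noise, rng
    def respond(self, challenge: bytes) -> bytes:
        """Response depends on the challenge and the device; each bit may flip with
        probability 'noise' on every evaluation, as a real PUF's would."""
        ideal = hmac.new(self.seed, challenge, hashlib.sha256).digest()[:RESPONSE_BITS // 8]
        noisy = bytearray(ideal)
        for i in range(RESPONSE_BITS):
            if self.rng.random() < self.noise:
                noisy[i // 8] ^= 1 << (i % 8)
        return bytes(noisy)

class Recorder:
    """Eavesdropper that forwards to the genuine device but keeps the last CRP for replay."""
    def __init__(self, device: PufDevice) -> None:
        self.device, self.last = device, None   # type: PufDevice, Optional[Tuple[bytes, bytes]]
    def respond(self, challenge: bytes) -> bytes:
        response = self.device.respond(challenge)
        self.last = (challenge, response)
        return response

class Verifier:
    def __init__(self, max_distance: int) -> None:
        self.max_distance = max_distance
        self.crps: Dict[bytes, bytes] = {}          # unused challenge -> enrolled response
    def enroll(self, device: PufDevice, count: int) -> None:
        """Done once, in a trusted setting, before the tag is deployed."""
        for _ in range(count):
            challenge = secrets.token_bytes(16)
            self.crps[challenge] = device.respond(challenge)
    def check(self, challenge: bytes, response: bytes) -> bool:
        """Consume the CRP whether or not the check succeeds, so it cannot be replayed."""
        expected = self.crps.pop(challenge, None)
        if expected is None:
            return False
        return hamming(expected, response) <= self.max_distance
    def authenticate(self, responder: Callable[[bytes], bytes]) -> bool:
        """Pick an unused challenge, query the device and compare with tolerance."""
        if not self.crps:
            return False                             # no fresh CRP left: re-enrolment needed
        challenge = next(iter(self.crps))
        return self.check(challenge, responder(challenge))
```

A genuine device differs from its enrolled response in a handful of noisy bits and is accepted; a different device (a clone attempt) differs in about half of them and is rejected; and a recorded challenge-response pair is rejected on replay because the verifier consumed that challenge when it was first used. The finite CRP store is the practical caveat: once it is empty the tag cannot be authenticated until it is re-enrolled.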

G. (MT7) PERSONAL FIREWALL
Attributed to attacks AT2, AT3, AT4, and AT6. A personal RFID firewall monitors all incoming reader requests; it can be implemented on an RFID-enabled object with sufficient storage capacity and computational power (e.g., a mobile phone) [158]. Such a firewall enforces rules or policies that can be quite complex; an example policy given in [188] is ''my tag should not release my personal information when I am not within 50 meters of my workplace''.

H. (MT8) BLOCKING
Attributed to attacks AT3, AT4, AT5, AT6, AT7, and AT8. In [121], the authors propose an effective approach, called blocking, to preserve the privacy of RFID tags. A modifiable bit, called the privacy bit, is added to each tag: setting the privacy bit to '0' indicates that the tag may be scanned publicly, while setting it to '1' marks the tag as private. The approach requires a special tag, called a blocker tag, which prevents readers from singulating the private tags. Another approach, called soft blocking, has been suggested in [162]. It relies on the reader's configuration to enforce a set of policies in an RFID application, ensuring that readers only read public tags; a reader's violation of the tag policy can be detected by a monitoring device.
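How a blocker tag interferes with singulation, as an added example that is not code from the paper or from [121]. It assumes the binary tree-walking singulation that the blocker-tag proposal builds on, 8-bit constructed IDs, and the first ID bit as the privacy bit.

```python
from typing import List, Set, Tuple

# Added example, not from the paper: binary tree-walking singulation with the
# first ID bit as the privacy bit (assumptions for illustration).  A blocker
# tag simulates every ID in the private subtree, so an ordinary reader
# exhausts its query budget there, while a reader that honours the privacy
# zone skips it.  Tag IDs are constructed 8-bit strings.

ID_BITS = 8
PRIVATE_PREFIX = "1"          # privacy bit = 1 marks the private subtree

def responses_at(prefix: str, tags: List[str], blocker: bool) -> Set[str]:
    """Bits the reader hears after querying 'prefix'.  Real tags answer with the
    next bit of their ID; a blocker answers as if every private ID existed."""
    heard = {t[len(prefix)] for t in tags if t.startswith(prefix) and len(t) > len(prefix)}
    if blocker and len(prefix) < ID_BITS:
        if prefix == "":
            heard.add(PRIVATE_PREFIX)
        elif prefix.startswith(PRIVATE_PREFIX):
            heard |= {"0", "1"}
    return heard

def tree_walk(tags: List[str], blocker: bool = False, polite: bool = False,
              budget: int = 64) -> Tuple[Set[str], int]:
    """Depth-first singulation; returns (IDs the reader believes it read, queries used)."""
    found: Set[str] = set()
    queries = 0
    stack = [""]
    while stack and queries < budget:
        prefix = stack.pop()
        if polite and prefix.startswith(PRIVATE_PREFIX):
            continue                         # respects the privacy bit, asks nothing
        queries += 1
        if len(prefix) == ID_BITS:
            found.add(prefix)                # singulated (or a phantom the blocker faked)
            continue
        for bit in sorted(responses_at(prefix, tags, blocker), reverse=True):
            stack.append(prefix + bit)       # push "1" first so "0" is explored first
    return found, queries

# Constructed sample population: three public tags and two private ones.
PUBLIC = ["00000001", "00010010", "01100011"]
PRIVATE = ["10110011", "11100101"]
```

Without a blocker the reader reads all five IDs in a few dozen queries. With a blocker present, a reader that ignores the privacy bit burns its whole budget inside the private subtree and comes away with phantom IDs it cannot tell from real ones; a reader that honours the privacy bit reads exactly the public tags. The blocker protects privacy only at the cost of making the private zone unreadable for everyone, which is why the soft-blocking variant moves the policy to the reader instead.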

I. (MT9) DISTANCE ESTIMATION
Attributed to attack AT5. The authors in [88] suggest a method to estimate the distance between a tag and a reader based on the signal-to-noise ratio. They claim to be able to infer a metric that predicts how far away a reader attempting to read the tag is. This allows the tag to release information according to distance. For example, when scanned at 10 meters the tag publishes only public data, but at 1 meter it also provides its unique identifier.

J. (MT10) PHYSICAL ACCESS CONTROLS
Attributed to attacks AT1, AT3, and AT5. In some cases, attackers need to be close to RFID-enabled devices to perform destructive actions that compromise their data INTG and AVAL by damaging or modifying their components. It is therefore imperative to prevent, or at least limit, an attacker's ability to gain direct physical access to such devices. Physical security controls such as walls, gates, surveillance cameras and locked doors must therefore be applied to all RFID devices.
According to [9], the implementation of physical access controls could mitigate several threats, such as physical destruction of RFID tags and readers, denial of service due to illegal commands or radio interference, and tag cloning. It should be noted, however, that physical access controls around a perimeter neither prevent radio interference emitted by legitimate tags and readers nor alleviate threats posed by an insider attacker.

VIII. ANALYSIS ON SECURITY AND PRIVACY GUIDELINES FOR RFID
To answer RQ6, this section describes our derived guidelines for RFID, some of which have been suggested in our earlier work [13], in relation to the stakeholders involved. Table 9 indicates the degree of adoption of each guideline and its impact on stakeholders. This section also provides the reasoning used to justify each guideline. Finally, the overall structure of the guidelines is presented, with links between guidelines, mitigation techniques, and attacks, as shown in Figure 3.

A. (G1) MINIMIZE INTERFERENCE
This guideline suggests minimizing interference between RFID tags and a reader as much as possible. Deploying RFID tags away from other objects that generate radio-frequency noise (e.g., microwaves) can mitigate such interference. In addition, interference may occur due to a high duty cycle of the RFID reader, which depends on regulations and standards. According to [9], readers with more power and higher duty cycles can read tags more accurately, more quickly, and at greater distances. However, the use of high transmit power also increases the risk of eavesdropping. This guideline can be achieved by MT4, MT3, and MT8.
Reasoning: This guideline is formulated according to the MAS principle proposed in the security by design framework. Table 9 represents the stakeholders who might use this guideline. For instance, CNS, DEV and PRV could conduct pilot installations that evaluate the performance of RFID applications in the planned environments. Also, MAN could implement RFID anti-collision protocols (e.g., ALOHA-based or tree-based algorithms) [72]. For interested readers, all types of RFID collisions are described in [189].

B. (G2) PROTECT CRITICAL INFORMATION
This guideline suggests that each RFID tag must be equipped with specific mechanisms (e.g., countermeasures against side-channel analysis) to inhibit fraudulent attempts to obtain its vital information. Several side channels, such as power analysis, can be exploited by an adversary to reveal sensitive information about an object even if its communication link is encrypted. For example, if an attacker could, by any technique, read the tags at the entrance of a home, the attacker could estimate the number of people in the home at any time simply by counting the tag-reader exchanges [190]. This guideline requires that different mitigation techniques (MT5, MT2, MT3, and MT8) be implemented in RFID applications.
Reasoning: This guideline is derived in accordance with the DD principle and the HID principle proposed in the security by design framework and the privacy by design framework, respectively. Table 9 represents the stakeholders who may utilize this guideline. This guideline is not applicable to CNSs, as they cannot equip their RFID-enabled objects with special countermeasures, such as side-channel protections, to prevent illegal attempts to obtain their personal information.

C. (G3) PREVENT REVERSE ENGINEERING
Since some RFID-based IoT objects may be deployed in remote environments (e.g., the oil and gas industry), such objects are prone to physical attacks such as reverse engineering. An adversary, for example, could gain access to an object and take it apart to uncover its key security parameters and components. Therefore, this guideline suggests that each RFID-based IoT object should be equipped with a tamper-proof mechanism to prevent reverse engineering attacks [191]. It can be implemented by MT6.
Reasoning: This guideline is derived in accordance with the DD principle proposed in the security by design framework. Table 9 represents the stakeholders who may utilize this guideline. This guideline is not applicable for Provider (PRV) and Consumer (CNS) as they cannot equip their RFID objects with a tamper-proofing mechanism.

D. (G4) PROVIDE DISTANCE-BASED INFORMATION
This guideline indicates that an RFID tag must provide its information to a reader if and only if the reader is located within a predefined range. For example, a tag could publish only public data if scanned at 10 meters, while it could offer its unique identifier if scanned within 1 meter [18]. This guideline can be implemented by MT9.
Reasoning: This guideline is stated in accordance with the HID principle and the MAS principle proposed in the privacy by design framework and the security by design framework, respectively. Table 9 shows the stakeholders that may benefit from this guideline.

E. (G5) CHECK ALL READER REQUESTS TO TAGS
To prevent unwanted scanning of RFID tags, the authors in [158] indicated the importance of examining all requests from readers. For this purpose, an object with high hardware capacity in terms of memory, computing power, and storage can be used. It can be implemented by MT7.
Reasoning: This guideline is stated in accordance with the DD principle proposed in the security by design framework. Table 9 identifies the stakeholders who may utilize this guideline.
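As a worked illustration of G4 and G5 together (an added example, not code from the paper or from [158]), the following Python policy engine plays the role of a personal firewall (MT7) running on a guardian device such as the owner's phone: it evaluates each reader request against the tag's privacy bit (MT8), the estimated reader distance (MT9) and the workplace-distance policy quoted under MT7 above, and a soft-blocking monitor records readers that ask for data the policy withholds. Reader identifiers, field names, the 1 m and 50 m thresholds and the way distance is estimated are assumptions made for the demonstration.

```python
"""Personal RFID firewall (MT7), privacy bit / soft blocking (MT8) and
distance-based disclosure (MT9) as one policy engine for G4 and G5.

Added example, not code from the paper or its references. The engine runs
on a guardian device (e.g., the owner's phone) in front of the tag's data
and decides, per reader request, which fields may be released. Reader IDs,
field names, the 1 m / 50 m thresholds and how distance is estimated are
assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Data tiers a tag may hold (assumed layout): PUBLIC is safe for any scan,
# UNIQUE_ID enables tracking, PERSONAL is linked to the owner.
PUBLIC, UNIQUE_ID, PERSONAL = "public", "unique_id", "personal"
ID_RANGE_M = 1.0          # MT9: identifier only released within this range
WORKPLACE_RANGE_M = 50.0  # MT7 policy from [188]: personal data near work only


@dataclass
class TagState:
    privacy_bit: int             # MT8: 0 = public tag, 1 = private tag
    trusted_readers: frozenset   # readers allowed to see PERSONAL data


@dataclass
class ReaderRequest:
    reader_id: str
    fields: Tuple[str, ...]      # fields the reader asks for
    reader_distance_m: float     # MT9: estimated tag-reader distance
    owner_to_workplace_m: float  # context supplied by the guardian device


@dataclass
class Decision:
    released: Tuple[str, ...]
    denied: Dict[str, str]       # field -> reason it was withheld


def _deny_reason(tag: TagState, req: ReaderRequest, f: str) -> Optional[str]:
    """Return why field f must be withheld, or None if it may be released."""
    if f not in (PUBLIC, UNIQUE_ID, PERSONAL):
        return "unknown field"
    # MT8: a private tag answers nobody but its trusted readers.
    if tag.privacy_bit == 1 and req.reader_id not in tag.trusted_readers:
        return "privacy bit set"
    # MT9: public data at any range, the identifier only at close range.
    if f == UNIQUE_ID and req.reader_distance_m > ID_RANGE_M:
        return "identifier only released within %.0f m" % ID_RANGE_M
    # MT7: personal data only to trusted readers and only near the workplace.
    if f == PERSONAL:
        if req.reader_id not in tag.trusted_readers:
            return "personal data only to trusted readers"
        if req.owner_to_workplace_m > WORKPLACE_RANGE_M:
            return "owner not within %.0f m of workplace" % WORKPLACE_RANGE_M
    return None


def evaluate(tag: TagState, req: ReaderRequest) -> Decision:
    """Apply the policy to one reader request."""
    released: List[str] = []
    denied: Dict[str, str] = {}
    for f in req.fields:
        reason = _deny_reason(tag, req, f)
        if reason is None:
            released.append(f)
        else:
            denied[f] = reason
    return Decision(tuple(released), denied)


class PolicyMonitor:
    """Soft-blocking monitor: records readers that ask for data the policy
    withholds, so misbehaving readers can be detected (MT8)."""

    def __init__(self) -> None:
        self.violations: List[Tuple[str, str]] = []

    def observe(self, req: ReaderRequest, decision: Decision) -> None:
        for f, reason in decision.denied.items():
            self.violations.append((req.reader_id, f + ": " + reason))


if __name__ == "__main__":
    # Constructed sample: the owner's tag, a foreign reader in a shop and the
    # owner's office reader.
    tag = TagState(privacy_bit=0, trusted_readers=frozenset({"office-reader-1"}))
    monitor = PolicyMonitor()
    shop = ReaderRequest("shop-reader-9", (PUBLIC, UNIQUE_ID, PERSONAL), 10.0, 3000.0)
    office = ReaderRequest("office-reader-1", (PUBLIC, UNIQUE_ID, PERSONAL), 0.5, 20.0)
    for req in (shop, office):
        d = evaluate(tag, req)
        monitor.observe(req, d)
        print(req.reader_id, "released", d.released, "denied", d.denied)
    print("violations:", monitor.violations)
```

The checks are ordered so that the coarsest control (the privacy bit) is applied first and the most context-dependent one (workplace distance) last; a request from an unknown shop reader at 10 m receives only the public tier, while the trusted office reader at 0.5 m receives everything.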

F. (G6) CHANGE ANONYMOUS ID FREQUENTLY
In [192], a technique based on a lookup table was proposed to prevent attackers from recovering the real IDs of tags from their anonymous IDs. Nevertheless, adversaries could still track RFID tags as long as their anonymous IDs are not changed over time. Two mitigation approaches (MT5 and MT1) can be used to achieve this guideline.
Reasoning: This guideline is derived in accordance with the HID principle proposed in privacy by design framework. Table 9 identifies the stakeholders who may utilize this guideline.
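The anonymous-ID mechanism of MT5 and the rotation requirement of G6 can be seen together in the following Python example, which is added here and is not code from the paper or from [152]/[192]. The tag derives each pseudonym from a per-tag secret and a counter and advances the counter after every answer, so successive reads of the same tag are unlinkable to an eavesdropper; the back-end keeps the lookup table from pseudonyms to the genuine ID and slides a small window of upcoming pseudonyms forward after each read, which tolerates a few missed reads and rejects replayed pseudonyms. Secret length, pseudonym length and window size are assumptions.

```python
"""Anonymous-ID lookup table with frequent pseudonym rotation (MT5, G6).

Added example, not code from the paper or from [152]/[192]. The tag emits a
pseudonym computed from a per-tag secret and a counter, and advances the
counter after every answer, so two reads of the same tag look unrelated to
an eavesdropper. The back-end keeps the lookup table from pseudonyms to the
genuine ID and slides a small window of upcoming pseudonyms forward after
each read, which tolerates a few missed reads and rejects replayed
pseudonyms. Secret length, pseudonym length and window size are assumptions.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

PSEUDONYM_BYTES = 8   # assumed over-the-air identifier length
LOOKAHEAD = 3         # missed reads tolerated before resynchronization is needed


def pseudonym(secret: bytes, counter: int) -> bytes:
    """Pseudonym for one counter value; unlinkable without the secret."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:PSEUDONYM_BYTES]


class Tag:
    """Tag side: stores the secret and a counter, never sends the genuine ID."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def respond(self) -> bytes:
        """Answer a reader query with the current pseudonym, then rotate."""
        p = pseudonym(self._secret, self._counter)
        self._counter += 1
        return p


class Backend:
    """Reader/back-end side: lookup table pseudonym -> (genuine ID, counter)."""

    def __init__(self) -> None:
        self._table: Dict[bytes, Tuple[str, int]] = {}
        self._tags: Dict[str, Tuple[bytes, int]] = {}   # id -> (secret, window base)

    def enroll(self, genuine_id: str, secret: bytes) -> None:
        self._tags[genuine_id] = (secret, 0)
        for c in range(LOOKAHEAD):
            self._table[pseudonym(secret, c)] = (genuine_id, c)

    def resolve(self, observed: bytes) -> Optional[str]:
        """Map an observed pseudonym to the genuine ID, or None if unknown,
        replayed, or beyond the lookahead window."""
        hit = self._table.get(observed)
        if hit is None:
            return None
        genuine_id, used = hit
        secret, base = self._tags[genuine_id]
        # Consume the used pseudonym and any skipped ones so they cannot be
        # replayed, then extend the window so the next read still resolves.
        for c in range(base, used + 1):
            self._table.pop(pseudonym(secret, c), None)
        for c in range(base + LOOKAHEAD, used + 1 + LOOKAHEAD):
            self._table[pseudonym(secret, c)] = (genuine_id, c)
        self._tags[genuine_id] = (secret, used + 1)
        return genuine_id


if __name__ == "__main__":
    # Constructed sample: one enrolled tag read twice by the legitimate
    # reader, then one captured pseudonym replayed by an attacker.
    secret = bytes(range(16))
    tag, backend = Tag(secret), Backend()
    backend.enroll("EPC-0001", secret)
    p1, p2 = tag.respond(), tag.respond()
    print("pseudonyms differ:", p1 != p2)
    print("first read ->", backend.resolve(p1))
    print("second read ->", backend.resolve(p2))
    print("replay of first ->", backend.resolve(p1))
```

The price of rotation is the desynchronization problem mentioned in Section IX-C: if a tag answers more than LOOKAHEAD times without the back-end seeing it (for example to a rogue reader), its next pseudonym falls outside the window and the tag must be re-synchronized out of band.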

G. (G7) SECURE KILL COMMAND
During manufacturing, tags are provisioned with a kill command protected by a unique PIN (e.g., the 32-bit kill password of EPC Class-1 Generation-2 tags). With this feature, a tag can be permanently killed or disabled by a reader that presents the valid PIN. For instance, a tag on a supermarket product might be killed or deactivated by a supermarket employee upon sale of the product, protecting customer privacy and preventing tracking [193]. This guideline therefore suggests that the kill command of each RFID tag should be protected so that tags cannot be killed by unauthorized readers. Isolation of tags, as well as blocking, can be considered direct ways to protect the kill command, as attackers cannot reach such tags. The authors in [159] indicated the importance of using a personal RFID firewall to make kill commands more secure. This guideline can be implemented by MT3, MT7, and MT8.
Reasoning: This guideline is formulated in accordance with the CON principle proposed in the privacy by design framework. Table 9 recognizes the stakeholders who may utilize this guideline.

H. (G8) PREVENT PHYSICAL TAMPERING
In some cases, RFID-enabled objects are installed and operated in remote or hostile environments in which direct physical access to them is possible, making them susceptible to hardware and software attacks [194]. Therefore, this guideline suggests that each IoT object should be equipped with a suitable tamper-resistant measure. It can be implemented by MT6.
Reasoning: This guideline is stated according to the DD principle proposed in the security by design framework, as well as the HID principle proposed in the privacy by design framework. Table 9 recognizes the stakeholders who can use this guideline.

I. (G9) IMPLEMENT HARDWARE TRUST
Trust in data is of paramount importance in RFID-based IoT applications, as such applications communicate with each other to accomplish certain tasks. If the data INTG of a single sensor has been compromised, the entire RFID-based IoT application may be considered insecure. For example, a humidity sensor could be modified to always report a fixed, inaccurate value instead of the real one [195]. Therefore, this guideline suggests the use of hardware trust in each object, such as a PUF. It can be implemented by MT6 and MT1.
Reasoning: This guideline is formulated according to the DD principle proposed in security by design framework. Table 9 shows the stakeholders who may utilize this guideline.
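The PUF-based hardware trust called for by MT6 and G9 is illustrated by the following Python example, which is added here and is not code from the paper. A real PUF answers a challenge with a response fixed by the chip's manufacturing variation and slightly noisy from one evaluation to the next; here that behaviour is simulated in software (an HMAC keyed by a device-unique value, with random bit flips for noise), which is an assumption so that the example runs, not a PUF construction. The verifier enrolls challenge-response pairs (CRPs) once in a trusted setting, later authenticates with a fresh CRP that is never reused, and accepts when the Hamming distance to the enrolled response stays within an error threshold; a clone built from different silicon fails. Response length, noise rate and threshold are assumed values.

```python
"""PUF challenge-response authentication of an RFID object (MT6, G9).

Added example, not code from the paper. A PUF answers a challenge with a
response fixed by the chip's manufacturing variation and slightly noisy
from one evaluation to the next. Here the PUF is simulated in software (an
HMAC keyed by a device-unique value, with random bit flips for noise); that
is an assumption so the example runs, not a PUF construction. The verifier
enrolls challenge-response pairs (CRPs) once in a trusted setting, later
authenticates with a fresh CRP that is never reused, and accepts when the
Hamming distance stays within an error threshold. Response length, noise
rate and threshold are assumed values.
"""
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

RESPONSE_BITS = 128
NOISE_RATE = 0.02   # assumed per-bit flip probability of a real evaluation
THRESHOLD = 16      # accept if at most this many bits differ from enrollment


class SimulatedPUF:
    """Software stand-in for a PUF: the intrinsic secret models silicon variation."""

    def __init__(self, intrinsic: bytes, rng: random.Random) -> None:
        self._intrinsic = intrinsic
        self._rng = rng

    def respond(self, challenge: bytes) -> int:
        ideal = hmac.new(self._intrinsic, challenge, hashlib.sha256).digest()
        response = int.from_bytes(ideal[: RESPONSE_BITS // 8], "big")
        for bit in range(RESPONSE_BITS):           # model evaluation noise
            if self._rng.random() < NOISE_RATE:
                response ^= 1 << bit
        return response


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two responses."""
    return bin(a ^ b).count("1")


class Verifier:
    """Holds CRPs per device; the tag itself stores no key material."""

    def __init__(self) -> None:
        self._crps: Dict[str, List[Tuple[bytes, int]]] = {}

    def enroll(self, device_id: str, puf: SimulatedPUF, n_crps: int,
               rng: random.Random) -> None:
        pairs = []
        for _ in range(n_crps):
            challenge = rng.getrandbits(128).to_bytes(16, "big")
            pairs.append((challenge, puf.respond(challenge)))
        self._crps[device_id] = pairs

    def authenticate(self, device_id: str, puf: SimulatedPUF) -> bool:
        pairs = self._crps.get(device_id)
        if not pairs:
            return False   # unknown device or CRP pool exhausted
        challenge, expected = pairs.pop()      # each CRP is used exactly once
        return hamming(puf.respond(challenge), expected) <= THRESHOLD


if __name__ == "__main__":
    rng = random.Random(2022)
    genuine = SimulatedPUF(b"device-A silicon", rng)   # constructed devices
    clone = SimulatedPUF(b"device-B silicon", rng)     # same firmware, other chip
    verifier = Verifier()
    verifier.enroll("tag-A", genuine, 2, rng)
    print("genuine:", verifier.authenticate("tag-A", genuine))
    print("clone:  ", verifier.authenticate("tag-A", clone))
    print("exhausted:", verifier.authenticate("tag-A", genuine))
```

Two properties of the scheme matter for the G9 argument: the tag holds no stored secret that reverse engineering (G3) could extract, and because every CRP is discarded after one use, a transcript captured by an eavesdropper cannot be replayed. The cost is that the verifier's CRP pool is finite and must be replenished in a trusted setting.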

J. (G10) AVOID UNTRUSTED MANUFACTURER
The growing demand for RFID applications and services has led to a proliferation of manufacturers, some of which (untrusted ones) may build products designed from the ground up to perform malicious activities. Such products can later be used by attackers to compromise the applications in which they are deployed. Thus, this guideline advises customers and developers to avoid purchasing RFID components or products from untrustworthy manufacturers [191]. This guideline can be implemented by MT4.
Reasoning: This guideline is formulated according to the DTS principle proposed in the security by design framework. Table 9 presents the stakeholders who may utilize this guideline.

K. (G11) USE UNIQUE SECURITY PARAMETERS
This guideline indicates that security parameters, such as the kill password of each tag, should be unique. The main advantage of this guideline is that the disclosure of the security parameters of one RFID object cannot be used to compromise other objects. This guideline can be achieved by MT1.
Reasoning: This guideline is derived in accordance with the ESD principle proposed in the security by design framework. Table 9 identifies the stakeholders who may utilize this guideline.
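G7 (secure kill command) and G11 (unique security parameters) can be demonstrated together, as in the following Python example, which is added here and is not code from the paper. A deployer derives a distinct kill password for every tag from a master key and the tag identifier, so that one leaked password compromises no other tag, and the simulated tag accepts the kill command only with its own password, which also supports the electronic disabling recommended at disposal (G15). The 32-bit password width and the all-zero "kill disabled" value follow EPC Class-1 Gen-2; the KDF, the identifiers, and the lockout after repeated failures (a defensive behaviour assumed here, not mandated by the standard) are assumptions.

```python
"""Per-tag kill passwords and an authenticated kill command (G7, G11, G15).

Added example, not code from the paper. A deployer derives a distinct kill
password for every tag from a master key and the tag's identifier (G11), so
one leaked password compromises no other tag, and a tag accepts the kill
command only with its own password (G7), which also supports electronic
disabling at disposal (G15). The 32-bit password width and the all-zero
"kill disabled" value follow EPC Class-1 Gen-2; the KDF, the lockout after
repeated failures (a defensive behaviour assumed here, not mandated by the
standard) and the identifiers are assumptions.
"""
import hashlib
import hmac
from typing import Dict, List

KILL_PW_BYTES = 4    # EPC Gen2 kill password is 32 bits
MAX_FAILURES = 3     # assumed lockout threshold against online guessing


def derive_kill_password(master_key: bytes, tag_id: bytes) -> bytes:
    """Unique per-tag password: truncated HMAC-SHA256(master, 'kill|' || tag_id)."""
    return hmac.new(master_key, b"kill|" + tag_id, hashlib.sha256).digest()[:KILL_PW_BYTES]


class Tag:
    """Simulated tag holding its own kill password in reserved memory."""

    def __init__(self, tag_id: bytes, kill_password: bytes) -> None:
        self.tag_id = tag_id
        self._kill_pw = kill_password
        self._failures = 0
        self.killed = False
        self.locked = False

    def kill(self, password: bytes) -> str:
        if self.killed:
            return "already-killed"
        if self.locked:
            return "locked"
        if self._kill_pw == bytes(KILL_PW_BYTES):
            return "kill-disabled"          # Gen2: zero password means not killable
        if hmac.compare_digest(password, self._kill_pw):
            self.killed = True              # permanent, no further replies
            return "killed"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self.locked = True
        return "rejected"


def demo() -> Dict[str, object]:
    """Constructed scenario: two tags, one master key, one leaked password."""
    master = bytes(range(32))
    tags = {i: Tag(i, derive_kill_password(master, i)) for i in (b"EPC-A", b"EPC-B")}
    pw_a = derive_kill_password(master, b"EPC-A")       # assume this one leaked
    results: Dict[str, object] = {}
    results["distinct"] = pw_a != derive_kill_password(master, b"EPC-B")
    results["cross_tag"] = tags[b"EPC-B"].kill(pw_a)    # A's password on tag B
    results["authorized"] = tags[b"EPC-A"].kill(pw_a)   # legitimate disposal
    attempts: List[str] = []
    for guess in range(3):                               # online guessing on B
        attempts.append(tags[b"EPC-B"].kill(guess.to_bytes(KILL_PW_BYTES, "big")))
    results["guessing"] = attempts
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Deriving passwords from a master key means the back-end needs to store only the master key and can recompute any tag's password on demand, but the master key then becomes the single secret whose compromise defeats G11; it should live in the back-end or an HSM, never on a reader in the field.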

L. (G12) SEPARATE PERSONAL INFORMATION FROM TAG IDENTIFIER
Some types of tags can store valuable or sensitive data on board about the objects and people they are attached to. Such a tag is known as an EPC tag, whose identifier consists of two components: a manufacturer code and a product code. As a consequence, people or objects equipped with EPC tags are vulnerable to inventory attacks [88]. In [196], the authors stated that threats and attacks on RFID systems can increase exponentially if the tags' identifiers are combined with personal information. Therefore, this guideline recommends that personal information (e.g., credit card data and personal profiles) be separated from tag identifiers. The main goal of this guideline is to mitigate privacy issues while increasing the acceptance of, and transparency associated with, RFID systems; the security of this type of tag is therefore essential. Two mitigation techniques, namely MT5 and MT1, can be used to carry out this guideline.
Reasoning: This guideline is stated based on the HID, SEP and ENF principles proposed in the privacy by design framework. Table 9 presents the stakeholders who may utilize this guideline.

M. (G13) PREVENT TAG COUNTERFEITING
In [125], the authors showed that the only scenario in which an adversary could counterfeit a tag in RFID applications is by modifying the identity of the tag using tag manipulation techniques (e.g., side-channel analysis and eavesdropping). Therefore, this guideline suggests that each RFID tag should be equipped with a lightweight anti-counterfeiting technique to protect its identity. It can be implemented by MT1 and MT8.
Reasoning: This guideline is formulated in accordance with the DD principle proposed in the security by design framework. Table 9 recognizes the stakeholders involved in this guideline.

N. (G14) PREVENT TRACKING
Since most RFID tags contain unique identifiers related to people or physical objects, attackers can use them to track their bearers. Thus, this guideline suggests that tag identifiers should not be readable by unauthorized readers [196]. Four countermeasures, namely MT5, MT8, MT3 and MT2, can be used to carry out this guideline.
Reasoning: This guideline is stated in accordance with the HID principle proposed in the privacy by design framework. This guideline can be used by all IoT stakeholders (see Table 9).

O. (G15) SECURE DISPOSAL OF TAGS
Discarding RFID tags when they are no longer required to perform their intended functions could pose several privacy risks. For example, an attacker could use the still-active tags to track people or products and, more importantly, could obtain access to sensitive data stored on the tags. The secure disposal of RFID components, physically or electronically, is therefore an indispensable requirement. When a tag supports an electronic disabling technique, its kill command can be used to render it permanently unusable; alternatively, a strong electromagnetic field, shredding or manual tearing can be used to physically destroy the tag circuitry. Disabling tags before disposal is recommended, as it can be done without physical access to each tag. This guideline can be achieved using MT4, MT2, and MT10.
Reasoning: This guideline is derived in accordance with the CON principle and the DD principle proposed in the privacy by design framework and the security by design framework, respectively. This guideline can be used by all IoT stakeholders (see Table 9).

P. (G16) ENCRYPT THE DATA ON TAGS
Encrypting sensitive data stored on tags is essential to prevent attackers and unauthorized persons from reading or misusing such data. The encryption does not have to be performed by the tag; it can be carried out by a reader or by the middleware instead, because encryption requires a key management approach that is very complicated for a tag to implement and manage. When encryption and decryption are carried out by the reader or middleware, network access is required to read the data stored on the tag. This technique is therefore not suitable for mobile readers that lack real-time network access. Furthermore, sending tag data to network components to be encrypted or decrypted introduces network delay in RFID applications that require fast read and write transactions. This guideline can be implemented by MT1.
Reasoning: This guideline is developed on the basis of the ENF and AGG principles proposed in the privacy by design framework, as well as the DD principle proposed in the security by design framework. Table 9 presents the stakeholders who may utilize this guideline.

Q. (G17) USE STRONG AUTHENTICATION
This guideline is very important for a reader to separate fake tags from legitimate ones. Note that standard EPC tags lack cryptographic access control, so an attacker could use an RFID simulator to emulate certain tags and fool a reader. Mutual authentication, the procedure by which the tag and the reader verify each other's identity, can be used to enhance the security of RFID applications. Due to the limitations of RFID tags in terms of computational power and memory, heavyweight cryptographic techniques cannot be implemented on the tags to accomplish the security goals [143]. To contribute to this objective, a set of lightweight approaches, such as simple one-way hash functions and pseudorandom number generators for RFID tags, has been proposed. Ongoing efforts to develop lightweight protocols for securely authenticating RFID tags and readers are summarized in Table 8.
Reasoning: This guideline is stated based on the DD principle proposed in the security by design framework. Table 9 identifies the stakeholders who may utilize this guideline.
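The kind of lightweight mutual authentication G17 calls for, built only from a keyed hash and a random number generator, is shown below with both sides' messages. This is an added Python example, not one of the protocols in Table 8 and not code from the paper. Tag and back-end share a per-tag key; each side contributes a fresh nonce and proves knowledge of the key with a truncated HMAC over both nonces, so a replayed transcript or an RFID simulator without the key fails, and the tag never sends its identity in clear: the back-end identifies it by trying its key table, an O(n) search that is acceptable for a small tag population (an assumption here). Nonce and MAC sizes and the domain-separation labels are assumptions.

```python
"""Lightweight hash-based mutual authentication of tag and reader (G17).

Added example, not one of the protocols in Table 8. Tag and back-end share a
per-tag key; each side contributes a fresh nonce and proves knowledge of the
key with a truncated HMAC over both nonces, so a replayed transcript or an
RFID simulator without the key fails, and the tag never sends its identity in
clear: the back-end identifies it by trying its key table, an O(n) search
acceptable for a small population (assumed here). Nonce and MAC sizes and the
domain-separation labels are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

NONCE_BYTES = 8
TAG_BYTES = 8   # truncated MAC, as a constrained tag would send


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:TAG_BYTES]


class Tag:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._session: Optional[Tuple[bytes, bytes]] = None  # (n_reader, n_tag)

    def step1(self, n_reader: bytes) -> Tuple[bytes, bytes]:
        """Reader -> Tag: n_reader.  Tag -> Reader: n_tag, MAC(key, 'T', n_reader, n_tag)."""
        n_tag = secrets.token_bytes(NONCE_BYTES)
        self._session = (n_reader, n_tag)
        return n_tag, _mac(self._key, b"T", n_reader, n_tag)

    def step3(self, reader_proof: bytes) -> bool:
        """Reader -> Tag: MAC(key, 'R', n_tag, n_reader); the tag verifies the reader."""
        if self._session is None:
            return False
        n_reader, n_tag = self._session
        self._session = None                       # one proof per session
        return hmac.compare_digest(reader_proof, _mac(self._key, b"R", n_tag, n_reader))


class Reader:
    def __init__(self, key_table: Dict[str, bytes]) -> None:
        self._keys = key_table   # tag_id -> key, held by the back-end

    def challenge(self) -> bytes:
        return secrets.token_bytes(NONCE_BYTES)

    def verify(self, n_reader: bytes, n_tag: bytes,
               tag_proof: bytes) -> Tuple[Optional[str], Optional[bytes]]:
        """Identify the tag by its proof; return (tag_id, reader_proof) or (None, None)."""
        for tag_id, key in self._keys.items():
            if hmac.compare_digest(tag_proof, _mac(key, b"T", n_reader, n_tag)):
                return tag_id, _mac(key, b"R", n_tag, n_reader)
        return None, None


def run_protocol(reader: Reader, tag: Tag) -> Tuple[Optional[str], bool]:
    """Full exchange; returns (identified tag or None, reader authenticated?)."""
    n_reader = reader.challenge()
    n_tag, tag_proof = tag.step1(n_reader)
    tag_id, reader_proof = reader.verify(n_reader, n_tag, tag_proof)
    if tag_id is None or reader_proof is None:
        return None, False
    return tag_id, tag.step3(reader_proof)


if __name__ == "__main__":
    keys = {"EPC-0001": b"k1" * 8, "EPC-0002": b"k2" * 8}   # constructed key table
    reader = Reader(keys)
    print("genuine tag:", run_protocol(reader, Tag(keys["EPC-0002"])))
    print("simulator without key:", run_protocol(reader, Tag(b"guess" * 3)))
    # Replay: an eavesdropper reuses a captured tag answer against a new challenge.
    genuine = Tag(keys["EPC-0002"])
    n1 = reader.challenge()
    n_tag, proof = genuine.step1(n1)
    print("live:", reader.verify(n1, n_tag, proof)[0],
          "replay:", reader.verify(reader.challenge(), n_tag, proof)[0])
```

The distinct labels 'T' and 'R' keep the two proofs from being reflected back at the side that produced them, and the tag's proof is bound to the reader's nonce so that a captured answer is useless against a fresh challenge. The key-table scan is the lightweight price of not revealing the tag identifier; the pseudonym table of G6 is one way to bring it back to constant time.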

R. (G18) MINIMIZE DISTANCE BETWEEN READER AND TAG
In RFID applications, distance requirements play an important role in determining the type of tag to be deployed. The required distance between the tag and the reader may also have security implications. For example, longer distances make it easier for an attacker to eavesdrop on their communications, and they give attackers the opportunity to use their own readers to perform illegal transactions more simply and efficiently. In some RFID applications, setting the correct distance between the tag and the reader requires considerable effort from developers. For example, the authors of [197] state that an RFID application that authorizes access to a garage may require drivers to hold an RFID-enabled card within inches of the reader, or may instead need proximity of several feet to an RFID-enabled transponder in the car. This choice needs to consider various factors such as price and convenience. This guideline requires that different mitigation techniques (MT10, MT4, MT3, and MT8) be implemented in RFID systems.
Reasoning: This guideline is formulated according to the MAS principle proposed in the security by design framework. Table 9 identifies the stakeholders who may use this guideline. Figure 3 summarizes the connection between our proposed guidelines for RFID tags, followed by their appropriate mitigation techniques and associated attack vectors.

IX. DISCUSSION AND FUTURE WORK
A. THE ABSENCE OF AWARENESS AMONG RFID STAKEHOLDERS
The lack of awareness of the security risks of RFID-based IoT objects is widespread among all stakeholders. Some of them do not have enough knowledge of the attacks and threats they may face in the future, nor do they know the mitigation strategies required to prevent them. For example, most customers not only lack a basic understanding of their objects, but also do not comprehend the impact such objects can have on their environments if hacked or misused [198]. As a consequence, many objects may not be patched and are therefore exposed to different attacks and threats. Manufacturers also must educate and motivate their employees to adopt security best practices [199]. Therefore, it is necessary to raise awareness among RFID stakeholders of the consequences of existing RFID attacks and threats, of the use of appropriate mitigation techniques, and, more importantly, of the advantages of applying security and privacy guidelines in the early stages of RFID development.

B. LACK OF GUIDELINES FOR RFID DATA AT REST
The main objective of this work is to suggest a set of security and privacy guidelines and their mitigation techniques for RFID-based IoT applications. However, these guidelines are specifically designed to protect tags, readers, and their communications. Protecting the data at rest of RFID-based IoT applications, whether in the back-end database or in the cloud, is a major limitation of our work and is beyond the scope of this paper. Data protection at rest is absolutely necessary, as different applications may collaborate to perform certain tasks and services. In this case, if the data INTG at rest of a single application is compromised, there is a very high risk of a cascading data breach. For example, the authors in [188] indicate that thermostats in smart homes depend entirely on smoke detector data to turn off heating systems in case of emergency. If an attacker could manipulate these data, he or she might expose the entire smart home to danger.
Furthermore, once RFID-based IoT applications store their data in the cloud, there is no guarantee that only legitimate objects or users will have access to these data. ENISA (https://www.enisa.europa.eu/) gives an example in which an employee (the adversary) of the Sharplocks company, owing to the access rights granted to him, was able to push a malicious update from the client's server to all of its connected objects.
To mitigate individual privacy violations and unauthorized access associated with IoT data at rest, we proposed, in our previous work [76], a set of security and privacy guidelines for IoT data at rest. Such guidelines can be used by IoT stakeholders to develop secure IoT applications from the outset, and thus reinforce security and privacy by design. However, that framework was designed for IoT applications in general. In theory, it could also be used to partially protect RFID-based IoT applications, since some of its guidelines, such as minimizing data storage, encrypting data storage, and minimizing data retention, apply to the data at rest of any application, including RFID-based IoT applications. Nevertheless, a list of security and privacy guidelines must be explicitly derived to protect RFID data at rest in the future.

C. OPEN ISSUES AND CHALLENGES
Researchers and scientists have developed various security measures in recent decades to make RFID applications resistant to a variety of threats and attacks. However, currently there is no fully tested mechanism to protect RFID applications against all possible attacks. As soon as a new security technique is introduced by some scientists, attackers change their approach to attack a system. Thus, existing security mechanisms are always open to improvement and, at the same time, many issues need to be addressed. Therefore, researchers are motivated to work in this critical area of implementing complete solutions for the RFID system. This subsection presents several problems and challenges facing current security strategies.

1) NEED OF ULTRA-LIGHTWEIGHT SECURITY TECHNIQUES
Due to RFID-enabled devices' limitations, such as small battery sizes and small memory capacity, it is always a challenge to develop ultra-lightweight security solutions that can cope with these constraints and at the same time provide security against all types of RFID attacks. Section VII introduces multiple lightweight security methods for RFID objects that utilize OR and XOR operations. However, such security approaches do not ensure security against a variety of attacks (e.g., desynchronization and tracking attacks) [200], [201]. Therefore, developing an approach that can withstand a variety of attacks remains an open challenge. Furthermore, researchers can constantly work to minimize the battery and memory requirements of RFID-enabled devices.

2) NEED OF SECURE AUTHENTICATION TECHNIQUE
Verifying the identity of communicating objects in RFID applications is a mandatory requirement. To date, researchers have used several mechanisms [202], [203], [204] to provide authentication for RFID applications, such as elliptic curve cryptography, symmetric key cryptography, and others. However, the development of a single mechanism that takes into account all types of authentication problems remains an open challenge.

3) NEED OF HASH FUNCTIONS WITH LESS COMPUTATION OVERHEAD
Hash functions are widespread in the RFID security methods proposed to implement authentication and integrity in RFID systems. However, hash functions are computationally intensive, while the computing power of RFID objects is limited, which makes it difficult to provide protection against a variety of security threats [200]. This means that a hash function for tags must have a smaller output and enable secure communication at low computational cost, bearing in mind that a shorter output also weakens collision and preimage resistance, so the reduction must be chosen with care. Therefore, the development of hash functions with lower computational complexity is another research challenge.

4) NEED OF LIGHTWEIGHT CIPHER WITH OPTIMAL KEY SIZE
To develop lightweight ciphers, it is necessary to take into account key size and block size. Larger keys and blocks increase the overall computing demands on RFID objects. However, as the key or block size decreases, an attacker can more easily break the cipher by guessing its key. For this reason, key and block sizes must be chosen so that attackers cannot easily break the cipher [205]. A new approach must be hardware efficient, consume minimal computing power, and resist all types of security attacks.

5) NEED OF SECURE AND EFFICIENT STREAM CIPHERS
Current stream-cipher designs are built from round functions, operations, components, and structures; a common design is a fixed permutation, as in hash functions. Many stream ciphers have been presented by different researchers [206], [207], [208]. However, such stream ciphers have many limitations [175], [209]: they are vulnerable to related-key attacks, for example. Therefore, researchers working on secure and efficient RFID applications find it challenging to build a stream cipher that addresses all of these shortcomings. To contribute to this goal, new solutions must take into account various metrics such as power consumption, throughput, and interface, as well as several security issues.

X. CONCLUSION
This article begins by describing the growth and influence of IoT across various domains, with RFID technology as a crucial component largely responsible for that success. However, while guidelines, known mitigations, and attack identification exist and have been researched over the past years, security and privacy threats and attacks have not been addressed as a whole. Therefore, the major contribution of this work lies in providing the first review and modelling of its kind that analyzes the vast landscape of RFID-based IoT, its existing threats, mitigations, and common security and privacy practices, bringing them together into a single security framework (Figure 3).
To accomplish this, a set of research questions is introduced to serve as the road map for this study. In RQ1 and RQ3, we outline security goals and discuss security and privacy by design frameworks for RFID-based IoT applications. From there, we define several concepts in the scope of RFID-based IoT applications: (i) a security attack, (ii) a secure object/application, (iii) a privacy guideline, and (iv) a security guideline.
In RQ2, we highlight the relevant RFID standards, analyze their recommended security features, and link them to security goals. This research question illustrates that many studies have been conducted to develop various authentication protocols that meet the EPC1S2 standard.
In RQ4 and RQ5, we provide the reader with the opportunity to explore which attacks against RFID-based IoT applications have been initiated and which security goals such as CONF, INTG, and AVAL have been violated, and more importantly, how they have been mitigated. Furthermore, these two research questions show that researchers have worked hard to develop effective and secure RFID systems. However, there is room for improvement in some areas. Therefore, this article also provides some open issues and challenges that researchers working in this important area should address in the future.
In RQ6, we aim to improve security and privacy by design for RFID-enabled devices with a number of guidelines. Each of the presented guidelines is analysed and provided with a reasoning on why we think a certain guideline is appropriate for issuing one or more mitigations for certain attacks. As a whole this synthesizes and structures the security framework into a helpful tool for the security and privacy by design concept.
As pointed out in the previous section, providing guidelines for RFID data at rest would be a natural extension of this work and is left for future work. It was deemed out of scope here, as we focus on the RFID communication technology itself and not on the data within the IoT device.

engineering from Geneva University, Switzerland, in 2019. His research interests include the Internet of Things (IoT), security and privacy by design for IoT, cyber security, use and misuse models, and, more importantly, security and privacy guidelines for IoT. In addition to his educational background and having published many articles in peer-reviewed journals, he has more than four years of experience in teaching, more specifically in software engineering.
NIELS ALEXANDER NIJDAM received the Ph.D. degree in computer science from MIRALab, University of Geneva. His research topics included collaborative systems, distributed networking, remote simulations and rendering, and programmable graphics with the University of Geneva. He is currently a Computer Scientist and a Senior Researcher and is leading the Information Security Group (I-Sec Laboratory). Beyond that, he has been active in the medical domain (MRI imaging), avatar systems, cyber security, the Internet of Things, and more recently on autonomous shuttles and smart cities (with a focus on cyber security and privacy).
DIMITRI KONSTANTAS is currently a Professor at the Geneva School of Economics and Management (GSEM), University of Geneva (CH), and the Director of the Information Science Institute (ISI) and a member of the Information Service Science Institute, University Center of Computer Science (CUI), having served for seven years as the Vice Dean of the Faculty of Social and Economic Sciences, CH. He has been active, since 1987, in research in the areas of object oriented systems, e-commerce services, information security, mobile services, e-health and m-health services of elderly, and recently in shared mobility solutions. He has more than 150 publications in international conferences, journals, books, and book chapters, a long participation and leadership in numerous European projects, many nominations as a consultant and a scientific expert for several international companies and governments, and has launched three start-ups and acted as coach to numerous university start-ups. Since May 2018, he has been coordinating the H2020 European Project AVENUE, which targets in the validation of autonomous vehicles for public transportation.