DoS, impersonation and de-synchronization attacks against an ultra-lightweight RFID mutual authentication protocol for IoT

In recent years, RFID (radio-frequency identification) systems are widely used in many applications. One of the most important applications for this technology is the Internet of things (IoT). Therefore, researchers have proposed several authentication protocols that can be employed in RFID-based IoT systems, and they have claimed that their protocols can satisfy all security requirements of these systems. However, in RFID-based IoT systems we have mobile readers that can be compromised by the adversary. Due to this attack, the adversary can compromise a legitimate reader and obtain its secrets. So, the protocol designers must consider the security of their proposals even in the reader compromised scenario. In this paper, we consider the security of the ultra-lightweight RFID mutual authentication (ULRMAPC) protocol recently proposed by Fan et al. They claimed that their protocol could be applied in the IoT systems and provide strong security. However, in this paper we show that their protocol is vulnerable to denial of service, reader and tag impersonation and de-synchronization attacks. To provide a solution, we present a new authentication protocol, which is more secure than the ULRMAPC protocol and also can be employed in RFID-based IoT systems.