With the exponential increase of Internet of things (IoT) connected devices, important security risks are raised as any device could be used as an attack channel. This preoccupation is particularly important with devices featuring limited processing power and memory capabilities for security purposes. In line with this idea, Xu et al. (2018) proposed a lightweight Radio Frequency Identification (RFID) mutual authentication protocol based on Physical Unclonable Function (PUF)-ensuring mutual tag-reader verification and preventing clone attacks. While Xu et al. claim that their security protocol is efficient to protect RFID systems, we found it still vulnerable to a desynchronization attack and to a secret disclosure attack. Hence, guidelines for the improvements to the protocol are also suggested, for instance by changing the structure of the messages to avoid trivial attacks. In addition, we provide an explicit protocol for which our formal and informal security analysis have found no weaknesses.
Keywords: IoT; RFID; authentication protocol; desynchronization attack; physical unclonable function; security.