Shostack + Friends Blog Archive


Threat Modeling The Library

In a long, interesting article in Wired on “The RFID Hacking Underground,” I came across this quote:

While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks.

The article went on to describe how checking out books is automated. So, here’s an interesting attack:

  1. Discover which out-of-print books sell for a lot on eBay. (I once paid $50 for a copy of Vernor Vinge’s True Names and Other Lies. It’s hard to buy gifts for some folks.)
  2. Discover which libraries have the book in question.
  3. Enter library, replace the ID in the tag with the ID of Harry Potter and the Discount Bin Paperback.
  4. Check out the book as normal.
  5. Return Harry Potter and the Discount Bin Paperback.
  6. Profit.
  7. Repeat indefinitely.

This is actually a variant of an attack which happens today. Jerks People steal first editions, rare books, and expensive books from libraries all the time. The automation of the check out process means that they don’t even need to hide the book in a foil-lined bag.

(Image from Stock.Echng.)

4 comments on "Threat Modeling The Library"

  • Anonymous says:

    That wasn’t a gift for Tim May, was it? Inquiring minds want to know!

  • Adam says:

    It was not.

  • Scott says:

    Is it my imagination or does the automation of the checkout process do exactly nothing to the thieves (who are easily stealing the books anyway, as you point out, via a method that defeats the RFID as easily as the mag stripe) and does in fact make it a lot easier/faster for everyone else to get through the process?
    Sounds to me like the perfect application of RFID. No imaginary security benefit and lots of process improvement for the consumer.

  • Adam says:

    The RFID enables thieves to conceal their activity a bit better. Today, they need to slip the books into a bag. With RFID they don’t.
    I was responding to the “hard to imagine” bit.
