Disclaimer: Do not attempt to do anything I do, or say. I have no idea, but such activity may be incriminating. This blog is only a proof of concept, not a means of material or identity theft. It is only for information about how terrible this library's security system is!
First off, let me start with the main focus of the attack. We have the 3M™ SelfCheck™ System V-Series self-service book check out station. Through empirical testing I have found that is it a V1 model (which will become obvious later). To use one of these machines you first scan the barcode on your library card, then slide the book along the V shape up to the barcode reader, and it simultaneously desensitizes the TattleTape security strip in the spine of the book and scans in the barcode of the book. You can then press 'print receipt' on the touchscreen to print out the receipt of your checked-out book, or scan more books then print the receipt.
I tested how durable the system is in many ways:
I tested to see if the height of the book off of the V changed whether it would be desensitized or not. It doesn't. You could put a telephone book under the book you are checking out, and your checked out book will still be desensitized, and you will be free to go through the security turnstiles.
I tested to see if another library book, with the TattleTape in the spine, would still allow the top book to be checked out, and desensitized. And of course it worked. This is where I found out that this particular SelfCheck system was a V1. Looking at 3M's website last night I found that they do, in fact, have more advanced machines, like the V2 and V3, that can detect the presence of another library book, eliminating the possibility that two books can be checked out under one barcode, thus having one 'free' book, and one book to return to the library. I haven't come across any of these machines yet, so I don't know how to circumvent their security. If I find one of these machines I will do further testing.
The next stage of testing, and security flaw, is not in the machine itself, but in the implementation. The barcode symbology used with this library, and many other libraries in the local area, is Codabar. I discovered it was Codabar by putting the numbers from a library book's barcode into this barcode generator and compare the barcodes with each other with some imaging software. I couldn't find any connection between the book's barcode and the catalogue system at the library, except that older books have a lower number and newer books have a larger number. So I concluded that the bar codes were assigned in somewhat sequential order to the new books added to the library. There might be some random algorithm they use, but it is unlikely.
Also, checking my library card, and another library card from a different library, I concluded that they were both Codabar. All the barcodes I studied started with an A identifier and ended with a B identifier. While the second library card's number was probably randomly chosen, the barcode and number on the first library card I have is actually my 'registration number', which is very easily obtainable.
This is where the major flaw of the system lies. There is no encoding on my library card as to who it belongs to. The barcode and number on the library card clearly identifies me and only me. This is also true of other patrons as well. And the registration numbers of other library patrons are very easy to find. I could list off about 80 of them right now, and I can obtain more without much difficulty. And of course you could print off the barcode for someones registration number on your printer, attach it to your library card, or any card for that matter, and then check books out under their name with fees having to be paid by that patron. As you can see, this is a terrible problem, and also identity theft! Furthermore, if you weren't able to get the registration number of another patron, you could fuzz the number and test each fuzzed number until you have a working number and use that one with the SelfCheck system. I haven't tried this form of attack, mainly because of lack of time, but it would be something I could test in the future.
The final major flaw in this system is in the physical location of the SelfCheck kiosk. It is not in direct sight of library personnel, so it would be difficult for them to notice two books being checked out instead of one. It is also in a position of high traffic, where you will have additional cover from library personnel (the people going through the library most likely don't even notice you, let alone notice you checking out two books at the same time). Also, there is no security cameras facing the SelfCheck kiosk. These cameras could provide incriminating evidence, and even serve as a deterrent to possible crime being committed in the first place.
All in all, I don't think that book theft at this particular library is very common, otherwise they would have a more secure system in place. I think the improvements on their system should include some, or all, of the following:
Update the SelfCheck system to V2 or V3 to prevent more than one book being desensitized at a time.
Encrypt the barcode on the library card so that someone's registration number cannot be used to steal their identity and check out books under their name.
Add security cameras, even if they are only dummy cameras, around the SelfCheck kiosk to deter theft, and increase evidence of theft that took place.
Move the SelfCheck kiosk to a location where it is more visible to library personnel, such as the desktop version of the SelfCheck system where it is placed on the main checkout counter beside library personnel.
Again I state do not attempt to do anything contained in this blog. This is only a proof of concept; an investigation into the security flaws of a local library.