Library Self-Checkout Machine Exploit

by Byron Bussey

I love the library and what it stands for (I am more a poet/writer than a hacker, but at the core I don't think there is much difference between the two ideologically, perhaps just in their method).

So I would be the first to speak against stealing books from the library.

But nevertheless, there has come to me via that thing called curiosity a very simple way to do just that which involves nothing more than a simple manipulation of the self-checkout machine.

I write this then as a warning to library staff and the engineers who design such machines.  As they now stand, these devices could be used by nefarious persons to steal books and walk right out the door with them scot-free.

The machines in question, which I assume are in all large libraries, are in use both at my university and in my city library.  Walking up to the checkout with book in hand, there will be a huge line of people waiting for the librarian/monkey-drone to scan out their books.

To the right will be six of these machines that most people are too afraid to try and figure out.  (Every time I go to the library there is at least one person trying to do it and failing miserably.)  Anyways, the process is simple.

You put in your library card and then enter the last four digits of the telephone number associated with the card.  You are then presented with a screen prompting you to scan each book.

Basically you lay the book down on the tabletop of the machine and, sliding it forward, line up the bar code reader with the bar code affixed to the front cover of the book.  If it scans correctly there is a clunking sound (it sounds as if it is a physical motor) and the book is demagnetized and recorded into the network as "checked out."

A receipt is generated at the end of the session and you are free to leave.  Of course, the hacker in us immediately wonders: maybe there could be a way to trick the machine into demagnetizing a book for us without having it be linked to our card to give ourselves an unlimited amount of time to use and peruse any book we wished?

But of course, one just needs to simply take two books, place the book they wish to own down on the table-top, and then put the second book on top of it.  As the machine scans the top book as checked out, it demagnetizes the bottom book.  The book you can now take past the alarm sensors is not checked out at all whereas the one that is checked out is still magnetized.

Now obviously there is a little logistical problem here, for if you walked out the door the alarm would ring.  But it's not too hard to figure out a solution to this one.  If we watch the security guard who deals with the alarm all day, we notice that upon alarm (it is tripped at my library at least ten times an hour), he will take the person's check out slip and compare it with the books he has in his hands.

So if we put our demagnetized book in a backpack and walked out with our check out slip and the checked out copy of Charlotte's Web, the alarm would sound and he would ask us to pass it around the sensors and have us walk through again to see if we could go through without setting it off again.

Of course we could do so without problem and with a little friendly banter, be right on our merry way.  For larger scale operations (a book ratio of 1:1 is necessary), this could be worked with an accomplice who takes all the demagnetized ones out while the other sets the alarm off with the checked out ones.

Now why would anyone do this besides having a zealous and misguided love for books?  Well if you go and learn a little about book collecting you will find that your library actually has a number of rare books, or first editions, that they have amassed over the years, and which hold a considerable value.

Even if we stick to modern hard covers and check out AbeBooks for the three volumes of Dante Alighieri's Inferno, Purgatory, and Paradise translated by Allen Mandelbaum, we find a minimum price of $65 and a top of $175 for each book.

Of course, more digging might turn up some higher values.  All this highlights is that the motivation for book stealing could be, at core, economic, and we all know we live in an era where any infamy perpetrated in the pursuit of wealth can (somehow) find justification.

Now what interests me most about this whole thing is not that I can steal books (which would be pointless because I can simply borrow them), but that for years stealing books from the library must have been fairly easy.

Before there were alarms and the like, nothing was stopping you.  And yet here in the present, one technology in the form of self-checkout machines can be manipulated to defeat another technology in the form of security sensors - which brings us back to the same situation as before!

Perhaps no matter how many layers of technology we pile atop our daily lives, at the end of the day our freedom is ours to make, and that is the human choice.

Keep thinking!
