rfid technology and library security: emerging ...

RFID TECHNOLOGY AND LIBRARY SECURITY: EMERGING CHALLENGES G. Rathinasabapathy1 and L.Rajendran2

ABSTRACT RFID (Radio Frequency Identification), the quintessential pervasive computing technology, has been around us for many years and used by various organizations including library and information centres. RFID started replacing the traditional barcodes as its wireless identification capabilities promise to revolutionize the inventory control task. RFID based automatic checkout systems might tally up and pay the bills from supermarkets to library and information centres. RFID offers a number of advantages including inventory efficiency, security to library collections and minimal vulnerability to damage. However, RFID is not free from problems and it has a number of shortcomings including virus threat. This paper attempts to report the emerging challenges associated with RFID technology as it will be very much useful for the LIS professionals who are planning to introduce RFID in their library and information centres to take precautious measures. Keywords:

RFID, Library security, Inventory control,Computer Virus, RFID Tags

INTRODUCTION RFID (Radio Frequency Identification), the quintessential pervasive computing technology, has been around us for many years and used by various organizations including library and information centres. RFID started replacing the traditional barcodes as its wireless identification capabilities promise to revolutionize the inventory control task. RFID based automatic checkout systems might tally up and pay the bills from supermarkets to library and information centres. RFID offers a number of advantages including inventory efficiency, security to library collections and minimal vulnerability to damage. There is no doubt that RFID technology with its fast registration, wireless data collection, and communication abilities, offers far-reaching benefits to many industries including Library and Information Centres. But, it is not an infallible technology for Libraries as it has lot of disadvantages and shortcomings too. The disadvantages and shortcomings of RFID include orientation problems, dead areas, security concerns, ghost tags, proximity issues, unread tags, vulnerable to damage and high cost. Recent studies reported that the RFID chips may be vulnerable to viral attack and underscore the threat that malicious code can pose to all types of systems. It is shocking to know from the scientists of Amsterdam’s Free University that a RFID chip infected with a virus can infect the backend database used by the RFID software and from there it can be easily spread to other RFID tags.

1. Assistant Librarian (Senior Scale) 2. Assistant Librarian, Department of Library Science, Madras Veterinary College, Tamil Nadu Veterinary and Animal Sciences University, Chennai–600 007, India. email: [email protected] Journal of Lib. Inf. & Comm. Technology

Vol. 1 No.1 (2009)

35 In this context, this paper attempts to report the emerging challenges associated with RFID technology as it will be very much useful for the LIS professionals who are planning to introduce RFID in their library and information centres to take precautious measures. RFID TECHNOLOGY: AN INTRODUCTION RFID was developed out of the radar experiments and development during the Second World War. The actual date of invention is 1948 but this was followed by decades of development and experimentation before commercial applications were implemented. If we trace they history of RFID, probably the work of Harry Stockman entitled “Communication by Means of Reflected Power”, exploring RFID is the landmark paper which was published in the Proceedings of the IRE in 1948. Thirty years would pass before Harry’s vision would begin to reach fruition and a lot has happened in the 53 years since Harry Stockman’s work. The 1950s were an era of exploration of RFID techniques following technical developments in radio and radar in the 1930s and 1940s. Several technologies related to RFID were being explored such as the long-range transponder systems of “identification, friend or foe” (IFF) for aircraft. The wheels of RFID development were turning and the 1960s were the prelude to the RFID explosion of the 1970s. Commercial activities were beginning in the 1960s. Sensormatic and Checkpoint were founded in the late 1960s. These companies, with others such as Knogo, developed electronic article surveillance (EAS) equipment to counter theft. These types of systems are often use ‘1-bit’ tags – only the presence or absence of a tag could be detected, but the tags could be made inexpensively and provided effective anti-theft measures. EAS is arguably the first and most widespread commercial use of RFID. In the 1970s developers, inventors, companies, academic institutions, and government laboratories were actively working on RFID. The 1980s became the decade for full implementation of RFID technology, though interests developed somewhat differently in various parts of the world. The greatest interests in the United States were for transportation, personnel access, and to a lesser extent, for animals. In Europe, the greatest interests were for short-range systems for animals, industrial and business applications, though toll roads in Italy, France, Spain, Portugal, and Norway were equipped with RFID. The 1990’s were a significant decade for RFID since it saw the wide scale deployment of electronic toll collection in the United States. Today, Radio Frequency Identification (RFID) technology is used for hundreds of applications in our daily life such as preventing theft of articles, collecting tolls without stopping, gaining entrance to buildings, automating parking, controlling access of vehicles to gated communities, corporate campuses and airports, dispensing goods, providing ski lift access and the growing opportunity to track a wealth of assets in supply chain management. The following RFID Timeline shows the major developments taken place in the field of RFID technology.

Journal of Lib. Inf. & Comm. Technology

Vol. 1 No.1 (2009)

36 TIME LINE OF RFID DEVELOPMENT Decade

Development

1940-1950

Radar refined and used, major World War II development effort. RFID invented in 1948.

1950 - 1960

Early explorations of RFID technology, laboratory experiments.

1960 – 1970

Development of the theory of RFID. Start of applications field trials.

1970 – 1980

Explosion of RFID development. Tests of RFID accelerate. Very early adopter implementations of RFID.

1980 – 1990

Commercial applications of RFID enter mainstream

1990 – 2000

Emergence of standards RFID widely deployed RFID becomes a part of everyday life.

RFID: HOW IT WORKS? A RFID tag is a very small electronic device, often the size of a seed or as thin as a piece of paper, which is capable of storing data and transmitting that data up to several meters. The reading device transmits a query signal. When the RFID tag senses the signal, it transmits the contents of its memory to the reading device. Many tags are not selfpowered. Instead, they get their power from the query signal. The information received by the reading device is transmitted to a server for processing. RFID tags have two primary advantages over the ubiquitous bar code. RFID tags carry unique identifiers. Unlike bar codes that typically provide a general product number, RFID tags allow vendors to serialize each individual item. This allows for significant granularity in distribution control. While bar codes must be read one at a time and at close range, multiple RFID tags can be read at once without any visibility to human or mechanical reading devices. RFID IN LIBRARIES Librarians are always in the forefront to use the new technologies which suits their requirements. The first Library suppliers started to market RFID systems in the mid 1990’s. So, RFID technology was implemented in libraries in the late 1990s for varied library operations across the globe.


Vol. 1 No.1 (2009)

37 RFID has slowly begun to replace the traditional barcodes on library items viz., books, Back volumes, CDs, DVDs, etc. The RFID tag can contain identifying information, such as a book’s title or material type, without having to be pointed to a separate database. The information is read by an RFID reader, which replaces the standard barcode reader commonly found at a library’s circulation desk. It can also act as a security device, taking the place of the more traditional electromagnetic security strip and not only the books, but also the membership cards could be fitted with an RFID tag. It is important to note that Singapore was certainly one of the first to introduce RFID in libraries and Rockefeller University in New York may have been the first academic library in the United States to utilize this technology, whereas Farmington Community Library in Michigan may have been the first public institution, both of which began using RFID in 1999. The top RFID using countries are USA, UK and Japan. In 1990s, Indian libraries also started using RFID and mostly the academic libraries attached to IITs, IISc, Universities are now widely using RFID technology. RFID has many library applications that can be highly beneficial, particularly for circulation staff. Since RFID tags can be read through an item, there is no need to open a book cover or DVD case to scan an item. This could reduce repetitive-motion injuries. Where the books have a barcode on the outside, there is still the advantage that borrowers can scan an entire pile of books in one go, instead of one at a time. Since RFID tags can also be read while an item is in motion, using RFID readers to check-in returned items while on a conveyor belt reduces staff time. But, as with barcode, this can all be done by the borrowers themselves, meaning they might never again need the assistance of staff. Next to these readers with a fixed location there are also portable ones. With these, inventories could be done on a whole shelf of materials within seconds, without a book ever having to be taken off the shelf. Smart Shelves can be used to pinpoint the exact location of books. However, as of 2008 this technology remains too costly for many smaller libraries, and the conversion period has been estimated at 11 months for an average-size library. That is why still the technology is not implemented by a large number of libraries in India. RFID APPLICATIONS IN LIBRARY: ADVANTAGES Librarians will find RFID very useful as the technology provides a lot of advantages in the daily library management. The following are some of the major advantages that RFID technology offers to the Libraries. (i) Fast circulation services: Application of RFID technology in libraries reduces the amount of time required to perform circulation operations. (ii) Easy self-charging/discharging: For library members using self-charging, there is a marked improvement because they do not have to carefully place materials within a designated template and they can charge several items at the same time. (iii) Fast inventorying: Another unique advantage of RFID systems is their ability to scan books on the shelves without tipping them out or removing them. Since it is using wireless technology, it is possible not only to update the inventory, but also to identify items which are out of proper order.


Vol. 1 No.1 (2009)

38 (iv) (v)

(vi)

(vii)

Greater reliability: The RFID readers are highly reliable and RFID library systems claim an almost 100 percent detection rate using RFID tags. Long tag life than Barcodes: It is important to note that RFID tags last longer than barcodes because nothing comes into contact with them. According to RFID vendors, the lifetime of a tag is about a minimum of 100,000 transactions which is better than barcodes. Automated materials handling: Automated materials handling is another advantage of RFID technology which includes conveyer and sorting systems that can move library materials and sort them by category into separate bins or onto separate carts. This significantly reduces the amount of staff time required to ready materials for re-shelving in libraries. Economy: Earlier implementation of RFID in libraries was costly but now it becomes economy while considering the advantages it offers to the library management.

EMERGING CHALLENGES Though the RFID technology provides a lot of benefits to the libraries, like all electronic processing systems, it is not free from problems and security concerns and the LIS professionals are facing a number of challenges while using RFID in library environment. Generally, the RFID threats include Spoofing identity, tampering with data, repudiation, information disclosure, denial of service, elevation of privilege, etc. But, the recent addition in this list is virus threat which is a very serious challenge for all those concerned with RFID. We will discuss here some of the major challenges faced by LIS professionals across the globe who are using RFID. (i)

Virus Threats The latest and one of the major problems of RFID technology is the virus threat. A study undertaken by Dutch university scientists revealed that an infected RFID tag is able to disrupt the database that reads information on the chip. As of now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, these assumptions are proved as wrong. The Scientists at Amsterdam’s Free University were able to create a chip infected with a virus, and then use it to infect the database. Before this study, supporters of RFID assumed that the technology could not modify the back-end software that reads it. But, it their research they have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. The major threat is that from the RFID software, the virus can be easily spread to other RFID tags. It is reported that an RFID virus could be very dangerous, such as a prankster uploading a virus to a supermarket computer that could be used to change prices, or using his cat to pass a computer virus from animal to computer


Vol. 1 No.1 (2009)

39 and back to animal through another RFID tag. The scariest of all is the potential airline scenario, where a virus could be used to disrupt baggage-handling systems, potentially hiding suspicious cargo. According to the study, an RFID virus could also carry a payload that did other damage to the database, for example, helping drug smugglers or terrorists hide their baggage from airline and government officials. Normally, people in most cases raise privacy issues but the scientists’ discovery of potentially malicious ways to use the technology is even more troubling. Therefore, it is need of the hour that the RFID industry should take some war footing efforts to ensure complete secure RFID systems. (ii)

Privacy Threats RFID automates information collection about individuals’ locations and actions, and this data could be abused by hackers, retailers, and even the government. There are a number of well-established RFID security and privacy threats. Therefore, Civil liberties groups are very much concerned about RFID technology being used to invade people’s privacy. The US Department of State plans to issue passports with RFID chips containing personal information. But, the American Civil Liberties Union has expressed vehement opposition because of the potential for exposed personal information. They have pointed out that an RFID virus could be developed that make tags vulnerable. It is important to note that RFID tags enable unethical individuals to snoop on people and surreptitiously collect data on them without their approval or even knowledge.

(iii)

Bleeding Edge Technology Another major challenge is the immaturity of the industry. As far as the RFID technology is concerned, the standards are only just being developed. On the other hand, tags and readers are being modified and improved at a rapid rate. Further, competing technologies and non-cross compliant systems still exist. Under the circumstances, the ongoing development could make equipment and tags obsolete, rendering investments in older equipment useless, and requiring expensive conversions and upgrades to sustain the development. This is a serious problem specially for multi-unit and multi-campus libraries that may implement one branch at a time over several years. Thus, bleeding edge technology is an important challenge of RFID technology.

(iii)

Costly RFID is supposed to replace bar coding, but putting a bar code on a package costs nothing. On the other hand putting on an RFID tag costs a minimum of Rs.20+, and then we need all the ancillary technology and software tools. Though the RFID vendors say that RFID implementation becomes cheaper, still the costs of the tags are relatively high. Hence, most of the libraries including academic libraries are unable to implement RFID technology. In India, few libraries of IITs, IISc, IIMs and a limited number of universities and R&D institutes like Anna


Vol. 1 No.1 (2009)

40 University, Chennai; Indira Gandhi Centre for Atomic Research (IGCAR), Kalpakkam, alone implemented RFID because it is still costly affair. (iv)

Fragile Tags vulnerable to damage and vandalism Fragile tags are another problem faced by LIS professionals while implementing RFID. But, this problem may be solved in the process of being solved with new technology that makes for a smooth label with no bumps or other protrusions. It is notable that the bumps and protrusions of the chip and antenna make the tags vulnerable to damage and vandalism. In libraries, the older tags still have this problem but several new designs reduce protrusions very well and limit potential damage, in the near future tags may be as thin as paper because of the technological developments taking place in this industry.

(v)

Dual Use Tags defeats security Using the tag for both circulation and security means that once the tag system has been beaten the security is also defeated.

(vi)

Tag Interference Vulnerability It is a known fact that Radio waves cannot be read through metal. So, simply wrapping several layers of aluminum foil around an item can defeat the security system. Further, placing two tags close together can interfere with the signal disabling the read capability of the scanner. Though most of the RFID suppliers have software systems in place to limit this possibility, the interference cannot be removed entirely at this time and further development of technology may solve this problem in future.

(vii)

Tag Collision RFID Readers may become confused when too many signals are received at the same time. This may be a big problem for huge library systems like university libraries where huge number of transactions taking place at a time. Though the RFID System providers have developed complex algorithms to minimize this problem but the vulnerability remains.

RFID VULNERABILITY: FEW RECENT EVENTS Though the RFID industry claims that the technology is secured one, some of the recent events have proved that RFID is vulnerable and not foolproof technology. A few such incidents are listed below for information. It is known that the United Kingdom has issued biometric passports for their citizens. Recently, a security expert has cracked one of the UK’s new biometric passports that use RFID to store personal information.


Vol. 1 No.1 (2009)

41 IOActive, a company recently demonstrated an RFID cloner which can steal codes from building access cards at the RSA Security 2007 Conference which created very serious concerns over RFID security. WAYS AND MEANS TO OVERCOME RFID THREATS We cannot see a single technology which is free from problems. Each and every technology has got its own merits and demerits, advantages and disadvantages. So, we have to find out the ways and means to overcome the problems of the technology. In this case, we the LIS professionals should be very careful to overcome the problems associated with RFID technology. The literatures suggest that the following measures will help us to defend against RFID threats. (i)

Checking the Bounds Under this measure, all middleware applications written in languages that allow the use of indexes that lie outside the bounds of an array should be compiled with bounds checking enabled.

(ii)

Sanitizing the input This is nothing but ensuring the RFID input received contains data we expect. Any unusual characters, character strings, etc. should at a minimum send an alert to the system or security administrator so that we can take appropriate action to combat the problem.

(iii)

Disabling back-end scripting languages Using of Hypertext transmission protocol based middleware can reduce the risk of script injection, or cross-site scripting, by turning off client-side script execution.

(iv)

Limiting database permissions and segregate users In addition to enforcing the principle of least privilege, database implementation shouldn’t allow the execution of multiple SQL statements in a single query. It is very risky building SQL statements on-the-fly. Instead, access databases with stored procedures with parameter binding to ensure better security.

(v)

Isolating the RFID middleware server Under this measure, access to the middleware server should not provide access to the rest of the network. As with any perimeter device, middleware servers should be placed in a containment zone.

(vi)

Performing regular code reviews To avoid vulnerabilities, like all applications, the middleware application code should be regularly reviewed to ensure vulnerabilities have not crept in during routine maintenance or major upgrades of the system.


Vol. 1 No.1 (2009)

42 The above security measures will help the LIS professionals to avoid the RFID threats to a greater extent. However, new standards and protocols are highly essential to ensure foolproof RFID security. Since it is still an infant technology, more standards and protocols will emerge to suit the needs of the clients who are using RFID as the market for RFID is skyrocketing. CONCLUSION LIS professionals who are facing a lot of challenges concerned with library security will find RFID system more useful since it offers some great advantages over barcodes. Though there were some complaints about the tag life expectancy, improvements in tag life expectancy and durability have improved substantially in the past few years. Most of the problems cautioned against RFID technology can mostly be dealt with through careful planning and questioning of RFID service providers. Those LIS professionals who are looking at RFID can plan for success by ensuring that the system chosen is scaleable and has interoperability so that the system can go grow with the technology and ensure better safety and security to the invaluable library collections. The national level agencies concerned with library and information science viz., INFLIBNET may come forward to help at least academic libraries in India to implement RFID technology in a better way to avoid the problems. Since INFLIBNET plays a vital role in implementing Software for University Libraries (SOUL) which helped more than 1000 libraries in this country to automate the library services, they can also concentrate on RFID implementation to ensure economy and flawless RFID installation. One thing we must remember that the benefits of RFID technology cannot be ignored in today’s tight staffing and funding climate across the globe. So, we, the LIS professionals should come forward to reap the benefits that the RFID offers in terms of library security. REFERENCES Garretson, C (2007). Making sense of RFID threats: Don’t be alarmed, but be aware. Available at http://www.techworld.com/security/features/index.cfm? featureid= 3274 Accessed on 10.12.2008 Kumar, R. (2008). Role of RFID in Academic Libraries. In: Proceedings of the 6th International CALIBER 2008, INFLIBNET-University of Allahabad, Allahabad. pp.120-126. Lindquist, M.G. (2003). RFID in Libraries: Introduction to the issues. Available at http://www.ifla.org/IV/ifla69/papers/161e-Lindquist.pdf Accessed on 13.12.2008 Molnar, D. and Wagner, D. Privacy and Security in Library RFID: Issues, Practices, and Architectures (2004). In: Proceedings of the 11th ACM Conference on Computer and Communications Security. pp.210-219. Available at http://www.cs.berkeley. edu/~dmolnar/library.pdf Accessed on 15.12.2008


Vol. 1 No.1 (2009)

43 Narayanan, A. Singh, S and Somasekharan, M. (2005). Implementing RFID in Library: Methodologies, advantages and disadvantages. Available at http://library. igcar.gov.in/readit-2005/conpro/lgw/s5-8.pdf Accessed on 12.12.2008 Olzak, T. (2006). Securing RFID Tags. Available at http://it.toolbox.com/blogs/ adventuresinsecurity/securing-rfid-tags-9329 Accessed on 15.12.2008 Rajendran, L. and G. Rathinasabapathy (2007). Role of Electronic Surveillance and Security Systems in Academic Libraries. In: Proceedings of the Conference on Recent Advances in Information Science and Technology (READIT 2007), MALA & IGCAR, Kalpakkam. pp. 111-117. Rathinasabapathy, G. (2005). Application of Radio Frequency Identification Technology (RFID) in Libraries. In: Proceedings of the VII Tamilnadu Librry Conference, Dr.MGR-JCFW, Chennai. TLA. Rieback, M.R., Crispo, B., Tanenbaum, A.S. Is Your Cat Infected with a Computer Virus?. Available at http://www.rfidvirus.org/papers/percom.06.pdf Accessed on 12.12.2008 Rieback, M.R., Simpson, P.N.D., Crispo, B., Tanenbaum, A.S (2006). RFID Viruses and Worms. Available at http://www.rfidvirus.org/index.html. Accessed on 14.12.2008. Sarma, S.E., Weis, S.A. and Engels, D.W. (2003). RFID Systems and Security and Privacy Implications. Lecture Notes in Computer Science, Vol. 2523. pp.1-19. Schneier, B. (2003). Fatal flaw weakens RFID passports. Wired NEWS, pp.1- 2. Thompson, D.R., Chaudhry, N and Thompson, C.W. RFID Security Threat Model. Available at http://comp.uark.edu/~drt/pubs/2006/rfid-threats-alar-060303.pdf Accessed on 10.12.2008


Vol. 1 No.1 (2009)