I recently attended the FE User Conference – FE is an Australian company providing RFID to libraries. One of the speakers was Alan Butters who is an Australian RFID expert and was invited to the Conference to talk two projects. This was the first one and is well worth knowing about.
Near field communications (NFC) is a form of RFID – contactless communications built into smart phones.
There are three modes: (he showed short video clips to help demonstrate each)
Reader/Writer mode – http://youtu.be/LfkFgtoQtFQ (this is of interest to libraries)
Card Emulation mode – http://youtu.be/pzDSQkNQWXQ
Peer to Peer mode – http://www.youtube.com/watch?v=XWyAycCAga4
NFC has lots of interesting applications and has been installed in smart phones to enable all these applications. It’s not new – the first phone came out with it in 2006.
Why the concern now? Standards. NFC originally was based on ISO 14443 – the standard for proximity cards. This standard is designed for close operation and is used by Melbourne’s public transport Myki system.
The standard for library RFID is ISO 15693 – vicinity cards. This gives the range of up to 80cms, but has little inbuilt security. A 2006 phone couldn’t access tech using this standard as it used the ISO 14443 standard.
There is also ISO 28560 – the data format standard, which is how information is recorded on library tags. It uses the tag’s Application Family Identifier (AFI) for security and is contained in the system memory of the tag. Eg. A value of C2 – circulating is toggled with a value of 07 which is on-shelf. All other RFID systems ignore this because it is not one of their AFIs.
What has changed for library RFID?
NXP, the largest manufacturer or NFC Controllers (and also RFID tags), decided to include support for ISO 15693 (our RFID Standard) in their controllers. This gives them the potential for long read applications and is now supported in Read/Write mode. Apps have also begun to appear using their capability.
People have been unable to interfere with library tags until now, unless they could source the necessary hardware, understand the technology, get the software and isolate the tags. A process that is both too time consuming and expensive.
The threat context has changed. There are now millions of devices that now have RFID hardware in them, it only takes 1 person to write an app, which could be rapidly distributed, resulting in widespread incidents.
· Change the security status of an item
· Lock an item (security – denial of service)
· Overwrite library data
· Delete data and lock user memory (denial of service)
The threat is now more real. Nine out of the ten most popular phones support NFC. (does not include the iPhone 5). The means is there, but the motive?
NFC Apps and what people can do now.
From Google Play you can download:
· TagInfo app. If you touch a tag to the phone, it will provide you the maker of the chip in the tag, the application type and what the AFI is set to. Tap the tech button, then list and you will get a Hex list of the tag. There are 28 blocks of information on a 1024 tag and we usually only use 10. Could use this app to check if security is working and is advisable for libraries to use this app.
· NFC-V Reader (which supports our standard) app. Is a reader/writer. Open the app, put next to a library tag and the first block displays the item ID.
Apple phones don’t have NFC at this time. Banks are particularly upset about this because they have a range of services ready to go that use NFC. However, you can buy an NFC case for the iPhone. Eg. iCard off eBay, comes with the iCarte Reader app (cost $10).
What do we do? It depends on your threat assessment. We need to protect some or all of our ISO 28560 data, need to protect the integrity of the AFI value or must use a different item security system, as we don’t want to lose the interoperability benefits of ISO 28560 – being able to read other library’s RFID Tags.
Not all RFID tags have the same features – the chip type determines what you can do.
The Standard recommends that you:
· Lock the user memory – or at least the primary ID (item no). You can choose to select one or more or all, whatever you choose will not be able to be overwritten.
· Encrypt the memory – however this is not supported by the standard.
· Use electromagnetic (EM) for security.
· Use passworded EAS (electronic article surveillance – the RFID security) and AFI – can only be done on SLIX chips only. Alan recommends that libraries purchase SLIX tags, so others can not change the tags in any way.
Threat assessment has to be local, consider current and future trends, must be balanced by interoperability requirements and the cost of the response should reflect the risk. New vendor apps such as Mobile Circ, could increase the risk of tag interference.