Schneier on Security

A blog covering security and security technology.

« Virtual Kidnapping | Main | DHS "Neighborhood Watch" Hoax »

April 29, 2008

SQL Injection Attacks Against Automatic License Plate Scanners

This picture is almost certainly Photoshopped, and a joke, but it's certainly a clever idea. As automatic license plate scanners become more common, why not get a SQL injection attack as a plate?

Reminds me of this xkcd cartoon.

Posted on April 29, 2008 at 3:21 PM • 39 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

I think those of us fortunate to live in jurisdictions that only insist on one plate could have some fun with this...

Posted by: Tremaine at April 29, 2008 4:34 PM

Good idea, but I believe most areas of the world do not allow the use of characters such as '=() and so on.

Posted by: Tordr at April 29, 2008 4:36 PM

There probably isn't any need to put the "license plate" on an actual car. I'd be surprised if it isn't sufficient to create a license-plate-like-object and stick it on a telephone pole.

Posted by: silence at April 29, 2008 4:39 PM

Continuing on my previous comment:
Therefore the automatic license plate scanners are not accepting those special characters as valid input.
Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation.

Posted by: Tordr at April 29, 2008 4:40 PM

> most areas of the world do not allow
> the use of characters such as '=()

Therefore, the programmers will know an SQL attack is impossible, and therefore, the attack will work beautifully.

Posted by: Anonymous at April 29, 2008 4:49 PM

More likely, the OCR used by the scanners will just fail to read the license plate, or ignore any characters that it's not expecting as noise. It would have been foolish to allow the scanners to consider anything other than letters and numbers (and maybe the dash between blocks) as correct data anyway.

Posted by: DarthParadox at April 29, 2008 5:24 PM

@Tordr, DarthParadox: You guys are entirely missing the point. Yes, the scanner software, if well written, will reject invalid characters. The whole point of this exercise is, are those things well written? I don't know, but I doubt you do either, so I'm not sure why you're so confident that they validate their inputs.

It may be perfectly obvious to you right now that such validation should occur, but that's not the question. The question is whether that occurred to the programmers when they wrote the code.

Since there are plenty of web sites that get this wrong, it's conceivable that a license plate scanner did too.

Posted by: Anonymous at April 29, 2008 5:43 PM

@Tordr & DarthParadox: That is the clue regarding all SQL Injection Attacks: Most of the time, special characters like ');-- etc. are no meaningful input. Therefore they should be wiped of the input. But quite often it is just ignored that they can still occur.

It is especially dangerous to rely on the OCR here. Maybe the current version does drop illegal Characters. And maybe tomorrow this version is replaced by some faster / better / whatever component that doesn't. Security is a local property...

Posted by: VWM at April 29, 2008 5:46 PM

Bruce - you are a genius,pure genius!

Posted by: Tenchie at April 29, 2008 6:15 PM

Well, yes, it does depend on whether they're well-written or not. My point was a slightly different one, though: while it takes extra effort on the part of the software to restrict input from users to a certain set of characters, OCR has the trait that as a part of processing it must actively recognize each character image as matching against its letter patterns, and if the OCR software was written to detect license plate numbers there's no reason it should ever detect other characters.

On the other hand, any use of off-the-shelf OCR software completely nullifies that line of argument.

Posted by: DarthParadox at April 29, 2008 6:47 PM

@ Darth Paradox

> On the other hand, any use of off-the-shelf OCR software
> completely nullifies that line of argument.

$5 says that's precisely what would be used :)

Posted by: Pat Cahalan at April 29, 2008 6:49 PM

What other situations could theoretically allow you to commit a similar attack? Malicious library cards? ATM cards? Sneak into supermarkets and stick malicious barcodes on products?

What about biometric scanners (e.g. faces, fingerprints)? If there's a loophole in how they encode the metrics, a specially-crafted face mask or false fingertip could lead to an interesting attack. :)

Posted by: Lawrence D'Oliveiro at April 29, 2008 7:09 PM

@Lawrence D'Oliveiro

It's been done: http://www.hackaday.com/2007/12/30/...

Posted by: Anonymous at April 29, 2008 7:42 PM

In a SANS course Johannes Ullrich mentioned that a pen tester had managed to hack a rebate system via sql injection, by writing the sql on the rebate forms that got OCRed.

You're on the Newsbytes editorial board Bruce- you want o ask him for details?

Posted by: Rich Wilson at April 29, 2008 8:47 PM

North Dakota permits an Ampersand (&).
Texas permits Dash (-) and Period (.).
New Hampshire permits: Dash (-), Ampersand (&), and Plus (+); in their license plates.
Unfortunately, no Semicolon (;), Single Quote ('), or Parenthesis.

Sadly, no state appears to allow the necessary characters onto a vanity license plate.

Posted by: Fuzzy at April 29, 2008 9:29 PM

Fuzzy: The question is -- what happens when you/they enter this string into the system while you apply for this vanity license plate?

Posted by: Anderer Gregor at April 29, 2008 10:52 PM

@Tordr,
Even if the OCR does reject the input and pass the string for human for validation, this only helps the attack since the human in question is not likely to know or care why the input was rejected and will, most likely, type it in exactly as shown...

Posted by: Stats at April 29, 2008 11:52 PM

@fuzzy

How about the HTML or other encoding of the missing charecters?

The chances are that "off the shelf" general purpose (re-usable) software will be used for two reasons,

1, It works and is available.
2, it future proofs the system.

So the "head end" and many points in between will allow other chars through either directly or by encoding them up.

Which gives rise to the thought about does it have to be on the license plate at all?

How about as a bumper sticker that looks sufficiently like a licence plate (ie font and size etc)?

And would such a bumper sticker be illegal (currently)?

Posted by: Clive Robinson at April 30, 2008 12:36 AM

Even if using an "off the shelf" OCR package, I'd expect the illegetimate characters to have been disabled, simply for reliability reasons. The more characters we are trying to recognize, the less difference there is between any character and the one it most resembles, and the greater the chance of a misreading. A "1" might get misread as a "/" if "/" is in the recoginition character set - but we know that anything midway between a "1" and a "/" must be a "1", because "/" isn't a legitimate character in a numberplate - so why try to recognize it?

It doesn't take the (rare?) security mind-set to eliminate "/" from the possibilities - just the (common) test-it-and-fix-the-failures mind-set.

Posted by: Filias Cupio at April 30, 2008 1:05 AM

@Tordr: "Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation."

And, awaiting confirmation, the license plate data is stored in..?

Posted by: Paeniteo at April 30, 2008 1:48 AM

Besides, wouldn't the pictured license plate be an enormously stupid injection?

If the plate scanner compares to a list of "interesting" license plates, the mini will trigger the alert all the time.

(Yes, I'm aware that it's supposed to be a joke ;-)

Posted by: Paeniteo at April 30, 2008 2:01 AM

The evil in me now wonders if it's possible to get the vanity plate DROP TABLE;

Posted by: Tanuki at April 30, 2008 3:10 AM

@Paniteo: You see, this seems to be the work of an advanced script kiddie. Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here... If you don't fully understand why it works somewhere else, be careful when applying it in your area.

Posted by: RaSchi at April 30, 2008 3:21 AM

Just wondering, could a licence place scanner be fooled in to reading a large, plate sized bumpersticker?

Posted by: Will Knott at April 30, 2008 4:58 AM

@silence, Will Knott: So now all we need is a public "most wanted" list of sought license plates - then make license plate shaped/colored stickers of "hot" plates (so to speak) and plaster them at approx bumper height on every dumpster, mailbox and stray dog we can find.

Although we should probably only want to use the ones where they have 217 unpaid parking tickets rather than an actual Violent Criminal to avoid getting innocent bystanders near a suspicious telephone pole shot by overzealous police.

Bonus points if you put it on a "meter maid" vehicle. Extra bonus points if they arrest the meter maid (yes, they can be male but I dont know any other colloquialism for the function).

Posted by: bob at April 30, 2008 7:11 AM

It's time for the T-shirts...

What about QR codes? Now that would be cool.

Posted by: Alex at April 30, 2008 8:47 AM

A friend of mine who's a license plate collector had an interesting story that could relate to this. He made a trip in his pickup with a camper shell to a recycler in a neighboring state and picked up several boxes of old license plates, many of which were still valid. On the way home he started noticing that people passing him were giving him strange looks. The next time he stopped, he looked at the back of the truck and discovered that a box had fallen over and several current plates from a couple of different states were plastered against the rear window.

The question for this discussion: If more than one license plate is visible on a car, does the automatic scanner catch only one?

Posted by: vvpete at April 30, 2008 10:56 AM

In CA you can have a large variety of symbols as well as letters and numbers on your plates, including things like a star, a hand, a heart, etc. So scanners will have to accommodate these,

Posted by: Tamzen at April 30, 2008 10:56 AM

The scanners and back end systems are written for government entities. It's a miracle they work at all given that taxpayer dollars are being spent on them. There is absolutely no way there is any security built in, so your "drop table" license plate will work wonders.

Posted by: derf at April 30, 2008 11:21 AM

I've thought about that joke when in Milan they created one of the biggest plate scanner system around (for the Ecopass stuff): http://blackfire.soup.io/post/356848/...

:-))

Posted by: Claudio C at April 30, 2008 1:35 PM

Well,

' AND 1=0;--

might not be so enormously stupid.

Posted by: Anonymous at May 1, 2008 12:41 AM

@RaSchi: "Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here... If you don't fully understand why it works somewhere else, be careful when applying it in your area."

I've not had cause to use SQL myself, but I'm imagining it's intended for the case (guessing a bit at actual SQL syntax):

Find records where licence_plate = $plate
Send_speeding_ticket_to(records)

which will cause a ticket to be sent to every car in the country. Sounds like exactly the sort of mischief that's intended, to me!

--------
Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

Posted by: wm at May 1, 2008 6:42 AM

In so many discussions like this on the internet people seem to overlook the fact that when these systems were being implemented they had a team of people sit down at a conference table and discuss many of the very things that are being discussed here, so much of what you're saying is repeating history. People are not nec'ly dumb and you're prob'ly not the first to think of sth. True, some security may've been overlooked, but it's very likely they eliminated OCR of all other chars.

Posted by: a500poundblobbutactuallyjustaskinnyguytryingtomaskhisidentityontheinternetincasesomebodydiscoversore at May 2, 2008 5:32 AM

just wondering bout that.

Posted by: me' OR 1=1;-- at May 2, 2008 5:43 AM

I just think it's unlikely that a government database would use anything as modern as SQL. I'd expect something more like MUMPS.

Posted by: Richard Braakman at May 2, 2008 3:31 PM

@a500, I dunno, I've found that most people are quite dumb indeed. Usually, the more "important" their jobs and their decisions, the dumber they are!

Posted by: ElQ at May 3, 2008 10:06 AM

Amazing but true. Saw a Taxi with 2 plates, one on bumper, different states! ~Not to far from another state location. Taxi sure had a small sign, like a fake, little markup of company. Perhaps local cops are testing their camera systems this way, using a taxi as a known beacon...
Weird, perhaps some are testing this or ?
Funny, lots of years on the road, NEVER seen 2 plates on a vehicle. Now, allready. Things that make you go hum.
Interesting, and a good way to test the game.

Posted by: 2ManyPlates at May 5, 2008 12:03 PM

@a500pound
No, these systems developed for Law enforcement are being developed by the lowest bidder...

Posted by: Anonymous at May 5, 2008 3:30 PM

This could almost work in North Carolina, which allows any of the following on personalized plates: &?$/=*+@!:.-,'"

The order page off of https://edmv-sp.dot.state.nc.us/sp/SpecialPlatesPortal.html has the details.

Posted by: AndyHat at May 8, 2008 4:25 PM

Subscribe to comments on this entry