Schneier on Security
A blog covering security and security technology.
« Virtual Kidnapping |
| DHS "Neighborhood Watch" Hoax »
April 29, 2008
SQL Injection Attacks Against Automatic License Plate Scanners
This picture is almost certainly Photoshopped, and a joke, but it's certainly a clever idea. As automatic license plate scanners become more common, why not get a SQL injection attack as a plate?
Reminds me of this xkcd cartoon.
Posted on April 29, 2008 at 3:21 PM
• 39 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think those of us fortunate to live in jurisdictions that only insist on one plate could have some fun with this...
Good idea, but I believe most areas of the world do not allow the use of characters such as '=() and so on.
There probably isn't any need to put the "license plate" on an actual car. I'd be surprised if it isn't sufficient to create a license-plate-like-object and stick it on a telephone pole.
Continuing on my previous comment:
Therefore the automatic license plate scanners are not accepting those special characters as valid input.
Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation.
> most areas of the world do not allow
> the use of characters such as '=()
Therefore, the programmers will know an SQL attack is impossible, and therefore, the attack will work beautifully.
More likely, the OCR used by the scanners will just fail to read the license plate, or ignore any characters that it's not expecting as noise. It would have been foolish to allow the scanners to consider anything other than letters and numbers (and maybe the dash between blocks) as correct data anyway.
@Tordr, DarthParadox: You guys are entirely missing the point. Yes, the scanner software, if well written, will reject invalid characters. The whole point of this exercise is, are those things well written? I don't know, but I doubt you do either, so I'm not sure why you're so confident that they validate their inputs.
It may be perfectly obvious to you right now that such validation should occur, but that's not the question. The question is whether that occurred to the programmers when they wrote the code.
Since there are plenty of web sites that get this wrong, it's conceivable that a license plate scanner did too.
@Tordr & DarthParadox: That is the clue regarding all SQL Injection Attacks: Most of the time, special characters like ');-- etc. are no meaningful input. Therefore they should be wiped of the input. But quite often it is just ignored that they can still occur.
It is especially dangerous to rely on the OCR here. Maybe the current version does drop illegal Characters. And maybe tomorrow this version is replaced by some faster / better / whatever component that doesn't. Security is a local property...
Bruce - you are a genius,pure genius!
Well, yes, it does depend on whether they're well-written or not. My point was a slightly different one, though: while it takes extra effort on the part of the software to restrict input from users to a certain set of characters, OCR has the trait that as a part of processing it must actively recognize each character image as matching against its letter patterns, and if the OCR software was written to detect license plate numbers there's no reason it should ever detect other characters.
On the other hand, any use of off-the-shelf OCR software completely nullifies that line of argument.
@ Darth Paradox
> On the other hand, any use of off-the-shelf OCR software
> completely nullifies that line of argument.
$5 says that's precisely what would be used :)
What other situations could theoretically allow you to commit a similar attack? Malicious library cards? ATM cards? Sneak into supermarkets and stick malicious barcodes on products?
What about biometric scanners (e.g. faces, fingerprints)? If there's a loophole in how they encode the metrics, a specially-crafted face mask or false fingertip could lead to an interesting attack. :)
In a SANS course Johannes Ullrich mentioned that a pen tester had managed to hack a rebate system via sql injection, by writing the sql on the rebate forms that got OCRed.
You're on the Newsbytes editorial board Bruce- you want o ask him for details?
North Dakota permits an Ampersand (&).
Texas permits Dash (-) and Period (.).
New Hampshire permits: Dash (-), Ampersand (&), and Plus (+); in their license plates.
Unfortunately, no Semicolon (;), Single Quote ('), or Parenthesis.
Sadly, no state appears to allow the necessary characters onto a vanity license plate.
Fuzzy: The question is -- what happens when you/they enter this string into the system while you apply for this vanity license plate?
Even if the OCR does reject the input and pass the string for human for validation, this only helps the attack since the human in question is not likely to know or care why the input was rejected and will, most likely, type it in exactly as shown...
How about the HTML or other encoding of the missing charecters?
The chances are that "off the shelf" general purpose (re-usable) software will be used for two reasons,
1, It works and is available.
2, it future proofs the system.
So the "head end" and many points in between will allow other chars through either directly or by encoding them up.
Which gives rise to the thought about does it have to be on the license plate at all?
How about as a bumper sticker that looks sufficiently like a licence plate (ie font and size etc)?
And would such a bumper sticker be illegal (currently)?
Even if using an "off the shelf" OCR package, I'd expect the illegetimate characters to have been disabled, simply for reliability reasons. The more characters we are trying to recognize, the less difference there is between any character and the one it most resembles, and the greater the chance of a misreading. A "1" might get misread as a "/" if "/" is in the recoginition character set - but we know that anything midway between a "1" and a "/" must be a "1", because "/" isn't a legitimate character in a numberplate - so why try to recognize it?
It doesn't take the (rare?) security mind-set to eliminate "/" from the possibilities - just the (common) test-it-and-fix-the-failures mind-set.
@Tordr: "Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation."
And, awaiting confirmation, the license plate data is stored in..?
Besides, wouldn't the pictured license plate be an enormously stupid injection?
If the plate scanner compares to a list of "interesting" license plates, the mini will trigger the alert all the time.
(Yes, I'm aware that it's supposed to be a joke ;-)
The evil in me now wonders if it's possible to get the vanity plate DROP TABLE;
@Paniteo: You see, this seems to be the work of an advanced script kiddie. Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here... If you don't fully understand why it works somewhere else, be careful when applying it in your area.
Just wondering, could a licence place scanner be fooled in to reading a large, plate sized bumpersticker?
@silence, Will Knott: So now all we need is a public "most wanted" list of sought license plates - then make license plate shaped/colored stickers of "hot" plates (so to speak) and plaster them at approx bumper height on every dumpster, mailbox and stray dog we can find.
Although we should probably only want to use the ones where they have 217 unpaid parking tickets rather than an actual Violent Criminal to avoid getting innocent bystanders near a suspicious telephone pole shot by overzealous police.
Bonus points if you put it on a "meter maid" vehicle. Extra bonus points if they arrest the meter maid (yes, they can be male but I dont know any other colloquialism for the function).
It's time for the T-shirts...
What about QR codes? Now that would be cool.
A friend of mine who's a license plate collector had an interesting story that could relate to this. He made a trip in his pickup with a camper shell to a recycler in a neighboring state and picked up several boxes of old license plates, many of which were still valid. On the way home he started noticing that people passing him were giving him strange looks. The next time he stopped, he looked at the back of the truck and discovered that a box had fallen over and several current plates from a couple of different states were plastered against the rear window.
The question for this discussion: If more than one license plate is visible on a car, does the automatic scanner catch only one?
In CA you can have a large variety of symbols as well as letters and numbers on your plates, including things like a star, a hand, a heart, etc. So scanners will have to accommodate these,
The scanners and back end systems are written for government entities. It's a miracle they work at all given that taxpayer dollars are being spent on them. There is absolutely no way there is any security built in, so your "drop table" license plate will work wonders.
' AND 1=0;--
might not be so enormously stupid.
@RaSchi: "Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here... If you don't fully understand why it works somewhere else, be careful when applying it in your area."
I've not had cause to use SQL myself, but I'm imagining it's intended for the case (guessing a bit at actual SQL syntax):
Find records where licence_plate = $plate
which will cause a ticket to be sent to every car in the country. Sounds like exactly the sort of mischief that's intended, to me!
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.
just wondering bout that.
I just think it's unlikely that a government database would use anything as modern as SQL. I'd expect something more like MUMPS.
@a500, I dunno, I've found that most people are quite dumb indeed. Usually, the more "important" their jobs and their decisions, the dumber they are!
Amazing but true. Saw a Taxi with 2 plates, one on bumper, different states! ~Not to far from another state location. Taxi sure had a small sign, like a fake, little markup of company. Perhaps local cops are testing their camera systems this way, using a taxi as a known beacon...
Weird, perhaps some are testing this or ?
Funny, lots of years on the road, NEVER seen 2 plates on a vehicle. Now, allready. Things that make you go hum.
Interesting, and a good way to test the game.
No, these systems developed for Law enforcement are being developed by the lowest bidder...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.