Tordr April 29, 2008 4:36 PM

Good idea, but I believe most areas of the world do not allow the use of characters such as ‘=() and so on.

silence April 29, 2008 4:39 PM

There probably isn’t any need to put the “license plate” on an actual car. I’d be surprised if it isn’t sufficient to create a license-plate-like-object and stick it on a telephone pole.

Tordr April 29, 2008 4:40 PM

Continuing on my previous comment:
Therefore the automatic license plate scanners are not accepting those special characters as valid input.
Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation.

Anonymous April 29, 2008 4:49 PM

most areas of the world do not allow
the use of characters such as ‘=()

Therefore, the programmers will know an SQL attack is impossible, and therefore, the attack will work beautifully.

DarthParadox April 29, 2008 5:24 PM

More likely, the OCR used by the scanners will just fail to read the license plate, or ignore any characters that it’s not expecting as noise. It would have been foolish to allow the scanners to consider anything other than letters and numbers (and maybe the dash between blocks) as correct data anyway.

Anonymous April 29, 2008 5:43 PM

@Tordr, DarthParadox: You guys are entirely missing the point. Yes, the scanner software, if well written, will reject invalid characters. The whole point of this exercise is, are those things well written? I don’t know, but I doubt you do either, so I’m not sure why you’re so confident that they validate their inputs.

It may be perfectly obvious to you right now that such validation should occur, but that’s not the question. The question is whether that occurred to the programmers when they wrote the code.

Since there are plenty of web sites that get this wrong, it’s conceivable that a license plate scanner did too.

VWM April 29, 2008 5:46 PM

@Tordr & DarthParadox: That is the clue regarding all SQL Injection Attacks: Most of the time, special characters like ‘);– etc. are no meaningful input. Therefore they should be wiped of the input. But quite often it is just ignored that they can still occur.

It is especially dangerous to rely on the OCR here. Maybe the current version does drop illegal Characters. And maybe tomorrow this version is replaced by some faster / better / whatever component that doesn’t. Security is a local property…

DarthParadox April 29, 2008 6:47 PM

Well, yes, it does depend on whether they’re well-written or not. My point was a slightly different one, though: while it takes extra effort on the part of the software to restrict input from users to a certain set of characters, OCR has the trait that as a part of processing it must actively recognize each character image as matching against its letter patterns, and if the OCR software was written to detect license plate numbers there’s no reason it should ever detect other characters.

On the other hand, any use of off-the-shelf OCR software completely nullifies that line of argument.

Pat Cahalan April 29, 2008 6:49 PM

@ Darth Paradox

On the other hand, any use of off-the-shelf OCR software
completely nullifies that line of argument.

$5 says that’s precisely what would be used 🙂

Lawrence D'Oliveiro April 29, 2008 7:09 PM

What other situations could theoretically allow you to commit a similar attack? Malicious library cards? ATM cards? Sneak into supermarkets and stick malicious barcodes on products?

What about biometric scanners (e.g. faces, fingerprints)? If there’s a loophole in how they encode the metrics, a specially-crafted face mask or false fingertip could lead to an interesting attack. 🙂

Rich Wilson April 29, 2008 8:47 PM

In a SANS course Johannes Ullrich mentioned that a pen tester had managed to hack a rebate system via sql injection, by writing the sql on the rebate forms that got OCRed.

You’re on the Newsbytes editorial board Bruce- you want o ask him for details?

Fuzzy April 29, 2008 9:29 PM

North Dakota permits an Ampersand (&).
Texas permits Dash (-) and Period (.).
New Hampshire permits: Dash (-), Ampersand (&), and Plus (+); in their license plates.
Unfortunately, no Semicolon (;), Single Quote (‘), or Parenthesis.

Sadly, no state appears to allow the necessary characters onto a vanity license plate.

Anderer Gregor April 29, 2008 10:52 PM

Fuzzy: The question is — what happens when you/they enter this string into the system while you apply for this vanity license plate?

Stats April 29, 2008 11:52 PM

Even if the OCR does reject the input and pass the string for human for validation, this only helps the attack since the human in question is not likely to know or care why the input was rejected and will, most likely, type it in exactly as shown…

Clive Robinson April 30, 2008 12:36 AM


How about the HTML or other encoding of the missing charecters?

The chances are that “off the shelf” general purpose (re-usable) software will be used for two reasons,

1, It works and is available.
2, it future proofs the system.

So the “head end” and many points in between will allow other chars through either directly or by encoding them up.

Which gives rise to the thought about does it have to be on the license plate at all?

How about as a bumper sticker that looks sufficiently like a licence plate (ie font and size etc)?

And would such a bumper sticker be illegal (currently)?

Filias Cupio April 30, 2008 1:05 AM

Even if using an “off the shelf” OCR package, I’d expect the illegetimate characters to have been disabled, simply for reliability reasons. The more characters we are trying to recognize, the less difference there is between any character and the one it most resembles, and the greater the chance of a misreading. A “1” might get misread as a “/” if “/” is in the recoginition character set – but we know that anything midway between a “1” and a “/” must be a “1”, because “/” isn’t a legitimate character in a numberplate – so why try to recognize it?

It doesn’t take the (rare?) security mind-set to eliminate “/” from the possibilities – just the (common) test-it-and-fix-the-failures mind-set.

Paeniteo April 30, 2008 1:48 AM

@Tordr: “Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation.”

And, awaiting confirmation, the license plate data is stored in..?

Paeniteo April 30, 2008 2:01 AM

Besides, wouldn’t the pictured license plate be an enormously stupid injection?

If the plate scanner compares to a list of “interesting” license plates, the mini will trigger the alert all the time.

(Yes, I’m aware that it’s supposed to be a joke 😉

RaSchi April 30, 2008 3:21 AM

@Paniteo: You see, this seems to be the work of an advanced script kiddie. Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here… If you don’t fully understand why it works somewhere else, be careful when applying it in your area.

bob April 30, 2008 7:11 AM

@silence, Will Knott: So now all we need is a public “most wanted” list of sought license plates – then make license plate shaped/colored stickers of “hot” plates (so to speak) and plaster them at approx bumper height on every dumpster, mailbox and stray dog we can find.

Although we should probably only want to use the ones where they have 217 unpaid parking tickets rather than an actual Violent Criminal to avoid getting innocent bystanders near a suspicious telephone pole shot by overzealous police.

Bonus points if you put it on a “meter maid” vehicle. Extra bonus points if they arrest the meter maid (yes, they can be male but I dont know any other colloquialism for the function).

vvpete April 30, 2008 10:56 AM

A friend of mine who’s a license plate collector had an interesting story that could relate to this. He made a trip in his pickup with a camper shell to a recycler in a neighboring state and picked up several boxes of old license plates, many of which were still valid. On the way home he started noticing that people passing him were giving him strange looks. The next time he stopped, he looked at the back of the truck and discovered that a box had fallen over and several current plates from a couple of different states were plastered against the rear window.

The question for this discussion: If more than one license plate is visible on a car, does the automatic scanner catch only one?

Tamzen April 30, 2008 10:56 AM

In CA you can have a large variety of symbols as well as letters and numbers on your plates, including things like a star, a hand, a heart, etc. So scanners will have to accommodate these,

derf April 30, 2008 11:21 AM

The scanners and back end systems are written for government entities. It’s a miracle they work at all given that taxpayer dollars are being spent on them. There is absolutely no way there is any security built in, so your “drop table” license plate will work wonders.

wm May 1, 2008 6:42 AM

@RaSchi: “Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here… If you don’t fully understand why it works somewhere else, be careful when applying it in your area.”

I’ve not had cause to use SQL myself, but I’m imagining it’s intended for the case (guessing a bit at actual SQL syntax):

Find records where licence_plate = $plate

which will cause a ticket to be sent to every car in the country. Sounds like exactly the sort of mischief that’s intended, to me!

Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

a500poundblobbutactuallyjustaskinnyguytryingtomaskhisidentityontheinternetincasesomebodydiscoversore May 2, 2008 5:32 AM

In so many discussions like this on the internet people seem to overlook the fact that when these systems were being implemented they had a team of people sit down at a conference table and discuss many of the very things that are being discussed here, so much of what you’re saying is repeating history. People are not nec’ly dumb and you’re prob’ly not the first to think of sth. True, some security may’ve been overlooked, but it’s very likely they eliminated OCR of all other chars.

Richard Braakman May 2, 2008 3:31 PM

I just think it’s unlikely that a government database would use anything as modern as SQL. I’d expect something more like MUMPS.

ElQ May 3, 2008 10:06 AM

@a500, I dunno, I’ve found that most people are quite dumb indeed. Usually, the more “important” their jobs and their decisions, the dumber they are!

2ManyPlates May 5, 2008 12:03 PM

Amazing but true. Saw a Taxi with 2 plates, one on bumper, different states! ~Not to far from another state location. Taxi sure had a small sign, like a fake, little markup of company. Perhaps local cops are testing their camera systems this way, using a taxi as a known beacon…
Weird, perhaps some are testing this or ?
Funny, lots of years on the road, NEVER seen 2 plates on a vehicle. Now, allready. Things that make you go hum.
Interesting, and a good way to test the game.

Anonymous May 5, 2008 3:30 PM

No, these systems developed for Law enforcement are being developed by the lowest bidder…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.