SQL Injection Attacks Against Automatic License Plate Scanners

This picture is almost certainly Photoshopped, and a joke, but it's certainly a clever idea. As automatic license plate scanners become more common, why not get a SQL injection attack as a plate?

Reminds me of this xkcd cartoon.

Posted on April 29, 2008 at 3:21 PM • 39 Comments

Comments

Tremaine • April 29, 2008 4:34 PM

I think those of us fortunate to live in jurisdictions that only insist on one plate could have some fun with this...

Tordr • April 29, 2008 4:36 PM

Good idea, but I believe most areas of the world do not allow the use of characters such as '=() and so on.

silence • April 29, 2008 4:39 PM

There probably isn't any need to put the "license plate" on an actual car. I'd be surprised if it isn't sufficient to create a license-plate-like-object and stick it on a telephone pole.

Tordr • April 29, 2008 4:40 PM

Continuing on my previous comment:
Therefore the automatic license plate scanners are not accepting those special characters as valid input.
Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation.

Anonymous • April 29, 2008 4:49 PM

> most areas of the world do not allow
> the use of characters such as '=()

Therefore, the programmers will know an SQL attack is impossible, and therefore, the attack will work beautifully.

DarthParadox • April 29, 2008 5:24 PM

More likely, the OCR used by the scanners will just fail to read the license plate, or ignore any characters that it's not expecting as noise. It would have been foolish to allow the scanners to consider anything other than letters and numbers (and maybe the dash between blocks) as correct data anyway.

Anonymous • April 29, 2008 5:43 PM

@Tordr, DarthParadox: You guys are entirely missing the point. Yes, the scanner software, if well written, will reject invalid characters. The whole point of this exercise is, are those things well written? I don't know, but I doubt you do either, so I'm not sure why you're so confident that they validate their inputs.

It may be perfectly obvious to you right now that such validation should occur, but that's not the question. The question is whether that occurred to the programmers when they wrote the code.

Since there are plenty of web sites that get this wrong, it's conceivable that a license plate scanner did too.

VWM • April 29, 2008 5:46 PM

@Tordr & DarthParadox: That is the clue regarding all SQL Injection Attacks: Most of the time, special characters like ');-- etc. are no meaningful input. Therefore they should be wiped from the input. But quite often it is just ignored that they can still occur.

It is especially dangerous to rely on the OCR here. Maybe the current version does drop illegal characters. And maybe tomorrow this version is replaced by some faster / better / whatever component that doesn't. Security is a local property...

DarthParadox • April 29, 2008 6:47 PM

Well, yes, it does depend on whether they're well-written or not. My point was a slightly different one, though: while it takes extra effort on the part of the software to restrict input from users to a certain set of characters, OCR has the trait that as a part of processing it must actively recognize each character image as matching against its letter patterns, and if the OCR software was written to detect license plate numbers there's no reason it should ever detect other characters.

On the other hand, any use of off-the-shelf OCR software completely nullifies that line of argument.

Pat Cahalan • April 29, 2008 6:49 PM

@ Darth Paradox

> On the other hand, any use of off-the-shelf OCR software
> completely nullifies that line of argument.

$5 says that's precisely what would be used :)

Lawrence D'Oliveiro • April 29, 2008 7:09 PM

What other situations could theoretically allow you to commit a similar attack? Malicious library cards? ATM cards? Sneak into supermarkets and stick malicious barcodes on products?

What about biometric scanners (e.g. faces, fingerprints)? If there's a loophole in how they encode the metrics, a specially-crafted face mask or false fingertip could lead to an interesting attack. :)

Rich Wilson • April 29, 2008 8:47 PM

In a SANS course Johannes Ullrich mentioned that a pen tester had managed to hack a rebate system via sql injection, by writing the sql on the rebate forms that got OCRed.

You're on the Newsbytes editorial board, Bruce - you want to ask him for details?

Fuzzy • April 29, 2008 9:29 PM

North Dakota permits an Ampersand (&).
Texas permits Dash (-) and Period (.).
New Hampshire permits: Dash (-), Ampersand (&), and Plus (+); in their license plates.
Unfortunately, no Semicolon (;), Single Quote ('), or Parenthesis.

Sadly, no state appears to allow the necessary characters onto a vanity license plate.

Anderer Gregor • April 29, 2008 10:52 PM

Fuzzy: The question is -- what happens when you/they enter this string into the system while you apply for this vanity license plate?

Stats • April 29, 2008 11:52 PM

@Tordr,
Even if the OCR does reject the input and passes the string to a human for validation, this only helps the attack, since the human in question is not likely to know or care why the input was rejected and will, most likely, type it in exactly as shown...

Clive Robinson • April 30, 2008 12:36 AM

@fuzzy

How about the HTML or other encoding of the missing characters?

The chances are that "off the shelf" general purpose (re-usable) software will be used for two reasons,

1. It works and is available.
2. It future-proofs the system.

So the "head end" and many points in between will allow other chars through either directly or by encoding them up.

Which gives rise to the thought about does it have to be on the license plate at all?

How about as a bumper sticker that looks sufficiently like a licence plate (ie font and size etc)?

And would such a bumper sticker be illegal (currently)?

Filias Cupio • April 30, 2008 1:05 AM

Even if using an "off the shelf" OCR package, I'd expect the illegitimate characters to have been disabled, simply for reliability reasons. The more characters we are trying to recognize, the less difference there is between any character and the one it most resembles, and the greater the chance of a misreading. A "1" might get misread as a "/" if "/" is in the recognition character set - but we know that anything midway between a "1" and a "/" must be a "1", because "/" isn't a legitimate character in a numberplate - so why try to recognize it?

It doesn't take the (rare?) security mind-set to eliminate "/" from the possibilities - just the (common) test-it-and-fix-the-failures mind-set.

Paeniteo • April 30, 2008 1:48 AM

@Tordr: "Therefore any license plate trying to make an SQL injection attack will be rejected and sent to a human for confirmation."

And, awaiting confirmation, the license plate data is stored in..?

Paeniteo • April 30, 2008 2:01 AM

Besides, wouldn't the pictured license plate be an enormously stupid injection?

If the plate scanner compares to a list of "interesting" license plates, the mini will trigger the alert all the time.

(Yes, I'm aware that it's supposed to be a joke ;-)

Tanuki • April 30, 2008 3:10 AM

The evil in me now wonders if it's possible to get the vanity plate DROP TABLE;

RaSchi • April 30, 2008 3:21 AM

@Paeniteo: You see, this seems to be the work of an advanced script kiddie. Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here... If you don't fully understand why it works somewhere else, be careful when applying it in your area.

bob • April 30, 2008 7:11 AM

@silence, Will Knott: So now all we need is a public "most wanted" list of sought license plates - then make license plate shaped/colored stickers of "hot" plates (so to speak) and plaster them at approx bumper height on every dumpster, mailbox and stray dog we can find.

Although we should probably only want to use the ones where they have 217 unpaid parking tickets rather than an actual Violent Criminal to avoid getting innocent bystanders near a suspicious telephone pole shot by overzealous police.

Bonus points if you put it on a "meter maid" vehicle. Extra bonus points if they arrest the meter maid (yes, they can be male but I don't know any other colloquialism for the function).

vvpete • April 30, 2008 10:56 AM

A friend of mine who's a license plate collector had an interesting story that could relate to this. He made a trip in his pickup with a camper shell to a recycler in a neighboring state and picked up several boxes of old license plates, many of which were still valid. On the way home he started noticing that people passing him were giving him strange looks. The next time he stopped, he looked at the back of the truck and discovered that a box had fallen over and several current plates from a couple of different states were plastered against the rear window.

The question for this discussion: If more than one license plate is visible on a car, does the automatic scanner catch only one?

Tamzen • April 30, 2008 10:56 AM

In CA you can have a large variety of symbols as well as letters and numbers on your plates, including things like a star, a hand, a heart, etc. So scanners will have to accommodate these.

derf • April 30, 2008 11:21 AM

The scanners and back end systems are written for government entities. It's a miracle they work at all given that taxpayer dollars are being spent on them. There is absolutely no way there is any security built in, so your "drop table" license plate will work wonders.

wm • May 1, 2008 6:42 AM

@RaSchi: "Good idea, but just taking the code of some other SQL injection from somewhere else may not serve the purpose here... If you don't fully understand why it works somewhere else, be careful when applying it in your area."

I've not had cause to use SQL myself, but I'm imagining it's intended for the case (guessing a bit at actual SQL syntax):

Find records where licence_plate = $plate
Send_speeding_ticket_to(records)

which will cause a ticket to be sent to every car in the country. Sounds like exactly the sort of mischief that's intended, to me!


--------
Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.
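The comments above circle around two separate defences: restricting the characters the scanner will accept (Tordr, DarthParadox, Filias Cupio) and not trusting that restriction when the plate text finally reaches the database (VWM, Stats, wm's sketched query). The following is an added example, not code from the post or any commenter, showing a toy plate-lookup backend in Python with sqlite3. The table, the owner names and the whitelist of plate characters are all constructed sample data; the whitelist borrows the dash, ampersand, plus and period that Fuzzy lists for a few states but is otherwise an assumption. It shows why a string-concatenated version of wm's query matches every vehicle when fed a plate string containing a quote, while a bound-parameter version of the same query does not, regardless of what the OCR or a human typist let through.

```python
"""Toy plate-lookup backend (constructed example, not the post's code).

Two defences are shown and kept separate on purpose:
  1. validate_plate(): an application-side character whitelist, so the
     system does not depend on which OCR component happens to be in front.
  2. find_owners_safe(): the lookup query with a bound parameter, so the
     plate is always data, never part of the SQL statement.
find_owners_unsafe() is the concatenated query several commenters imagine,
kept only to show the difference on identical input.
"""
import re
import sqlite3
from typing import Optional

# Constructed whitelist: letters, digits, space, dash, ampersand, plus, period.
# No quote, semicolon or parenthesis, matching what Fuzzy reports for plates.
PLATE_RE = re.compile(r"^[A-Z0-9 .&+-]{1,8}$")


def validate_plate(raw: str) -> Optional[str]:
    """Return the normalised plate text if it fits the whitelist, else None."""
    plate = raw.strip().upper()
    return plate if PLATE_RE.fullmatch(plate) else None


def build_db() -> sqlite3.Connection:
    """In-memory database with a few constructed vehicle records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE vehicles (plate TEXT PRIMARY KEY, owner TEXT);
        INSERT INTO vehicles VALUES ('ABC 123', 'constructed owner 1');
        INSERT INTO vehicles VALUES ('XYZ 789', 'constructed owner 2');
        INSERT INTO vehicles VALUES ('ND&4',    'constructed owner 3');
        """
    )
    return conn


def find_owners_unsafe(conn: sqlite3.Connection, plate: str) -> list:
    """wm's query written the way it must not be: plate text spliced into SQL."""
    sql = "SELECT owner FROM vehicles WHERE plate = '" + plate + "'"
    return [row[0] for row in conn.execute(sql)]


def find_owners_safe(conn: sqlite3.Connection, plate: str) -> list:
    """Same query with a bound parameter; the driver never parses plate as SQL."""
    sql = "SELECT owner FROM vehicles WHERE plate = ?"
    return [row[0] for row in conn.execute(sql, (plate,))]


def lookup(conn: sqlite3.Connection, raw_plate: str) -> list:
    """Full pipeline: whitelist first, then the parameterised query.

    A rejected plate returns no rows; it is never retried with the raw text,
    which is the failure mode Stats and Paeniteo point at.
    """
    plate = validate_plate(raw_plate)
    if plate is None:
        return []
    return find_owners_safe(conn, plate)


if __name__ == "__main__":
    db = build_db()
    # Constructed test input: a plate string carrying a single quote.
    odd_plate = "' OR '1'='1"
    print("normal plate, safe   :", lookup(db, "abc 123"))
    print("quote plate, unsafe  :", find_owners_unsafe(db, odd_plate))  # every vehicle
    print("quote plate, safe    :", find_owners_safe(db, odd_plate))    # no vehicle
    print("quote plate, pipeline:", lookup(db, odd_plate))              # rejected
```

The interesting line is the unsafe lookup: with the quoted string, the WHERE clause degenerates into a condition that is true for every row, which is exactly the "ticket to every car in the country" outcome wm describes. The parameterised version returns nothing for the same string, and the whitelist in front of it means such a string never reaches the query at all. Either layer alone closes the hole in this toy; having both is what makes the system stop depending on the OCR vendor's character set.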

a500poundblobbutactuallyjustaskinnyguytryingtomaskhisidentityontheinternetincasesomebodydiscoversore • May 2, 2008 5:32 AM

In so many discussions like this on the internet people seem to overlook the fact that when these systems were being implemented they had a team of people sit down at a conference table and discuss many of the very things that are being discussed here, so much of what you're saying is repeating history. People are not nec'ly dumb and you're prob'ly not the first to think of sth. True, some security may've been overlooked, but it's very likely they eliminated OCR of all other chars.

Richard Braakman • May 2, 2008 3:31 PM

I just think it's unlikely that a government database would use anything as modern as SQL. I'd expect something more like MUMPS.

ElQ • May 3, 2008 10:06 AM

@a500, I dunno, I've found that most people are quite dumb indeed. Usually, the more "important" their jobs and their decisions, the dumber they are!

2ManyPlates • May 5, 2008 12:03 PM

Amazing but true. Saw a Taxi with 2 plates, one on bumper, different states! Not too far from another state location. Taxi sure had a small sign, like a fake, little markup of company. Perhaps local cops are testing their camera systems this way, using a taxi as a known beacon...
Weird, perhaps some are testing this or ?
Funny, lots of years on the road, NEVER seen 2 plates on a vehicle. Now, already. Things that make you go hmm.
Interesting, and a good way to test the game.

Anonymous • May 5, 2008 3:30 PM

@a500pound
No, these systems developed for Law enforcement are being developed by the lowest bidder...
