SQL Injection Fools Speed Traps and Clears Your Record

18mpenleoksq8jpg

Typical speed camera traps have built-in OCR software that is used to recognize license plates. A clever hacker decided to see if he could defeat the system by using SQL Injection…

The basic premise of this hack is that the hacker has created a simple SQL statement which will hopefully cause the database to delete any record of his license plate. Or so he (she?) hopes. Talk about getting off scot-free!

The reason this works (or could work?) is because while you would think a traffic camera is only taught to recognize the license plate characters, the developers of the third-party image recognition software simply digitize the entire thing — recognizing any and all of the characters present. While it’s certainly clever, we’re pretty sure you’ll still get pulled over and questioned — but at least it’s not as extreme as building a flashbulb array to blind traffic cameras…

What do you guys think? Did it work? This image has been floating around the net for a few years now — if anyone knows the original story let us know!

Comments

  1. Matt says:

    ZUO666 = EVIL666. Greetings from Poland ;)

  2. Z says:

    Reminds me of Little Bobby Tables… http://xkcd.com/327/

  3. Mohonri says:

    If this works, I will laugh my head off. Not only does it attempt to drop a table, it attempts to drop the ENTIRE DATABASE. Given the structure of the injection string, it would also appear that the person not only knew the structure of the table and database, he/she also knew the format of the actual SQL statement that was doing the injection! (IF it’s real, of course)

  4. No Hack says:

    haha this is really great :)

  5. Petiepooo says:

    Hrmm… Looks like Bobby Tables has reached driving age!

    For those that don’t get the reference, the obligatory xkcd: https://xkcd.com/327/

  6. greenbacks says:

    photoshoop?

  7. henry says:

    This photo is at least 5 years old.

  8. RodgerDodger says:

    Aww, Lil’ Bobby Tables!

  9. asheets says:

    It could work. Every once in awhile I’ll run into a spammer that offers automatic removal of email addresses. I feed into the field “*@*.com” to see what will happen.

  10. 0xfred says:

    Brilliant. It doesn’t really matter if it would work. The fact that it just *might* is funny enough.

  11. r4nd0m says:

    BTW: the license plate numbers starting with “ZU O” are a slang term for “evil” in Polish :-)

  12. TinkThank says:

    I don’t think it’s going to work. I work a lot with check image processing (similar to mobile deposit on your phone) and when images are captured by a camera, the first thing done is finding the object you are trying to read. In my case, it is a check, so we find the edges in the image and then “guess” what the check is by finding 4 edges that make a rectangle and could match the aspect ratio of a check. This gives us the values we need to then make the check “flat” in the image so that character recognition is easier. I am sure that license plate recognition works the same way. His banner certainly does not match the aspect ratio of a license plate. Novel idea, but I think it will always be a just a novelty :)

    • Hybridblue says:

      So. What you are saying is that we could make a border around the plate that would add an extra number or offset a number by tricking the system to see a false start/end which would cause a failure to properly read the plate? Sounds kind of easy to fool.

  13. Grunk says:

    Can’t work. Most ANPR software are looking for a short number of char to read depending of the type of plate expected. For exemple in France an ANPR will look for 7 or 9 char , not more. Everything above that will be read by the OCR but not saved to the DB.

    • Grunk says:

      Two more points :
      ANPR searching fo rectangle in image to know where to fin char (won’t work here)
      Most of ANPR (at least good one) works with IR light , so printed paper won’t work ::)

    • phuzz says:

      Which then begs the question, what could you paint on either side of your real number plate to cause the OCR to fail? Ideally without being so obvious that police pulled you over.
      Does ANPR use visible light, or IR? If it’s IR you could paint ON the plate and it wouldn’t be visible to humans.

  14. Shakipu says:

    One of my co-worker says it doesn’t work. And i’m pretty sure he’s right. He saws that years ago on a french website (yes it’s a french crappy car). There is “prepare statements” in order to avoid anything like that. Brilliant idea however and it looks fun.

    • mindaugasz says:

      And there is no commercial ANPR engine that could recognize punctuation symbols.

    • AKA the A says:

      However that crappy French car is found throughout pretty much all of Europe, more likely to the east, since it’s a fairly old model :P

      • German cars rule says:

        If I had to drive that old Renault, I’d rather use “Please kill me” as a registration plate.

        • Coligny says:

          That’s funnay because you’re making fun of french cars tee hee heee
          Hey droolies, the Renault group is the 4th biggest automotive group on this planet…

          • mikethezipper says:

            GM makes three times the amount of cars that Renault makes, and I will make fun of my crappy Saturn any day. Also, you should double check your “4th biggest” factoid.

            Even if it was the number 1 producer, that doesn’t mean anything. Case in point: Tata everything they make is crap and yet they are the most popular company in India.
            People will buy what is cheapest a lot of times. Of course something that is cheap is probably crappy.
            But it is true that making fun of the French is as obnoxious as how they make fun of us all the time.

    • Elle P. says:

      SQL prepare statements only work if the programmer was wise enough to use them. That is the whole point of the joke, that bobby tables would have been a non-issue if the programmer properly sanitized the input data.

  15. orz says:

    This was made in Poland – home of people who has minds set to hacking mode since birth – common thinking is that you need to know how to cheat absurdities of The System.

    The “TABLICE” in DROP DATABASE part means “number plates”.

    This picture is just a joke, of course.

  16. Last week news websites posted a story that our (Belgian) king had dozens of speeding tickets coming from France. It turned out the French system couldn’t read the new Belgian license plate format (1-ABC-123) and defaulted to the plate “1”, which belongs to the king.

  17. Don says:

    I can tell you I have a coworker who has an injection on his license plate. He thought it was really clever at the time. He’s been pulled over twice since and both times the cops couldn’t run the plate. Once he was detained for a period because the plate didn’t come up in the system and they thought it was stolen. The last time he was up for renewal he couldn’t do it at the DMV.

    • ka1axy says:

      Details, please!

      • Don says:

        Don’t want to give his plate number out, but it starts with a double tic. It’s supposed to be illegal to have multiple special characters here, so they should never have issued the plate in the first place. I suspect it went through because it failed to register as a “bad” combination. The cops obviously have no clue. The first time running it allegedly crashed the MDT application on the laptop. The second time it just didn’t resolve to a valid plate and came back as “no record found”. Of course the cop just assumed that meant it wasn’t a valid plate, probably because it was stolen previously. He had to manually call it in, which took a while and the DMV finally just said they couldn’t figure out what was going on so they eventually let him go. In both cases they didn’t write a ticket because they couldn’t run the plate, so I guess it was a win. Apparently it wasn’t too much hassle, because he still has the plate today.

    • Rob says:

      inquiring minds want to know…

    • Sean says:

      I’m also eager to hear more about this.

    • mikethezipper says:

      …. Really people? obviously SQL injection doesn’t work on humans, it’s a joke.

  18. I can tell you that this picture was taken in Poland (you can see ‘PL’ written at the beginning of the real licence plate).

    Also “ZU O666″ can be interpreted as “ZŁO 666″ (pronounced the same), which means “EVIL 666″.

    The database in the query is called called “Tablice” which means “[licence] plates” in Polish.

  19. Rick says:

    was this idea “borrowed” from XKCD? Kudos if so

    http://xkcd.com/327/

  20. Mike Szczys says:

    As everyone else is say, yes this is old. Also someone on Twitter mentioned that it’s been thoroughly debunked.

    But click through and read the article that is linked. He makes a really good point about systems that take automatic input like this license plate scraper, or airline baggage tag scanners. Are these systems which don’t allow keyboard input being tested for injection attacks?

  21. MrLebowski says:

    Without going all the way to SQL injection you could imagine putting stickers with lots of alphanumeric characters the same size and shape as the license plate. That way the system wouldn’t be able to tell what the plate is amongst all the gibberish.

  22. etet says:

    As others already stated none of the ANPR systems on the market should read this as a plate. Mainly because the plate has invalid dimensions and by far to many characters. But certainly sometimes they will at least partially read it!

    Concerns about reflection in IR range are only an issue at night. At daytime even IR-only systems will read non-reflective items. Recognition rate will drop but reading is still possible and will work in a lot of cases. Furthermore such systems will regularly read text from banners on trucks by accident from time to time even tough these banners are not designed to be reflective in IR-range.

    Syntax checks for licence plates are based on a good guess because they may not be unique when handling many different countries which is the default case in such systems most of the time. So you can’t throw away the plate if syntax doesn’t match any known syntax. You will therefor end up with funny readings from time to time.

  23. ka1axy says:

    NOPLATE
    NONE
    BLANK

    • Galane says:

      There was a guy in New York City who got NOTAGS as a vanity plate. Kept getting fines for not having a license because stupid meter readers and stupid DMV people would either write the plate data in the wrong spot or if it was in the right spot on the form they wouldn’t pay attention to where on the form NOTAGS was written. He finally gave up combating stupidity and got something different.

      Right now there’s a guy in Florida who has never been to Miami yet has received at least one ticket from that city. He has a pickup truck. Someone in Miami has a car with a plate number that is the same as his except for an O, 0 or Q. I don’t recall which character is on his plate, but the stupid idiots at Miami DMV refuse to kill the ticket. The traffic camera photo was taken in either the morning or evening and is too grainy to make out whether or not the suspect character is a Q or not.

      You’d think that once shown the difference between a pickup truck and a car, they’d just forget it, and go to their database and search for a CAR, registered in Miami, with a plate that’s almost but not quite exactly like the one they mistakenly sent the ticket to.

  24. Will says:

    I doubt it would work. What’s more, if any actual cop saw that on the road, he could pull him over for not displaying proper plates. I’d bet the fine for that is more than the speeding fine would be.

    • George Johnson says:

      And finally somebody states the obvious.
      Reading the comments, that’s what I kept thinking. None of their arguments matter, because this person is going to get pulled in a matter of hours anyway.

  25. I do this for a living says:

    I would reckon that ALPR systems have error checking like others have said for “does plate have proper number of digits” and “does plate have proper characters in string” types of gotchas. I would also imagine that they would capture an image of the cars they can’t read for further investigation, if not for criminal activity, then for troubleshooting data. Capturing the plate to text and databasing it is one part of the system, they do keep the actual pictures as well. This is like getting a plate that says 1111111 to commit a crime because its hard to tell if its 1111111 or IIIIIII – but you’ll still get busted every time because of the pattern is so unique (that might actually be in a xkcd strip as well). Try driving this past the 5-0 and see what happens…

  26. Bob Ross says:

    This wouldn’t work because bug splat == sql injection.

  27. FrankTheCat says:

    But look at that Saab 900 to the right. I would love to have those wheels on mine.

  28. Michael says:

    This reminds me of the guy that had “NO TAG” as a license plate. Check it out: http://www.snopes.com/autos/law/noplate.asp

  29. 0ne says:

    Stupid… you are better off just removing your license plate. I doubt any programmer would be dumb enough to not do any type of variable validation before running an SQL command. They probably removed special characters from the OCR script too, in order to make recognition faster by narrowing possible values.

    Funny though.

    • dd says:

      You would be surprised. At last count only 26% of programmers have any secure development training and of those only a tiny fraction bother to do it. They get paid the same and are not legally liable like real engineers are, so why should they care? Security is hard, thus why so many crimes succeed and so many identities stolen.

  30. hulvi says:

    James you’re 3 days late

  31. Moroni Granja says:

    Too bad that wouldn’t work in Brazil. They look at the photos and type in the license plate numbers by hand :/

  32. supershwa says:

    In Colorado we do have traffic cams at various intersections, but there is an old law in place that a lot of residents aren’t aware of:

    Traffic violations must be served to you by a physical public servant.

    This means if you receive one of these traffic cam tickets in the mail, you can ignore it and you will not suffer any penalty. Sadly a lot of folks actually pay for them, even worse that the local authorities are allowed to “scam” residents in this manner.

  33. An Ominous One says:

    Just use some of the reflective sprays or one of those clear covers that blurs the image when a photo is taken.

    • Alan says:

      You know, if you can read a licence plate in day light, a standard camera will take an equally legible photo, and an expensive traffic camera will take an excellent one. If you can read it through a blurry plate cover, so will the camera, and even if it cant, it will flag it for a human to examine.

      Furthermore, if such things were effective, cops would be taught to watch for them, and they would pull you over and ticket you.

  34. David Bradbury says:

    Slow news day? Of course it won’t work.

  35. niru says:

    hack the cop: “NODONUT”

  36. Paintball sniper says:

    A lot of people around the world have hacked the actual cameras themselves. Common tools employed include flaming tires, sticking a post-it note on the lens, spraypaint (for the easy-to-reach units), or paintball guns, hacksaws, crowbars, axes, and ramming them with a sturdy front bumper to knock them over (for the ones on tall poles). Each camera costs a ridiculous amount of money, so don’t get caught defending yourself from a government-approved mugging.

    If the Supreme Court takes the case this time, these traffic scameras might be outlawed in the U.S. (like they should be), making the issue moot: http://www.thenewspaper.com/news/43/4376.asp

    Failing that, somewhere around 90% of the municipalities where they’ve been brought to on a vote they are outlawed by a very substantial margin (and the incumbents who initially approved them tend to be replaced as well).

    In the meantime, more anti- Big Brother tech please! Like how do we jam the RF data feed of those automatic plate readers that are popping up all over the place without disrupting other RF-dependent activity (such as listening to the radio)?

    • JRDM says:

      While they’re terrible systems, a lot of those actions sound like vandalism.

      This thing is slightly better aligned than a captcha, with such poor legibility, I don’t know if a machine vision system can get that right.

  37. Doktor Jeep says:

    Mwa ha ha ha! Good idea though.

  38. ejonesss says:

    ” it opens many new doors for mischievous and malicious attack”

    like allowing a hackers movie style attack on an individual.

    just like the hackers in the movie set up richard gill as a criminal and eventually registered him as dead the hack here could allow you to be able to take a picture of the plate of someone you have a vendetta or grudge and submit it along with a photoshopped image of their car on the road and rack up their fine tab.

    the only problem i see with that is you have to make sure the person uses that road anyways or they could argue ” i never was on that road”.

  39. Figureitout says:

    Now you need a version of this that you can wrap around your head, or a mask. For the coming facial recognition cameras.

  40. Rollyn01 says:

    I didn’t know the Laughing Man had a car. I wanna ride with him.

  41. License plate recongnition software is specifically designed for license plates. It’s not your average OCR software. It’s capable of car-specific things like recognizing a plate numbers under the layer of mud.
    Shortly, it would not recognize anythings that isn’t a license plate. This pic is just the average SQL-injection joke.

  42. I would like to try this idea with visors price in supermarkets hacking the barcode.

  43. Thumper says:

    How ridiculous. Funny idea, but ridiculous. Even if it did work, there’s little doubt of some sort of back-up process existing at the government’s (or contract vendor’s) data center. They love to spend money of stuff.

    Database of people they have to pay money too == not so important … but, database of people that owe them money == more than likely backed up somewhere.

    Also, whether it worked or not, wouldn’t this be considered an attempt at illegal cracking? (On this site, I dare not call it what the news calls it.)

    I think it would be in the States… “unauthorized access”, “intentionally, without authorization”, “knowingly … program, information, code, or command … result of such … intentionally causes damage”

    http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Criminal_offenses_under_the_Act

  44. asdf says:

    Most speed-activated cameras use a radar gun operating at 24 or 35 GHz to determine if you are speeding. It’s possible to “spoof” your speed back to the radar by modulating a Gunn diode operating at the same frequency with a tone equal to the speed you want the radar to see:

    • vvenesect says:

      There were construction plans back in the ’80s for a system like this that were advertised in the electronic magazines. I think I still have them. It had a hall effect sensor that mounted on your driveshaft and an under-dash control box with a digital display. You could set it to either display a percentage of your actual speed or a speed you dialed in. A Gunn diode was then used to transmit the signal. I supposed it was outdated when laser systems came into use.

  45. daid303 says:

    I worked on these systems, won’t work for multiple reasons. It’s not in the normal detection areas, the text does not fit in any license plate regular expression.

    It will get you arrested.

  46. Jens says:

    Why not just change the number on the plate?

  47. Calle says:

    Would probably not work as the OCR software will probably only search for characters that is actually used on plates.

  48. Its fake. Could not work technically but should appreciate the smartness of trial

  49. randomreader says:

    If there is no IR filter what’s to stop people blanking out there plates with IR light?

    • George Johnson says:

      Many of them use regular (fairly high end) consumer type cameras. So, you can bet it’s got the IR filter in place.
      But I think with some of the higher wattage(3/5watt) IR LED’s, you could still do this, just enough to blur the edges of the plate, without looking like you’re doing anything.

  50. in europe, every licenseplate will have a chip very soon. Welcome 1984…..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s