Typical speed camera traps have built-in OCR software that is used to recognize license plates. A clever hacker decided to see if he could defeat the system by using SQL Injection…
The basic premise of this hack is that the hacker has created a simple SQL statement which will hopefully cause the database to delete any record of his license plate. Or so he (she?) hopes. Talk about getting off scot-free!
The reason this works (or could work?) is because while you would think a traffic camera is only taught to recognize the license plate characters, the developers of the third-party image recognition software simply digitize the entire thing — recognizing any and all of the characters present. While it’s certainly clever, we’re pretty sure you’ll still get pulled over and questioned — but at least it’s not as extreme as building a flashbulb array to blind traffic cameras…
What do you guys think? Did it work? This image has been floating around the net for a few years now — if anyone knows the original story let us know!
ZUO666 = EVIL666. Greetings from Poland ;)
Reminds me of Little Bobby Tables… http://xkcd.com/327/
exact thing i thought of too!
Looks like I showed up too late… you beat me to the Little Bobby Tables reference. Well done, good human!
reminds me of https://xkcd.com/1105/
If this works, I will laugh my head off. Not only does it attempt to drop a table, it attempts to drop the ENTIRE DATABASE. Given the structure of the injection string, it would also appear that the person not only knew the structure of the table and database, he/she also knew the format of the actual SQL statement that was doing the injection! (IF it’s real, of course)
haha this is really great :)
Hrmm… Looks like Bobby Tables has reached driving age!
For those that don’t get the reference, the obligatory xkcd: https://xkcd.com/327/
Yep , This is Mrs. Roberts car .
ya beat me to it! :)
worse, little Bobby ended up in a life of crime and is making license plates? :P
OMG this is perfect!! Thanks for the history lesson!!
photoshoop?
Really? You think some photoshopped sticking a bit of paper on their car, rather than just… sticking a bit of paper on their car.
:D
Kids of today don’t even know what paper is anymore…
Some kind of flattened dead tree with black oil smeared on it in the shape of words?
I laughed entirely too hard at this.
This photo is at least 5 years old.
And was previously featured on this very site
I never saw it. Its hilarious!
I can’t find that one, and the first references seem to be from 2010, so here’s an ancient reddit thread:
http://www.reddit.com/r/pics/comments/bfikg/a_new_way_of_sql_injection_pic/
Probably flushed all the posts with the site upgrade. Can’t go that far back tbh
Somebody had that other post renamed to newname’); drop table posts;
Aww, Lil’ Bobby Tables!
It could work. Every once in awhile I’ll run into a spammer that offers automatic removal of email addresses. I feed into the field “*@*.com” to see what will happen.
In SQL you’d want “%@%.com” to match wildcards.
SQL does use the asterisk for a wildcard, and why would they ever use LIKE to remove a single person from a database?
Brilliant. It doesn’t really matter if it would work. The fact that it just *might* is funny enough.
BTW: the license plate numbers starting with “ZU O” are a slang term for “evil” in Polish :-)
I don’t think it’s going to work. I work a lot with check image processing (similar to mobile deposit on your phone) and when images are captured by a camera, the first thing done is finding the object you are trying to read. In my case, it is a check, so we find the edges in the image and then “guess” what the check is by finding 4 edges that make a rectangle and could match the aspect ratio of a check. This gives us the values we need to then make the check “flat” in the image so that character recognition is easier. I am sure that license plate recognition works the same way. His banner certainly does not match the aspect ratio of a license plate. Novel idea, but I think it will always be a just a novelty :)
So. What you are saying is that we could make a border around the plate that would add an extra number or offset a number by tricking the system to see a false start/end which would cause a failure to properly read the plate? Sounds kind of easy to fool.
I think it doesn’t have to be in a car. If the statement was included inside a rectangle with the same aspect ratio, and maybe in the same format the ocr expects to read… And one comes cluster to the camera, it would be more readable. And it has chance to work because the ocr will search database to query the register, that’s in this time that the injection occurs. Unless it only queries only in the correct plate format.
Can’t work. Most ANPR software are looking for a short number of char to read depending of the type of plate expected. For exemple in France an ANPR will look for 7 or 9 char , not more. Everything above that will be read by the OCR but not saved to the DB.
Two more points :
ANPR searching fo rectangle in image to know where to fin char (won’t work here)
Most of ANPR (at least good one) works with IR light , so printed paper won’t work ::)
Which then begs the question, what could you paint on either side of your real number plate to cause the OCR to fail? Ideally without being so obvious that police pulled you over.
Does ANPR use visible light, or IR? If it’s IR you could paint ON the plate and it wouldn’t be visible to humans.
One of my co-worker says it doesn’t work. And i’m pretty sure he’s right. He saws that years ago on a french website (yes it’s a french crappy car). There is “prepare statements” in order to avoid anything like that. Brilliant idea however and it looks fun.
And there is no commercial ANPR engine that could recognize punctuation symbols.
However that crappy French car is found throughout pretty much all of Europe, more likely to the east, since it’s a fairly old model :P
If I had to drive that old Renault, I’d rather use “Please kill me” as a registration plate.
That’s funnay because you’re making fun of french cars tee hee heee
Hey droolies, the Renault group is the 4th biggest automotive group on this planet…
GM makes three times the amount of cars that Renault makes, and I will make fun of my crappy Saturn any day. Also, you should double check your “4th biggest” factoid.
Even if it was the number 1 producer, that doesn’t mean anything. Case in point: Tata everything they make is crap and yet they are the most popular company in India.
People will buy what is cheapest a lot of times. Of course something that is cheap is probably crappy.
But it is true that making fun of the French is as obnoxious as how they make fun of us all the time.
@mikethezipper Renaults are among the best selling cars, and the most used car brand in Europe, sorry we dont care for chevy/ford pickups the size of a friggin boat and still unable to protect their driver, to each their own ay?
SQL prepare statements only work if the programmer was wise enough to use them. That is the whole point of the joke, that bobby tables would have been a non-issue if the programmer properly sanitized the input data.
This was made in Poland – home of people who has minds set to hacking mode since birth – common thinking is that you need to know how to cheat absurdities of The System.
The “TABLICE” in DROP DATABASE part means “number plates”.
This picture is just a joke, of course.
You think polish people have an inate ability to hack? Let me guess, you’re polish?
Ever since they installed screendoors on their submarines, they’ve thought they were all kinds of smart…
Hey, It keeps the fish out!
There is a significant culture for it. Most of the best lockpickers and safecrackers in the world are from that general region. Dutch are even more strongly suited. It is just the way the culture is over there. Like In the US people tend to value independent action, or at your house, where everyone is an asshole.
Marian Rejewski https://en.wikipedia.org/wiki/Marian_Rejewski cracked the Enigma. What have you done?
I reduced an htc wildfire to smithereens.
Mike, why you are asking about polish people when he’s talking about Polish people? :) The latted do have innate distrust of authority and rules and knack to invent new ways of circumventing the system. I suppose that over a hundred years under foreign rule, 5 years of Nazi occupation, and 50 years of communism does that to people…
Last week news websites posted a story that our (Belgian) king had dozens of speeding tickets coming from France. It turned out the French system couldn’t read the new Belgian license plate format (1-ABC-123) and defaulted to the plate “1”, which belongs to the king.
That’s what the King wants you to believe… B^)
XD
I can tell you I have a coworker who has an injection on his license plate. He thought it was really clever at the time. He’s been pulled over twice since and both times the cops couldn’t run the plate. Once he was detained for a period because the plate didn’t come up in the system and they thought it was stolen. The last time he was up for renewal he couldn’t do it at the DMV.
Details, please!
Don’t want to give his plate number out, but it starts with a double tic. It’s supposed to be illegal to have multiple special characters here, so they should never have issued the plate in the first place. I suspect it went through because it failed to register as a “bad” combination. The cops obviously have no clue. The first time running it allegedly crashed the MDT application on the laptop. The second time it just didn’t resolve to a valid plate and came back as “no record found”. Of course the cop just assumed that meant it wasn’t a valid plate, probably because it was stolen previously. He had to manually call it in, which took a while and the DMV finally just said they couldn’t figure out what was going on so they eventually let him go. In both cases they didn’t write a ticket because they couldn’t run the plate, so I guess it was a win. Apparently it wasn’t too much hassle, because he still has the plate today.
inquiring minds want to know…
I’m also eager to hear more about this.
…. Really people? obviously SQL injection doesn’t work on humans, it’s a joke.
I can tell you that this picture was taken in Poland (you can see ‘PL’ written at the beginning of the real licence plate).
Also “ZU O666” can be interpreted as “ZŁO 666” (pronounced the same), which means “EVIL 666”.
The database in the query is called called “Tablice” which means “[licence] plates” in Polish.
was this idea “borrowed” from XKCD? Kudos if so
http://xkcd.com/327/
As everyone else is say, yes this is old. Also someone on Twitter mentioned that it’s been thoroughly debunked.
But click through and read the article that is linked. He makes a really good point about systems that take automatic input like this license plate scraper, or airline baggage tag scanners. Are these systems which don’t allow keyboard input being tested for injection attacks?
Without going all the way to SQL injection you could imagine putting stickers with lots of alphanumeric characters the same size and shape as the license plate. That way the system wouldn’t be able to tell what the plate is amongst all the gibberish.
That’s when the picture is sent to a human who immediately sees what is a plate and what isn’t, Dirty plates get the same treatment.
As others already stated none of the ANPR systems on the market should read this as a plate. Mainly because the plate has invalid dimensions and by far to many characters. But certainly sometimes they will at least partially read it!
Concerns about reflection in IR range are only an issue at night. At daytime even IR-only systems will read non-reflective items. Recognition rate will drop but reading is still possible and will work in a lot of cases. Furthermore such systems will regularly read text from banners on trucks by accident from time to time even tough these banners are not designed to be reflective in IR-range.
Syntax checks for licence plates are based on a good guess because they may not be unique when handling many different countries which is the default case in such systems most of the time. So you can’t throw away the plate if syntax doesn’t match any known syntax. You will therefor end up with funny readings from time to time.
NOPLATE
NONE
BLANK
There was a guy in New York City who got NOTAGS as a vanity plate. Kept getting fines for not having a license because stupid meter readers and stupid DMV people would either write the plate data in the wrong spot or if it was in the right spot on the form they wouldn’t pay attention to where on the form NOTAGS was written. He finally gave up combating stupidity and got something different.
Right now there’s a guy in Florida who has never been to Miami yet has received at least one ticket from that city. He has a pickup truck. Someone in Miami has a car with a plate number that is the same as his except for an O, 0 or Q. I don’t recall which character is on his plate, but the stupid idiots at Miami DMV refuse to kill the ticket. The traffic camera photo was taken in either the morning or evening and is too grainy to make out whether or not the suspect character is a Q or not.
You’d think that once shown the difference between a pickup truck and a car, they’d just forget it, and go to their database and search for a CAR, registered in Miami, with a plate that’s almost but not quite exactly like the one they mistakenly sent the ticket to.
I doubt it would work. What’s more, if any actual cop saw that on the road, he could pull him over for not displaying proper plates. I’d bet the fine for that is more than the speeding fine would be.
And finally somebody states the obvious.
Reading the comments, that’s what I kept thinking. None of their arguments matter, because this person is going to get pulled in a matter of hours anyway.
I would reckon that ALPR systems have error checking like others have said for “does plate have proper number of digits” and “does plate have proper characters in string” types of gotchas. I would also imagine that they would capture an image of the cars they can’t read for further investigation, if not for criminal activity, then for troubleshooting data. Capturing the plate to text and databasing it is one part of the system, they do keep the actual pictures as well. This is like getting a plate that says 1111111 to commit a crime because its hard to tell if its 1111111 or IIIIIII – but you’ll still get busted every time because of the pattern is so unique (that might actually be in a xkcd strip as well). Try driving this past the 5-0 and see what happens…
To prevent such kind of error, polish license plates have AAA BBBB or AA BBBBB format, where AAA is prefix for city (only known prefixes, even for “custom” plates) and BBB are only non-similar alphanumerics. In B section there can be no uppercase i, lowercase L, only 1. The same with O/0, there can be only 0.
https://xkcd.com/1105/
This wouldn’t work because bug splat == sql injection.
But look at that Saab 900 to the right. I would love to have those wheels on mine.
This reminds me of the guy that had “NO TAG” as a license plate. Check it out: http://www.snopes.com/autos/law/noplate.asp
Stupid… you are better off just removing your license plate. I doubt any programmer would be dumb enough to not do any type of variable validation before running an SQL command. They probably removed special characters from the OCR script too, in order to make recognition faster by narrowing possible values.
Funny though.
You would be surprised. At last count only 26% of programmers have any secure development training and of those only a tiny fraction bother to do it. They get paid the same and are not legally liable like real engineers are, so why should they care? Security is hard, thus why so many crimes succeed and so many identities stolen.
James you’re 3 days late
Too bad that wouldn’t work in Brazil. They look at the photos and type in the license plate numbers by hand :/
In Colorado we do have traffic cams at various intersections, but there is an old law in place that a lot of residents aren’t aware of:
Traffic violations must be served to you by a physical public servant.
This means if you receive one of these traffic cam tickets in the mail, you can ignore it and you will not suffer any penalty. Sadly a lot of folks actually pay for them, even worse that the local authorities are allowed to “scam” residents in this manner.
If you broke the law by speeding, the fact there’s an old law that works in your favor to get around it, doesn’t make it a “scam” for them to try to charge you.
Wouldn’t the mailman delivering the ticket to your mailbox be considered a ‘public servant’?
That knock by the cops after work…
Just use some of the reflective sprays or one of those clear covers that blurs the image when a photo is taken.
You know, if you can read a licence plate in day light, a standard camera will take an equally legible photo, and an expensive traffic camera will take an excellent one. If you can read it through a blurry plate cover, so will the camera, and even if it cant, it will flag it for a human to examine.
Furthermore, if such things were effective, cops would be taught to watch for them, and they would pull you over and ticket you.
Slow news day? Of course it won’t work.
hack the cop: “NODONUT”
A lot of people around the world have hacked the actual cameras themselves. Common tools employed include flaming tires, sticking a post-it note on the lens, spraypaint (for the easy-to-reach units), or paintball guns, hacksaws, crowbars, axes, and ramming them with a sturdy front bumper to knock them over (for the ones on tall poles). Each camera costs a ridiculous amount of money, so don’t get caught defending yourself from a government-approved mugging.
If the Supreme Court takes the case this time, these traffic scameras might be outlawed in the U.S. (like they should be), making the issue moot: http://www.thenewspaper.com/news/43/4376.asp
Failing that, somewhere around 90% of the municipalities where they’ve been brought to on a vote they are outlawed by a very substantial margin (and the incumbents who initially approved them tend to be replaced as well).
In the meantime, more anti- Big Brother tech please! Like how do we jam the RF data feed of those automatic plate readers that are popping up all over the place without disrupting other RF-dependent activity (such as listening to the radio)?
While they’re terrible systems, a lot of those actions sound like vandalism.
This thing is slightly better aligned than a captcha, with such poor legibility, I don’t know if a machine vision system can get that right.
Mwa ha ha ha! Good idea though.
” it opens many new doors for mischievous and malicious attack”
like allowing a hackers movie style attack on an individual.
just like the hackers in the movie set up richard gill as a criminal and eventually registered him as dead the hack here could allow you to be able to take a picture of the plate of someone you have a vendetta or grudge and submit it along with a photoshopped image of their car on the road and rack up their fine tab.
the only problem i see with that is you have to make sure the person uses that road anyways or they could argue ” i never was on that road”.
Now you need a version of this that you can wrap around your head, or a mask. For the coming facial recognition cameras.
And your wish comes true July 2020!
I didn’t know the Laughing Man had a car. I wanna ride with him.
License plate recongnition software is specifically designed for license plates. It’s not your average OCR software. It’s capable of car-specific things like recognizing a plate numbers under the layer of mud.
Shortly, it would not recognize anythings that isn’t a license plate. This pic is just the average SQL-injection joke.
I would like to try this idea with visors price in supermarkets hacking the barcode.
How ridiculous. Funny idea, but ridiculous. Even if it did work, there’s little doubt of some sort of back-up process existing at the government’s (or contract vendor’s) data center. They love to spend money of stuff.
Database of people they have to pay money too == not so important … but, database of people that owe them money == more than likely backed up somewhere.
Also, whether it worked or not, wouldn’t this be considered an attempt at illegal cracking? (On this site, I dare not call it what the news calls it.)
I think it would be in the States… “unauthorized access”, “intentionally, without authorization”, “knowingly … program, information, code, or command … result of such … intentionally causes damage”
http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Criminal_offenses_under_the_Act
Most speed-activated cameras use a radar gun operating at 24 or 35 GHz to determine if you are speeding. It’s possible to “spoof” your speed back to the radar by modulating a Gunn diode operating at the same frequency with a tone equal to the speed you want the radar to see:
https://www.youtube.com/watch?v=YLfGHXejeus
There were construction plans back in the ’80s for a system like this that were advertised in the electronic magazines. I think I still have them. It had a hall effect sensor that mounted on your driveshaft and an under-dash control box with a digital display. You could set it to either display a percentage of your actual speed or a speed you dialed in. A Gunn diode was then used to transmit the signal. I supposed it was outdated when laser systems came into use.
I worked on these systems, won’t work for multiple reasons. It’s not in the normal detection areas, the text does not fit in any license plate regular expression.
It will get you arrested.
Why not just change the number on the plate?
Would probably not work as the OCR software will probably only search for characters that is actually used on plates.
Its fake. Could not work technically but should appreciate the smartness of trial
If there is no IR filter what’s to stop people blanking out there plates with IR light?
Many of them use regular (fairly high end) consumer type cameras. So, you can bet it’s got the IR filter in place.
But I think with some of the higher wattage(3/5watt) IR LED’s, you could still do this, just enough to blur the edges of the plate, without looking like you’re doing anything.
in europe, every licenseplate will have a chip very soon. Welcome 1984…..