A US security researcher called Droogie thought he’d come up with the perfect wheeze to avoid being fined by the Department of Motor Vehicles (DMV) – he bought a personalised license plate which he believed would mess with the DMV’s database.
The name on Droogie’s vanity plate? “NULL”
The hacker’s hope was that using “NULL”, the marker to signify data that doesn’t exist in an SQL database, he’d avoid receiving any tickets.
Telling the story at DEF CON in Las Vegas, Droogie remembered that he thought he had duped the system and was flipping the bird at the authorities:
“I was like, ‘I’m the shit,’” he joked. “I’m gonna be invisible. Instead, I got all the tickets.”
Ars Technica explains what happened:
First, Droogie got a parking ticket, incurred for an actual parking infraction—so much for being invisible. Then, once a particular database of outstanding tickets had associated the license plate NULL with his address, it sent him every other ticket that lacked a real plate. The total came to $12,049 worth of tickets. Droogie told the DEF CON audience that he received little sympathy from either the California DMV or the Los Angeles Police Department, both telling him to just change his plate to something else. That remains something he refuses to do.
Although the initial $12,000-worth of fines were removed, the private company that administers the database didn’t fix the issue and new NULL tickets are still showing up.
With neither the database administrators nor Droogie (I wonder if his real name is Bobby Tables?) prepared to budge, my guess is he’s going to carry on receiving parking tickets intended for other car owners for some time to come…
Surely now he can get as many tickets as he wants and just deny all knowledge of them!
It seems strange to me, because the licence plate word "NULL" would be stored as a string, whereas the database would just have null in that column to indicate no value.
In programming terms "NULL" != NULL.
If the story is true then the SQL writers are definitely at fault here.
To clarify the comment above:
– Where licence plate is NULL, the word would be stored as a string "NULL".
– Where the licence plate is unknown the column would have NULL to indicate no value.
As an ex-Oracle database programmer, I was going to comment the exact same thing. It just doesn't make sense.
A little late to the conversation, but feel compelled to comment that I believe we are giving the programmers of the application too much credit. Those of us experienced with database programming see the obvious time-saving advantage of leveraging the database to perform the necessary conditions. However, this is likely not the case in this application as described by the article – the query they are using is likely a simple timeframe condition containing all plates in a given period.
The NULL check is likely at a higher programmatic level rather than a database level which is obfuscating the string to NULL comparison.
So they likely have a " != " condition instead of a " !== " condition somewhere outside of the database layer… or worse…
Good point Techno :-)
So bollocks then?
No, I think it is genuine. Many custom scripts for data exchange, data conversion and bulk loading from one system to another can drop quotes from strings, and they incorrectly specify a test for NULL which might match NULL with or without quotes. It is "a private company that administers a database of outstanding tickets". Admins should be looking first at the import procedure for that external database of outstanding tickets.
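The failure mode the commenters speculate about, as an added illustration (not from the article, the commenters, or the real ticketing system): an export step writes a missing plate as the bare word NULL, so after a CSV round trip it is indistinguishable from a real plate spelled NULL. The table names, owners, plates and the `missing` convention are all constructed for this sketch.

```python
import csv
import io
import sqlite3

# Constructed sample data: one real plate spelled NULL, two tickets with no plate.
OWNERS = [("NULL", "owner-A"), ("7ABC123", "owner-B")]
TICKETS = [(1, "NULL"), (2, "7ABC123"), (3, None), (4, None)]


def export_csv(rows, missing):
    """Write tickets to CSV, rendering a missing plate as the `missing` token."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for ticket_id, plate in rows:
        writer.writerow([ticket_id, missing if plate is None else plate])
    return buf.getvalue()


def import_csv(text, missing):
    """Load tickets into a fresh database; only `missing` becomes SQL NULL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE owners (plate TEXT PRIMARY KEY, owner TEXT)")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, plate TEXT)")
    db.executemany("INSERT INTO owners VALUES (?, ?)", OWNERS)
    for ticket_id, plate in csv.reader(io.StringIO(text)):
        db.execute("INSERT INTO tickets VALUES (?, ?)",
                   (int(ticket_id), None if plate == missing else plate))
    return db


def tickets_for(db, owner):
    """Ticket ids billed to an owner via the plate join; SQL NULL never joins."""
    query = ("SELECT t.id FROM tickets t JOIN owners o ON o.plate = t.plate "
             "WHERE o.owner = ? ORDER BY t.id")
    return [row[0] for row in db.execute(query, (owner,))]


def flawed_pipeline():
    # Exporter writes the word NULL for "no plate"; importer stores it as text.
    return tickets_for(import_csv(export_csv(TICKETS, "NULL"), ""), "owner-A")


def corrected_pipeline():
    # Both sides agree that an empty field, which is never a valid plate,
    # is the only encoding of "no plate".
    return tickets_for(import_csv(export_csv(TICKETS, ""), ""), "owner-A")


if __name__ == "__main__":
    print("flawed:   ", flawed_pipeline())
    print("corrected:", corrected_pipeline())
```

If the importer instead treats the word NULL as the missing marker, the real plate's own ticket is silently dropped from the join, which is the opposite half of the same conflation.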
Two words – Input Validation
Mmm… I won't comment on the technical issue(s) as described above. Just want to point out this:
"Droogie told the DEF CON audience that he received little sympathy from either the California DMV or the Los Angeles Police Department, both telling him to just change his plate to something else. That remains something he refuses to do."
I guess there's a reason why they call them "Vanity Plates"… ;-)