Naked Security

‘NULL’ license plate gets security researcher $12K in tickets

The vanity plate sounded good in theory: maybe it would make his plate invisible to ALPR systems?!

A vanity plate reading “NULL” sounded good to security researcher/hacker “Droogie,” at least in theory: maybe it would make his plate invisible to Automatic License Plate Reader (ALPR) systems?!

Maybe entering the characters – NULL is the marker used in Structured Query Language (SQL) databases to indicate that a data value doesn’t exist – would just return error messages when his plate was spotted during one of his traffic violations…?

That’s not what happened, he told an audience at the recent Defcon security conference. Instead, $12,000 in traffic violation fines happened.

Forbes quoted Droogie as he reminisced about his initial expectations:

[I thought,] ‘I’m gonna be invisible’. Instead, I got all the tickets.

As the Guardian reports, every single speeding ticket earned by cars that lacked valid license plates wound up getting assigned to Droogie’s car – turning it into a veritable NULL bucket.

I’m not paying those, Droogie told Defconners. An unsympathetic Los Angeles police department had initially told him that the only solution was to change his license plate.

But why should he? He didn’t do anything wrong. He had checked with California’s Division of Motor Vehicles (DMV), found that the “NULL” vanity plate was surprisingly available, and registered it without any problem – “no bugs or anything.”

He said that it left him without any “high expectations of the DMV website.” At any rate, Droogie got his plate and set off to figure out if it would render him “invisible” to citations:

What happens when a police officer does a search for my plate ‘NULL’, would it not return any data? If they file a citation, would it cause an issue?

Fortunately for Droogie, the $12,000 worth of issues it caused were eventually scrapped by police.

The episode is giving rise to links to the XKCD Little Bobby Tables cartoon about sanitizing database input, but as a commenter on Ars Technica’s coverage pointed out, this one about the guy with the all-1s license plate was a whole lot more prescient.
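
A sketch of how the "NULL bucket" described above can arise, as an added example that is not from the original article or from any real ALPR or citation system. It assumes a pipeline that writes the literal string 'NULL' when no plate is read, and contrasts that with storing a true SQL NULL; the table names, plates and owners are constructed.

```python
import sqlite3

# Constructed sample data: (citation id, plate read by the camera, or None
# when the car had no plate or the plate was unreadable).
CITATIONS = [
    (1, "7ABC123"),
    (2, None),      # car with no plate
    (3, "NULL"),    # the real vanity plate
    (4, None),      # unreadable plate
]
REGISTRATIONS = [("7ABC123", "Alice"), ("NULL", "Droogie")]


def build_db(sentinel):
    """Load the sample data. A string sentinel stores missing plates as that
    string (in-band marker, the assumed flaw); None stores a true SQL NULL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registrations (plate TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    db.execute("CREATE TABLE citations (id INTEGER PRIMARY KEY, plate TEXT)")
    db.executemany("INSERT INTO registrations VALUES (?, ?)", REGISTRATIONS)
    rows = [(cid, sentinel if plate is None else plate) for cid, plate in CITATIONS]
    db.executemany("INSERT INTO citations VALUES (?, ?)", rows)
    return db


def billed(db):
    """Return {owner: [citation ids]} by joining citations to registrations."""
    out = {}
    query = ("SELECT r.owner, c.id FROM citations c "
             "JOIN registrations r ON r.plate = c.plate ORDER BY c.id")
    for owner, cid in db.execute(query):
        out.setdefault(owner, []).append(cid)
    return out


def unmatched(db):
    """Citations with no plate on record: sent to manual review, not billed."""
    return [cid for (cid,) in db.execute(
        "SELECT id FROM citations WHERE plate IS NULL ORDER BY id")]


if __name__ == "__main__":
    weak = build_db(sentinel="NULL")   # in-band string marker
    fixed = build_db(sentinel=None)    # true SQL NULL never equals any plate
    print("string sentinel:", billed(weak))
    print("true NULL:      ", billed(fixed), "review:", unmatched(fixed))
```

With the string sentinel, the join cannot tell "no plate" from the plate that reads NULL; with a true SQL NULL, the comparison `r.plate = c.plate` never matches and the plateless citations stay in the review queue.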

2 Comments

There is an older example of the same problem documented in the old risk digests forum. Person accidentally got the license plate “NOPLATE”. At one point they were spending $100s/month on postage fighting summons for abandoned and plateless vehicles.
