Go NULL Yourself or: How I Learned to Start Worrying While Getting Fined for Other's Auto Infractions

Presented at DEF CON 27 (2019), Aug. 10, 2019, 4:30 p.m. (20 minutes)

Input sanitization issues will always exist, although it's surprising at how we're still seeing amateur mistakes being made on everyday applications and systems used by millions. After making some observations against automatic license plate recognition (ALPR) data requested via the freedom of information act (FOIA) while having reminiscent conversations about old hacker tales, it turned on the evil bit, leading to some interesting ideas. We'll go over this adventure of poking at systems using totally valid user-controlled data that causes unexpected behavior in the real world. It's always a strange thing when you can "exploit" unexpected attack surface, due to poor specification, especially in government systems.

Presenters:

• droogie - Security Consultant at IOActive
  droogie is a security researcher, interested in offensive security and hacking of retro and modern video games alike. He makes a living as a security consultant at IOActive, which helps fund his degenerate passion for hardware hacking on old video game console hardware. He's spoken at conferences like CCC and Ruxcon and helped bring Metal Gear Online back to life, he enjoys international travel to security conferences to kick it with awesome hackers.

Links:

• https://defcon.org/html/defcon-27/dc-27-speakers.html#droogie
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - droogie - Go NULL Yourself or How I Learned to Start Worrying While Getting Fined.mp4
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - droogie - Go NULL Yourself or How I Learned to Start Worrying While Getting Fined for Others Auto Infractions.srt (subtitles)
• https://www.youtube.com/watch?v=TwRE2QK1Ibc