GhostStripe attack tracks self-driving cars by making them ignore traffic signs • The Register

Six professionals, mostly from Singapore-based universities, have proven that it is possible to attack autonomous vehicles by exploiting the system’s reliance on camera-based computer vision and tricking it into not recognizing traffic signs.

The attack system, called GhostStripe (PDF), is undetectable to the human eye but could be deadly for Tesla and Baidu Apollo users because it exploits the type of sensor used by both brands – complementary metal-oxide-semiconductor (CMOS) sensors.

Cameras equipped with CMOS sensors capture an image line by line using an electronic rolling shutter – unlike their more expensive alternative, charge coupled devices (CCD), which capture an entire image at once.

Because of the way CMOS cameras work, rapidly changing light from rapidly flashing diodes can be used to vary the color. For example, the red tone of a stop sign could look different on each line, depending on the time between the diode flash and the line capture.

The result is that the camera captures an image full of lines that don’t quite match up. The image is cropped and sent to the classifier, usually based on deep neural networks, for interpretation. Because it is full of mismatched lines, the classifier does not recognize the image as a traffic sign.

All of this has been demonstrated before.

But these researchers not only exploited the distortion of light, they also did so repeatedly, extending the length of the interference. This meant that an unrecognizable image was not just a single anomaly among many accurate images, but a constant unrecognizable image that the classifier could not judge, posing a serious safety risk.

The challenge in achieving a consistently distorted image is timing and position: both must be controlled in order to maintain a similar stripe pattern on the sign over a period of time.

“Therefore, a robust attack…must carefully control the flickering of the LEDs based on the information about the operation of the victim’s camera and a real-time estimate of the position and size of the traffic sign in the camera’s field of view,” the researchers write.

The researchers developed two versions of a robust attack. The first is GhostStripe1, which is untargeted and does not require access to the vehicle, the team said. It uses a vehicle tracker to monitor the victim’s location in real time and dynamically adjust the LED flickering accordingly.

GhostStripe2 is targeted and requires access to the vehicle, which could potentially be obtained covertly by a hacker while the vehicle is being serviced. A transducer is attached to the camera’s power cable to detect recording moments and refine the timing.

“Therefore, it targets a specific victim vehicle and controls the victim’s traffic sign recognition results,” the report’s authors said.

The team tested their system on a real road and in a car equipped with a Leopard Imaging AR023ZWDR, the camera used in Baidu Apollo’s hardware reference design. They tested the device on stop, yield and speed limit signs.

GhostStripe1 had a 94 percent success rate and GhostStripe2 had a 97 percent success rate, the researchers claim.

Notably, increased ambient light reduced the performance of the attack. “This degradation occurs because the attack light is overwhelmed by ambient light,” the team said. This suggests that hackers need to consider time and location when planning an attack.

Countermeasures are available. The easiest way could be to replace CMOS cameras with CCDs or to randomize the capture of image lines. Additionally, more cameras could lower the success rate or require a more complicated hack, or the attack could be included in the AI model's training.
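The line-by-line capture described earlier and the CCD and randomized-capture countermeasures can be compared in a small model. The following is an added example, not code from the researchers or the article: it models a uniformly red sign under flickering light and reports the stripe structure each capture mode produces. The timing constants, brightness values and the `coherent_stripes` heuristic are assumptions made for illustration.

```python
import random

LINE_TIME_US = 20   # assumed per-row readout interval, microseconds
PERIOD_US = 1000    # assumed light flicker period, microseconds
ON_US = 500         # assumed lit portion of each period

def capture(rows, mode, seed=0):
    """Per-row red level of a uniformly red sign lit by a flickering source.

    mode "rolling": rows read top to bottom, one per line time (CMOS).
    mode "global":  all rows sampled at the same instant (CCD-like).
    mode "random":  rows read one per line time in shuffled order.
    """
    order = list(range(rows))
    if mode == "random":
        random.Random(seed).shuffle(order)
    levels = [0] * rows
    for slot, row in enumerate(order):
        t_us = 0 if mode == "global" else slot * LINE_TIME_US
        lit = (t_us % PERIOD_US) < ON_US
        levels[row] = 200 if lit else 120   # constructed brightness values
    return levels

def band_lengths(levels):
    """Lengths of runs of adjacent rows that share the same level."""
    runs = [1]
    for prev, cur in zip(levels, levels[1:]):
        if cur == prev:
            runs[-1] += 1
        else:
            runs.append(1)
    return runs

def coherent_stripes(levels, min_band=8):
    """Hypothetical check: several bands, each at least min_band rows tall."""
    runs = band_lengths(levels)
    return len(runs) >= 3 and min(runs) >= min_band

if __name__ == "__main__":
    for mode in ("rolling", "global", "random"):
        levels = capture(120, mode)
        print(mode, band_lengths(levels)[:6], coherent_stripes(levels))
```

In this model only the rolling readout yields wide, regular bands; the global capture is uniform and the shuffled readout scatters the two levels across rows.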

The study joins a number of others that have used adversarial input to trick the neural networks of autonomous vehicles, including one that forced a Tesla Model S to veer out of its lane.

Research shows that there are still many questions to be answered about the safety of AI and autonomous vehicles.

The Register has reached out to Baidu for comment on its Apollo camera system and will report back if it receives a substantive response. ®