skip to main content

Title: Dirty Road Can Attack: Security of Deep Learning based Automated Lane Centering under Physical-World Attack
Automated Lane Centering (ALC) systems are convenient and widely deployed today, but also highly security and safety critical. In this work, we are the first to systematically study the security of state-of-the-art deep learning based ALC systems in their designed operational domains under physical-world adversarial attacks. We formulate the problem with a safetycritical attack goal, and a novel and domain-specific attack vector: dirty road patches. To systematically generate the attack, we adopt an optimization-based approach and overcome domain-specific design challenges such as camera frame interdependencies due to attack-influenced vehicle control, and the lack of objective function design for lane detection models. We evaluate our attack on a production ALC using 80 scenarios from real-world driving traces. The results show that our attack is highly effective with over 97.5% success rates and less than 0.903 sec average success time, which is substantially lower than the average driver reaction time. This attack is also found (1) robust to various real-world factors such as lighting conditions and view angles, (2) general to different model designs, and (3) stealthy from the driver’s view. To understand the safety impacts, we conduct experiments using software-in-the-loop simulation and attack trace injection in a real vehicle. The results show more » that our attack can cause a 100% collision rate in different scenarios, including when tested with common safety features such as automatic emergency braking. We also evaluate and discuss defenses. « less
Authors:
; ; ; ; ;
Award ID(s):
1850533 1932464
Publication Date:
NSF-PAR ID:
10281626
Journal Name:
USENIX Security Symposium
Sponsoring Org:
National Science Foundation
More Like this
  1. In Autonomous Driving (AD) systems, perception is both security and safety critical. Despite various prior studies on its security issues, all of them only consider attacks on cameraor LiDAR-based AD perception alone. However, production AD systems today predominantly adopt a Multi-Sensor Fusion (MSF) based design, which in principle can be more robust against these attacks under the assumption that not all fusion sources are (or can be) attacked at the same time. In this paper, we present the first study of security issues of MSF-based perception in AD systems. We directly challenge the basic MSF design assumption above by exploring the possibility of attacking all fusion sources simultaneously. This allows us for the first time to understand how much security guarantee MSF can fundamentally provide as a general defense strategy for AD perception. We formulate the attack as an optimization problem to generate a physically-realizable, adversarial 3D-printed object that misleads an AD system to fail in detecting it and thus crash into it. To systematically generate such a physical-world attack, we propose a novel attack pipeline that addresses two main design challenges: (1) non-differentiable target camera and LiDAR sensing systems, and (2) non-differentiable cell-level aggregated features popularly used in LiDAR-basedmore »AD perception. We evaluate our attack on MSF algorithms included in representative open-source industry-grade AD systems in real-world driving scenarios. Our results show that the attack achieves over 90% success rate across different object types and MSF algorithms. Our attack is also found stealthy, robust to victim positions, transferable across MSF algorithms, and physical-world realizable after being 3D-printed and captured by LiDAR and camera devices. To concretely assess the end-to-end safety impact, we further perform simulation evaluation and show that it can cause a 100% vehicle collision rate for an industry-grade AD system. We also evaluate and discuss defense strategies.« less
  2. For high-level Autonomous Vehicles (AV), localization is highly security and safety critical. One direct threat to it is GPS spoofing, but fortunately, AV systems today predominantly use Multi-Sensor Fusion (MSF) algorithms that are generally believed to have the potential to practically defeat GPS spoofing. However, no prior work has studied whether today’s MSF algorithms are indeed sufficiently secure under GPS spoofing, especially in AV settings. In this work, we perform the first study to fill this critical gap. As the first study, we focus on a production-grade MSF with both design and implementation level representativeness, and identify two AV-specific attack goals, off-road and wrong-way attacks. To systematically understand the security property, we first analyze the upper-bound attack effectiveness, and discover a take-over effect that can fundamentally defeat the MSF design principle. We perform a cause analysis and find that such vulnerability only appears dynamically and non-deterministically. Leveraging this insight, we design FusionRipper, a novel and general attack that opportunistically captures and exploits take-over vulnerabilities. We evaluate it on 6 real-world sensor traces, and find that FusionRipper can achieve at least 97% and 91.3% success rates in all traces for off-road and wrongway attacks respectively. We also find that it ismore »highly robust to practical factors such as spoofing inaccuracies. To improve the practicality, we further design an offline method that can effectively identify attack parameters with over 80% average success rates for both attack goals, with the cost of at most half a day. We also discuss promising defense directions.« less
  3. With the development of the emerging Connected Vehicle (CV) technology, vehicles can wirelessly communicate with traffic infrastructure and other vehicles to exchange safety and mobility information in real time. However, the integrated communication capability inevitably increases the attack surface of vehicles, which can be exploited to cause safety hazard on the road. Thus, it is highly desirable to systematically understand design-level flaws in the current CV network stack as well as in CV applications, and the corresponding security/safety consequences so that these flaws can be proactively discovered and addressed before large-scale deployment. In this paper, we design CVAnalyzer, a system for discovering design-level flaws for availability violations of the CV network stack, as well as quantifying the corresponding security/safety consequences. To achieve this, CVAnalyzer combines the attack discovery capability of a general model checker and the quantitative threat assessment capability of a probabilistic model checker. Using CVAnalyzer, we successfully uncovered 4 new DoS (Denial-of-Service) vulnerabilities of the latest CV network protocols and 14 new DoS vulnerabilities of two CV platoon management protocols. Our quantification results show that these attacks can have as high as 99% success rates, and in the worst case can at least double the delay in packetmore »processing, violating the latency requirement in CV communication.We implemented and validated all attacks in a real-world testbed, and also analyzed the fundamental causes to propose potential solutions. We have reported our findings in the CV network protocols to the IEEE 1609 Working Group, and the group has acknowledged the discovered vulnerabilities and plans to adopt our solutions.« less
  4. With the growing trend of the Internet of Things, a large number of wireless OBD-II dongles are developed, which can be simply plugged into vehicles to enable remote functions such as sophisticated vehicle control and status monitoring. However, since these dongles are directly connected with in-vehicle networks, they may open a new over-the-air attack surface for vehicles. In this paper, we conduct the first comprehensive security analysis on all wireless OBD-II dongles available on Amazon in the US in February 2019, which were 77 in total. To systematically perform the analysis, we design and implement an automated tool DONGLESCOPE that dynamically tests these dongles from all possible attack stages on a real automobile. With DONGLESCOPE, we have identified 5 different types of vulnerabilities, with 4 being newly discovered. Our results reveal that each of the 77 dongles exposes at least two types of these vulnerabilities, which indicates a widespread vulnerability exposure among wireless OBD-II dongles on the market today. To demonstrate the severity, we further construct 4 classes of concrete attacks with a variety of practical implications such as privacy leakage, property theft, and even safety threat. We also discuss the root causes and feasible countermeasures, and have made correspondingmore »responsible disclosure.« less
  5. The goal of this study was to evaluate driver risk behavior in response to changes in their risk perception inputs, specifically focusing on the effect of augmented visual representation technologies. This experiment was conducted for the purely real-driving scenario, establishing a baseline by which future, augmented visual representation scenarios can be compared. Virtual Reality (VR), Augmented Reality (AR) and Mixed Reality (MR) simulation technologies have rapidly improved over the last three decades to where, today, they are widely used and more heavily relied upon than before, particularly in the areas of training, research, and design. The resulting utilization of these capabilities has proven simulation technologies to be a versatile and powerful tool. Virtual immersion, however, introduces a layer of abstraction and safety between the participant and the designed artifact, which includes an associated risk compensation. Quantifying and modeling the relationship between this risk compensation and levels of virtual immersion is the greater goal of this project. This study focuses on the first step, which is to determine the level of risk perception for a purely real environment for a specific man-machine system - a ground vehicle – operated in a common risk scenario – traversing a curve at high speeds.more »Specifically, passengers are asked to assess whether the vehicle speed within a constant-radius curve is perceived as comfortable. Due to the potential for learning effects to influence risk perception, the experiment was split into two separate protocols: the latent response protocol and the learned response protocol. The latent response protocol applied to the first exposure of an experimental condition to the subject. It consisted of having the subjects in the passenger seat assess comfort or discomfort within a vehicle that was driven around a curve at a randomlychosen value among a selection of test speeds; subjects were asked to indicate when they felt uncomfortable by pressing a brake pedal that was instrumented to alert the driver. Next, the learned response protocol assessed the subjects for repeated exposures but allowing subjects to use brake and throttle pedals to indicate if they wanted to go faster or slower; the goal was to allow subjects to iterate toward their maximum comfortable speed. These pedals were instrumented to alert the driver who responded accordingly. Both protocols were repeated for a second curve with a different radius. Questionnaires were also administered after each trial that addressed the subjective perception of risk and provided a means to substantiate the measured risk compensation behavior. The results showed that, as expected, the latent perception of risk for a passenger traversing a curve was higher than the learned perception for successive exposures to the same curve; in other words, as drivers ‘learned’ a curve, they were more comfortable with higher speeds. Both the latent and learned speeds provide a suitable metric by which to compare future replications of this experiment at different levels of virtual immersion. Correlations were found between uncomfortable subject responses and the yaw acceleration of the vehicle. Additional correlation of driver discomfort was found to occur at specific locations on the curves. The yaw acceleration is a reflection of the driver’s ability to maintain a steady steering input, whereas the location on the curve was found to correlate with variations in the lane-markings and environmental cues.« less