Feb. 25, 2020

BGU researchers projected a phantom image on the road in front of a semi-autonomous car's autopilot that caused it to brake suddenly. By doing so, the researchers demonstrated that autopilots and advanced driving assistance systems (ADASs) in semi-autonomous or fully autonomous cars consider depthless projections of objects (phantoms), real objects. They show how attackers can exploit this perceptual challenge and manipulate a car into endangering its passengers in a research project entitled "Phantom of the ADAS". 

The researchers also demonstrate that attackers can fool a driving assistance system into believing fake road signs are real by disguising phantoms for 125 milliseconds in advertisements presented on digital billboards located near roads. 

While the deployment of semi/fully autonomous cars have already begun in countries around the world, the deployment of vehicular communication systems is delayed. Vehicular communication systems connect the car with other cars, pedestrians and surrounding infrastructure. The lack of such systems creates a “validation gap", which prevents semi/fully autonomous vehicles from validating their virtual perception with a 3rd party, requiring them to rely solely on their sensors. 

Ben Nassi, a Ph.D. student of Prof. Yuval Elovici, and his group showed that projecting a phantom of a person can trigger a car to suddenly brake, while a phantom image of lanes can cause its autopilot to veer into the oncoming traffic lane.

AutonomousCar_LargePhoto.png
 ​​​“This is not a bug. This is not the result of poor code implementation. This is a fundamental flaw in object detectors that essentially use feature matching for detecting visual objects and were not trained to distinguish between real and fake objects. This type of attack is currently not taken into consideration by the automobile industry," says Nassi. 

The researchers have also demonstrated a method to remotely conduct attacks by projecting a phantom road sign from a drone, and disguising a phantom road sign in an advertisement for 125 milliseconds screened on a digital billboard alongside a road.  

While previous attacks that exploited the validation gap required skilled attackers to approach the scene of the attack, Nassi demonstrates remote attacks that do not require any special expertise but can fool advanced systems with a drone and a projector.

In practice, depthless objects that are projected on the road are considered real even though depth sensors exist. The researchers believe that this is the result of a “better safe than sorry" policy that causes the car to consider a visual 2D object real. 

In order to detect phantoms, the researchers are developing a convolutional neural network model that analyzes a detected object's context, surface, and reflected light, which is capable of detecting phantoms with high accuracy. 

Prof. Elovici is director of the BGU Cyber Security Research Center and Deutsche Telekom Innovation Labs@BGU located in the Advanced Technologies Park adjacent to the University. Prof. Elovici and Nassi are members of BGU's Department of Software and Information Systems Engineering. The Cyber Security Research Center is a joint initiative of BGU and Israel's National Cyber Bureau.

Media Coverage:
JPost
Breaking Israel News​
ThreatPost​
The Times of Israel​