https://arstechnica.com/cars/2019/06/spoofing-car-ai-with-projected-street-signs/After a recent demo using GNSS spoofing confused a Tesla, a researcher from [email protected] reached out about an alternative bit of car tech foolery. The [email protected] team recently demonstrated an exploit against a Mobileye 630 PRO Advanced Driver Assist System (ADAS) installed on a Renault Captur, and the exploit relies on a drone with a projector faking street signs.
The Mobileye is a Level 0 system, which means it informs a human driver but does not automatically steer, brake, or accelerate the vehicle. This unfortunately limits the "wow factor" of [email protected]'s exploit video—below, we can see the Mobileye incorrectly inform its driver that the speed limit has jumped from 30km/h to 90km/h (18.6 to 55.9 mph), but we don't get to see the Renault take off like a scalded dog in the middle of a college campus. It's still a sobering demonstration of all the ways tricky humans can mess with immature, insufficiently trained AI.
A Renault Captur, equipped with a Mobileye 630 Pro ADAS, is driven down a narrow university street. When a drone projects a fake speed limit sign on a building, the Mobileye 630 notifies its human driver that the speed limit has changed.
Ben Nassi, a PhD student at CBG and member of the team spoofing the ADAS, created both the video and a page succinctly laying out the security-related questions raised by this experiment. The detailed academic paper the university group prepared goes further in interesting directions than the video—for instance, the Mobileye ignored signs of the wrong shape, but the system turned out to be perfectly willing to detect signs of the wrong color and size. Even more interestingly, 100ms was enough display time to spoof the ADAS even if that's brief enough that many humans wouldn't spot the fake sign at all. The [email protected] team also tested the influence of ambient light on false detections: it was easier to spoof the system late in the afternoon or at night, but attacks were reasonably likely to succeed even in fairly bright conditions.
Spoofing success rate at various levels of ambient light. Roughly speaking, the range shown here is twilight on the left to noon on a cloudy day at the right.