We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-Driving Vehicles

00:00
subtitles
off
playback rate
1
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
576p
331
 Cite
 Share
 Download Purchase
No logo availableDEF CON
 Liu, Jianhao Yan, Chen Xu , Wenyuan

Formal Metadata

Title
Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-Driving Vehicles
Title of Series
Number of Parts
93
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
To improve road safety and driving experiences, autonomous vehicles have emerged recently, and they can sense their surroundings and navigate without human inputs. Although promising and proving safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their sensory ability of their surroundings to make driving decision, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the 'eyes' of the cars. In this talk, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks. Jianhao Liu is the director of ADLAB at Qihoo 360. He specializes in the security of Internet of Things and Internet of Vehicles. He has reported a security vulnerability of Tesla Model S, led a security research on the remote control of a BYD car, and participated in the drafting of security standards among the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security service, security evaluation, and penetration test. Chen Yan is a PhD student at Zhejiang University in the Ubiquitous System Security Laboratory. His research focuses on the security and privacy of wireless communication and embedded systems, including automobile, analog sensors, and IoT devices. Wenyuan Xu is a professor in the College of Electrical Engineering at Zhejiang University and an associate professor in the Department of Computer Science and Engineering at University of South Carolina. She received her Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities of tire pressure monitor systems in modern automobiles and automatic meter reading systems. Dr. Xu received the NSF Career Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associated editor of EURASIP Journal on Information Security.
DEF CON 2457 / 93
1
Thumbnail
41:56
Robot Hacks: TASBot Exploits Consoles with Custom Controllers
2
Thumbnail
44:56
Toxic Proxies: Bypassing HTTPS & VPNs to pwn your online identity
3
Thumbnail
00:50
Uber badge (Sneak peek), featuring LosT
4
Thumbnail
44:55
Universal Serial aBUSe
5
Thumbnail
30:26
Use Their Machines Against Them: Loading Code with a Copier
6
Thumbnail
43:36
Meet the Feds
7
Thumbnail
45:38
Drones Hijacking
8
Thumbnail
31:21
Realtime bluetooth device detection Blue Hydra
9
Thumbnail
43:18
Attacks Against Top Consumer Products
10
Thumbnail
19:56
Stargate: Pivoting Through VNC to own internal networks
11
Thumbnail
18:48
Esoteric Exfiltration
12
Thumbnail
30:05
Hacking Next Gen ATMs: From Capture to Cashout
13
Thumbnail
44:19
Hacking Hotel Keys and POS systems
14
Thumbnail
44:19
Hacking Hotel Keys and Point of Sale Systems
15
Thumbnail
43:18
Direct Memory Attack the Kernel
16
Thumbnail
44:16
Sentient Storage: Do SSDs Have a Mind of Their Own?
17
Thumbnail
40:17
Propaganda and you (and your devices)
18
Thumbnail
43:45
Research on the Machines: Help the FTC protect privacy & security
19
Thumbnail
35:42
How to do it wrong : Smartphone antivirus and security applications under fire
20
Thumbnail
39:21
Help, I've got ANTs!!!
21
Thumbnail
21:22
Cheap Tools for Hacking Heavy Trucks
22
Thumbnail
50:55
Shellphish - Panel: Cyber Grand Shellphish
23
Thumbnail
41:28
Maelstrom: Are you playing with a full desk?
24
Thumbnail
12:28
Samsung Pay: Tokenized Numbers, Flaws and Issues
25
Thumbnail
45:01
VLAN Hopping, ARP Poisining & Man-In-The_Middle Attacks in Virtualized Environments
26
Thumbnail
01:43
RISE OF THE MACHINES
27
Thumbnail
25:56
Let's Get Physical: Network Attacks Against Physical Security Systems
28
Thumbnail
49:42
Playing Through Pain: The Impact of Secrets and Dark Knowledge
29
Thumbnail
35:40
Hiding Wookiees in HTTP: HTTP smuggling is a thing we should know better and care about
30
Thumbnail
45:20
How to get good seats in the seurity theater?
31
Thumbnail
19:58
Side channel attacks on high security electronic safe locks
32
Thumbnail
20:01
I got 99 Problems, but LittleSnitch aint one!
33
Thumbnail
1:20:41
MR ROBOT Panel
34
Thumbnail
1:20:02
Closing Ceremonies
35
Thumbnail
26:11
Ask the EFF
36
Thumbnail
44:33
Crypto: State of the Law
37
Thumbnail
26:06
DARPA Cyber Grand Challenge Award Ceremony
38
Thumbnail
38:24
(A)busing Smart Cities: the dark age of modern mobilitiy
39
Thumbnail
45:10
CYBER -ITL- A501(c)3 Corporation
40
Thumbnail
42:09
Weaponize Your Feature Codes
41
Thumbnail
42:34
MouseJack: Injecting Keystrokes into Wireless Mice
42
Thumbnail
36:18
Attacking Network Infrastructure to Generate a 4 Tb/S DDOS for $5
43
Thumbnail
45:14
Light Weight Protocol! Serious Equipment! Critical Implications!
44
Thumbnail
38:37
How to Build a Processor in 10 minutes or less
45
Thumbnail
22:24
Sticky Keys To The Kingdom: Pre auth System RCE on Windows is more common than you think
46
Thumbnail
34:43
Compelled Decryption
47
Thumbnail
37:58
Examining the Internet's pollution
48
Thumbnail
41:23
411: A framework for managing security alerts
49
Thumbnail
38:39
BlockFighting with a Hooker
50
Thumbnail
32:06
Discovering and Triangulating Rogue Cell Towers
51
Thumbnail
43:17
Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game
52
Thumbnail
29:56
Auditing 6LoWPAN networks: Using Standard Penetration Testing Tools
53
Thumbnail
17:39
CANSPY: Auditing CAN Devices
54
Thumbnail
43:21
Intro to Wichcraft Compiler Collection
55
Thumbnail
45:48
BSODomizer HD: A mischievous FPGA HDMI platform
56
Thumbnail
45:41
101 Ways to Brick your Hardware (With some un-bricking tips sprinkled in for good measure)
57
Thumbnail
44:04
Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-Driving Vehicles
58
Thumbnail
38:37
Backdooring the Frontdoor
59
Thumbnail
51:50
Slouching Towards Utopia: The State of the Internet Dream
60
Thumbnail
43:40
Feds and 0Days: From Before Heartbleed to After FBI- Apple
61
Thumbnail
46:14
Phishing without Failure and Frustration or "How I learned to stop worrying and love the layer 8"
62
Thumbnail
22:36
CAN I haz car secret plz?
63
Thumbnail
44:16
Platform Agnostic Kernel Fuzzing
64
Thumbnail
42:39
"Cyber" Who Done It?! Attribution Analysis Through Arrest History
65
Thumbnail
41:16
Cunning with CNG: Soliciting Secrets from Schannel
66
Thumbnail
37:23
Anti-Forensics AF
67
Thumbnail
17:17
RT2Win: 50 lines of Python made me the luckiest guy on Twitter
68
Thumbnail
30:59
LTE Redirection
69
Thumbnail
24:13
Exposing Snooping Tor HSDir Relays
70
Thumbnail
16:16
Bypassing Captive Portals and Limited Networks
71
Thumbnail
22:22
All Your Solar Panels belong to Me
72
Thumbnail
28:12
Cheating at Poker
73
Thumbnail
45:18
Mouse Jiggler: Offense and Defense
74
Thumbnail
44:42
Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter
75
Thumbnail
1:32:23
DEF CON 101 Panel - PANEL III: Rise of the Noobs!
76
Thumbnail
46:40
Game over, man! Reversing Video Games to Create an Unbeatable AI Player
77
Thumbnail
44:12
Machine Duping: Pwning Deep Learning Systems
78
Thumbnail
45:11
NG9-1-1: The Next Gen of Emergency Ph0nage
79
Thumbnail
42:19
How to Overthrow a Government
80
Thumbnail
51:36
Emulating all (well many) of the things with Ida
81
Thumbnail
45:21
Abusing Bleeding Edge Web Standards for AppSec Glory
82
Thumbnail
48:33
Malware Command and Control Channels -a journey into Darkness-
83
Thumbnail
15:00
pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
84
Thumbnail
32:39
An introduction to Pinworm : Man In The Middle for your metadata
85
Thumbnail
43:45
Exploiting seismological networks..Remotely
86
Thumbnail
42:54
Developing Managed Code Rootkits for Java Runtime Environment
87
Thumbnail
40:59
SITCH: Inexpensive, coordinated GSM anomaly detection
88
Thumbnail
42:22
Picking Bluetooth Low Energy Locks from a Quarter Mille Away
89
Thumbnail
34:08
A Monitor Darkly: Reversing and Exploiting Ubiquitous OSD Controllers
90
Thumbnail
44:34
Six Degrees of Domain Admin
91
Thumbnail
41:58
So you think you want to be a penetration tester.
92
Thumbnail
48:24
The Remote Metamorphic Engine
93
Thumbnail
44:20
Hacker-Machine Interface
00:00
Multiplication signRoundness (object)Autonomic computingGoodness of fit
00:43
Student's t-testInformation securityCybersexSystem call
01:18
RadarHacker (term)Physical systemService (economics)Software developerData conversionTelematikWordHacker (term)SurfaceIntegrated development environmentAutonomic computing
02:02
GoogolBeer steinDevice driverLevel (video gaming)Data acquisitionVirtual machineAlgorithmDecision theoryAutonomic computingLevel (video gaming)Streaming mediaDevice driverStandard deviationAdaptive behaviorGame controllerNormal (geometry)Multiplication signModel theoryString (computer science)Computer animation
03:26
Interface (computing)Device driverDecision theoryClient (computing)Autonomic computingLinearizationGame controllerComputer architectureElectronic program guideUser interfacePlanningVirtual machine
04:20
MathematicsCartesian coordinate systemAutonomic computingLine (geometry)Set (mathematics)Decision theoryDirection (geometry)Integrated development environmentRange (statistics)Level (video gaming)WebsitePlanningDemoscene
05:54
Power (physics)Game controllerUser interfaceHacker (term)Suite (music)Power (physics)Game controllerString (computer science)Regular graphTelecommunicationDirection (geometry)Decision theoryPlanningRoutingAutonomic computingElectronic program guide
07:24
MathematicsContext awarenessControl flowLevel (video gaming)Insertion lossPhysical system1 (number)Streaming mediaAutonomic computingDevice driverMathematicsComputer animation
08:06
Crash (computing)MathematicsCASE <Informatik>CausalityOperator (mathematics)Incidence algebraAdditionTheory of relativity
08:46
Data modelShared memoryPoint cloudMetreRadiusLine (geometry)Type theoryUltrasoundVideoconferencingWindowRange (statistics)Functional (mathematics)Social classEngineering drawing
09:48
AreaMeasurementElectronic visual display
10:27
VideoconferencingGame controller
11:05
Vulnerability (computing)Physical system
11:50
Type theoryPersonal digital assistantSpacetimeSupersonic speedDistanceComputer animation
12:32
Punched cardUltrasoundElectronic visual displayReading (process)DistanceComputer animationLecture/Conference
13:11
UltrasoundSound effectSign (mathematics)Pulse (signal processing)DistanceTransmitterPropagatorMultiplication signUltrasoundMobile appType theoryComputer animation
14:14
NoiseUltrasoundNoise (electronics)Service (economics)Pulse (signal processing)Order (biology)Supersonic speedGroup actionDistanceElectric generatorCASE <Informatik>Computer hardware
15:13
Model theoryService (economics)UltrasoundPulse (signal processing)Noise (electronics)TransmitterService (economics)UltrasoundResonanceModel theoryFigurate number
16:01
FreewareUltrasoundModel theoryMaxima and minimaPulse (signal processing)Pole (complex analysis)Figurate numberMultiplication signPulse (signal processing)DataflowNoise (electronics)MeasurementReading (process)Type theoryDistanceResultant
16:59
Maxima and minimaData modelMultiplication signComputer configurationDistanceMaxima and minimaVideoconferencingResultantUltrasoundSupersonic speedComputer animation
17:41
UltrasoundDistanceNeuroinformatikMaxima and minimaString (computer science)Touchscreen
18:27
Normal (geometry)Maxima and minimaMessage passingFeedbackDistanceFunction (mathematics)Maxima and minimaModel theoryDifferent (Kate Ryan album)Message passingFeedbackPhysical systemMenu (computing)Reading (process)ResultantEndliche ModelltheorieVideoconferencing
19:18
Demo (music)VideoconferencingSoftware testingUltrasoundFiber (mathematics)VotingLecture/Conference
19:54
Demo (music)VoltmeterLevel (video gaming)DistanceFunction (mathematics)Metropolitan area networkVideoconferencing
20:30
Data modelMetropolitan area networkVideoconferencingClosed setReverse engineering
21:32
Demo (music)Normal (geometry)Different (Kate Ryan album)DistanceFunction (mathematics)Food energyCurveSoftwareDifferent (Kate Ryan album)WordLevel (video gaming)Thresholding (image processing)Maxima and minimaGroup action
22:37
Maxima and minimaDifferent (Kate Ryan album)InformationShape (magazine)Process (computing)Maxima and minimaCartesian coordinate systemLatent heatDigital electronicsDistanceMach's principle
23:12
Maxima and minimaDifferent (Kate Ryan album)Beat (acoustics)DistanceNoiseMultiplication signLine (geometry)Video gameMatching (graph theory)MeasurementDataflowNoise (electronics)Maxima and minimaThresholding (image processing)
24:15
Normal (geometry)Multiplication signHoaxRight angleVideoconferencingCAN busPulse (signal processing)2 (number)Reading (process)PropagatorPhysical lawDistanceSound effectTransmitter
25:10
ComputerUltrasoundDistanceNeuroinformatik
26:06
VideoconferencingDemo (music)DistancePunched card
26:43
UltrasoundNormal (geometry)Phase transitionUniformer RaumMusical ensemblePrice indexDistanceVolume (thermodynamics)ResultantReading (process)Sinc functionType theoryMereologyComputer hardwarePhase transitionReverse engineeringUltrasound
27:42
Phase transitionDemo (music)Materialization (paranormal)Sound effectUltrasoundRhombusTouchscreenComputer animation
28:40
Demo (music)
29:23
Lamb wavesRadarData modelStudent's t-testOffice suiteSocial classReading (process)Table (information)Quantum state2 (number)Endliche ModelltheorieType theory
30:07
Lamb wavesControl flowAdaptive behaviorShape (magazine)AngleCartesian coordinate systemShape (magazine)Very-high-bit-rate digital subscriber lineDistanceAngleBlind spot (vehicle)CollisionAdaptive behavior
30:48
Phase transitionRadarDoppler-EffektSound effectMusical ensembleBlock (periodic table)Noise (electronics)Numbering schemeProcess (computing)Order (biology)FrequencyElectromagnetic radiationPropagatorDoppler-EffektException handlingMultiplication signTransmitterLamb wavesSpektrum <Mathematik>
31:50
Lamb wavesTransmitterDifferent (Kate Ryan album)Multiplication signSweep line algorithmReflection (mathematics)Shift operatorDoppler-EffektMeasurement
32:29
Feasibility studyData modelProcess (computing)Mathematical analysisBinary multiplierFrequencyMultiplication signRight angleStandard deviationCellular automatonNumberFamilySweep line algorithm1 (number)Multilateration
33:16
Binary multiplierData modelMathematical analysisReal numberTime domainBand matrixTime domainDomain namePoint (geometry)Mobile appBand matrixFunction (mathematics)
34:07
Musical ensembleFreewareSimilarity (geometry)Binary multiplierFrequencySweep line algorithmTransmitterSimilarity (geometry)Covering spaceReading (process)Traverse (surveying)Multiplication
34:49
CASE <Informatik>Multiplication signComputer iconContext awarenessExpert systemResultant
35:34
Group actionVideoconferencingDemo (music)Spherical capMultiplication signMeeting/Interview
36:19
Sweep line algorithmRadarObject (grammar)Multiplication signSpherical capResultantSource codeDistanceEntire functionDisk read-and-write headType theory
37:15
Point (geometry)Data modelMobile WebMachine visionPoint (geometry)Machine visionMobile WebNeuroinformatikAsynchronous Transfer ModeDegree (graph theory)Object (grammar)Sign (mathematics)Pattern recognitionOperator (mathematics)Line (geometry)Personal digital assistant
37:59
Pointer (computer programming)WhiteboardDistribution (mathematics)Type theoryPlanningWhiteboardInformationReflection (mathematics)ResultantLaserPartial derivative
38:48
Total S.A.PermanentLaserDemo (music)
39:22
Demo (music)LaserView (database)Point (geometry)Sound effectLecture/Conference
39:57
Dependent and independent variablesExplosionPhysical systemNP-hardDependent and independent variablesMessage passingMultiplication signReliefLecture/Conference
40:38
Maxima and minimaPhysical systemType theoryDifferent (Kate Ryan album)Data fusionMeasurementAngleBlack boxAnglePhysical systemRange (statistics)Maxima and minimaType theoryActuaryStack (abstract data type)DistanceDoubling the cubeDifferent (Kate Ryan album)Function (mathematics)MultiplicationSupersonic speedFunctional (mathematics)Level (video gaming)Data fusionConfidence intervalUltrasound
42:40
Message passingInformation securityInformation securityOnline help
43:39
Open setOnline helpEmail
Transcript: English(auto-generated)
00:00
So up next we're gonna talk about um some some current stuff but also thinking very far forward because everybody hates driving right? I'd much rather have my car drive me to work than uh than me have to drive. We wanna make sure that that's nice and secure. So these guys are gonna talk about whether we can um trust self driving vehicles. Um let's
00:20
give them a big round of applause. Have a good time. Thank you. I'm so excited to stand here. Good afternoon. Today I bring you the latest work on attacking self driving vehicles. The title is can you trust your autonomous car vehicles? I
00:48
would like to talk about our latest work on vehicle security. I'm Jianhao Liu from China and I work for Qihoo Sui City in SkyGo team. Folks research uh uh vehicle cyber security. I'm
01:03
Chanyan I'm Chanyan from Georgia University and Dr. Xu is my advisor. Uh she is a professor at Georgia University and University of South Carolina. Uh I believe she is hiding somewhere in the audience because she wants us to do all the work. Okay this
01:21
talk uh in this talk we first introduce what is autonomous vehicles. The idea of car hacking by sensors and present our word attacked. At last we decide the possible defense. With the development car hacking ranging for conversion cars with telematics to
01:44
autonomous car. The car is in increasing in interacting with the environment. The third opens up new attack surface. In this talk we show you our work on autonomous vehicles. So
02:05
what are autonomous vehicles? Autonomous vehicle can sense is surrounding and uh make uh driving decisions by using m- using the machine learning algorithm. Basically a car that can drive itself without human doing anything. According is uh uh
02:29
to this international standard. Autonomous driving can be divided into 5 levels. And the next example of level 1 adaptive control where we must put hands on the string
02:45
wheel. Level 3 conditioned uh automation where hands can be off the string wheel. Yet the driver is still needs to take over for time to time. The driver needs to drive. Level 5 is for automation. A car can handle all the driving models and drives
03:07
itself without a human in it. So basically we can sleep in your car. Typically Tesla is conditioned as level 3 and uh successfully Google car will be level 5. This is uh
03:32
autonomous vehicles. First the car has to have sensors to monitor these surroundings. And for more advanced cars they will have a V2X. Where V2X stands for vehicle to anything.
03:50
Then the sensor data can guide vehicle movement and uh to plan and uh control the path. The driving plans will be fo- formed to the driver by HMI. The HMI is means
04:06
the machine le- uh uh human machine interface. All the driving decision will be executed by the car. Th- this is how automatic to driver works. Let me show a few
04:23
automatic driving application. They include autom- autonomous vehicle. They include autonomous line keep. Autonomous line change. Autonomous line overtake. Autolom- autonomous highway merger. And autonomous highway exit. Uh and uh aut- autonomous
04:43
interchange. Autonomous vehicle have a rich set of sensors which include following. Uh is about uh unique uh uh ultrasonic ultrasonic sensor can a difficult
05:04
oversight nearby. Camera can use a difficult road s- road scenes lines and make sure car designs and speed. LiDAR creates a 3D map by scanning the environment and plan a
05:20
driving decision. LiDAR can a difficult cars form middle range to long range and speed is moving direction. Because this sensors the car can sense the environment and
05:42
a difficult identify what kind of obstacles are nearby. Finally the car can make decisions for driving. Of course the automatic driving are controlled by
06:01
electronicals. That's the to power a regular car into self driving car. One has added uh uh electronicals to control the ultr- ultrasonic directly. This this way the car can send commands to control the brakes, electronic power string and so on. So how
06:30
can I attack autonomous vehicles? We are sensor data guide to travel route of the car and the sensor safe as the plan to control the car. Thus we set uh scope of our
06:46
attacks. Attacking the sensors on autonomous cars. If we can modify the sensor data in driving decision will be made based on fact data. Uh we can modify the sensor
07:00
data. What is displayed on HMI may be wrong and may be mistake. The past planning may not be correct which leads to wrong execution. In short the reliability of the sensors will will be affect the reliability of the automatic driving vehicle. Now to up to now the
07:32
technology we have access in Tesla. Tesla has uh drive advanced autopilot system which relies the the auto normal- autonomous driving at between level 2 and level 3.
07:46
Basically Tesla has all the feature of the autonomous driving. Thus the autopilot system still requires the driver to place his hands on the steering wheel. It has
08:02
already changed people driving habits. Unluckily this habit change has lead to a recent inc- incident which is cause of sensor malfunction. Thus the reliability of sensors is
08:20
important. If autopilot can fail under normal yet speckled case what will happen if there is uh international intentional mer- mer- mer- relations attacks as as is some as China to have a traffic addition. So there is a street trip of sensors in Tesla. One of
08:53
millimeter rear readers. A middle range reader is amount in front of the Tesla. And a
09:01
front camera. A front looking camera is amount on the window chair under the near rear mirror. And the 12 ultrasonic sensors. Ultrasonic sensors are cloud are cloud near the front and the near the bumpers. That's a video. We will show how we can find the
09:25
sensors under the cars. Which make the autopilot of Tesla to mirror mirror function. Let me show you a few videos give you the highlight of our work. The first is uh proof of
09:41
ultrasonic to take HMI have a mirror function. Now the engine is behind the car. The engine is here. It is really too close now. But the HMI can't display the designs.
10:11
Now uh engine of the device. The HMI displayed. So we can HMI mistake. And that's thank you.
10:46
Next the video is a ghost car. This is our tech go to controller car. This is our
11:06
autopilot system. And the starting driving. But in in front of the car have a no no car.
11:23
When the car pass the engine. The ghost car can force our car to stop. It's display to
11:40
it's display to hit the ghost car. So the car is to stop. So. Thank you. Uh I guess I'll take over from here. Uh the first type of tech is ultrasonic sensors. And we have
12:03
tested this tech on Tesla, Audi, Volkswagen and Ford. So uh uh what is an ultrasonic sensor? It is a sensor that measures distance generally within 2 meters. Uh it is used for um parking scenarios like parking assistance, parking space detection, self
12:23
parking and also on Tesla there's there's a feature called summon. Which means that you can park the car without even being inside the car. So in a parking scenario like this. Uh generally there will be a display of distance. It is either acoustic or visual so
12:40
that we can know the sensor readings. So how can we misuse ultrasonic sensors? So imagine uh someone dislikes the owner of a shop and he wants the car to keep backing into the glass wall. So he did something to the sensor that the car does not stop. Well it should. So what will happen? I believe most of you want to protect your parking
13:14
spot. It is really annoying when someone gets parking into your parking spot. So um instead of putting up a sign uh if you can do something to the sensor that makes the car
13:25
stop in the middle of parking that would be awesome. So uh before going to how these misuses can be done let me walk you through how an ultrasonic sensor works. So an ultrasonic sensor it emits ultrasound and receive echoes based on the piezoelectric
13:42
effect. I believe this technology is uh motivated by bats. So the sensor generates an ultrasonic pulse and it it propagates and hit an obstacle and bounces back and create an uh receiver pulse. So we can measure the uh so if we can measure the propagation time
14:02
between the uh transmitter pulse and the receiver pulse and knowing the uh speed of sound in air we can basically we can calculate the distance uh from this very simple uh formulation. So there are 3 types of attacks on ultrasonic sensors. The first one is jamming attack. So jamming attack generates ultrasonic noises that causes no service
14:24
out of the sensor. And spoofing attack uh it crafts fake echo pulses so that it can order distance. The third one is acoustic quieting. It means that uh this attack can diminish the original ultrasonic pulses so that it can hide obstacles. To validate these
14:45
attacks uh these are the equipment we use. Uh so first we need uh uh ultrasonic transducers that can emit ultrasound. Uh and second we need uh signal signal uh signal suppliers that can generate excitation signals. Uh in our case we use uh either uh
15:02
adrenal or uh signal generator. Um to make it start a faster and cheaper we use autoshoot hardware but you can totally design your own piece uh of jammer. So the basic uh idea of jamming attack is to inject ultrasonic noises at the resonance frequency of the
15:23
sensor which is generally between 40 to 50 kilohertz. Uh and it ca- it can cause the uh denial service out of the sensor. So actually it's really in the right figure. Uh so first we there is uh on the sensor there's transmitter pulse and the uh received echo pulse. If it generate an ultrasonic noise noise at the jammer so this noise will be
15:44
received by the sensor and this noise will fully cover the uh original echoes. And we have tested this attack uh in the laboratory on 8 uh models of standalone sensors and all those on uh 4 vehicles. So um for for this uh indoor uh experiments uh as you can
16:07
see on the right figure it is uh uh a figure of received electrical signal at a sensor. Uh when there's no jamming you can see that there are there are uh excitation pulse and the following echo pulses. So it is how it works. Uh and but when there's weak jamming
16:22
signal you can see that the noise flow has been increased. And as we increase the noise flow you can see that when there's strong jamming the noise can fully hide the original echoes so no measurement is possible. So what about the sensors? What is the reading of the sensors? So basically we get we get 2 very opposite types of
16:45
results. The first one is zero distance which means that the sensor detects something very close. And the other one is maximum distance which means that the sensor cannot detect anything. So how should cars behave to jamming attack? Should it be zero
17:03
distance or maximum distance? If it is if it is zero distance it means that the car detects something so that it will stop. But if it is maximum distance it means the car cannot detect anything and the car will now stop and will keep moving. So obviously zero distance is a fail safe option for vehicles right? However uh according to our
17:25
experiments on cars uh the result is unfortunately the maximum distance. So um let me show you a video that demonstrates how it is really maximum distance. So this is an
17:40
ultrasonic sensor on audio Q3 and this is a ultrasonic jammer which is wired to a computer. And now from the uh screen of the car you can see that the jammer has been detected as an obstacle uh as displayed in in white bar. And we read the data from the
18:03
OBD. It says distance is 28 centimeters. And now let's turn on the jammer. And the obstacle disappears. And the distance it says is maximum. So in conclusion uh jamming
18:31
attack can output at maximum distance and it can hide obstacles. So let me summarize the result of jamming attack. So on ultrasonic sensors there are uh there's zero
18:41
distance and there are maximum distance for different sensors. And on cars with parking systems the result is maximum distance. Well interestingly uh from the menu of Tesla model S it says if a sensor is unable to provide feedback this is from our instrument panel will display an alert message. However we have never seen this alert message. Well
19:05
another question is how will the car behave when like uh self parking and someone that the car actually drives itself based on these false sensor readings. So let me just show you a video of how we do this attack on Tesla summon. So as you can see that there's
19:28
nobody in the car uh this is me standing in front of the car holding an ultrasonic jammer ultrasonic jammer. And now Jane Howe turned on the Tesla summon. Well
19:43
normally the car will now move because I have been detected right? However when we jam the sensor it moves and hit me. That hurts. Well in conclusion jamming attack can
20:04
also hide obstacles when the car is driving for itself. Uh you might ask well the distance is only like 20 centimeters can it be longer? Well of course because if we increase the watch level of the jammer like uh we use uh if we use uh ultrasonic uh
20:20
adrenal outputs at 5 volts. If we uh output at uh 20 volts with a signal to function generator we can increase the um the attack distance. So in this video uh there's a man uh standing uh behind the Tesla. Uh this is not this is not me this is another brave man in our lab. Uh his name is Wei Bing. Uh this is more dangerous. So now the
20:48
interferon is off and I turn on the Tesla summon and you can see that the car starts reversing. However the it will now move because the man has been detected. And now
21:07
we turn on the uh function generator to uh turn on the interferon. So watch closely. Now we turn on the Tesla summon again. Well it moves. And I hit the man.
21:29
And I hit the interferon. So um the car only starts because the interferon has been hit. Thank you. Because the interferon has been hit and stopped working. So uh jamming
21:45
attack the distance can be increased if you have no budget right? So let me summarize the result of of jamming attack on on on stop working summon. So the car uh energy snares the car does not stop and a strong jamming it might hit someone or
22:00
something. So there's another question. Uh why some sensors output their distance and some output maximum distance? Well we believe it is because of different sensor designs. For their distance the sensor compares the signal with a fixed threshold. So if the signal exceeds the voltage level exceeds the threshold it believes that there is uh justify uh
22:23
echo. So the jamming signal actually increased the virtual level so the sensor thinks that hey there's um uh there's an echo right after it's made. So it is zero. Well for maximum distance we uh kind of started the sensor on audio Q3 broke it, probe it and uh
22:43
reverse the schematic uh but we didn't find any useful information because they it is um application specific I say. So all these signals uh process inside the chip. So uh to make it easier we uh started another sensor which is known as Maxima MB-1200. It is
23:00
another sensor that outputs maximum distance. So uh we basically we have to destroy the uh transducer on top of it and expose the circuits. So this is how it works when there's no jamming. You can see that the the the white line means the uh time of light. And the blue line means the echoes. Well you can see that there's uh
23:23
excitation pause and there are there are echo pauses. And if you watch closely the time of light exactly match with the echo the first echo pause. Uh and when there's strong jamming and when there's weak jamming uh you can see that the noise flow has been increased. But they did but the measurement is still uh correct. However when there's
23:46
strong jamming you can see that the uh signal is totally overwhelmed by noise. And it seems that there is no echo. So the sensor uh outputs maximum. Uh we believe it is uh uh it
24:02
uses adaptive threshold. So it is used for noise suppression. Well uh the designers definitely has a good intention designing this but they didn't consider the malicious scenarios. Well the second attack is uh spoofing attack. So basically there is to inject
24:21
ultrasonic pulses at a certain time that can uh fool the sensor. So for example uh if we craft a fake pulse right before the first original one we can kind of spoof the uh the uh propagation time so that so that we can manipulate the distance. But this attack is
24:44
non trivial because only the first justifiable echo will be processed. So there's kind of like an effective time slot which is right after the transmitter pulse and before the first echo pulse. So you're gonna have to inject within this slot to make it successful. And if if if it change the arrival arriving time of the fake echo we can make
25:07
manipulate the sensor readings right? So this is uh uh video demonstrates um the
25:25
distance. So this is jammer connected to computer. Uh this is computer. And you can see that the jammer has been detected as an obstacle and distance is 66 centimeters. And now it starts spoofing. Wow. So distance has been altered. It's a stop. And if you
25:53
look outside the vehicle there's nothing moving. And if you if you look at instrument panel the spoofing is still going on. So in conclusion spoofing attack can
26:15
alter distance. Uh and this is a demo of spoofing attack on Audi. Uh in this video we just
26:23
randomly altered the distance. At first nothing is in front of the car. Well I'm
26:50
assuring you that the jumping bars are now volume indicator of the music. So spoofing attack can alter distance on Audi. Uh let me summarize the result of spoofing
27:01
attack. So spoof attack can manipulate sensor readings for some stand alone sensors and on cars so that we can make the car stop where it shouldn't. The third type of attack is acoustic quieting. Uh uh a method is uh acoustic cancellation which means that we cancel the original one with what every sound of reverse phase. So uh so the when they
27:25
add up together there's no echo at all. And from our experiments uh uh we observe that by matter of phase and amplitude adjustment we are able to cancel ultrasound. But if you want to cancel cancel ultrasound from the car you're gonna need to uh use dedicated
27:41
hardware. So uh a easier way a easier way to do this is cooking. Which means that we absorb the ultrasound with some kind of sound absorbing materials. Uh like like some some acoustic damping foams which is very cheap. And it has the same effect as jamming that can have obstacles. So this is how we uh cloak a car. Now we drive toward a
28:08
car uh this lovely panel car. And you can see that the car's been detected and displayed as the the red bars on the screen. And now we'll apply the acoustic
28:22
damping foam. Well it disappears. And we we drive closer to the car, still nothing. And now we remove the damping foam and it reappears. So uh so in conclusion, choking can hide a
28:48
car. So what about human? Can clicking also hide a human? We tried this. So this is me walking across the car and you can see that I have been detected by the sensor. But now
29:06
if I wear the damping foam I'm invisible. And still nothing. Well can you think of a
29:22
new way to wear this foam? Here we go. This is uh dump to the foam scar. It also works. So choking can hide a human. So if you want a car, a human or a glass to be visible, just buy this. Well um by the way uh behind the glass door is my advisor's office. So this
29:48
is what happens when you uh let your students do all the work. I'm sorry. So the the third type uh so the the second type of attack is on the millimeter wave readers. So we have tested this attack on Tesla Model S because we don't have uh the the other
30:05
sweetcars don't have a reader on it. So uh M&W reader, it measures distance, angle, speed and shape uh etcetera from from long, short to long distance. Uh it is useful for some high speed and critical applications like adaptive cruise control,
30:24
collision violence and blind spot detection. So how can we misuse readers? It is similar. So uh when there's uh you're driving on highway and there's danger ahead of you and you want to stop but the car if you do something to the to the reader that the car
30:43
does not stop where it should. It could cause some serious accident. And if there is danger behind you and you want to steer away from it but the reader tells you that there's something ahead of you you have to stop. So that would be terrible. So let me let me walk you through how a reader works. So a reader transmits and receives
31:05
electromagnet magnetic waves and measures the propagation time and etcetera. It is uh similar to ultrasonic sensors except that the signal is is is RF. So uh when we are dealing with RF uh it is uh difficult to measure the time because it it travels at the
31:22
speed of light. So uh in order to do this we have to do modulation so that uh we can make this process easier. So the most popular one of the most popular modulation scheme is FMCW. So uh which is kind of frequency modulation. And the Doppler effect can be used
31:40
to measure the relative speed and there are two major frequency bands. Which is at uh 24 or 76 gigahertz. This is how um the frequency modulated continuous wave works. Uh basically it is kind of like a sweeping frequency signal so the frequency actually
32:01
varies uh with time. And when the signal is transmitted and it hit a target and bounces back we'll receive a similar uh receive signal. And what what what we'll measure is the reflection time but it's difficult so we measure the difference frequency FD and calculate the time knowing the uh the RAM slope. So sometimes when the car is moving
32:26
relatively uh there will be a Doppler frequency shift. So um before doing the text the first thing we have to do is to understand the radar signal. So we we're gonna have to analyze the signal to find out uh what is the frequency range, what is the
32:42
modulation process, what is the RAM height, and what is the number and duration of RAM and what is the cycle time. So after doing this we can we can know whether jamming tag or sweeping tag is feasible right? So this is kind of like a a family picture of all the equipment we use. Uh special thanks to Keysight OpenLab for providing us uh free
33:04
access to this equipment which is three times the price of Tesla. Well um so I'm going to uh uh explain which ones I use later. Well um I forgot one thing. It doesn't have to be so expensive because uh you can actually you can just buy a radar and modify it to
33:25
be your own jammer. So this is how uh we analyze the signal. So first we receive the uh radar signal with a home uh with a home antenna which is connected to a harmonic mixer and analyze the signal from the frequency domain on the signal analyzer
33:40
and on the time domain from the oscilloscope. So basically what we found is that the radar outputs at uh 76 point 65 gigahertz as it says in the frequency and bandwidth is 450 megahertz, modulation is MCW but uh I have uh we have known all the details of
34:01
radar charts but I'm not I'm not gonna tell you because uh I wanna be responsible. So uh the idea of jamming tech is to jam radar within the same frequency band which is 60 76 to 77 gigahertz. So uh we can jam at fixed frequency like this and we can jam at
34:22
sweeping frequency like this. It covers all the frequency band. Well the the the idea spoofing tech is to spoof the radar with similar RF signal something like this. Pretty straightforward. And to to generate the radar signal we have to uh generate a signal
34:42
with a signal generator uh at 12 gigahertz and multiply the signal to with a frequency multiplier and transmit it with a home antenna. So before showing you how uh how the results are uh let me uh introduce you how the autopilot is placed. So the blue
35:00
icons means that the uh traffic aware cruise control and auto steer is on and the blue car means the car ahead of you has been detected and locked. And we have to do the experiments when the car and the experiment is stationary because uh when the car is
35:21
moving and in case our attack is successful the car might hit the equipment and if I damage the equipment with 3 times the price of tesla I won't be able to graduate. So this is a demo of jamming attack. So in this video I am standing in front of the tesla controlling the radio interfere as you can see from the camera of the mobile phone. So
35:48
now the autopilot is turned on and the car controlling the equipment has been detected as a blue car. And now I show how uh so now the interfere is is turned
36:01
off. So we turn on interfere and you can see that the blue car disappears. And we turn off interfere it reappears. We have cap we have kept trying this for many many times and it
36:24
works every time. So jamming attack on radar can hide obstacles so that the car may now
36:49
stop where it should. So let me summarize the result of all the uh radar attacks. So for jamming attack it can hide obstacles which has already been detected. Uh and other fix
37:03
or swimming fix works. Uh for the spoofing attack we can spoof the distance of the car head. So basically what we would have seen is that the car actually jumps forward and badboard. Well the third type of attack is on cameras. Uh we have tested stand
37:20
along cameras from mobile eye and and point degree and tested on tesla mode S which has a mobile eye. So camera uh actually detects ob objects uh by computer vision. Uh there's forward camera and there's backward camera. It is used for limpet lint departure warning, lint camping uh traffic sign recognition and also for parking assistance. So how
37:46
can cameras be misused? So a camera is mainly used for steering. If the camera does not work the car may not steer where it should. So there can be some accidents. Well the
38:01
attack we have on on on camera is blinding attack. So basically it means what we jam the uh the we we uh there are 3 types of interference we use. Uh there are LED spot, laser pointer and infrared LED spot which are all very cheap. And there are 2 scenarios. The one is we point the interference directly at the camera and the other is we
38:26
point the interference at the calibration bar and reflect back to the camera. So it is this is a result of of of blinding with IOD. So uh when the IOD is pointed toward the the calibration bar there's only partial blinding but when it is faced toward the camera
38:45
directly there will be uh total blinding. And this is a result when we use a laser beam. Uh it is even more prominent. Uh either fixed laser beam or wobbling laser beam uh can cause total blinding. Uh and there is something we didn't expect is the permanent damage of
39:05
the camera. So you can see that there is this uh black scar on the camera. And we have to send it back to vendor and have repair and cost uh cost us a lot of money. Uh which I don't care because it is Jien Ho's camera. Well this is a demo uh of of of blinding
39:25
the camera with a laser beam. This is a view from the camera. And now we uh point the laser beam at the calibration bar and you can see that the effect is it is it's not
39:41
very effective. However when we point the laser beam directly at the camera, we can see that there is uh this blurry white and blurry red and you can not see anything. So you can imagine what will happen if a camera on a car has been blinded like this. So laser
40:03
can blind camera. Uh we have also tested infrared IOD it doesn't work very well. Um we have tested blinding uh cameras on Tesla. Uh well the good news is the Tesla actually gave you an alert message that asks you to take over uh when there is
40:20
jamming time. So it is uh kind of like uh a relieving response. Well um we have uh uh submitted our findings to Tesla uh and got their active response. Uh they uh appreciate our work and they are looking into this issue. Well uh looking forward how can we improve
40:44
these sensors? Well to begin with the sensor has to feel safe. Uh for example this zero or maximum distance for ultrasonic sensors it has to be zero distance so that the car will stop instead of hitting something. And it should also be uh designed with uh anomaly
41:05
detection function. Uh I believe at least jamming attack is easier to be detected because there is uh uh abnormal strong level of signal. And also increase the damage of sensors such as using multiple ultrasonic sensors for measuring one distance. And also
41:26
using different types of sensors to uh for like uh kind of double check. And also in the system that does the sensor data fusion uh it is better if the trustworthiness of these
41:40
sensors are evaluated. Uh so that when there's uh when the system does not have enough confidence in the sensor data it will stop the car uh from self driving. So uh it can be it can feel safe. Whereas safety is always uh more important than convenience driving. But what's next? Uh in the future we hope to um to get the output of the
42:08
sensors directly. Uh so instead of uh a black box approach and we hope to read uh the sensor data and the actuator data. Or we hope to carry out uh moving uh vehicle
42:23
experiments to to to examine whether these attacks are feasible when the vehicle is moving on the road. And we hope to uh measure the longest uh the maximum attack range and angle. And also how we can improve the performance of these attacks. Well uh in
42:42
conclusion I hope what you can get from this work is that uh attacking existing sensors on cars is feasible. Uh we have found many ways to fool sensors. Uh some attacks are easy uh some some are non-trivial. So the sky is not falling. It's not like someone on the
43:05
road has a lot of sensors. Well for the manufacturers the sensors should be designed with security in mind so that uh we should also always think about intentional attacks especially when the sensor is going to play a very important role in self driving
43:21
cars. Well for customers uh do not trust semi autonomous cars yet. You have to always be careful yourself. Well well we have fully secure autonomous cars in the future. Let's wait and see. Well these are the people we'd like to thank uh with all the help this
43:43
work will not be possible. These are our colleagues that helped us in the experiments. Uh if you want to know more details about this work please check out our white paper or just write us an email. Thank you. Uh thank you. If you have questions if you have questions you can come up here we'd like to answer.