Researchers warn robot cars can be crashed with tinfoil and paint daubed on cardboard

A team of researchers from prominent universities – including SUNY Buffalo, Iowa State, UNC Charlotte, and Purdue – were able to turn an autonomous vehicle (AV) operated on the open sourced Apollo driving platform from Chinese web giant Baidu into a deadly weapon by tricking its multi-sensor fusion system, and suggest the attack could be applied to other self-driving cars.

"Extensive experiments based on a real-world AV testbed show that the proposed attack can continuously hide a target vehicle from the perception system of a victim AV using only two small adversarial objects," explained the researchers, whose work was published last week in The 30th Annual International Conference on Mobile Computing and Networking.

While others have proven vulnerabilities inherent in AV systems, this particular team expanded on single-sensing modality or camera-LiDAR manipulation, and tricked systems that employ Lidar, camera, and radar together.

The new attack leverages mmWave reflection – the signals that provide object detection in such systems – on a smooth metal surface. They do this in a way researchers refer to as "low cost" and "easily fabricated" as it involves strategically arranging metal foil and colored patches on cardboard.

"By placing a smooth metal surface between the radar and a target vehicle with a specific orientation, the transmitted mmWave signals can be deflected from the radar receiver, leading to a reduction in the energy of echo signals from the vehicle," wrote the study authors. "When the energy becomes lower than a threshold, the target vehicle will be hidden from radar perception."

Meanwhile, the color patch misrepresented input image pixel values and affected Apollo's camera perception. Reflections confused its read on Lidar lasers. Thus all three sensing modalities were compromised.

• Baidu's robotaxi division to wheel into profit next year
• GhostStripe attack haunts self-driving cars by making them ignore road signs
• Baidu's PR head has a PR problem after workaholic social media posts
• Waymo robotaxi drives down wrong side of street after being alarmed by unicyclists

The boffins suggest that the attack could be carried out with drones, which serve to "hide" a secondary vehicle from the victim AV by projecting or carrying the adversarial object. Absent a drone, the trickster collage could be mounted on the front vehicle and disguised as an advertisement.

"Since the drones only hover for a few seconds during the attack and can fly away from the victim AV immediately after the attack, the attack can be performed with high stealthiness and flexibility," noted the researchers.

While Baidu Apollo platforms were used in the attack, the attack strategy could theoretically be applied to other multi-sensor fusion systems.

Baidu has expanded its robo-taxi operations across China. The tech giant has charged for autonomous rides in its Apollo Go cabs since November 2021 and now operates robo-taxis in more than ten Chinese cities.

Its service in Wuhan alone covers 3,000 square kilometers and half the city's population.

The biz expects its robo-taxi wing to be profitable next year. ®