00:00:00.033,00:00:03.503
>>So up next we’re gonna talk
about some some some some

00:00:03.503,00:00:06.473
current stuff but also thinking
very far forward because

00:00:06.473,00:00:08.842
everybody hates driving right?
I’d much rather have my car

00:00:08.842,00:00:12.212
drive me to work than uh than me
have to drive. We wanna make

00:00:12.212,00:00:14.581
sure that that’s nice and
secure. So these guys are gonna

00:00:14.581,00:00:20.087
talk about whether we can um
trust self-driving vehicles. Uh

00:00:20.087,00:00:23.557
let’s give em a big round of
applause. [applause] Have a good

00:00:23.557,00:00:28.228
time. [applause]. >>Uh thank
you. I’m uh so exciting just

00:00:28.228,00:00:34.401
stand here. Good afternoon today
I bring you the latest work on

00:00:34.401,00:00:39.406
attacking self-driving vehicles.
The title is can you trust your

00:00:42.175,00:00:47.180
autonomous cars, or vehicles? I
would like to talk about our

00:00:49.216,00:00:53.754
latest work. Uh we are core
security I’m Jianhao Liu from

00:00:53.754,00:00:59.726
China and I work for Qihoo 360
the Sky-Go team. Folks research

00:00:59.726,00:01:04.498
se uh vehicle cyber security.
>>I’m Chen Yan I’m Chen Yan from

00:01:04.498,00:01:08.635
Zhejiang University and Dr. Xu
is my advisor uh Xu’s a

00:01:08.635,00:01:12.039
professor at Zhejiang University
and universe university of South

00:01:12.039,00:01:14.675
Carolina. Uh I believe she’s
hiding somewhere in the audience

00:01:14.675,00:01:21.281
because she wants us to do all
the work. [laughter] >>Okay this

00:01:21.281,00:01:25.085
talk uh in this talk will first
introduce what is autonomous

00:01:25.085,00:01:29.723
vehicles. The idea of car
hacking by sensors or the

00:01:29.723,00:01:33.327
percent outward attacked. At the
last [indiscernible] we decided

00:01:33.327,00:01:38.332
to postpone defense. Recent
development car hacking ranging

00:01:40.534,00:01:45.806
for conversion costs raise the
telematics to autonomous car.

00:01:45.806,00:01:50.844
The car is in increasing in
instructing with the environment

00:01:50.844,00:01:56.249
the third opens up new attack
surface. In this talk we’ll show

00:01:56.249,00:02:01.188
you our work on autonomous
vehicles. So what are autonomous

00:02:07.427,00:02:12.199
vehicles? Autonomous vehicle can
sense our surrounding and uh

00:02:12.199,00:02:17.237
make car driving decisions by
using muh using the motion knee

00:02:17.237,00:02:22.275
knee algorithm. Basically a car
that can drive itself without

00:02:22.275,00:02:27.280
human doing anything. According
is uh to this international

00:02:30.484,00:02:37.024
standard. autonomous driving can
be divided into 5 levels and an

00:02:37.024,00:02:43.030
example of level 1. Adapt to
your cul culture where we must

00:02:43.030,00:02:48.869
uh put hands on the steering
wheel. Level 3 conditioned uh

00:02:48.869,00:02:53.774
automation where hands can be
off the steering wheel yet the

00:02:53.774,00:02:58.779
driver still needs to take over
for time to time. Level 5 is

00:03:00.747,00:03:06.019
full automation. A car can
handle all the driving models

00:03:06.019,00:03:12.392
and uh drives itself out without
a human in it. So basically we

00:03:12.392,00:03:17.564
can sleep in your car.
[laughter] typically Tesla is

00:03:17.564,00:03:22.636
considered as level 3 and uh ya
uh successfully Google car will

00:03:22.636,00:03:27.641
be level 5. This is uh arch
architecture of auton autonomous

00:03:31.244,00:03:36.950
vehicles. First the car has to
have a sensors to monitor these

00:03:36.950,00:03:43.323
surroundings and for more ad
advanced cars they will have a

00:03:43.323,00:03:48.328
V2X. We heard V2X stands for
vehicle to anything. Then the

00:03:50.697,00:03:56.470
sensor data can guide vehicle
movement and uh to plant and uh

00:03:56.470,00:04:02.642
counter the past. The driving
plans will be for formed to the

00:04:02.642,00:04:09.416
driver by HMI. The HMI it means
the motion len uh uh human

00:04:09.416,00:04:13.820
machine interface. All the
driving decision will be

00:04:13.820,00:04:18.825
executed by the car. The this is
how automatic to driver works.

00:04:21.895,00:04:26.800
Let me show a few automatic
driving application. They

00:04:26.800,00:04:33.273
include auton autonomous lane
keep, autonomous lane change,

00:04:33.273,00:04:38.178
autonomous lane overtake,
autolom- autonomous highway

00:04:38.178,00:04:43.183
merger, and autonomous highway
exit, uh and the autonomous

00:04:47.120,00:04:52.792
interchange. Autonomous vehicles
has a rich set of sensors which

00:04:52.792,00:04:57.797
include the following. Uh it’s
about uh a union qu you ah

00:05:00.133,00:05:04.304
ultrasonic ultrasonic uh sensor
can [indiscernible] outside

00:05:04.304,00:05:09.342
nearby. Camera can use
[indiscernible] word road thing

00:05:09.342,00:05:13.647
road things, lanes, and make
sure car descends in speed.

00:05:13.647,00:05:19.319
LiDAR creates a 3D map by
scanning the environment and

00:05:19.319,00:05:24.524
plan the driving decision. Radar
can [indiscernible] cars from

00:05:24.524,00:05:29.996
middle range uh to long range
and uh make sure that the signs

00:05:29.996,00:05:35.001
to your car in the front this
beat is a moving direction

00:05:37.003,00:05:42.209
because these sensors the car
can sense the environment and ID

00:05:42.209,00:05:47.214
the code identify what kind of
outside codes uh nearby. Finally

00:05:49.416,00:05:55.355
the car can make decisions for
driving. Of Course the automatic

00:05:55.355,00:06:01.228
driving are controlled by
electrotronicles. That’s uh to

00:06:01.228,00:06:06.233
turn a regular car into self
driving car. One has added uh

00:06:09.035,00:06:14.040
electronicals to control the
ultra ultrasonic directly. This

00:06:17.310,00:06:22.382
this way the car can send
commands to control our brakes,

00:06:22.382,00:06:27.387
electronic uh power steering and
so on. So how can I attack

00:06:31.324,00:06:36.129
autonomous vehicles? Where
sensor data guided to travel

00:06:36.129,00:06:42.302
route of the car and the sensors
safe as the plan to control the

00:06:42.302,00:06:47.307
car that we set uh scope of our
attacks. Attacking the sensors

00:06:49.342,00:06:54.180
on autonomous cars if we can
modify the sensor data the

00:06:54.180,00:07:00.754
driving decision will be made
based on fact data. What is

00:07:00.754,00:07:06.559
displayed on HMI may be wrong
and uh maybe mistake. The pass

00:07:06.559,00:07:12.299
planning may not be cracked
which leads to wrong execution.

00:07:12.299,00:07:17.304
In short the reliability of the
sensors will will be affect the

00:07:20.607,00:07:27.113
reliability of the automatic
driving vehicles. Now to up to

00:07:27.113,00:07:32.485
now the most otherwise automatic
driving can that we have access

00:07:32.485,00:07:38.391
in Tesla. Tesla has autodrive
otherwise autopilot assists him

00:07:38.391,00:07:43.563
which relies the the autonomo
autonomous driving at between

00:07:43.563,00:07:50.503
level 2 and level 3. Basically
Tesla has all the features of

00:07:50.503,00:07:54.774
the autonomous driving. Thus the
autopilot assists him but still

00:07:54.774,00:07:57.110
requests the driver to place his
hands on the steering wheel. It

00:07:57.110,00:07:58.912
has a really change of people
driving habits and luckily this

00:07:58.912,00:08:03.850
habit change ha has lead to our
recent incr incident which has

00:08:14.561,00:08:19.966
caused our sensor malfunction.
Thus re reliability of sensors

00:08:19.966,00:08:24.704
is important. If autopilot can
fair under no more yet a

00:08:24.704,00:08:29.709
specials case. What will happen
if there is international

00:08:31.811,00:08:38.785
intentional mel mer mer
malicious attacks as as is some

00:08:38.785,00:08:43.289
as China to have uh traffic
addic- additioned. So there is a

00:08:43.289,00:08:48.294
sweet strip of sensors in Tesla.
One of millimeter rear readers,

00:08:55.769,00:09:00.507
a middle range reader is
amounting front of the Tesla and

00:09:00.507,00:09:05.545
a camera a front looking camera
is amount on the window shield

00:09:05.545,00:09:11.684
on the le near rear mirror out
of 12 ultrasonic sensors.

00:09:11.684,00:09:16.556
Ultrasonic sense are claw are
clawed near the front and the

00:09:16.556,00:09:21.561
near the bumpers. There’s a
video. We will show how we can

00:09:24.164,00:09:29.169
find the sensors under the cars
which make the autopilot off of

00:09:29.169,00:09:34.841
Tesla to mirror mirror function.
Let me show you a few videos

00:09:34.841,00:09:41.748
give you the highlight of our
work. The first the is a spoof

00:09:41.748,00:09:46.753
ultrasonic to take HMI have a
mirror function. [indiscernible

00:09:49.989,00:09:54.994
sounds] Now Yen Chang is behind
the car Yen Chang is here. He’s

00:09:59.699,00:10:05.772
really too close now but uh the
HMI can not displays the designs

00:10:05.772,00:10:10.777
>>[Chinese] >>[laughs] Now uh
Yen Chang off of the device. The

00:10:15.448,00:10:20.453
HMI displayed [indiscernible
sounds] So >>[Chinese] >>We call

00:10:25.258,00:10:30.263
the HMI mistake. >>[Chinese]
[indiscernible yelling and

00:10:35.535,00:10:40.540
sounds] >>And last [applause]
Thank you [applause] Next the

00:10:45.812,00:10:50.817
video is a coaster car. This is
our attack code to control your

00:10:53.987,00:10:58.992
car. [indiscernible noise] Uh
this is our coaster car in front

00:11:04.831,00:11:11.804
so we can start autopilot system
and uh starting driving but in

00:11:11.804,00:11:13.806
in front of the car have a new
new car [indiscernible sounds]

00:11:16.142,00:11:21.147
[dinging]. When the car pass the
Yen Chang the coaster come force

00:11:27.153,00:11:32.158
our car to stop. [beeping]
[indiscernible sounds] [dinging]

00:11:35.261,00:11:42.135
Its display chu it it's
displayed to reach the coaster

00:11:42.135,00:11:47.140
car so uh the car uses to stop.
[indiscernible sounds] So

00:11:49.576,00:11:54.581
[applause] >>Thank you. Uh I
guess I’ll take over from here.

00:11:58.785,00:12:02.388
Uh the first type of talk is on
ultrasonic sensors and we have

00:12:02.388,00:12:08.394
tested the attack on Tesla,
Audi, Volkswagen and Ford. So uh

00:12:08.394,00:12:13.399
uh what is ultrasonic sensor? It
is sensor that measures distance

00:12:15.468,00:12:19.205
generally within 2 meters. Uh it
is used for um parking scenarios

00:12:19.205,00:12:23.610
like parking distance, parking
space detection, self parking,

00:12:23.610,00:12:26.946
and also on Tesla’s there’s uh
uh there’s feature called summon

00:12:26.946,00:12:29.616
which means that you can park
the car without even being

00:12:29.616,00:12:34.787
inside a car. So an important
scenario like this uh generally

00:12:34.787,00:12:38.925
there will be a display of
distance. It is either acoustic

00:12:38.925,00:12:43.329
or visual so that we can know
the sensor readings. So how can

00:12:43.329,00:12:49.769
we misuse ultrasonic sensors? So
imagine uh someone dislikes the

00:12:49.769,00:12:53.539
owner of a shop and he wants his
car to keep backing into the

00:12:53.539,00:12:57.577
glass wall so he did something
to the sensor now the car does

00:12:57.577,00:13:02.515
not stop where it should. So
what will happen? [indiscernible

00:13:11.858,00:13:13.993
noise] [yelling] Well I believe
most of you want to attack your

00:13:13.993,00:13:17.263
parking spot it is real annoying
when someone has parking into

00:13:17.263,00:13:21.834
your parking spot. So um instead
of putting up a sign, uh if you

00:13:21.834,00:13:25.605
can do something to the sensor
that makes a car stop in the

00:13:25.605,00:13:31.844
middle of parking that would be
awesome. So uh before going into

00:13:31.844,00:13:35.381
how this misuses can be done let
me walk you through how an

00:13:35.381,00:13:38.751
ultrasonic sensor works. So an
ultrasonic sensor it emits

00:13:38.751,00:13:41.954
ultrasound and receive echoes
based on the piezoelectric

00:13:41.954,00:13:45.091
effect. I believe this
technology is uh motivated by

00:13:45.091,00:13:51.798
bats. So the sensor generates an
ultrasonic pulse and it che

00:13:51.798,00:13:56.936
propagates and hit an obstacle
and bounces back and creates an

00:13:56.936,00:13:59.839
uh receiver pulse so we can
measure the uh so if we can

00:13:59.839,00:14:03.109
measure the propagation time
between the uh transmitter pulse

00:14:03.109,00:14:08.014
and the receiver pulse and
knowing the uh speed of sound in

00:14:08.014,00:14:11.284
air we can basically we can
calculate the distance uh from

00:14:11.284,00:14:16.522
this very simple uh formulation.
So there are 3 types of attacks

00:14:16.522,00:14:20.326
on ultrasonic sensors the first
one is jam attack. So jam attack

00:14:20.326,00:14:24.297
generates ultrasonic noises that
causes denial of service of the

00:14:24.297,00:14:30.903
sensor and spoofing attack uh it
crafts fake echo pulses so that

00:14:30.903,00:14:35.274
it can alters distance. The
third one is acoustic quieting

00:14:35.274,00:14:39.378
it means that uh this attack can
diminish the original ultrasonic

00:14:39.378,00:14:45.051
pulses so that it can hide
obstacles. To validate these

00:14:45.051,00:14:49.122
these attacks uh these are the
equipment we ha we used. Uh so

00:14:49.122,00:14:52.625
first we need uh uh ultrasonic
trans fusers that can emit

00:14:52.625,00:14:56.362
ultrasound. Uh and second we
need a signal signal uh signal

00:14:56.362,00:14:59.899
suppliers that can generate
excitation signals uh in our

00:14:59.899,00:15:05.171
case we use uh other uh Arduino
or uh signal generator um to

00:15:05.171,00:15:08.341
make is is start it faster and
cheaper we used ultra

00:15:08.341,00:15:10.743
[indiscernible] but you can
throw a design your own piece of

00:15:10.743,00:15:15.748
uh uh jammer. So the basic uh
idear of jamming attack is to

00:15:18.451,00:15:22.455
inject ultrasonic noises at the
resonance frequency of the

00:15:22.455,00:15:27.393
sensor which is generated
between 40 to 50 kilohertz uh at

00:15:27.393,00:15:29.962
it cos it can caused a denial of
service of the sensor. So

00:15:29.962,00:15:33.332
actually it’s really in the
round figure uh so fir first we

00:15:33.332,00:15:37.036
there is a on sensor there’s
transmitter pulse and the uh

00:15:37.036,00:15:41.007
receive echo pulse. If it
generate out a sound or noise at

00:15:41.007,00:15:46.546
a jammer so this noise will be
received by the sensor and this

00:15:46.546,00:15:51.384
noise will fully cover the um
original echos and we have

00:15:51.384,00:15:55.755
tested these attack uh in a
laboratory on 8 uh models of

00:15:55.755,00:16:00.693
stand alone sensors and on those
um 4 vehicles. So um for for

00:16:03.296,00:16:07.500
this uh indoor uh experiments uh
as you can see on the rad figure

00:16:07.500,00:16:11.637
it is uh rece- uh a figure of uh
re received electrical signal

00:16:11.637,00:16:14.173
and a sensor. Uh when there’s no
jammer you can see that there

00:16:14.173,00:16:17.543
are there are um excitation
pulse and the following echo

00:16:17.543,00:16:22.114
pulses. So this is how it works
uh uh but when there’s weak

00:16:22.114,00:16:24.851
jamming signal you can see that
the noise flow has been

00:16:24.851,00:16:29.989
increased and as we increase the
noise flow you can see that when

00:16:29.989,00:16:34.093
there’s strong jamming the noise
can fully hide the original

00:16:34.093,00:16:37.997
echos so no measurement is
possible. So what about the

00:16:37.997,00:16:41.434
sensors? What is the reading of
the sensors? So basically we get

00:16:41.434,00:16:46.205
we get 2 very opposite types of
read outs. The first one is 0

00:16:46.205,00:16:50.409
distance which means that the
sensor detects something very

00:16:50.409,00:16:54.180
close and the other one is
maximum distance which means

00:16:54.180,00:17:00.152
that the sensor can not detect
anything. So how should cars

00:17:00.152,00:17:04.290
behave to jamming attack? Should
they be zero distance or maximum

00:17:04.290,00:17:08.427
distance? If it’s if it is zero
distance it means that the car

00:17:08.427,00:17:12.198
detects something so that it
will stop but if it’s maximum

00:17:12.198,00:17:15.134
distance it means the car can
now detect anything and the car

00:17:15.134,00:17:18.537
will not stop and will keep
moving. So obviously zero

00:17:18.537,00:17:23.342
distance is a fail safe option
for vehicles right? However uh

00:17:23.342,00:17:28.648
according to our experiments on
cars uh the result is

00:17:28.648,00:17:32.385
unfortunately the maximum
distance. So um let me show you

00:17:32.385,00:17:38.925
a video that demonstrates how it
is really maximum distance. So

00:17:38.925,00:17:45.631
this is an ultrasonic sensor on
Audi Q3 and this is a ultrasonic

00:17:45.631,00:17:50.636
jammer which is wired to a
computer and now you from the um

00:17:53.639,00:17:56.442
screen of the car you can see
that the jammer has been

00:17:56.442,00:18:01.447
detected as an obstacle uh as
displayed in in white bar and we

00:18:01.447,00:18:05.751
read this the data from the OBD
the it says distance is 28

00:18:05.751,00:18:10.756
centimeters and now let’s turn
on the jammer and obstacle

00:18:17.363,00:18:22.368
disappears. [applause] and the
distance it's at is maximum.

00:18:28.808,00:18:32.611
[laughter] So in conclusion a
jamming attack can opp at

00:18:32.611,00:18:37.216
maximum distance and it can hide
obstacles. So let me summarize

00:18:37.216,00:18:40.720
the result of jamming attack. So
on ultrasonic sensors there uh

00:18:40.720,00:18:43.122
there’s zero distance and there
are maximum distance for

00:18:43.122,00:18:46.792
different sensors and on cars
with parking assistance the

00:18:46.792,00:18:51.497
result is maximum distance. Well
interestingly uh from the many

00:18:51.497,00:18:55.801
of the Tesla motor ads it says
if a sensor is unable to provide

00:18:55.801,00:18:59.071
feedback the instrument panel
instrument panel will display an

00:18:59.071,00:19:04.243
alert message however we have
never seen this alert message.

00:19:04.243,00:19:10.683
Well another question is how
well did car behave when like uh

00:19:10.683,00:19:15.087
self parking and someone got the
car actually drives itself based

00:19:15.087,00:19:18.824
on this false sensor readings?
So let me just show you a

00:19:18.824,00:19:23.829
reading of how we do this attack
on Tesla Summon. [indiscernible

00:19:26.399,00:19:30.002
noise] So as you can see that
there’s nobody in the car and

00:19:30.002,00:19:35.007
this is me standing in front of
the car holding an ultrason-

00:19:37.410,00:19:40.513
ultrasonic jammer. [background
noise] And now Jin Hau turn on

00:19:40.513,00:19:45.851
the Tesla Summon. Well normally
the car would not move because I

00:19:45.851,00:19:51.457
have been detected right?
[background noise] However when

00:19:51.457,00:19:58.431
we jam the sensor it moves
[beeping] [background noise] and

00:19:58.431,00:20:04.203
hit me. That hurts. [laughter]
[applause] well in conclusion

00:20:04.203,00:20:06.238
jamming attack can also hide
obstacles when the car is

00:20:06.238,00:20:10.543
driving for itself. Uh you might
ask well the distance eh is only

00:20:10.543,00:20:14.246
like 20 centimeters can it be
longer? Well of course because

00:20:14.246,00:20:18.584
if we increase the reach level
of the jammer like uh we used uh

00:20:18.584,00:20:22.521
if we use uh ultrasonic uh uh
Arduino outputs at 5 volts. If

00:20:22.521,00:20:26.492
we uh output at uh 20 volts we
reach a si single function

00:20:26.492,00:20:31.430
generator we can increase the um
the attack distance. So in this

00:20:31.430,00:20:36.202
video uh there’s a man uh
standing uh behind the Tesla uh

00:20:36.202,00:20:39.638
this is this is not me this is
another brave man in our lab. Uh

00:20:39.638,00:20:44.643
his name is Weebing uh this is
more dangerous. So now the

00:20:47.847,00:20:52.852
interferer is off and I turn on
the Tesla Summon and you can see

00:20:56.755,00:21:01.460
that the car starts reversing.
However the it would not move

00:21:01.460,00:21:07.900
because the man has been
detected and now we turn on the

00:21:07.900,00:21:12.905
uh function generator to uh turn
on the interferer so watch

00:21:15.541,00:21:20.546
closely. Now we turn on the
Tesla Summon again well it moves

00:21:24.950,00:21:29.955
uh it hit the man [laughter] and
hit the interferer. So um the

00:21:33.893,00:21:37.096
car will stop because the
interferer has been hit.

00:21:37.096,00:21:42.268
[applause] thank you [applause]
Because the interferer has been

00:21:42.268,00:21:45.738
hit and stopped working. So on
jamming attack the distance can

00:21:45.738,00:21:49.742
be increased if you have enough
budget right? So let me

00:21:49.742,00:21:52.244
summarize the read out of of of
jammer attack on on on self

00:21:52.244,00:21:56.682
parking and summon. So the car
uh analyst errors the car does

00:21:56.682,00:22:00.252
not stop under strong jamming.
It might hit someone though or

00:22:00.252,00:22:05.491
something. So there’s another
question, uh why is some sensors

00:22:05.491,00:22:09.461
output zero distance and some
output maximum distance? Well we

00:22:09.461,00:22:12.097
believe it is because of
different sensor designs. For

00:22:12.097,00:22:16.502
zero distance the sensor
compares the signal with a fixed

00:22:16.502,00:22:19.939
threshold so if the signal
exceeds the wattage level

00:22:19.939,00:22:23.175
exceeds the threshold it
believes that there's uh justify

00:22:23.175,00:22:26.812
uh echo. So the jamming signal
actually increased the ultra

00:22:26.812,00:22:31.750
level so the sensor thinks that
hey there’s um an uh there’s an

00:22:31.750,00:22:36.856
echo right after a transmit so
it is zero. Well for maximum

00:22:36.856,00:22:41.694
distance we uh kind of started
the sensor on Audi Q3 broke it,

00:22:41.694,00:22:45.631
probe it, and uh uh reversed a
schematic ho uh but we didn’t

00:22:45.631,00:22:48.367
find any useful information
because they it is an

00:22:48.367,00:22:52.104
application specific IC. So all
the signals are uh processed

00:22:52.104,00:22:56.108
inside the chip so um to ma to
make it easier we uh started

00:22:56.108,00:22:58.611
another sensor which is known as
MaxSonar MB1200. It is another

00:22:58.611,00:22:59.945
sensor that outputs maximum
distance. So uh basically we

00:22:59.945,00:23:01.247
have to destroy the um
transfuser on top of it and

00:23:01.247,00:23:02.581
expose the circuits. So this is
how it works when there’s no

00:23:02.581,00:23:03.916
jamming. You can see that the
the the white line means the uh

00:23:03.916,00:23:05.918
time of flight and the blue line
means the echos. Well we can see

00:23:05.918,00:23:07.920
that there’s uh excitation pulse
and there there are echo pulses

00:23:07.920,00:23:09.255
and if you watch closely the
time of flight exactly matched

00:23:09.255,00:23:10.589
with the echo the first echo
pulse. Uh and when there’s

00:23:10.589,00:23:15.294
strong jamming and when there’s
weak jamming uh you can see that

00:23:15.294,00:23:17.496
the noise floor has been
increased but it did but the

00:23:17.496,00:23:19.098
measurement is still uh correct.
However when there is strong

00:23:19.098,00:23:21.100
jamming you can see that the uh
signal is totally overwhelmed by

00:23:21.100,00:23:25.070
noise and it seems that there’s
is no echo so uh the sensor

00:23:25.070,00:23:30.976
outputs maximum. Uh we believe
it is uh uh it uses adaptive

00:23:30.976,00:23:36.348
threshold so it is used for
noise suppression. Well um the

00:23:36.348,00:23:40.686
designers definitely has a good
intention designing this but

00:23:40.686,00:23:45.691
they didn’t consider the
malicious scenarios. Well the

00:23:49.795,00:23:54.800
second type of attack is a
spoofing attack. So basic idear

00:24:19.958,00:24:25.297
is to inject ultrasonic pulses
at a certain time that can uh

00:24:25.297,00:24:30.669
fool the sensor. So for example
uh if we craft a fake pulse

00:24:30.669,00:24:37.376
right before the first original
one we can kind of spoof the uh

00:24:37.376,00:24:41.246
the uh trans propagation time so
it so that we can manipulate the

00:24:41.246,00:24:46.118
distance but this attack is non
trivial because only the first

00:24:46.118,00:24:49.621
justifiable echo will be
processed. So there’s kind of

00:24:49.621,00:24:53.892
like an effective time slot
which is right after the

00:24:53.892,00:24:56.862
transmitter pulse and before the
first echo pulse so you’re gonna

00:24:56.862,00:25:02.167
have to inject within this slot
to make it successful and if it

00:25:02.167,00:25:06.271
if it changed the arrival
arriving time of the fake echo

00:25:06.271,00:25:11.343
we can make manipulate the
sensor readings right? So this

00:25:11.343,00:25:16.248
is uh a video that demonstrates
um the spoofing attack on Tesla.

00:25:16.248,00:25:21.253
Oh sorry. So this is jammer
connect to connected to a

00:25:26.191,00:25:27.526
computer. Uh this is computer.
Uh you can see that the jammer

00:25:27.526,00:25:28.861
has been detected and as an
obstacle and distance is 66

00:25:28.861,00:25:30.195
centimeters and now we start
spoofing. Wow. So distance has

00:25:30.195,00:25:32.197
been honored. [laughter] It’s a
stop and if you look outside the

00:25:32.197,00:25:33.532
vehicle there’s nothing moving
and if you if you look at

00:25:33.532,00:25:35.534
instrument panel the spoofing is
still going on. [applause] So in

00:25:35.534,00:25:36.869
conclusion spoofing attack can
alter distance. Uh and this is a

00:25:36.869,00:25:41.874
demo of spoofing attack on Audi
uh in this video we just

00:25:51.984,00:25:56.989
randomly altered the distance.
So at first nothing is in front

00:26:01.226,00:26:06.231
of the car [inaudible word]
[music playing] [cheering]

00:26:50.042,00:26:52.611
[applause] Well I’m assuring you
that the jumping bars are now

00:26:52.611,00:26:56.582
volume indicator of the music.
So spoofing attack can also

00:26:56.582,00:27:00.719
alter distance on Audi. Uh let
me summarize their data of

00:27:00.719,00:27:04.356
spoofing attack. So spoof attack
can manipulate sensor readings

00:27:04.356,00:27:07.759
with some stand alone sensors
and on cars so that we can make

00:27:07.759,00:27:13.198
the car stop where it shouldn’t.
The third type attack is

00:27:13.198,00:27:17.603
acoustic quieting. Uh uh uh
method is acoustic cancellation

00:27:17.603,00:27:21.707
which means that we cancel the
original one with wa with sound

00:27:21.707,00:27:25.978
that we reversed phase so uh so
the when they add up together

00:27:25.978,00:27:31.450
there’s no echo at all and from
our experiments uh uh we observe

00:27:31.450,00:27:34.786
that by minor phase and
amplitude adjustment we are able

00:27:34.786,00:27:37.923
to cancel the ultrasound but if
you want to cancel cancel the

00:27:37.923,00:27:41.026
ultrasound from the car your
gonna need to uh use very good

00:27:41.026,00:27:45.731
hardware. So uh a easier way a
easier way to do this is

00:27:45.731,00:27:50.102
cloaking which means that we
absolve the ultrasound with some

00:27:50.102,00:27:53.805
kind of sound absorbing
materials uh like like some some

00:27:53.805,00:27:58.911
acoustic damping foams which is
very cheap and it has same

00:27:58.911,00:28:04.349
effect as jamming that can hide
obstacles. So this is how we uh

00:28:04.349,00:28:09.354
cloak a car. Now we drive toward
a car uh this lo-lovely panda

00:28:11.790,00:28:14.826
car and you can see that the
car’s been detected and

00:28:14.826,00:28:21.166
displayed as the the red bars on
the screen and now we’ll apply

00:28:21.166,00:28:26.305
the acoustic damping foam.
[laughter] Wow! It disappears!

00:28:26.305,00:28:31.310
Uh we we drive closer to the car
still nothing and now we remove

00:28:36.181,00:28:41.186
the damping foam and it
reappears. So uh [applause] so

00:28:43.889,00:28:49.528
in conclusion cloaking can hide
a car. So what about human? Can

00:28:49.528,00:28:54.533
cloaking also hide human? We
tried this. [inaudible voices]

00:28:57.970,00:29:01.139
So this is me walking across the
car and you can see that I have

00:29:01.139,00:29:06.144
been detected by the sensor but
now if I wear the damping foam

00:29:10.282,00:29:15.287
[laughter] I’m invisible.
[laughter] [applause] and still

00:29:18.857,00:29:22.894
nothing. [laughter] Well can you
think of a new way to wear this

00:29:22.894,00:29:27.966
foam? Here we go. This is uh
damp [laughter] it's a foam

00:29:27.966,00:29:34.940
skirt. [laughter] It also works.
So cloaking can hide a human so

00:29:34.940,00:29:39.945
if you want a car, a human, or
glass to be invisible just buy

00:29:39.945,00:29:45.951
this. Well um by the way uh
behind the glass door is my

00:29:45.951,00:29:49.221
advisor's office. So this is
what happens when you uh let

00:29:49.221,00:29:53.692
your students do all the work.
I’m sorry. [laughter] So the the

00:29:53.692,00:29:57.696
third type uh so the so the
second type attack is on the

00:29:57.696,00:30:01.800
millimeter wave radars. So we
have tested this attack on Tesla

00:30:01.800,00:30:05.570
Model S because we don’t have uh
the the other 3 cars don’t have

00:30:05.570,00:30:10.876
the radar on it. So uh MMW radar
it measures distance, angles,

00:30:10.876,00:30:16.048
speed, and shape uh etc. from
from long short to long

00:30:16.048,00:30:21.319
distance. Uh it is used for some
high speed and critical

00:30:21.319,00:30:24.556
applications like adaptive
cruise control, uh collision

00:30:24.556,00:30:29.027
avoidance and, blind spot
detection. So how can we misuse

00:30:29.027,00:30:31.296
radars? It is similar so uh when
there’s uh we’re driving on

00:30:31.296,00:30:33.298
highway and there’s danger ahead
of you, and you want to stop but

00:30:33.298,00:30:37.135
the car if you do something to
this to the radar that car does

00:30:37.135,00:30:42.140
not stop where it should. It
could cause some serious

00:30:46.111,00:30:51.383
accidents and if there is danger
behind you and you wanna steer

00:30:51.383,00:30:54.152
away from it but the radar tells
you that there is something

00:30:54.152,00:30:59.491
ahead of you you have to stop so
that would be terrible. So let

00:30:59.491,00:31:02.861
me se let me walk you through
how an radar works. So a radar

00:31:02.861,00:31:06.398
transmits and receives
electromagnetic magnetic waves

00:31:06.398,00:31:10.669
and measure the propagation time
and etc. it is uh similar to

00:31:10.669,00:31:15.807
ultrasonic sensors except that
the signal is is is is RF. So uh

00:31:15.807,00:31:20.412
when we’re dealing with RF uh it
is uh difficult to measure the

00:31:20.412,00:31:24.216
time because it it travels at
the speed of light. So uh in

00:31:24.216,00:31:29.521
order to do this we have to do
modulation so that uh we can

00:31:29.521,00:31:33.091
make this process easier. So the
most popular one of the most

00:31:33.091,00:31:37.162
popular modulation scheme is
FMCW. So uh which is kind of

00:31:37.162,00:31:40.432
frequency modulation and the
doppler effect can be used to

00:31:40.432,00:31:44.803
measure the route of speed and
their their 2 major frequency

00:31:44.803,00:31:49.808
bands which is at a 24 or 76
gigahertz. So this is how um the

00:31:52.811,00:31:56.848
frequency modulated continuous
wave works. Uh basically it is

00:31:56.848,00:32:01.686
kinda like a sweeping frequency
signal so the frequency actually

00:32:01.686,00:32:06.858
varies uh with time and when the
signal is transmitted and it hit

00:32:06.858,00:32:11.196
a target and bounces back we’ll
receive a similar uh receive

00:32:11.196,00:32:15.967
signal and what what what we’ll
measure is the reflection time

00:32:15.967,00:32:19.037
but it’s difficult so we measure
the difference frequency FD and

00:32:19.037,00:32:24.576
calculate the time knowing the
uh the ramp slope. So sometimes

00:32:24.576,00:32:28.713
when the car is moving
relatively uh there will be a

00:32:28.713,00:32:32.517
doppler frequency shift. So um
before doing any attacks the

00:32:32.517,00:32:36.788
first thing we have to do is to
understand the radar signal. So

00:32:36.788,00:32:40.792
we we gonna have to analyze the
signal to find out uh what is

00:32:40.792,00:32:43.995
the frequency range, what is the
modulation process, what is ramp

00:32:43.995,00:32:46.898
height, and what is the number,
and duration of the ramp, and

00:32:46.898,00:32:51.236
what is the cycle time. So after
doing this we can we can know

00:32:51.236,00:32:55.574
whether jamming attack or spoof
attack is feasible right? So

00:32:55.574,00:32:58.543
this is kinda like a a family
picture of all the equipment we

00:32:58.543,00:33:02.480
used. Uh special thanks to
Keysight open lab for providing

00:33:02.480,00:33:06.518
us uh free access to this
equipment which is 3 times the

00:33:06.518,00:33:12.524
price of Tesla. [murmurs] Well
um so I’m going to uh uh explain

00:33:12.524,00:33:18.363
which ones I use later. Well um
I forgot one thing. It doesn’t

00:33:18.363,00:33:22.567
have to be so expensive because
uh you can actually you you can

00:33:22.567,00:33:27.806
just buy a radar and modify it
to be your own jammer. So this

00:33:27.806,00:33:32.410
is how um we analyze the signal.
So at first we receive the uh

00:33:32.410,00:33:35.814
radar signal with a home with a
home antenna which connected to

00:33:35.814,00:33:39.117
a harmonic mixer and analyze the
signal from the frequency domain

00:33:39.117,00:33:42.254
on the signal analyzer and on
the time domain for from the

00:33:42.254,00:33:47.792
oscilloscope. So basically what
we found is that radar outputs

00:33:47.792,00:33:53.431
at uh 76 point 65 gigahertz as
fre it says in the frequency and

00:33:53.431,00:33:58.370
bandwidth is 450 megahertz,
modulation is FMCW but uh I have

00:33:58.370,00:34:02.440
we have no Audi details that
reassures but I’m not I’m not

00:34:02.440,00:34:07.879
gonna tell you because uh I’m
not gonna be responsible. So uh

00:34:07.879,00:34:13.018
the idear of jamming attack is
to jam radar within the same

00:34:13.018,00:34:19.224
frequency band which is 60 76 to
77 gigahertz. So uh we can jam

00:34:19.224,00:34:22.861
at fixed frequency like this and
we can jam at sweeping frequency

00:34:22.861,00:34:28.667
like this that carries all the
frequency band. Well the the the

00:34:28.667,00:34:33.104
idear of spoofing attack is to
spoof the radar with similar RF

00:34:33.104,00:34:38.243
signal something like this.
Pretty straight forward and to

00:34:38.243,00:34:42.247
to generate the the radar signal
we have to uh generate a signal

00:34:42.247,00:34:45.317
with a signal generator uh at at
12 gigahertz and multiply the

00:34:45.317,00:34:48.386
signal to with a frequency
multiplier and transmit with a

00:34:48.386,00:34:54.059
home antenna. So before showing
you how uh how the the results

00:34:54.059,00:34:59.631
are uh let me um introduce you
how the autopilot is placed. So

00:34:59.631,00:35:04.903
the blue icons means that the uh
traffic aware cruise control and

00:35:04.903,00:35:09.841
auto steer is on and the blue
car means the car ahead of you

00:35:09.841,00:35:15.380
has been detected and locked and
we have to do the experiments

00:35:15.380,00:35:19.184
when the car and exper and uh
equipment is is stationary

00:35:19.184,00:35:23.822
because uh when a car is moving
and incase our attack is

00:35:23.822,00:35:28.093
successful the car might hit the
equipment and if I damage the

00:35:28.093,00:35:30.595
equipment which is 3 times the
price of Tesla I won’t be able

00:35:30.595,00:35:36.901
to graduate. [laughter] So this
is a demo of of jamming attack

00:35:36.901,00:35:40.071
so in this video I am standing
in front of the Tesla

00:35:40.071,00:35:44.509
controlling the radio interferer
as you can see from the camera

00:35:44.509,00:35:51.316
of the mobile phone. [sneeze] So
now the autopilot is turned on

00:35:51.316,00:35:54.786
and the car internal equipment
has been detected as a blue car.

00:35:57.288,00:36:01.960
And now I show how uh so now the
interferer is is is turned off

00:36:01.960,00:36:06.364
so we turn on interferer and you
can see that the blue car

00:36:06.364,00:36:11.369
disappears. And we turn off
interferer, it reappears. We

00:36:20.378,00:36:24.049
have kept we have kept trying
this for many many times and it

00:36:24.049,00:36:29.054
works every time. [applause] So
jamming attack on radar can hide

00:36:47.472,00:36:52.677
obstacles so that the car may
now stop where it should. So let

00:36:52.677,00:36:56.347
me summarize the data of all the
uh radar attacks. So for jamming

00:36:56.347,00:36:59.984
attack it can hide obstacles
which has already been detect

00:36:59.984,00:37:04.089
been been detected uh and either
fixed or sweeping frequency

00:37:04.089,00:37:07.225
works. Uh for the spoofing
attack we can spoof the distance

00:37:07.225,00:37:10.662
of the car ahead so basically
what we what we are seeing is

00:37:10.662,00:37:16.267
that the car actually jumps
forward and backward. Well the

00:37:16.267,00:37:20.505
third type attack is on cameras.
Uh we have tested stand alone

00:37:20.505,00:37:25.477
cameras from Mobileye and and
Point Grey and tested on Tesla

00:37:25.477,00:37:31.850
Model S which has a Mobileye. So
camera uh actually detects ob

00:37:31.850,00:37:35.920
objects uh by computer vision.
Uh there’s forward camera and

00:37:35.920,00:37:39.090
there’s backward camera. It is
used for limpid lane departure

00:37:39.090,00:37:42.761
warning, lane keeping, uh
traffic sign recognition, and

00:37:42.761,00:37:48.466
also for parking assistance. So
how can cameras be misused? So a

00:37:48.466,00:37:51.770
camera has been used for
steering, if the camera does not

00:37:51.770,00:37:57.675
work the car may not steer where
it should. So there can be some

00:37:57.675,00:38:03.548
accidents. Well the attack we
have on ta on on on camera is

00:38:03.548,00:38:06.684
blinding attack. So basically
what it means is we we jam the

00:38:06.684,00:38:11.790
uh the we we uh there are 3
types of interference we use. Uh

00:38:11.790,00:38:16.361
they’re LED spot, a laser
pointer, and infrared LED spot

00:38:16.361,00:38:20.932
which are all very cheap. And
there are 2 scenarios. The one

00:38:20.932,00:38:25.537
is we point the interferers
directly at a camera and the

00:38:25.537,00:38:29.274
other is we point the interferer
at the calibration board and

00:38:29.274,00:38:34.312
reflect back to the camera. So
it is this is result of of of

00:38:34.312,00:38:38.950
blinding with LED so uh when the
LED’s is pointed to all the the

00:38:38.950,00:38:40.285
calibration board there’s only
partial blinding but when it’s

00:38:40.285,00:38:41.653
it is face toward the camera
directly there will be uh total

00:38:41.653,00:38:42.987
blinding. And this is a result
when we use a laser beam. Uh it

00:38:42.987,00:38:44.322
is even more prominent. Uh other
fixed laser beam or wobbling

00:38:44.322,00:38:45.657
laser beam uh can cause total
blinding. Uh and there’s

00:38:45.657,00:38:50.662
something we didn’t expect, is
the permanent damage of the

00:38:59.237,00:39:04.175
camera. So you can see that
there’s this uh black scar on

00:39:08.947,00:39:13.484
the camera and we have to send
it back to the vendor and have

00:39:13.484,00:39:17.522
it repaired and it cost us cost
us a lot of money which i don’t

00:39:17.522,00:39:19.457
care because it is Jianhau’s
camera. [laughter] Well this is

00:39:19.457,00:39:26.364
a demo uh of of of of of
blinding the camera with a laser

00:39:26.364,00:39:31.369
beam. This is a view from the
camera and now we uh point the

00:39:35.273,00:39:38.476
laser beam at a calibration
board and you can see that the

00:39:38.476,00:39:45.183
effect is hu is is is not very
effective. However when we point

00:39:45.183,00:39:48.486
the laser beam directly at the
camera you can see that there’s

00:39:48.486,00:39:52.390
uh this blurry white and blurry
red and you can not see

00:39:52.390,00:39:56.327
anything. So you can imagine
what will happen if the camera

00:39:56.327,00:40:01.332
on a car has been blinded like
this. So laser can blind camera.

00:40:04.969,00:40:07.872
And we have also tested infrared
LED it doesn’t work very well.

00:40:07.872,00:40:13.411
Um we have tested blinding uh
cameras on Tesla uh well the

00:40:13.411,00:40:17.815
good news is the Tesla actually
gave you an alert message that

00:40:17.815,00:40:22.120
asks you to take over uh when
there’s jamming attack. So it is

00:40:22.120,00:40:28.393
uh kinda like uh a relieving
response. Well um we have a pu a

00:40:28.393,00:40:33.765
ka uh submitted our findings to
Tesla uh and got their active

00:40:33.765,00:40:39.203
response. Uh they appreciate our
work and they are looking to

00:40:39.203,00:40:43.808
this issue. Well uh looking
forward how can we improve these

00:40:43.808,00:40:48.813
sensors? Well to begin with, the
sensor has to feel safe. Uh for

00:40:51.015,00:40:55.853
example uh this zero or maximum
distance for ultrasonic sensors

00:40:55.853,00:40:59.057
it has to be zero distance so
that the car will stop instead

00:40:59.057,00:41:03.828
of hitting something and it
should also be uh designed with

00:41:03.828,00:41:07.298
uh anomaly detection function.
Uh I believe at least jamming

00:41:07.298,00:41:11.903
attack is easier to be detected
because there’s uh st a normal

00:41:11.903,00:41:18.810
strong level uh signal and also
increase the redundancy of

00:41:18.810,00:41:23.214
sensors such as using multiple
ultrasonic sensors for measuring

00:41:23.214,00:41:29.654
one distance. And also using
different types of sensors to uh

00:41:29.654,00:41:34.659
for like uh kind of double
check. And also in the system

00:41:34.659,00:41:38.696
that does this sensor data
fusion uh it is better if the

00:41:38.696,00:41:43.067
trust [indiscernible] of these
sensors are evaluated uh so that

00:41:43.067,00:41:46.170
when there’s uh when the system
does not have enough continence

00:41:46.170,00:41:51.976
confidence in the sensor data it
will stop the car uh from self

00:41:51.976,00:41:56.781
driving so uh it can be it can
feel safe. Our safety is always

00:41:56.781,00:42:01.886
more important the convenience
right? Well whats next? Uh in

00:42:01.886,00:42:08.626
the future we hope to um to get
the output of the sensors

00:42:08.626,00:42:14.632
directly uh so instead of uh a
black box approach um we hope to

00:42:14.632,00:42:19.003
read um the the sensor data and
the actual actual reader data.

00:42:19.003,00:42:23.074
Well we hope to carry out a
moving uh what you call

00:42:23.074,00:42:25.510
experiments to to to examine
whether these attacks are

00:42:25.510,00:42:28.913
feasible when when this car is
moving on the road and we hope

00:42:28.913,00:42:34.051
to uh measure the longest the
the maximum attack range and

00:42:34.051,00:42:38.623
angle and also how can improve
the performance of these

00:42:38.623,00:42:44.362
attacks. Well um in conclusion I
hope what you can get from this

00:42:44.362,00:42:51.069
work is that uh attacking
existing sensors on cars is

00:42:51.069,00:42:55.840
feasible. Uh we have found many
ways to fool sensors. Uh some

00:42:55.840,00:43:00.578
attacks are easy well some some
are non trivial. So the sky is

00:43:00.578,00:43:03.448
not falling uh it’s not like
someone on the roadside can

00:43:03.448,00:43:10.121
easily just attack your sensors.
Well for the manufacturers the

00:43:10.121,00:43:13.624
sensors should be designed with
security in mind so that uh we

00:43:13.624,00:43:17.261
should also always think about
intentional attacks especially

00:43:17.261,00:43:20.665
when the sensors is gonna play a
very important role in self

00:43:20.665,00:43:26.170
driving cars. Well for customers
uh do not trust semi-autonomous

00:43:26.170,00:43:31.576
cars yet. You have to always be
careful yourself. Well, will we

00:43:31.576,00:43:37.915
have fully secure autonomous
cars in the future? Let’s wait

00:43:37.915,00:43:41.118
and see. Well these are the
people we’d like to thank uh

00:43:41.118,00:43:44.555
without their help this work
would not be possible. These are

00:43:44.555,00:43:48.025
our colleagues that helped us in
these experiments. Uh if you

00:43:48.025,00:43:51.462
wanna know more details about
this work please check out our

00:43:51.462,00:43:55.066
whitepaper or just write us
emails. Thank you. [applause] Uh

00:43:55.066,00:43:59.904
Thank you [applause] If you have
questions [applause] If you have

00:43:59.904,00:44:03.207
questions you can come up here
we’d like to answer. [applause]