So up next, we're going to talk about some current stuff, but also thinking very far
forward, because everybody hates driving, right? I'd much rather have my car drive me to work
than me have to drive. We want to make sure that that's nice and secure. So these guys are
going to talk about whether we can trust self-driving vehicles. Let's give them a big round
of applause. Have a good time. Thank you. I'm so excited to stand here.
Good afternoon. Today I bring you the latest work on attacking self-driving vehicles. The title is
Can You Trust Your Autonomous Vehicles? I would like to talk about our latest work on vehicle
security. I'm Jianhao Liu from China, and I work for Qihu 360 in Skygo team, folks research
security. I'm Jianhao Liu from China, and I work for Qihu 360 in Skygo team, folks research
uh uh vehicle cyber security. I'm Chen Yan, I'm Chen Yan from Zhejiang University, and Dr. Xu is
my advisor. Uh she's a professor at Zhejiang University and University of South Carolina. Uh I
believe she's hiding somewhere in the audience because she wants us to do our work. Okay, this
talk uh in this talk we first introduce what is autonomous vehicles. The idea of car hacking by
sensors at a present outward attacked. At last uh we decide the possible defense. With the
development of car hacking, ranging from condition cars with telematics to autonomous car. The car is
increasing in injecting with the environment. The third opens up new attack service. In this talk we
show you our work on autonomous vehicle. Thank you.
vehicles. So, what are autonomous vehicles? Autonomous
vehicle can sense its surrounding and uh make a driving
decisions by using mu- using the machine learning algorithm.
Basically, a car that can drive itself without human doing
anything. According is uh to this international standard,
autonomous driving can be divided into five levels. And
the next example of level one, adaptive coach control where we
must put hands on the steering wheel. Level three, conditioned
uh automation where hands can be off the steering wheel. Level
orters are able to solve problem. Yet, the driver still
needs to take over for time to time. Level five is for
automation. A car can handle other driving models and the
driving itself without human in it. So basically, we can sleep
in your car. Typically, Tesla is conditioned as level three.
And, as a sense for Google Car will be in around twenty to fourteen
level 5. This is the a- architecture of auton- autonomous
vehicles. First, the car has to have sensors to monitor these
surroundings. And for more a- advanced cars, they will have a
V2X. Where V2X stands for vehicle to anything. Then, the
sensor data can guide vehicle movement and uh to plan and uh
control the path. The driving plans will be for- formed to the
driver by HMI. The HMI is means the machine uh uh human machine
interface. All the driving decision will be executed by the
car. The- this is how automatic to driver works. The driver
will be- uh- let me show a few automatic driving application.
They include uh autom- autonomous line keep, autonomous
line change, autonomous line overtake, auto- auto- autonomous
highway merger, and uh autonomous highway excite, uh-
and uh autonomous interchange. Autonomous vehicle have a- uh-
rich set of sensors, which include the following. Uh- it's
about uh- a unique uh- uh- ultrasonic sensor can- a difficult
oversight nearby. Camera can use a difficult road thing- road
things, lines, and the measure car designs and speed. LiDAR
creates a 3D map by scanning the environment and plan the driving
decision. LiDAR can identify cars for- middle range, uh, to long
range and measure the designs to car in the front. This speed is uh
moving direction. Because this sensors, the car can sense the
environment and identify what kind of obstacles, are nearby. Finally,
the car can make this map complete. The bottom-fall correction process
decisions for driving. Of course, the automatic driving are
controlled by electronicals. That's to cover a regular car
into self-driving car. One has added a electronicals to
control the auto-autosonic directly. This-this way the car
can send commands to control the brakes, electronical power
stream, and so on. So, how can I attack autonomous vehicles?
We are sensor data guide to travel route of the car and the
sensor safe as the plan to control the car. Thus we set a
scope of our attacks. Attacking the car can send commands to
the sensors on autonomous cars. If we can modify the sensor data
in driving decision will be made based on fact data. What is
displayed on HMI may be wrong and may be mistake. The past
planning may not be correct, which leads to wrong execution.
In short, the reliability of the sensors will-will be affect
the reliability of the automatic driving vehicle.
Now, to-up to now, the most advanced automatic driving can,
that we have access in Tesla. Tesla has the ad-drive advanced
autopilot system which relies the-the autonoma-autonomous
driving at between level two and level three. Basically, Tesla has
the future of the autonomous driving. Thus, the autopilot system still requires the driver
to place his hands on the steering wheel. It has already changed people's driving habits.
Unluckily, this habit change has lead to a recent inc-incident which is cause of sensor
malfunction. Thus, the reliability of sensors is important. If autopilot can fail under normal
yet speckled case, what will happen if there is international, international, mer-mer-mer-mer
relations attacks? As, as is some as China to have a traffic addiction, addiction.
So, there is a straight type of sensors in test lab. One of millimeter real leaders. A
middle range radar is amount in front of the test lab. And a camera. A front-looking camera is
amount on the on the near-wave mere-mirro. And a 12 ultrasonic sensors.
Ultrasonic sensors are cla- are cloud near the front of the car. And they are used to
front and the near the bumpers. That's a video. We will show how we can find the sensors and
the cars which make the autopilot of Tesla to mirror mirror function. Let me show you a few
videos give you the highlight of our work. The first is uh spoof ultrasonic to take HMI
have a mirror function. Now Yen-Chen is behind the car. Yen-Chen is here. He is ready to
close now. But the HMI can't display the designs. Now uh Yen-Chen offers the device to
the device. The HMI displayed. So we can the HMI mistake. And that's thank you.
Next video is a ghost car. This is our tech go to controller car. Uh this is a ghost car
in front. So we can start autopilot system and starting driving. But in in front of the car
have a no no car. When the car pass the Yen-Chen, the ghost car can force our car to stop.
It's display to it's display to hit the ghost car. It's display to hit the ghost car.
So it the car is to stop. So
Thank you. Uh I guess I'll take a word from here. Uh the first type of tech is ultrasonic
sensors and we have tested this tech on Tesla, Audi, Volkswagen and Ford. So uh uh
sensor. It is a sensor that measures distance generally within 2 meters. Uh it is used for
um parking scenarios like parking assistance, parking space detection, self parking and also
on Tesla there's this feature called summon which means that you can park the car without
even being inside the car. So in a parking scenario like this uh generally there will be a
display of distance. It is either acoustic or visual so that we can know the sensor readings.
So how can we misuse ultrasonic sensors? So imagine uh someone dislikes the owner of the
shop and he wants the car to keep backing into the glass wall. So he did something to the
sensor that the car does not stop where it should. So what will happen?
Uh I believe most of you want to protect your parking spot. It is really annoying when
someone gets parking into your parking spot. So uh instead of putting up a sign uh if you can do
something to the sensor that makes the car stop in the middle of parking that would be awesome.
So uh before going into how these misuses can be done let me walk you through how an
ultrasonic sensor works. So an ultrasonic sensor it emits ultrasound and receive echoes based
on the piezoelectric effect. I believe this technology is uh motivated by bats. So the sensor
generates an ultrasonic pulse and it it propagates and hit an obstacle and bounces back and
creates an uh receiver pulse. So we can measure the uh so if we can measure the propagation time
between the uh transmitter pulse and the receiver pulse and measure the uh the uh the uh the uh the
knowing the uh speed of sound in air we can this way we can calculate the distance uh from this
very simple uh formulation. So there are three types of attacks on ultrasonic sensors. The
first one is jamming attack. So jamming attack generates ultrasonic noises that causes the
narrow service of the sensor. And spoofing attack uh it crafts fake echo pulses so that it can
orders distance. The third one is acoustic quieting. It means that uh this attack can
diminish the original ultrasonic pulses so that it can hide obstacles. To validate these
attacks uh these are the equipment we have we use uh so first we need uh uh ultrasonic
transducers that can emit ultrasound. Uh and second we need uh signal signal uh signal
suppliers that can generate excitation signals. Uh in our case we use uh other
uh adrenal or uh a single generator um to make it it start a faster and cheaper we use
official hardware but you can design your own piece of of jammer. So the basic uh idea of
jamming attack is to inject ultrasonic noises at the resonance frequency of the sensor which is
generally between 40 to 50 kilohertz. Uh a it can cause the uh denial service of the
sensor. So actually it's related in the ultrasonic sensor is the uh violet sensor
the right figure. Uh so first there is uh on the sensor there
is transmitter pulse and the uh received echo pulse. If it
generate an ultrasonic noise noise at the jammer so this
noise will be received by the sensor and this noise will fully
cover the uh original echoes. And we have tested this attack
uh in the laboratory on eight uh models of stand-alone sensors
and all those on uh four vehicles. So um for for this
uh indoor uh experiments uh as you can see on the right figure
it is uh a figure of uh received electrical signal at a sensor.
Uh when there's no jamming you can see that there are there are
uh excision pulse and the following echo pulses. So it is
how it works. Uh and but when there's weak jamming signal you
can see that the noise floor has been increased. Uh the
drained signal as we increase the noise floor you can see that
when there's strong jamming the noise can fully hide the original
echo. So no measurement is possible. So what about the
sensors. What is the reading of the censors? So basically we
get two very opposite types of results. The first one is zero
distance which means that the sensor detects something very
close. And the other one is maximum distance which means
that the sensor can detect. I can then exchange the Echo light
anything. So how should cars behave to jamming attack? Should
it be zero distance or maximum distance? If it's if it is zero
distance it means that the car detects something so that it
will stop. But if it's maximum distance it means the car can
not detect anything and the car will now stop and will keep
moving. So obviously zero distance is a failsafe option
for vehicles right? However uh according to our experiments on
cars uh the result is unfortunately the maximum
distance. So um let me show you a video that demonstrates how it
is really maximum distance. So this is an ultrasonic sensor on
Audi Q3 and this is a ultrasonic jammer which is
wired to a computer. And now you from the uh screen of the car
you can see that the jammer is not working. The jammer is
not working. The jammer has been detected as an obstacle uh
as displayed in in white bar. And we read the the data from
the OBD. It says distance is 28 centimeters. And now let's
turn on the jammer. And the obstacle disappears. And the
distance it says is maximum. So in conclusion uh jamming attack
can output at maximum distance and it can hide obstacles. So let
me summarize the result of jamming attack. So ultrasonic
sensors they are uh there's zero distance and there are maximum
distance for different sensors. And on cars with parking
assistance the result is maximum distance. Well interestingly uh
from the menu of Tesla Model S it says if a sensor is not
working the jammer is unable to provide feedback. This
instrument instrument panel will display an alert message.
However we have never seen this alert message. Well another
question is how will the car behave when like uh self parking
and someone that the car actually drives itself based on
this false sensor readings. So let me just show you a video of
how we do this attack on Tesla Summon.
So as you can see that there's nobody in the car and this is me
standing in front of the car holding an ultrasonic ultrasonic
jammer. And now Jane Howe turned on the Tesla Summon. Well
normally the car will not move because I have been detected
right? However when we jam the sensor it moves and hit me.
That hurts. Well in conclusion jamming attack can also
have obstacles when the car is driving for itself. Uh you might
ask well the distance is only like 20 centimeters can it be
longer? Well of course because if we increase the voltage
level of the jammer like uh we use uh if we use uh ultrasonic
uh uh adrenal outputs at 5 volts. If we uh output at uh 20
volts we use a signal to function generator we can
increase the um the attack distance. So in this video uh
there's a man uh standing uh behind the Tesla uh this is it
is not me this is another brave man in our lab uh his name is
Weibing uh this is more dangerous. So now the
interferer is off and I turn on the Tesla Summon and uh the
car starts reversing. And you can see that the car starts
reversing. However the it will not move because the man has been
detected. And now we turn on the uh function generator to uh
turn on the interferer. So watch closely. Now we turn on the
Tesla Summon again. Well it moves again. Now we turn on the
HMUS and I hit the man. And I hit the interferer. So um the
car only start because the interferer has been hit. Thank
you. Because the interferer has been hit and stopped working. So
uh jamming attack at the distance can be increased. If
you have no budget right. So let me summarize the redoubt of of
jamming attack on uh uh on stop working Summon. So the car uh it
energy scenarios the car does not stop energy strong jamming it might hit someone or something.
So there's another question uh why some sensors output zero distance and some output maximum
distance? Well we believe it is because of different sensor designs. For zero distance the
sensor compares the signal with a fixed threshold so if the signal exceeds the voltage level
exceeds the threshold it believes that there's a justified uh echo. So the jamming signal
actually increased the voltage level so the sensor thinks that hey there's um uh there's an echo
right after I transmit. So it is zero. Well for maximum distance we uh kind of started the
sensor on Audi Q3 broke it probed it and and it reversed the schematic uh but we didn't find
any useful information because the it is um application specific I'd say. So the uh the
signals are processed inside the chip. So uh to to make it easier we uh started another
sensor which is known as Maxona MB1200. It is another sensor that outputs maximum distance.
So uh we basically we have to destroy the uh transducer on top of it and expose the circuits.
So this is how it works when there's no jamming. You can see that the the the white line means
the uh time of flight. And the blue line means the uh time of flight. And the blue line means the
echoes. Well you can see that there's uh activation pause and there are there are echo pauses
and if you watch closely the time of white exactly match with the echo the first echo pause.
Uh and when there's strong jamming when there's weak jamming uh you can see that the
noise flow has been increased but the but the measurement is still uh correct. However when
there is strong jamming you can see that the uh signal is totally overgrazed. Uh you can see
overwhelmed by noise and it seems that there is no echo so the sensor uh outputs maximum. Uh we
believe it is uh it uses adaptive vessels so it is used for noise suppression. Well uh the
designers definitely has a good intention designing this but they didn't consider it a
malicious scenarios. Well the second type of attack is uh spoofing attack. So basically
the idea is to inject ultrasonic pulses at a certain time that can uh fool the sensor. So for
example uh if we craft a fake pulse right before the first original one we can kind of spoof
the uh the uh propagation time so that we can manipulate the distance. But this attack is
non-trivial because only the first justifiable echo will be processed. So there's kind of
like an effective time slot which is right after the transmitter pulse and before the first echo
pulse. So you're gonna have to inject within this slot to make it successful. And if it if it
change the arrival arriving time of the fake echo we can make manipulate the sensor readings.
Right? So this is uh uh we do uh demonstrates um the spoofing attack on Tesla. Oh sorry.
So this is jammer connected connected to computer. Now this is computer. And you can see
that the jammer has been detected and as an obstacle and distance is 66 centimeters. And now
it starts spoofing. Wow. So distance has been altered. It's at stop. So the jammer is
moving. Now if we look at the remote control. And if you look outside the vehicle there
is nothing moving. And if you if you look at the instrument panel the spoofing is still going
on. So in conclusion spoofing attack and hour distance. Uh and this is a demo
attack on Audi. Uh, in this video we just randomly altered the distance. At first nothing
is in front of the car.
Well, I'm assuring you that the jumping bars are now volume indicator of the music.
So, Spoof and Tac are also already on Audi. Uh, let me summarize the
result of Spoof and Tac. So, Spoof and Tac can manipulate sensor readings both on
stand-alone sensors and on cars so that we can make the car stop where it shouldn't.
The third type of Tac is acoustic quieting. Uh, uh, uh, a method is, uh, acoustic
cancellation, which means that we cancel the original one with, uh, with sound of reverse
phase. So, uh, so the, when they add up together, there's no echo at all. Um, from our experiments,
uh, uh, we observed that by matter of phase and amplitude adjustment, we are able to cancel
ultrasound. But if you want to cancel, cancel ultrasound from the car, you're gonna need to,
uh, use dedicated hardware. So, uh, a easier way, a easier way to do this is cloaking, which
means that we absorb the ultrasound with some kind of sound absorbing materials, uh, like, like
some, some acoustic dimming foams, which is very cheap and it has the same effect as jamming.
That can add obstacles. So, this is how we, uh, cloak a car. Now we drive toward the car, uh,
this lovely panel car and you can see that the car's been detected and displayed as the, the
red bars on the screen. And now we'll apply the acoustic dimming foam. Wow, it
disappears! And we, we drive closer to the car and look at the signal. Now we can see, uh, uh,
still nothing. And now we remove the damping form and it reappears. So uh, so in conclusion,
cloaking can hide a car. So what about human? Can cloaking also hide a human? Let's try this.
So this is me walking across the car and you can see that I have been detected by the sensor.
But now if I wear the damping form, I'm invisible. And still nothing. Well, can you
think of a new way to wear this form? Here we go. This is uh, damp- this is a foam scar.
It also works. So cloaking can hide a human. So if you want a car, a human, or glass to be
invisible, just buy this. Well, um, by the way, uh, behind the glass door is my advisor's
office. So this is what happens when you, uh, let a student do all the work. I'm sorry.
So the, the third type, uh, so the second type attack is on the millimeter wave radar. So we
have tested this attack on Tesla Model S because we don't have, uh, the other three cars don't
have a radar on it. So, uh, MSW radar, it measures distance, angles, speed, and shape, uh,
etcetera from, from long, short to long distance. Uh, it is used for some high speed and critical
applications like adaptive cruise control, uh, collision warnings, and one spot detection. So
how can we misuse radars? It is similar. So, uh, when there is a- you're driving on highway and
there is danger ahead of you, and you want to stop. But the car, if you do something to the radar,
that car does not stop where it should. It could cause some serious accident. And if there is danger
behind you and you want to stay away from it, but the radar tells you that there is
something ahead of you, you have to stop. So that would be terrible. So let me, let me
walk you through how a radar works. So a radar transmits and receives electromagnetic waves and
measures the propagation time and et cetera. It is uh similar to ultrasonic sensors except
that the signal is is is RF. So uh when we're dealing with RF uh it is uh difficult to measure
the time because it it travels at the speed of light. So uh in order to do this we have to do
modulation so that uh we can make this process easier. So the most popular, one of the most
popular modulation schemes is FMCW. So uh which is kind of frequency modulation. And the
Doppler effect can be used to measure the relative space and the frequency of the signal. So
we can measure frequency and there are two major frequency bands. Which is at uh 24 or 76
gigahertz. This is how uh the frequency modulated continuous wave works. Uh basically it is
kind of like a sweeping frequency signal so the frequency actually varies uh with time. And
when the signal is transmitted and it hit a target and bounces back we'll receive a similar uh
received signal.
And a uh frequency has been adjusted. We measure the frequency of the signal and what what we'll
measure is the reflection time. But it's difficult so we measure the difference frequency of FD and
calculate the time knowing the uh the ramp slope. So sometimes when the car is moving
relatively uh there will be a Doppler frequency shift. So before doing the task the first thing
we have to do is to understand radar signal. So we we're gonna have to analyze the signal to find
find out uh what is the frequency range, what is the
modulation process, what is the RAM height, and what is the
number and duration of RAM and what is the cycle time. So after
doing this we can we can know whether jamming tag or
speaking tag is feasible right? So this is kind of like a a
family picture of all the equipment we used uh special
thanks to Keysight Open Lab for providing us uh free access to
this equipment which is three times the price of Tesla. Well
um so I'm going to uh uh explain which ones I use later.
Well um I forgot one thing. It doesn't have to be so expensive
because uh you can actually you can just buy a reader and modify
it to be your own jammer. So this is how um we analyze the
signal. So first we receive the uh reader signal with a home
uh with a home antenna which is connected to a harmonic mixer
and analyze the signal from the
efficiency of the signal. So this is how we analyze the
signal. So we will use this domain on the signal analyzer and
on time domain from the oscilloscope. So basically what
we found is that the reader outputs at uh 76.65 thertz as
its or frequency and bandwidth is 450 megahertz, modulation is
MCW. But uh I have uh we have no all the details of the
readers, but I'm not I'm not go tell you because um I don't und
be responsible. So uh the idea is um we select uh the data
of jamming attack is to jam reader within the same frequency
band which is sixty seventy six to seventy seven gigahertz. So
uh we can jam at fixed frequency like this and we can jam at
sweeping frequency like this that covers all the frequency
band. Now the the the idea of spoofing attack is to spoof the
reader with similar RF signal something like this. Pretty
straightforward. And to to generate the read reader signal
we have to uh generate a signal with the signal generator uh at
at twelve gigahertz and multiply signal to with uh
frequency multiplier and just made it with uh home antenna. So
before showing you how uh how the the results are uh let me uh
introduce you how the autopilot is placed. So the blue icons
means that the uh traffic aware, close control, and auto
signal. So the blue icons means that the uh traffic aware, close
clear is on. And the blue car means the car ahead of you has
been detected and locked. And we have to do the experiments when
the car and the uh equipment is is stationary because uh when the
car is moving and in case our attack is successful the car
might hit the equipment. And if I damage the equipment with
three times the price of Tesla I won't be able to graduate. So
this is a demo. So this is a demo. So this is a demo. So
this is a demo. So this is a demo. So this is a demo. So in this
video I am standing in front of the Tesla controlling the radio
interferer. As you can see from the camera of the mobile phone.
So now the autopilot is turned on. And the car containing the
equipment has been detected as a blue car. And now I show how uh
so now the interferer is is turned off. So we turn on the
interferer. And now I show how uh so now the interferer is is
turned off. And you can see that the blue car disappears. And
we turn off the interferer. It reappears. We have cap uh we have
kept trying this for many many times and it works every time.
Okay. So as you can see the camera is now rolling. The
cameras should not move. Okay. So JME attack is now rolling.
Yea. It is time to conflicted. But the hurrying solutions are
ready as soon as we protect thethings near the cars interأ
canцы. Okay. So the Curry Viscay Veilles is now showing itself,
right? Uh and we can see that the car is moving too much, and PC being Så A
the spoofing attack we can spoof the distance of the car ahead. So basically what we would
have seen is that the car actually jumps forward and bad boy. Well the third type of
attack is on cameras. Uh we have tested stand-alone cameras from mobile eye and and
point-of-gree and tested on a Tesla Model S which has a mobile eye. So camera uh actually
detects ob-objects uh by computer vision. Uh there's forward camera and there's backward
camera. It is used for limpid-lens departure warning, lane keeping, uh traffic sign
recognition, and also for parking assistance. So how can cameras be misused? Well camera is
really used for steering. If the camera does not work, the car may not steer where it
should. So there can be some accidents. So the third type of attack is on cameras. Uh
the attack we have on ta- on on camera is blinding attack. So basically we means we jam
the uh the we uh there are three types of interferers we use. Uh there are LED spot, uh
laser pointer, and infrared LED spot which are all very cheap. And there are two
scenarios. The one is we point the interferers directly at the camera and the other is we
point the interferer at the calibration board and reflect back to the camera. So the first
one is it- it is a blinding attack. When we use this uh it- it can cause a total blinding.
So it is- it is a result of- of- of blinding with IOD. So uh when the IOD is pointed toward
the- the calibration board there's only partial blinding. But when they it is faced toward the
camera directly there would be uh total blinding. And this is a- the- that when we use a laser
beam. Uh it is even more prominent. Uh either fixed laser beam or wobbling laser beam uh can
cause total blinding. Uh and there is something we didn't expect is the permanent damage of the
camera. So you can see that there is this uh black scar on the camera. And we have to send it
back to the vendor and have it repaired and it cost us a lot of money. Uh which I don't care
because it is Jianhao's camera. But this is a demo uh of of of of blinding the
camera with the laser beam. This is a view from the camera. And now we uh point the laser
beam at a calibration board and you can see that the effect is uh it is not very effective.
However when we point the laser beam directly at the camera you can see that there is uh this
blurry white and blurry red and you cannot see anything. So you can imagine what will happen if
the camera on the car has been blinded like this. So laser can blind camera. Uh we have
also tested infrared it doesn't work very well. Uh we have tested blinding uh cameras on
Tesla. Uh well the good news is the Tesla actually gave you an alert message that asks you to
take over uh when there is jamming time. So it is uh kind of like uh a relieving response.
Well um we have uh submitted our findings to tesla uh and got their active response. Uh they
zero or maximum distance for ultrasonic sensors it has to be zero distance so that the car will
stop instead of hitting something. And it should also be uh designed with uh anomaly detection
function uh I believe at least jamming attack is easier to be detected because there is uh
abnormal strong level of signal. And also increase the damage to the sensor such as using
multiple ultrasonic sensors for measuring one distance. And also using different types of
sensors to uh for like uh kind of double check. And also in the system that does the sensor data
fusion uh it is better if the transverseness of these sensors are evaluated uh so that when
there's uh when the system does not have enough confidence in the sensor data it will stop the car
uh from self-driving. So uh it can be it can feel safe. But safety is always uh more important
than convenience right. But what's next? Uh in the future we hope to uh to get the output out of
the sensors directly uh so instead of uh a black box approach. And we hope to read uh the the
sensor data and the actuator data. And uh we hope that uh the uh the uh the uh the uh the uh the uh
we hope to carry out uh moving uh vehicle experiments to to to examine whether this
attacks are feasible when when the vehicle is is moving on the road. And we hope to uh measure
the longest uh the maximum attack range and angle and also how we can improve the performance
of this attack. Well um in conclusion I hope what you can get from this work is that uh attacking
existing sensors on cars or vehicles you can and most importantly uh connecting to the car.
is feasible. Uh we have found many ways to fool sensors. Uh
some attacks are easy while some some are non-trivial. So
this guy is not falling. It's not like someone on the real
side can easily just attack your sensors. Well for the
manufacturers the sensors should be designed with security
in mind so that uh we should also always think about
intentional attacks especially when the sensor is going to
play a very important role in self-driving cars. But for
customers uh do not trust semi-autonomous cars yet. You
have to always be careful yourself. Well when we have
fully secure autonomous cars in the future, let's wait and see.
Well these are the people we'd like to thank uh without the
help this work would not be possible. These are our
colleagues that helped us in the experiments. Uh the
uh if you want to know more details about this work please
check out our white paper or just write us a email. Thank
you. Uh thank you. If you have questions, if you have
questions you can come up here. We'd like to answer.