SoK: Rethinking Sensor Spoofing Attacks against Robotic Vehicles from a Systematic View

Robotic Vehicles (RVs) have gained great popularity over the past few years. Meanwhile, they are also demonstrated to be vulnerable to sensor spoofing attacks. Although a wealth of research works have presented various attacks, some key questions remain unanswered: are these existing works complete enough to cover all the sensor spoofing threats? If not, how many attacks are not explored, and how difficult is it to realize them? This paper answers the above questions by comprehensively systematizing the knowledge of sensor spoofing attacks against RVs. Our contributions are threefold. (1) We identify seven common attack paths in an RV system pipeline. We categorize and assess existing spoofing attacks from the perspectives of spoofer property, operation, victim characteristic and attack goal. Based on this systematization, we identify 4 interesting insights about spoofing attack designs. (2) We propose a novel action flow model to systematically describe robotic function executions and unexplored sensor spoofing threats. With this model, we successfully discover 103 spoofing attack vectors, 26 of which have been verified by prior works, while 77 attacks are never considered. (3) We design two novel attack methodologies to verify the feasibility of newly discovered spoofing attack vectors.

[1]  Guanhong Tao,et al.  Physical Attack on Monocular Depth Estimation with Optimal Adversarial Patches , 2022, ECCV.

[2]  Wenyuan Xu,et al.  Rolling Colors: Adversarial Laser Exploits against Traffic Light Recognition , 2022, USENIX Security Symposium.

[3]  Qi Alfred Chen,et al.  SoK: On the Semantic AI Security in Autonomous Driving , 2022, ArXiv.

[4]  Deming Zhai,et al.  Shadows can be Dangerous: Stealthy and Effective Physical-world Adversarial Attack by Natural Phenomenon , 2022, 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[5]  Lichao Sun,et al.  DoubleStar: Long-Range Attack Towards Depth Estimation based Obstacle Avoidance in Autonomous Systems , 2021, USENIX Security Symposium.

[6]  M. Pajic,et al.  Security Analysis of Camera-LiDAR Fusion Against Black-Box Attacks on Autonomous Vehicles , 2021, USENIX Security Symposium.

[7]  Tambet Matiisen,et al.  A Survey of End-to-End Driving: Architectures and Training Methods , 2020, IEEE Transactions on Neural Networks and Learning Systems.

[8]  Aanjhan Ranganathan,et al.  An Experimental Study of GPS Spoofing and Takeover Attacks on UAVs , 2022, USENIX Security Symposium.

[9]  Tianwei Zhang,et al.  Clean-Annotation Backdoor Attack against Lane Detection Systems in the Wild , 2022, ArXiv.

[10]  Chenglin Miao,et al.  Can We Use Arbitrary Objects to Attack LiDAR Perception in Autonomous Driving? , 2021, CCS.

[11]  Ting Zhu,et al.  I Can See the Light: Attacks on Autonomous Vehicles Using Invisible Lights , 2021, CCS.

[12]  Tianwei Zhang,et al.  Analysis and Mitigation of Function Interaction Risks in Robot Apps , 2021, RAID.

[13]  Yang Liu,et al.  An Investigation of Byzantine Threats in Multi-Robot Systems , 2021, RAID.

[14]  Vijay Srinivas Tida,et al.  Transduction Shield: A Low-Complexity Method to Detect and Correct the Effects of EMI Injection Attacks on Sensors , 2021, AsiaCCS.

[15]  Waseem Iqbal,et al.  On GPS spoofing of aerial platforms: a review of threats, challenges, methodologies, and future research directions , 2021, PeerJ Comput. Sci..

[16]  Xiaoyu Ji,et al.  Poltergeist: Acoustic Adversarial Machine Learning against Cameras and Computer Vision , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[17]  Ruigang Yang,et al.  Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[18]  Yungang Bao,et al.  Towards Practical Cloud Offloading for Low-cost Ground Vehicle Workloads , 2021, 2021 IEEE International Parallel and Distributed Processing Symposium (IPDPS).

[19]  Vyas Sekar,et al.  CANNON: Reliable and Stealthy Remote Shutdown Attacks via Unaltered Automotive Microcontrollers , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[20]  Yuval Elovici,et al.  SoK: Security and Privacy in the Age of Commercial Drones , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[21]  Jiong Jin,et al.  Deep Learning-Based Autonomous Driving Systems: A Survey of Attacks and Defenses , 2021, IEEE Transactions on Industrial Informatics.

[22]  Huy Kang Kim,et al.  Cybersecurity for autonomous vehicles: Review of attacks and defense , 2021, Comput. Secur..

[23]  Felix Juefei-Xu,et al.  Fooling LiDAR Perception via Adversarial Trajectory Perturbation , 2021, 2021 IEEE/CVF International Conference on Computer Vision (ICCV).

[24]  Yuan He,et al.  Adversarial Laser Beam: Effective Physical-World Attack to DNNs in a Blink , 2021, 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[25]  Xianglong Liu,et al.  Dual Attention Suppression Attack: Generate Adversarial Camouflage in Physical World , 2021, 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[26]  David A. Wagner,et al.  Model-Agnostic Defense for Lane Detection against Adversarial Attack , 2021, Proceedings Third International Workshop on Automotive and Autonomous Vehicle Security.

[27]  Franc Dimc,et al.  A Comparative Analysis of the Response of GNSS Receivers under Vertical and Horizontal L1/E1 Chirp Jamming , 2021, Sensors.

[28]  Lu Su,et al.  Who Is in Control? Practical Physical Layer Attack and Defense for mmWave-Based Sensing in Autonomous Vehicles , 2020, IEEE Transactions on Information Forensics and Security.

[29]  Qi Alfred Chen,et al.  Dirty Road Can Attack: Security of Deep Learning based Automated Lane Centering under Physical-World Attack , 2020, USENIX Security Symposium.

[30]  Patrick Traynor,et al.  SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems , 2020, 2021 IEEE Symposium on Security and Privacy (SP).

[31]  Ivan Martinovic,et al.  SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations , 2020, USENIX Security Symposium.

[32]  Moinuddin K. Qureshi,et al.  MAZE: Data-Free Model Stealing Attack Using Zeroth-Order Gradient Estimation , 2020, 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[33]  Wenyuan Xu,et al.  The Feasibility of Injecting Inaudible Voice Commands to Voice Assistants , 2019, IEEE Transactions on Dependable and Secure Computing.

[34]  Qi Alfred Chen,et al.  Fooling Perception via Location: A Case of Region-of-Interest Attacks on Traffic Light Detection in Autonomous Driving , 2021, Proceedings Third International Workshop on Automotive and Autonomous Vehicle Security.

[35]  Lei Xue,et al.  Too Good to Be Safe: Tricking Lane Detection in Autonomous Driving with Crafted Perturbations , 2021, USENIX Security Symposium.

[36]  Gedare Bloom WeepingCAN: A Stealthy CAN Bus-off Attack , 2021 .

[37]  Z. Berkay Celik,et al.  PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles , 2021, NDSS.

[38]  Mathias Payer,et al.  Evading Voltage-Based Intrusion Detection on Automotive CAN , 2021, NDSS.

[39]  Yuval Elovici,et al.  Phantom of the ADAS: Securing Advanced Driver-Assistance Systems from Split-Second Phantom Attacks , 2020, CCS.

[40]  Kuo-Yi Lin,et al.  A Survey on Attack Resilient of UAV Motion Planning* , 2020, 2020 IEEE 16th International Conference on Control & Automation (ICCA).

[41]  Lei Ma,et al.  It's Raining Cats or Dogs? Adversarial Rain Attack on DNN Perception , 2020, ArXiv.

[42]  Xiang Bai,et al.  EPNet: Enhancing Point Features with Image Semantics for 3D Object Detection , 2020, ECCV.

[43]  Qi Alfred Chen,et al.  Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures , 2020, USENIX Security Symposium.

[44]  Junjie Shen,et al.  Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing (Extended Version) , 2020, USENIX Security Symposium.

[45]  Mauro Conti,et al.  UAVs Path Deviation Attacks: Survey and Research Challenges , 2020, 2020 IEEE International Conference on Sensing, Communication and Networking (SECON Workshops).

[46]  Wenyuan Xu,et al.  SoK: A Minimalist Approach to Formalizing Analog Sensor Security , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[47]  Tao Wei,et al.  Fooling Detection Alone is Not Enough: Adversarial Attack against Multiple Object Tracking , 2020, ICLR.

[48]  Ming Li,et al.  Impacts of Constrained Sensing and Communication Based Attacks on Vehicular Platoons , 2020, IEEE Transactions on Vehicular Technology.

[49]  Xiaodong Lin,et al.  The Security of Autonomous Driving: Threats, Defenses, and Future Directions , 2020, Proceedings of the IEEE.

[50]  Xingming Sun,et al.  Security and Privacy Issues of UAV: A Survey , 2020, Mob. Networks Appl..

[51]  Ming Li,et al.  GhostImage: Remote Perception Attacks against Camera-based Image Classification Systems , 2020, RAID.

[52]  L. Davis,et al.  Making an Invisibility Cloak: Real World Adversarial Attacks on Object Detectors , 2019, ECCV.

[53]  Quanfu Fan,et al.  Adversarial T-Shirt! Evading Person Detectors in a Physical World , 2019, ECCV.

[54]  Cihang Xie,et al.  Universal Physical Camouflage Attacks on Object Detectors , 2019, 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[55]  Cong Liu,et al.  PhysGAN: Generating Physical-World-Resilient Adversarial Examples for Autonomous Driving , 2019, 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[56]  Junaid Qadir,et al.  Securing Connected & Autonomous Vehicles: Challenges Posed by Adversarial Machine Learning and the Way Forward , 2019, IEEE Communications Surveys & Tutorials.

[57]  Daniel Kroening,et al.  A survey of safety and trustworthiness of deep neural networks: Verification, testing, adversarial attack and defence, and interpretability , 2018, Comput. Sci. Rev..

[58]  Yuval Elovici,et al.  Phantom of the ADAS: Phantom Attacks on Driver-Assistance Systems , 2020, IACR Cryptol. ePrint Arch..

[59]  Joarder Kamruzzaman,et al.  Attacks on Self-Driving Cars and Their Countermeasures: A Survey , 2020, IEEE Access.

[60]  Yiming Yang,et al.  Spoofing and Anti-Spoofing Technologies of Global Navigation Satellite System: A Survey , 2020, IEEE Access.

[61]  Kai Chen,et al.  Devil's Whisper: A General Approach for Physical Adversarial Attacks against Commercial Black-box Speech Recognition Devices , 2020, USENIX Security Symposium.

[62]  G. Edward Suh,et al.  Stealthy Tracking of Autonomous Vehicles with Cache Side Channels , 2020, USENIX Security Symposium.

[63]  D. Suzuki,et al.  A Low-Cost Replica-Based Distance-Spoofing Attack on mmWave FMCW Radar , 2019, ASHES@CCS.

[64]  Ruigang Liang,et al.  Seeing isn't Believing: Towards More Robust Adversarial Attack Against Real World Object Detectors , 2019, CCS.

[65]  Kevin Fu,et al.  Adversarial Sensor Attack on LiDAR-based Perception in Autonomous Driving , 2019, CCS.

[66]  Shenhua Hou,et al.  L3-Net: Towards Learning Based LiDAR Localization for Autonomous Driving , 2019, 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[67]  Adi Shamir,et al.  Drones' Cryptanalysis - Smashing Cryptography with a Flicker , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[68]  Qian Wang,et al.  Hidden Voice Commands: Attacks and Defenses on the VCS of Autonomous Driving Cars , 2019, IEEE Wireless Communications.

[69]  Kevin Fu,et al.  Trick or Heat?: Manipulating Critical Temperature-Based Control Systems Using Rectification Attacks , 2019, CCS.

[70]  Colin Raffel,et al.  Imperceptible, Robust, and Targeted Adversarial Examples for Automatic Speech Recognition , 2019, ICML.

[71]  Zhixin Wang,et al.  Frustum ConvNet: Sliding Frustums to Aggregate Local Point-Wise Features for Amodal , 2019, 2019 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS).

[72]  Mohsen Guizani,et al.  A Friendly and Low-Cost Technique for Capturing Non-Cooperative Civilian Unmanned Aerial Vehicles , 2019, IEEE Network.

[73]  Mohsen Guizani,et al.  How to Govern the Non-Cooperative Amateur Drones? , 2019, IEEE Network.

[74]  Ashutosh Singandhupe,et al.  A Review of SLAM Techniques and Security in Autonomous Driving , 2019, 2019 Third IEEE International Conference on Robotic Computing (IRC).

[75]  Xiaogang Wang,et al.  PointRCNN: 3D Object Proposal Generation and Detection From Point Cloud , 2018, 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[76]  Dorothea Kolossa,et al.  Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding , 2018, NDSS.

[77]  Dong Hoon Lee,et al.  Securing Ultrasonic Sensors Against Signal Injection Attacks Based on a Mathematical Model , 2019, IEEE Access.

[78]  Wenyuan Xu,et al.  Analyzing and Enhancing the Security of Ultrasonic Sensors for Autonomous Vehicles , 2018, IEEE Internet of Things Journal.

[79]  Wenzhi Cui,et al.  MAVBench: Micro Aerial Vehicle Benchmarking , 2018, 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[80]  Debdeep Mukhopadhyay,et al.  Adversarial Attacks and Defences: A Survey , 2018, ArXiv.

[81]  Zhe Zhou,et al.  A survey of practical adversarial example attacks , 2018, Cybersecur..

[82]  Gang Wang,et al.  All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems , 2018, USENIX Security Symposium.

[83]  Dawn Song,et al.  Physical Adversarial Examples for Object Detectors , 2018, WOOT @ USENIX Security Symposium.

[84]  Insup Lee,et al.  Injected and Delivered: Fabricating Implicit Control over Actuation Systems by Spoofing Inertial Sensors , 2018, USENIX Security Symposium.

[85]  Atul Prakash,et al.  Robust Physical-World Attacks on Deep Learning Visual Classification , 2018, 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.

[86]  Daisuke Suzuki,et al.  Sensor CON-Fusion: Defeating Kalman Filter in Signal Injection Attack , 2018, AsiaCCS.

[87]  Wenyuan Xu,et al.  Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[88]  Zhuoqun Cheng,et al.  End-to-End Analysis and Design of a Drone Flight Controller , 2018, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[89]  Yue Zhao,et al.  CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition , 2018, USENIX Security Symposium.

[90]  David A. Wagner,et al.  Audio Adversarial Examples: Targeted Attacks on Speech-to-Text , 2018, 2018 IEEE Security and Privacy Workshops (SPW).

[91]  Ajmal Mian,et al.  Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey , 2018, IEEE Access.

[92]  Steven Lake Waslander,et al.  Joint 3D Proposal Generation and Object Detection from View Aggregation , 2017, 2018 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS).

[93]  Yuval Elovici,et al.  Security Vulnerabilities of Unmanned Aerial Vehicles and Countermeasures: An Experimental Study , 2018, 2018 31st International Conference on VLSI Design and 2018 17th International Conference on Embedded Systems (VLSID).

[94]  Giovanni Pau,et al.  A survey on driverless vehicles: from their diffusion to security features , 2018, J. Internet Serv. Inf. Secur..

[95]  Romit Roy Choudhury,et al.  Inaudible Voice Commands: The Long-Range Attack and Defense , 2018, NSDI.

[96]  Prateek Mittal,et al.  POSTER: Inaudible Voice Commands , 2017, CCS.

[97]  Yongdae Kim,et al.  Illusion and Dazzle: Adversarial Optical Channel Exploits Against Lidars for Automotive Applications , 2017, CHES.

[98]  Wenyuan Xu,et al.  DolphinAttack: Inaudible Voice Commands , 2017, CCS.

[99]  Romit Roy Choudhury,et al.  BackDoor: Making Microphones Hear Inaudible Sounds , 2017, MobiSys.

[100]  Andrea Maria Zanchettin,et al.  An Experimental Security Analysis of an Industrial Robot Controller , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[101]  Marshini Chetty,et al.  Spiders in the Sky: User Perceptions of Drones, Privacy, and Security , 2017, CHI.

[102]  Wenyuan Xu,et al.  WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[103]  Jonathan Miller,et al.  Cyber Threats Facing Autonomous and Connected Vehicles: Future Challenges , 2017, IEEE Transactions on Intelligent Transportation Systems.

[104]  Danilo Orlando,et al.  A Novel Noise Jamming Detection Algorithm for Radar Applications , 2017, IEEE Signal Processing Letters.

[105]  Juan D. Tardós,et al.  ORB-SLAM2: An Open-Source SLAM System for Monocular, Stereo, and RGB-D Cameras , 2016, IEEE Transactions on Robotics.

[106]  Samy Bengio,et al.  Adversarial examples in the physical world , 2016, ICLR.

[107]  Micah Sherr,et al.  Hidden Voice Commands , 2016, USENIX Security Symposium.

[108]  Hao Wu,et al.  Controlling UAVs with Sensor Input Spoofing Attacks , 2016, WOOT.

[109]  Yongdae Kim,et al.  This Ain't Your Dose: Sensor Spoofing Attack on Medical Infusion Pump , 2016, WOOT.

[110]  Wenyuan Xu,et al.  WindCompass: Determine Wind Direction Using Smartphones , 2016, 2016 13th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON).

[111]  Ernest Foo,et al.  A Survey and Analysis of the GNSS Spoofing Threat and Countermeasures , 2016, ACM Comput. Surv..

[112]  Todd E. Humphreys,et al.  GNSS Spoofing and Detection , 2016, Proceedings of the IEEE.

[113]  Cheng Wang,et al.  Road traffic sign detection and classification from mobile LiDAR point clouds , 2016, ISPRS International Conference on Computer Vision and Remote Sensing.

[114]  Chen Yan Can You Trust Autonomous Vehicles : Contactless Attacks against Sensors of Self-driving Vehicle , 2016 .

[115]  Mani Srivastava,et al.  PyCRA: Physical Challenge-Response Authentication For Active Sensors Under Spoofing Attacks , 2015, CCS.

[116]  Yongdae Kim,et al.  Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors , 2015, USENIX Security Symposium.

[117]  Haizhou Li,et al.  Spoofing and countermeasures for speaker verification: A survey , 2015, Speech Commun..

[118]  Jonathan Petit,et al.  Remote Attacks on Automated Vehicles Sensors : Experiments on Camera and LiDAR , 2015 .

[119]  Christoph Günther,et al.  A Survey of Spoofing and Counter-Measures , 2014 .

[120]  Ji Zhang,et al.  LOAM: Lidar Odometry and Mapping in Real-time , 2014, Robotics: Science and Systems.

[121]  Henning Lategahn,et al.  Vision-Only Localization , 2014, IEEE Transactions on Intelligent Transportation Systems.

[122]  Ruchir Chauhan,et al.  A platform for false data injection in frequency modulated continuous wave radar , 2014 .

[123]  Dennis M. Akos,et al.  Jamming Detection in GNSS Receivers: Performance Evaluation of Field Trials , 2013 .

[124]  Paulo Tabuada,et al.  Non-invasive Spoofing Attacks for Anti-lock Braking Systems , 2013, CHES.

[125]  Wenyuan Xu,et al.  Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors , 2013, 2013 IEEE Symposium on Security and Privacy.

[126]  David Brumley,et al.  GPS software attacks , 2012, CCS.

[127]  Andreas Geiger,et al.  Are we ready for autonomous driving? The KITTI vision benchmark suite , 2012, 2012 IEEE Conference on Computer Vision and Pattern Recognition.

[128]  J. S. Warner,et al.  A Simple Demonstration that the Global Positioning System ( GPS ) is Vulnerable to Spoofing , 2012 .

[129]  Gary R. Bradski,et al.  ORB: An efficient alternative to SIFT or SURF , 2011, 2011 International Conference on Computer Vision.

[130]  Srdjan Capkun,et al.  On the requirements for successful GPS spoofing attacks , 2011, CCS '11.

[131]  George T. Flowers,et al.  A Characterization of the Performance of a MEMS Gyroscope in Acoustically Harsh Environments , 2011, IEEE Transactions on Industrial Electronics.

[132]  Jinling Wang,et al.  Precise Velocity Estimation with a Stand-Alone GPS Receiver , 2011, Journal of Navigation.

[133]  Wenyuan Xu,et al.  Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study , 2010, USENIX Security Symposium.

[134]  Aníbal Ollero,et al.  Vision-Based Odometry and SLAM for Medium and High Altitude Flying UAVs , 2009, J. Intell. Robotic Syst..

[135]  T. Humphreys,et al.  Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer , 2008 .

[136]  Fulvio Gini,et al.  Radar Detection and Classification of Jamming Signals Belonging to a Cone Class , 2008, IEEE Transactions on Signal Processing.

[137]  Dezhen Song,et al.  IMU-based localization and slip estimation for skid-steered mobile robots , 2007, 2007 IEEE/RSJ International Conference on Intelligent Robots and Systems.

[138]  G.T. Flowers,et al.  On the Degradation of MEMS Gyroscope Performance in the Presence of High Power Acoustic Noise , 2007, 2007 IEEE International Symposium on Industrial Electronics.

[139]  George T. Flowers,et al.  Influence of Acoustic Noise on the Dynamic Performance of MEMS Gyroscopes , 2007 .

[140]  Tom Drummond,et al.  Machine Learning for High-Speed Corner Detection , 2006, ECCV.

[141]  F. V. Graas,et al.  Precise Velocity Estimation Using a Stand-Alone GPS Receiver , 2004 .

[142]  J. A. Volpe Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning Syst , 2001 .