A security researcher has created a $60 system with Arduino and a laser pointer that can spoof the LIDAR sensors used by most autonomous vehicles.
Many self-driving cars use LIDAR sensors to detect obstacles and build 3D images to help them navigate. However, one security researcher has developed a $60 device with “off-the-shelf parts” that can trick the systems into seeing objects which don’t actually exit, thereby forcing the autonomous vehicles to take unnecessary actions, like slowing down or stopping to avoid a collision with the phantom thing. Ultimately, this further highlights the need for stringent security measures for automobiles that would otherwise be vulnerable to cyber criminals armed with nothing more than a low-power laser and pulse generator.
“It’s kind of a laser pointer, really. And you don’t need the pulse generator when you do the attack. You can easily do it with a Raspberry Pi or an Arduino,” explains researcher Jonathan Petit, principle scientist at Security Innovation.
According to IEEE Spectrum, Petit began by simply recording pulses from a commercial IBEO Lux LIDAR unit. The pulses were not encoded or encrypted, which allowed him to replay them at a later point. He was then able to create the illusion of a fake car, wall, cyclist or pedestrian anywhere from 65 to 1,100 feet from the LIDAR system, and make multiple copies of the simulated obstacles. In tests, the attack worked at all angles — from behind, the side and in front without alerting the passengers — and didn’t always require a precise hit of the device for it to achieve its goal.
“I can spoof thousands of objects and basically carry out a denial of service attack on the tracking system so it’s not able to track real objects,” Petit adds.
As IEEE Spectrum notes, sensor attacks are not limited to self-driving cars, either. The same homebrew laser pointer can be employed to carry out an equally devastating denial of service attack on a human motorist by simply dazzling them, and without the need for sophisticated laser pulse recording, generation or synchronization equipment.
While the DIY system won’t necessary affect everyone, it does state the case that security should be at the forefront of auto design. Petit concludes. “There are ways to solve it. A strong system that does misbehavior detection could cross-check with other data and filter out those that aren’t plausible. But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”
The researcher described his proof-of-concept hack in a paper entitled “Potential Cyberattacks on Automated Vehicles,” which will be presented at Black Hat Europe in November.
[Images: Jeff Kowalsky/IEEE Spectrum, TechHive]