2020-02-24

This 35mph sign has been doctored by black tape on the bar in the 3. The MobilEye EQ3 chip reads it as “85mph.”

A group of researchers at McAfee Security recently released a report showing how they were able to make modest modifications to speed limit signs which caused a 4-year-old Tesla using the MobilEye ADAS chip of that era to misread the signs and think the limit was much higher than the sign said. A regular human might still read the sign the old way, which people find quite creepy. Most of the coverage focused on a simple trick: putting black tape on the bar in a “35mph” sign, which caused the MobilEye to read it as “85mph” and the Tesla to attempt to accelerate to that speed while using Autopilot.

This is a classic example of how computers and AI systems don’t think the way we do, presented in a scary way. There are actually much creepier examples in the literature, generated when people have access to the neural network. If you want to browse this index, you can find many, many examples. Work began with attacks made by people with access to the internals of the system in question. If you have that, you can take an image recognized by a computer as one thing, make subtle changes to it that the human eye won’t even see, and cause the computer to identify it as something completely different.

The McAfee article describes a “black box” attack where you don’t get to peek inside the system, but still are able to come up with less subtle changes that trick the computer. Humans may notice that something is odd — indeed a human squinting at the speed limit sign above might well read it as “85” — but generally will figure it out.

Another recent academic paper showed camera-based cars fooled by images projected on the ground at night, including images of fake pedestrians and even fake lane markers leading off the road.

How scary is this?

At first blush, it seems scary. A powerful machine passing by a regular-looking sign, being tricked into reading it wrong and doing something dangerous. But then, you could always go up to a sign like this and turn the 3 into an 8 (for both computers and people) with a black marker. Most humans would not be fooled (knowing there are no 85mph limits anywhere) but a stupid computer might still make a mistake, not because of its perception system, but because it just doesn’t know better. If you changed it to 55, then the humans would also be fooled.

It is always going to be possible to put up fake road signs and fool anybody or anything that relies on those road signs for critical information. That’s not new and this sort of computer vision attack doesn’t change this. Fortunately, this turns out to be something that it’s unlikely anybody is going to want to do. There are a few out there who like chaos, but there are many different and easier ways to create chaos than this.

Secondly, it’s not likely to even work. The Tesla Autopilot isn’t a self-driving car, it’s a driver assist. If it speeds up in a way the driver doesn’t like, they just take over. That human driver would know that there are no 85mph streets, or with a lower speed, sense that the speed feels wrong for that road. If it doesn’t feel wrong it probably isn’t even that dangerous. Both human drivers and machine systems will still slow down for cars in front of them.

This attack worked on a 4-year-old system — that’s ancient when it comes to this technology. It didn’t work on later Teslas or later MobilEyes, though it’s not out of the question one could find a different attack that did.

But even if you do, it should not cause a problem, because…

You must assume your perception is not perfect

Nobody doing robocar development expects things like sign reading to work 100% of the time. Even humans fail at interpreting signs quite often — more often than the best algorithms today, actually! As such, systems are designed to deal with that failing.

The Tesla/MobilEye was in fact designed to deal with that failing because it is only meant to be used with a human driver also paying attention to the road. That’s the simplest solution, but it is a solution. Systems meant to operate without human supervision need to do more.

Many robocar projects plan to pay only minimal attention to reading signs. Instead, they want to encode all road signs, particularly things like speed limits, stop signs and more, into their map. They know what the speed limit is not because they saw a sign, but because their map knows the limit for that stretch of road. When you get road signs from the map, each gets verified and quality checked before going into the map, so the chance of error is extremely low. The only question is around new signs, removed signs and occasional changed signs.

All good map-based systems expect the world to change from their maps (and even to have rare errors in their maps). So they still look at the signs as a sanity check. If you see a sign that is not in your map, or don’t see a sign that is, or see a different sign, that’s a sign something has changed.

If you’re the first car to come upon the change — which is a fairly rare thing — you then do two things. First, you follow a cautious approach, doing the thing which is safe in either situation. At the same time, you send the new sign information back to HQ, where a human can, if it’s a priority item, look at it within a few seconds and confirm or change that conservative behavior.

So if your map says 35mph and you see 55mph? Just go 35mph for a short time until you hear back from HQ. If your map says 55mph and you see 35? Slow down for a bit until you hear back. If your map shows no stop sign but you see one, or vice versa? Stop in both situations. The update from HQ will come after you start again, but the second car to come to the changed sign will now do the right thing.

So if a stop is one day replaced with a yield sign? The very first car stops at the yield sign, and the second one treats it like a yield. Perhaps the tiniest bit of bad road behavior.

There are some combinations in which the signs are contradictory, and so the only safe thing to do is come to a stop. There is also a short window after a sign is changed by the city in which an attacker could re-change it to a third sign.

You may also be able to rely on a passenger for help on this. Cars with nobody in them will not drive in areas with no data connection if they fear this sort of problem.

Robocars will obey the rules of the road, but they’ll obey the rules of safety more

As noted, if a human sees a speed limit sign saying 85mph, their own “sanity check” will consider that there are no roads with 85mph limits, or they will notice the road they are on is clearly not one for which that speed is suitable. The early Tesla uses a human as its sanity check, but a full robocar will have a sanity check of a similar nature.

Human drivers trust road engineers to have set the speed limits and other rules properly. Robocars won’t. Their designers will work out their own concepts for what their car can do safely on each type of road. They won’t go faster than they think is safe, even if the speed limit says a higher number. They will obey a lower limit because they must obey the law, but safety may not actually require it. As such, the most that most road signs can do is make the car more conservative, not less.
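The map-versus-sign reconciliation from the previous section (be safe under either reading, report the conflict to HQ) combined with the safety cap described here, as an added Python example that is not from the article or from any robocar vendor. The sign encoding, the per-road-type SAFE_MAX_MPH table and the plausibility range are assumptions made for the illustration.

```python
# Constructed sign encoding: ("speed", mph), ("stop",), ("yield",) or None for "no sign".
SAFE_MAX_MPH = {"residential": 30, "arterial": 45, "freeway": 70}  # assumed designer limits
PLAUSIBLE_MPH = range(5, 81)  # assumed: follows the article's point that no 85mph limit exists


def plausible(sign):
    """Sanity check on the camera reading: a taped '35' read as '85' fails here."""
    return sign is None or sign[0] != "speed" or sign[1] in PLAUSIBLE_MPH


def conservative(a, b):
    """Action that is safe whichever of two differing readings is the true one."""
    kinds = {s[0] for s in (a, b) if s is not None}
    if "stop" in kinds or "yield" in kinds:
        return ("stop",)  # stop vs yield, stop vs none, yield vs speed: just stop
    speeds = [s[1] for s in (a, b) if s is not None and s[0] == "speed"]
    return ("speed", min(speeds)) if speeds else None


def resolve(map_sign, seen_sign, road_type, hq_confirmed=False):
    """Return (action, report_to_hq) for the current road segment.

    Until HQ confirms a change, the car obeys whatever is safe under both the map and
    the camera; an implausible reading is discarded but still sent to HQ for review.
    """
    if map_sign == seen_sign:
        action, report = map_sign, False
    elif hq_confirmed:
        action, report = seen_sign, False  # a human at HQ verified the new sign
    elif not plausible(seen_sign):
        action, report = map_sign, True  # e.g. "85mph": keep the map, let a human look
    else:
        action, report = conservative(map_sign, seen_sign), True
    # Safety beats the posted number: never exceed what is considered safe for this road.
    cap = SAFE_MAX_MPH[road_type]
    if action is None:
        action = ("speed", cap)
    elif action[0] == "speed":
        action = ("speed", min(action[1], cap))
    return action, report


if __name__ == "__main__":
    print(resolve(("speed", 35), ("speed", 85), "arterial"))  # taped sign: stays 35, reported
    print(resolve(("stop",), ("yield",), "residential"))  # first car stops at the new yield
```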

Cities can help

This can be made even better if cities start to participate in maintaining the “virtual infrastructure” which includes the maps used by self-driving cars. To do this, we would just want a few simple rules:

No change to the road is legally enforced until it is entered in a public database. No road contractor is paid until they enter their activity into the public database.

To enter things in a database, all that’s needed is a simple mobile phone app which lets road crews enter their position (starting with GPS) and a photo of the changes, plus possibly a description of them. They just need to run the app when they start a job and when they complete any change. Their phone will remind them if they leave the site without logging their change.

While I can’t speak directly for the companies, I would wager that Waymo, Cruise, Zoox and all the other companies would be very happy to provide such an app and database for free if they knew cities would require its use as above. Note that the workers would not be required to do detailed work, just take a GPS-tagged photo. The mapping companies would complete the work, though help from the workers could make their job easier.

Even a database like this doesn’t prevent griefers from trying to trick cars on the road. There will not be many of them, but if they do try something, it makes it easier to handle. Any good car with a map immediately knows when the road differs from its map. The only question is what to do when there is such a conflict. A database like that above would make it vastly less likely that such conflicts are due to official city work, and that helps a car figure out the best course — a highly conservative course, which may just involve stopping. This only happens for the first car to get a surprise.

What should we worry about?

We get an emotional reaction to robots acting like idiots, which is to say missing something that’s obvious even to a stupid human. It naturally makes us wonder what other things that are obvious to humans they won’t handle, and whether that will be dangerous. This causes a flurry of panic when attacks like this are shown. We will always find ways in which machine perception is very different from our own, but systems will be tested to ensure those differences don’t create unsafe vehicles in ordinary operation.

People will always be able to trick cars into stopping. You don’t need fancy digital attacks. Throw a basketball in front of them. When it comes to computer security, there are real risks. Most of those risks involve any attempt to make the car “connected,” in particular, connected to anybody except its own highly security-audited HQ master servers. Car computers should be suspicious of all communications from outside, or even from untrusted devices within the car. They should never talk directly to other cars or infrastructure — that way lies madness. External takeover attacks are the real thing to be worried about.

