All vehicles must follow the rules that govern traffic behavior, regardless of whether the vehicles are human-driven or Connected Autonomous Vehicles (CAVs). Road signs indicate locally active rules, such as speed limits and requirements to yield or stop. Recent research has demonstrated attacks, such as adding stickers or projected colored patches to signs, that cause CAV misinterpretation, resulting in potential safety issues. Humans can see and potentially defend against these attacks. But humans can not detect what they can not observe. We have developed an effective physical-world attack that leverages the sensitivity of filterless image sensors and the properties of Infrared Laser Reflections (ILRs), which are invisible to humans. The attack is designed to affect CAV cameras and perception, undermining traffic sign recognition by inducing misclassification. In this work, we formulate the threat model and requirements for an ILR-based traffic sign perception attack to succeed. We evaluate the effectiveness of the ILR attack with real-world experiments against two major traffic sign recognition architectures on four IR-sensitive cameras. Our black-box optimization methodology allows the attack to achieve up to a 100% attack success rate in indoor, static scenarios and a >80.5% attack success rate in our outdoor, moving vehicle scenarios. We find the latest state-of-the-art certifiable defense is ineffective against ILR attacks as it mis-certifies >33.5% of cases. To address this, we propose a detection strategy based on the physical properties of IR laser reflections which can detect 96% of ILR attacks.

翻译：所有车辆——无论是人类驾驶还是自动驾驶的联网自动驾驶汽车（CAVs）——都必须遵守交通行为规范。道路标志指示局部有效的规则，例如限速、让行或停车要求。近期研究表明，通过添加贴纸或投射彩色补丁等方式对标志实施攻击，可导致CAV错误解读，引发潜在安全隐患。人类能够通过视觉识别并可能防御这些攻击，但无法察觉不可观测的威胁。我们开发了一种有效的物理世界攻击方法，利用无滤波器图像传感器的敏感性以及红外激光反射（ILRs）的特性——该反射对人类不可见。该攻击旨在影响CAV摄像头与感知系统，通过诱导分类错误破坏交通标志识别。本文构建了基于ILR的交通标志感知攻击的威胁模型与成功条件。我们针对四种红外敏感相机上的两类主流交通标志识别架构，通过真实场景实验评估了ILR攻击的有效性。采用黑盒优化方法后，该攻击在室内静态场景中可达100%的攻击成功率，在室外移动车辆场景中成功率超过80.5%。我们发现最新可认证防御技术在ILR攻击下失效，其超过33.5%的案例认证错误。为此，我们提出基于红外激光反射物理特性的检测策略，可检测96%的ILR攻击。