Autonomous driving and advanced driver assistance systems (ADAS) rely on cameras to control the driving. In many prior approaches an attacker aiming to stop the vehicle had to send messages on the specialized and better-defended CAN bus. We suggest an easier alternative: manipulate the IP-based network communication between the camera and the ADAS logic, inject fake images of stop signs or red lights into the video stream, and let the ADAS stop the car safely. We created an attack tool that successfully exploits the GigE Vision protocol. Then we analyze two classes of passive anomaly detectors to identify such attacks: protocol-based detectors and video-based detectors. We implemented multiple detectors of both classes and evaluated them on data collected from our test vehicle and also on data from the public BDD corpus. Our results show that such detectors are effective against naive adversaries, but sophisticated adversaries can evade detection. Finally, we propose a novel class of active defense mechanisms that randomly adjust camera parameters during the video transmission, and verify that the received images obey the requested adjustments. Within this class we focus on a specific implementation, the width-varying defense, which randomly modifies the width of every frame. Beyond its function as an anomaly detector, this defense is also a protective measure against certain attacks: by distorting injected image patches it prevents their recognition by the ADAS logic. We demonstrate the effectiveness of the width-varying defense through theoretical analysis and by an extensive evaluation of several types of attack in a wide range of realistic road driving conditions. The best the attack was able to achieve against this defense was injecting a stop sign for a duration of 0.2 seconds, with a success probability of 0.2%, whereas stopping a vehicle requires about 2.5 seconds.

翻译：自动驾驶和高级驾驶辅助系统（ADAS）依赖摄像头来控制驾驶。在以往的许多方法中，攻击者若想使车辆停止，必须在专门且防护更好的CAN总线上发送消息。我们提出一种更简单的替代方案：操纵摄像头与ADAS逻辑之间基于IP的网络通信，向视频流中注入伪造的停车标志或红灯图像，从而让ADAS安全地停止车辆。我们创建了一个攻击工具，成功利用了GigE Vision协议。然后，我们分析了两类用于识别此类攻击的被动异常检测器：基于协议的检测器和基于视频的检测器。我们实现了这两类的多种检测器，并在从我们的测试车辆收集的数据以及公开的BDD数据集上对其进行了评估。我们的结果表明，此类检测器对简单的攻击者有效，但复杂的攻击者可以规避检测。最后，我们提出了一类新颖的主动防御机制，该机制在视频传输过程中随机调整摄像头参数，并验证接收到的图像是否遵循所请求的调整。在此类机制中，我们专注于一种具体的实现——宽度变化防御，它随机修改每一帧的宽度。除了作为异常检测器的功能外，这种防御也是一种针对特定攻击的保护措施：通过扭曲注入的图像块，防止ADAS逻辑识别它们。我们通过理论分析和对多种攻击类型在广泛真实道路驾驶条件下的广泛评估，证明了宽度变化防御的有效性。攻击在面对此防御时所能达到的最佳效果是注入一个持续时间为0.2秒的停车标志，成功概率为0.2%，而停止一辆车辆大约需要2.5秒。