Date: 2019-02-20
from the Do-these-trick-other-vendor's-systems? dept.
Hackers can trick a Tesla into accelerating by 50 miles per hour:
This demonstration from the cybersecurity firm McAfee is the latest indication that adversarial machine learning can potentially wreck autonomous driving systems, presenting a security challenge to those hoping to commercialize the technology.
Mobileye EyeQ3 camera systems read speed limit signs and feed that information into autonomous driving features like Tesla's automatic cruise control, said Steve Povolny and Shivangee Trivedi from McAfee's Advanced Threat Research team.
The researchers stuck a tiny and nearly imperceptible sticker on a speed limit sign. The camera read the sign as 85 instead of 35, and in testing, both the 2016 Tesla Model X and that year's Model S sped up 50 miles per hour.
This is the latest in an increasing mountain of research showing how machine-learning systems can be attacked and fooled in life-threatening situations.
[...] Tesla has since moved to proprietary cameras on newer models, and Mobileye EyeQ3 has released several new versions of its cameras that in preliminary testing were not susceptible to this exact attack.
There are still a sizable number of Tesla cars operating with the vulnerable hardware, Povolny said. He pointed out that Teslas with the first version of hardware cannot be upgraded to newer hardware.
"What we're trying to do is we're really trying to raise awareness for both consumers and vendors of the types of flaws that are possible," Povolny said. "We are not trying to spread fear and say that if you drive this car, it will accelerate into through a barrier, or to sensationalize it."
So, it seems this is not so much that a particular adversarial attack was successful (and fixed), but that it was but one instance of a potentially huge set. Obligatory xkcd.
Previously:
Protecting Smart Machines From Smart Attacks
A New Clothing Line Confuses Automated License Plate Readers
A Simple Sticker Tricked Neural Networks Into Classifying Anything as a Toaster
3D Printed Turtles Fool Google Image Classification Algorithm
Slight Street Sign Modifications Can Completely Fool Machine Learning Algorithms
Related Stories
Submitted via IRC for Bytram
It's very difficult, if not impossible, for us humans to understand how robots see the world. Their cameras work like our eyes do, but the space between the image that a camera captures and actionable information about that image is filled with a black box of machine learning algorithms that are trying to translate patterns of features into something that they're familiar with. Training these algorithms usually involves showing them a set of different pictures of something (like a stop sign), and then seeing if they can extract enough common features from those pictures to reliably identify stop signs that aren't in their training set.
This works pretty well, but the common features that machine learning algorithms come up with generally are not "red octagons with the letters S-T-O-P on them." Rather, they're looking [at] features that all stop signs share, but would not be in the least bit comprehensible to a human looking at them. If this seems hard to visualize, that's because it reflects a fundamental disconnect between the way our brains and artificial neural networks interpret the world.
The upshot here is that slight alterations to an image that are invisible to humans can result in wildly different (and sometimes bizarre) interpretations from a machine learning algorithm. These "adversarial images" have generally required relatively complex analysis and image manipulation, but a group of researchers from the University of Washington, the University of Michigan, Stony Brook University, and the University of California Berkeley have just published a paper showing that it's also possible to trick visual classification algorithms by making slight alterations in the physical world. A little bit of spray paint or some stickers on a stop sign were able to fool a deep neural network-based classifier into thinking it was looking at a speed limit sign 100 percent of the time.
Source: http://spectrum.ieee.org/cars-that-think/transportation/sensors/slight-street-sign-modifications-can-fool-machine-learning-algorithms
OpenAI has a captivating and somewhat frightening background article: Attacking Machine Learning with Adversarial Examples.
MIT researchers have fooled a Google image classification algorithm into thinking that a turtle is a rifle and a baseball is an espresso:
The team built on a concept known as an "adversarial image". That's a picture created from the ground-up to fool an AI into classifying it as something completely different from what it shows: for instance, a picture of a tabby cat recognised with 99% certainty as a bowl of guacamole.
Such tricks work by carefully adding visual noise to the image so that the bundle of signifiers an AI uses to recognise its contents get confused, while a human doesn't notice any difference.
But while there's a lot of theoretical work demonstrating the attacks are possible, physical demonstrations of the same technique are thin on the ground. Often, simply rotating the image, messing with the colour balance, or cropping it slightly, can be enough to ruin the trick.
The MIT researchers have pushed the idea further than ever before, by manipulating not a simple 2D image, but the surface texture of a 3D-printed turtle. The resulting shell pattern looks trippy, but still completely recognisable as a turtle – unless you are Google's public object detection AI, in which case you are 90% certain it's a rifle.
The researchers also 3D printed a baseball with pattering to make it appear to the AI like an espresso, with marginally less success – the AI was able to tell it was a baseball occasionally, though still wrongly suggested espresso most of the time.
The researchers had access to the algorithm, making the task significantly easier.
Also at The Verge.
Image recognition technology may be sophisticated, but it is also easily duped. Researchers have fooled algorithms into confusing two skiers for a dog, a baseball for espresso, and a turtle for a rifle. But a new method of deceiving the machines is simple and far-reaching, involving just a humble sticker.
Google researchers developed a psychedelic sticker that, when placed in an unrelated image, tricks deep learning systems into classifying the image as a toaster. According to a recently submitted research paper about the attack, this adversarial patch is "scene-independent," meaning someone could deploy it "without prior knowledge of the lighting conditions, camera angle, type of classifier being attacked, or even the other items within the scene." It's also easily accessible, given it can be shared and printed from the internet.
Garments from Adversarial Fashion feed junk data into surveillance cameras, in an effort to make their databases less effective.
The news: Hacker and designer Kate Rose unveiled the new range of clothing at the DefCon cybersecurity conference in Las Vegas. In a talk, she explained that hoodies, shirts, dresses, and skirts trigger automated license plate readers (ALPRs) to inject useless data into systems used to track civilians.
False tags: The license-plate-like designs on a garment are picked up and recorded as vehicles by readers, which frequently misclassify images like fences as license plates anyway, according to Rose (pictured above modeling one of her dresses). The idea is that feeding more junk data into the systems will make them less effective at tracking people and more expensive to deploy.
[...] Fashion fights back: Though it's the first to target ALPRs, this isn't the first fashion project aimed at fighting back against surveillance. Researchers have come up with adversarial images on clothing aimed at bamboozling AI, makeup that lets you hide your face from recognition systems, and even a hat that can trick systems into thinking you're Moby.
Machines' ability to learn by processing data gleaned from sensors underlies automated vehicles, medical devices and a host of other emerging technologies. But that learning ability leaves systems vulnerable to hackers in unexpected ways, researchers at Princeton University have found.
In a series of recent papers, a research team has explored how adversarial tactics applied to artificial intelligence (AI) could, for instance, trick a traffic-efficiency system into causing gridlock or manipulate a health-related AI application to reveal patients' private medical history. As an example of one such attack, the team altered a driving robot's perception of a road sign from a speed limit to a "Stop" sign, which could cause the vehicle to dangerously slam the brakes at highway speeds; in other examples, they altered Stop signs to be perceived as a variety of other traffic instructions.
(Score: 2, Insightful) by fustakrakich on Wednesday February 19, @09:52PM (2 children)
A cleverly disguised sign will fool a human driver, but they know other conditions will cause doubts. The machine has to "know" its surroundings with many different kinds of sensors.
These machines will barely be usable and kind of dangerous only because of extreme cost cutting measures. The wrong kinds of people are in charge of the process.
Shouldn't the "Messages" tab/button go here [soylentnews.org]?
(Score: 2) by ikanreed on Wednesday February 19, @09:57PM
Sanity checks are a fool's game. Move fast, break things, especially the spines of a whole family!
(Score: 0) by Anonymous Coward on Wednesday February 19, @10:50PM
I would think that there should be a hierarchy of conditions that should be met. If the car is in a residential area then the max speed limit is 25 MPH no matter what the sign apparently says.
The conditions should be so that the car takes the safest precautions when there are two conflicting signals (residential speed limit = 25 MPH. Posted speed limit = 75 MPH. Obviously it should choose the 25 MPH if it's in a residential area).
(Score: 0) by Anonymous Coward on Wednesday February 19, @10:30PM (4 children)
These types of attacks work because the state of the art in ML is to throw different types of neural nets at a problem. The top research is going into making those nets more efficient to train rather than coming up with better algorithms to do specific things. For example, if speed sign reading was done with OCR analyzing...
...I had to stop myself right there after double-checking the article. I had mistakenly assumed they put a static, QR-like sticker on the sign to mess with a neural net. What they actually did was extend the middle of a 3 to make it look like an 8. Not being told ahead of time and being given only a glance at that sign, most people would probably see 85 too. They're basically saying they re-wrote the number on the sign and it fooled the computer. Well of course it did! If you put white tape over the left half of an 8 you could fool everyone into thinking it was a 3 as well.
If we want to continue to argue about this, then a better designed system should have reported both a 3 and an 8 with similar probabilities; then some other component of the car could have checked its surroundings (highway, city road, everyone else doing 40?) to determine which was more likely.
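The two mitigation ideas raised in the comments, a road-class cap that overrides whatever the sign appears to say (the 25 MPH residential rule above) and a classifier that reports both the 3 and the 8 readings so another component can cross-check them against the surroundings, as an added example in Python. This is illustrative code written for this page, not anything from McAfee, Mobileye or Tesla; the road-class caps, the 20 mph single-sign jump threshold, the 0.15 "similar confidence" margin and the `Context` fields are all assumptions.

```python
from dataclasses import dataclass

# Constructed road-class caps (placeholder values, not any jurisdiction's rules).
# The road class comes from map data or a geofence, not from the camera, so a
# sticker on the sign cannot change it.
ROAD_CLASS_CAP_MPH = {"residential": 25, "urban": 45, "highway": 80}


@dataclass
class Context:
    road_class: str        # independent of the sign reader (assumed map/geofence input)
    current_limit: int     # limit the vehicle was already honouring
    traffic_speed: float   # median speed of surrounding vehicles (assumed radar input)
    max_jump: int = 20     # largest single-sign increase accepted without corroboration


def resolve_speed_limit(candidates, ctx):
    """candidates: list of (limit_mph, confidence) as a classifier would report them,
    e.g. [(85, 0.6), (35, 0.4)] for the altered '35' sign. Returns the limit to adopt.
    Whenever readings conflict, the conservative (lower) value wins."""
    # Unknown road class falls back to the most restrictive cap.
    cap = ROAD_CLASS_CAP_MPH.get(ctx.road_class, min(ROAD_CLASS_CAP_MPH.values()))
    plausible = []
    for limit, conf in candidates:
        if conf < 0.2:
            continue                          # low-confidence noise
        if limit > cap:
            continue                          # a city street cannot legitimately be 85
        jump = limit - ctx.current_limit
        if jump > ctx.max_jump and ctx.traffic_speed < limit - ctx.max_jump:
            continue                          # big increase, and traffic flow does not support it
        plausible.append((limit, conf))
    if not plausible:
        # Nothing credible was read: keep the known limit, still bounded by the road class.
        return min(ctx.current_limit, cap)
    top_conf = max(conf for _, conf in plausible)
    # Readings with similar confidence (the 3-vs-8 case) are treated as a tie,
    # and the tie is broken toward the lower limit.
    close = [limit for limit, conf in plausible if top_conf - conf <= 0.15]
    return min(close)
```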
(Score: 0) by Anonymous Coward on Wednesday February 19, @10:38PM (2 children)
Yes. But people aren't AI, they are real-intelligent: They will pick up that it is unreasonable for the speed limit to suddenly go from 35 to 85 on a little street, and will guess someone fucked with the sign.
(Score: 1) by Ethanol-fueled on Wednesday February 19, @10:52PM (1 child)
The same assholes driving in these cars are the same assholes watching Harry Potter with self-driving enabled and totally oblivious to the outside world. They ain't gonna notice shit until they get punched in the face with an airbag and then locked inside to die in a fiery inferno.
(Score: 2) by c0lo on Wednesday February 19, @11:11PM
FTFY
I would totally pay more taxes if I knew they are gonna be used for installing public, free of charge, "asshole punching and incinerating" facilities where this can happen without endangering the rest of decent humans.
(who am I kidding, tho', the "decent human" race got extinct. Probably with Neanderthals)
(Score: 2) by c0lo on Wednesday February 19, @11:19PM
No need for better designed systems. Just switch the speed limit signs to use numerals less prone to adversarial attacks (cheaper for driverless car makers too, the change of the limit signs are gonna be supported by public money; a small investment in lobbying can go a long way).
I don't know, maybe use Mandarin numerals? Because sooner or later, those are gonna be lingua franca anyway.
(large grin)
(Score: 0) by Anonymous Coward on Wednesday February 19, @10:31PM (1 child)
Something is driving up the stock to crazy heights recently; it hit over $900 today. A company that makes no money is traded higher than GE or IBM.
(Score: 0) by Anonymous Coward on Wednesday February 19, @10:45PM
Something drove up the price of DeLorean stock too.
(Score: 2) by SomeGuy on Wednesday February 19, @10:35PM
"He pointed out that Teslas with the first version of hardware cannot be upgraded to newer hardware."
In other words, get ready to be bombarded with advertising and propaganda that will brainwash 99.9% of the people that they should just throw their old cars away and buy a new one every year.
News anchor 1: ...the car he was driving was more than TWO YEARS old.
News anchor 2: So unsafe! And now to Tom with the weather...
(Score: 0) by Anonymous Coward on Wednesday February 19, @11:13PM
Now you're a "hacker" for putting a sticker on something!? Man, my toddler's gonna get us raided by the FBI...