Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing

Content provided by Junjie Shen, the first-author of the paper Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing.

Today, various companies are developing high-level self-driving cars, e.g., Level-4 Autonomous Vehicles (AV), and some of them are already providing services on public roads such as self-driving taxi from Google’s Waymo One and Baidu Apollo Go. To enable such high-level driving automation, the Autonomous Driving (AD) system in an AV needs to not only perform the perception of surrounding obstacles, but also centimeter-level localization of its own global positions on the map. Such localization function is highly security & safety critical in the AV context, since positioning errors can directly cause an AV to drive off road or onto a wrong way. One direct threat to it is GPS spoofing, but fortunately, AV systems today predominantly use Multi-Sensor Fusion (MSF) algorithms that are generally believed to have the potential to practically defeat GPS spoofing. However, no prior work has studied whether today’s MSF algorithms are indeed sufficiently secure under GPS spoofing, especially in AV settings.

In this work, we perform the first study on the security of MSF-based localization in AV settings. We find that the state-of-the-art MSF-based AD localization algorithm can indeed generally enhance the security, but have a take-over vulnerability that can fundamentally defeat the design principle of MSF, but only appear dynamically and non-deterministically. Leveraging this insight, we design FusionRipper, a novel and general attack that opportunistically captures and exploits take-over vulnerabilities. We perform both trace-based and simulation-based evaluations, and find that FusionRipper can achieve >= 97% and 91.3% success rates in all traces for off-road and wrong way attacks respectively, with high robustness to practical factors such as spoofing inaccuracies.

What’s New: We are the first to systematically study the security of Multi-Sensor Fusion (MSF) based localization in high-autonomy Autonomous Vehicles (AVs).

We discover a fundamental design vulnerability, named take-over vulnerability, in the most representative MSF-based localization algorithms used in AVs today.

We build an attack by leveraging this vulnerability and achieve over 97% attack success rates to deviate the victim AV off road.

How It Works: Our observation: Take-over vulnerability. We first perform an analysis on the upper-bound attack effectiveness, and discover that when the MSF is in relatively unconfident periods, which is due to a combination of dynamic and non-deterministic real-world factors such as sensor noises and algorithm inaccuracies, GPS spoofing is able to cause exponential growths of deviations in the MSF output. This allows the spoofed GPS to become the dominating input source in the fusion process and eventually cause the MSF to reject other input sources, which thus fundamentally defeats the design principle of MSF.

FusionRipper attack design. Since the vulnerable periods are created dynamically and non-deterministically, we design FusionRipper, a novel and general attack that opportunistically captures and exploits the take-over vulnerabilities with 2 stages: (1) vulnerability profiling, which measures when vulnerable periods appear, and (2) aggressive spoofing, which performs exponential spoofing to exploit the take-over opportunity.

Key Insights: Multi-Sensor Fusion is widely considered as an effective defense solution to GPS spoofing attacks. However, in our work, we prove that even MSF-based localization is still vulnerable to GPS spoofing as long as the attacker performs the spoofing strategically.

Although no fundamental defense solutions available so far, it is important for AV companies to deploy some immediately-available mitigations, such as GPS spoofing detection and camera-based lane detection, to detect the attack and perform emergency stop.

Behind the Scenes: We notice that some AV companies already started public AV testing without safety drivers. However, at this point, we recommend those companies to still keep the safety drivers considering the severity of the FusionRipper attack.

Prior to the publication of this paper, we did a responsible vulnerability disclosure and contacted 29 companies that are developing or testing Autonomous Vehicles. Among them, 17 has started investigating this issue and 1 has already started working on a fix.

The paper Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing is on arXiv.

Meet the author Junjie Shen from the Computer Science department at the University of California, Irvine.

Share Your Research With Synced Review

Share My Research is Synced’s new column that welcomes scholars to share their own research breakthroughs with over 1.5M global AI enthusiasts. Beyond technological advances, Share My Research also calls for interesting stories behind the research and exciting research ideas. Share your research with us by clicking here.