So we're going to start you off with this wall that we created here while we were using our LiDAR sensor to test our environment. So this is a wall that's just made out of really cheap materials, so it's supposed to be a method of showing how low-cost implementation of messing with the system can then interfere with the LiDAR system to then produce false results or to make the system have misrepresentation of what's going on in the environment.

What you see in the left and the right are two people. They're going to push the button to keep going. On the left is a small vertical thing; that's how LiDAR sees a person. On the right you're going to see, we're going to start again, you'll see the two people walking away, and what you see is a wall that's created that lasts for about 20 to 30 seconds. That's, that was the very first version, which is flour and a couple other compounds in it, which gets suspended in the air, and if you make it thick enough, LiDAR interprets it as a wall. So we're going to go ahead, I'm going to show this to you first to provide some context what's happening. So go ahead, get it forward, let's let it run. And out of nowhere, out of nowhere, you see the wall coming up there. See, it's spreading slowly, the people are walking away slowly from it, and it's just hanging in the air, and it looks like a solid object, as you'll see us when we talk later. And the idea is you can create, that was the first generation, now we're up to the third generation of powder, which has an even better hang time. So just by, with your hands, throwing something in the air, you can create an object for an autonomous vehicle. Okay, now second.

So, uh, just a quick overview of the disclaimer. Um, anything seen here, uh, if you, you all would like to try it or replicate it, uh, just do so responsibly. I'd also like to throw it out there that, uh, a lot of this is OSI layer, level one. So, um, we did do some traditional cybersecurity work. Um, however, a lot of it, or the things that were exploitable, potentially, uh, could
break the device, and it was eight, eight thousand dollars for one, and it was the only one we had. So not only did we not have eight thousand dollars to break, but, uh, we also only had one device to test. Um, so with that, uh, we'll continue.

So our project is "Tell Me Lies: Automotive LiDAR and Low-Tech Obfuscation." Uh, this is partnered with Capitol Tech University, uh, Hawk Cyber LLC and ASP Global LLC. Um, the squad: this is our group. Um, unfortunately Mike B couldn't be here today, but, uh, he was great help on the project. Um, uh, Ola right here behind me, uh, we have Cyrus, Cyrus right here, and then we have Alijah, Rick, and then me, I'm Bret. Uh, abstract. Professor?

This was trying to determine what you could do, what we call layer one, which is the signals you receive passively, which means we didn't inject any energy into it. And the idea is, what if you had an opponent who could use only readily available parts that were not technology based? And the theory was, as we'll show later, there's significant issues with the algorithms used to safely drive autonomous vehicles of any kind. And we're going to show you some background in other systems we've had that. And we've got cases where, for example, using, uh, particular shapes where a human being in a trash bag disappears from the view of the LiDAR until it's too late: you're within a factor of 10 to 20 feet before you can, you would spot as a significant obstruction. The wall over there obviously after 10, 20, 30, 40 seconds will dissipate, but for that time the car is going to come to a stop, and we can all think of the issues that would cause. And as we said, layer one, that's an area where, uh, we're doing some research a lot. That's changing the voltage on a network cable, that's absorbing an RF signal selectively so it changes its characteristics. In this case it's literally throwing very fine dust in the air and seeing certain size particles provide a greater return. So you want something hangs there, but it's also a big enough particle that provides a great
return, so it's very hard to predict how an AI machine learning algorithm is going to handle an obstacle like that. We're going to show you some examples of other things where they've had trouble. So, interesting bit of research, and I hope you enjoy it. Thank you.

So on the left you can see like a typical cyber security practice, you know, coming up with some very complex solution to an issue. It may work, it may not; in this case it didn't work. But on the right was our team, which was basically drug him, hit him with, with a five-dollar wrench, and until he tells us the password. And low tech wins for sure. The methods we used in this presentation could essentially be used by anybody who doesn't, doesn't necessarily have a lot of technical skills, if they have a little bit of physics knowledge and also can think critically. And it's even very cheap too, so even people in third world countries could, you know, test this with self-driving vehicles.

Again, traditional cyber requires knowledge of industry standards, programming skills, system administration, etc., and again, this project necessarily didn't, although we did have some traditional cyber findings as well, which were: the web interface contains an unvalidated file upload area, which essentially you could play around with the firmware, because it's flashed without code signing before the device is in operation. So essentially this is more of a proof of, proof of concept, because although we found this issue, we couldn't necessarily test for it because we would have been throwing away eight thousand dollars. So we do accept donations if anybody would like to assist in this project. Also, the system config could potentially, again, be vulnerable to XXE. This is another traditional, like, cyber finding that wasn't just the physical pentesting we did. And then Nmap revealed an open telnet port, which is pretty self-explanatory, so potentially you could telnet into the device as well.

Again, what we did doesn't require industry knowledge or certification or real
technical experience. And, you know, in a real-life situation, maybe a bus, automated or self-driving bus, is driving down a highway and somebody just throws a powder off the bridge, or maybe there's construction and dust gets blown. There's no way to tell, you know, who, if somebody threw powder or it was, you know, construction or what. So it'd be very hard to catch somebody doing something like that. So that's it, off to stars. For the donation, it's $50,000 or more, by the way.

So for the layer one attacks, we had to analyze two threat surfaces. The first would be us physically connecting to the device, and we would have to test with Nmap or Burp Suite or, you know, security accredited industry tools that are used in traditional cyber security. But then, you know, there's also the other threat surface of the physical sensor itself: how the sensor receives the data from, from external output, and, you know, how we can manipulate that. You know, the sensor used in these cars, it's a 904 nanometer, sorry, infrared sensor. They know even the smallest speck would be picked up, so if we had something that could create a cloud that's thick enough, it would come by as a wall. As you could see on the previous slides, like, a human is even best dispersed than the cloud itself, so, you know, it could even detect it as a, as something even more solid than a human or a baby carriage, for example. So it could be a dangerous thing.

Yeah, in the digital world you think of a pulse as something that looks like this: very square, very sharp, very well defined. When you go ahead, when something comes back, what makes this all possible is you have to do a lot of digital, lot of digital signal processing to separate the signal from the noise, and that means it makes assumptions about what's real and what's not real. So you'll have something that's very weak, a very interesting, interesting return coming back, and then the AI and machine learning has to go ahead and figure out, was that really a signal, was that really noise? And in these, these sort
of systems amplify when you inject noise in there, for example the proper sized dust, the proper sized surface that absorbs lights, so the U.S. could accidentally hide a system, see, in the road. For example, an airplane or a car sends out pulses, builds a map that shows its environment, and it watches how things move, and it decides: is that benign, is it coming toward me, do I have a clear path? That seems pretty simple.

Here's one of the most expensive projects in recent history for self-driving. It's an F-16 airplane, was flying over clear water at 100 feet. The only difference was there was a very slight breeze, which caused ripples in the water, which caused the same type of noise we're talking about here, and the plane decided it would be a good idea at 100 feet above the water to bend over and aim straight at the water and take the pilot down in about a 1g turn, you know, headed toward the, headed toward the water. That, that means 600 knots airspeed, 100 feet above ground level, wasn't turning, seeing they're testing the terrain following system. And it's really the algorithms we use which make all this possible.

Looking at our friends at Tesla, who everyone knows, is Tesla has a problem with red fire trucks. They use AI machine learning to use visible light to determine their environment, and is, they have a problem, is, Wired magazine, this is from Wired magazine, with red fire trucks. There have been a number of crashes involving Tesla where they have an algorithm, it's trying to discriminate between the surroundings and the red fire truck, and there's a small issue. But the other side of it is, there's Volvo and what's called Pilot Assist. If a car is in front of you and it switches to the left lane and you are going slower than you want, it will, your car will automatically accelerate, even if there was a car stopped in the road. If you look there, that's a desired behavior if you read the manual. So if your car, someone swerves left to avoid a car, your car may accelerate and go into it. Once again, it's
the human programming the algorithm that doesn't sufficiently understand the complex environment, and that's what makes these kind of attacks possible.

So after all this information, like, we could see that you can manipulate the sensors with physics: different types of powder, different types of density within the powder, and you can use different colors and different, different hues or the spectrum itself, you could just. So we tested this. We did a bunch of tests with different colors, surfaces, and, uh.

Yeah, if you look at the top, the old F-117 fighter nose has angles on it, and it's also black. One of the interesting features is if sun isn't shining directly on it, you can't tell whether it's going up or down. You can't see features on it because, like, it's reflected away; it looks like a black hole in the sky. And we'll show you, we did some experimentation with different types of trash bags to find one with the right color that could be held at the proper angle, like they have there, which causes light to get, when light comes to it, gets reflected away from it, the laser light, and that doesn't get, that which doesn't get reflected away, a significant amount of it gets absorbed, which means to have seen me at 600 feet away, the distance shrinks down to 10 to 20 feet.

So here, uh, in the photos, uh, on the left you have me holding a box with, uh, DVDs, uh, taped to it. Uh, the bottom side of the DVDs actually absorb the lasers from the LiDAR. And then on the right, uh, you have, uh, Rick and Ola. Ola's the one in the trash bag. Um, and you'll see later on we have a video, uh, showing, um, how the sensor was reacting to that as well. And then, uh, ladies and gentlemen, on the left you have our version of the stealth bomber. Uh, this was our budget stealth bomber. Um, so that was Cyrus laying down in the trash bag. Um, wasn't able to detect him. Uh, picture in the middle is the car we used to test, uh, the LiDAR on top. Um, and we were testing, I believe that was confetti in that photo. Um, and that also was blocking the sensor as
well. Um, so it showed like a wall as soon as it was thrown out, but very short duration. Yeah, very, very short duration. So that's where we ended up coming up with, uh, other types of powders and things to test as well. Um, and then on the far right you have Ola again and the professor again. Uh, however, this time Ola was walking into a wall, so I thought I'd throw that in there as well.

Uh, so this is a, excuse me, this is a list of all the things we went through. So now we're gonna rate them on, at their, uh, level of danger that they pose to everyday functionalities. Um, which one is it? All right, so this one is the, so this one you'll see that, um, on the far left side, uh, that is, remember that, that's me, and that's us throwing things into the street. Uh, on the bottom you have the measurements of danger, of relativity, how close things are and how the LiDAR is reading them.

Of course, when you see this start moving, blue means it's a low strength return. The LiDAR's gain, that's the minimum strength that can detect something, so if something's blue, it means it's not getting much light reflected back from it. And so what you'll see is when things are close, they'll turn from, oh, it's blue. As the person walks away, you'll see them turning, all of a sudden they'll just be gone. So whereas you and I stand, they'll move away, it will still be blue, just a little bit weaker. Using the right surfaces at the right angle, it disappears very, very quickly.

And, uh, just again to clarify, uh, the hall we were in here, it was about 50, 50 feet long. So imagine you're on a highway, um, going like 60 miles per hour. Uh, to stop at 50 feet just suddenly, you wouldn't, you wouldn't be able to.

You'll notice in this, and Professor Hanson's hand here, he has a little plastic, uh, black plate. That's also just another material that just happens to not register very well with the LiDAR sensor. And that's me in the trash bag. So then you'll see as we get farther away how, uh, how we'll be less noticeable within the point cloud. So if we had two
sensors, then that would provide more data to work with, but you could still see what's going on in this environment. So you'll, you'll still see Professor Hanson here, but then you'll notice that it's really hard for, to see me inside the trash bag.

This is the test that we just showed you in the beginning of the, of our presentation, just showcasing our powder test. So it's me driving the Fiat, Cyrus is controlling the LiDAR sensor, and then Elijah threw the, threw the powder for us. And you see how long it lingers and how it creates a LiDAR shadow, so while that's being registered, everything behind that's not. So then, like, that situation with the, the wall, the way it's, it's anonymous, uh, it's, it's similar to one another, since if, if it's registering a wall, then it doesn't notice what's behind it. So if it makes a decision based off of what it first saw, then that could have disastrous cause, consequences, depending on what's going on in that situation.

We already showed you the confetti. So that's Professor Hinson right there in a trash bag near the side of the road. We're not allowed to go, uh, on the road while testing with the car because, you know, there's like insurance liability and whatnot, so he took that on for us. And then we have this video showing the data from that, from that experiment. So this is me in the, driving the Fiat, Cyrus controlling it. There's a little car over here, and then where the mouse is right here, that's how to Professor Hinson. So he's blended in to the background. Actually, it's only once you get a little bit closer, that's when you actually see some of the distortion. So we're gonna turn back, we're gonna make a U-turn right here. So there's just some shrubbery and trees in the building. Then now we're gonna turn back around, we're gonna head back towards Professor Hinson. He's gonna be on the left side, so right over here. So he's right there. So it's really hard to see him in relation to the, to the environment, which is more disastrous when you're dealing with higher
speed situations.

So here's our final ranking of all different materials that we worked with. The organic powder was the best because of how long it lingered and how it created, uh, almost an instantaneous wall to the LiDAR system. The, the shopping bags we used, there, there was this thing where we found out that Home Depot bags were pretty good at absorbing some of the spectrum of light that's produced by LiDAR sensors, but in that, for our case, depends on the angle of approach, so it wasn't really that effective. And then the CD disk, that was okay, but that's, it's more a stationary object, and maybe if you, like, broke them apart and made like a, just, I don't know, just glue it onto something, I don't know, maybe that could be a little bit better. And the confetti, although it did create a wall of us in a sense, it didn't linger very long, so it wasn't really that effective. And we have also tried other, like, pieces of black plastic, like that little, uh, plastic plate. That was pretty effective, but it would be hard to use that in a quick sense without leaving evidence and whatnot. And for the black spray paint, although that may not be as useful on trying to cover up a material, it could be useful and just spraying, like, a LiDAR sensor. So if you're targeting someone, you could cover up their LiDAR sensor, so that takes out one of their sensors for whatever vehicle they're using, or a drone. So that's another attack vector. For that we propose a hydrophobic spray, so then it will not allow water or oil base paints to stick onto a sensor, since it usually has glass on the outside.

So in conclusion, there are a number of ways that an attacker could use low tech and really low cost materials or everyday things to, to interact with the LiDAR sensor in order to help it, in order to not, well, not have it, to help it misunderstand its under, its environment. So if a system is heavily using a LiDAR system, then it will be harder for that system to be able to react positively in an environment if an attacker is using
some of these type of methods, or more, or, or more effective methods, like a, like a well placed, uh, cannon of some sort with a specific type of nozzle.

Now this is the as-is state, which was explained what kind of chaos you could have checked into a system using simple materials available to you. We did not illuminate it with 904 nanometer light, which is readily available from other sources. That'll make it more, that'll make it give a bigger return in effect. We didn't, haven't had time yet to also put a little bit of what's called chaff in there, small pieces of wire to give you a radar reflection. The current generation Priuses use laser and radar together, LiDAR and radar together, for speed. Now, if you'll check the, the one of the big problems is a lack of sophisticated processing on the LiDAR and radar. I'll have better data on that, we're able to get some active analysis on there. In a military system or in a police system, you'll, you'll code the signal: you'll have a number of pulses in specific spacing that identifies the signal. That appears to be lacking now in these systems, which means we don't know what's going to happen to get three or four hundred of them in a city block in a traffic jam as well. So this is, once again, what would happen to it just with things you could buy at the grocery store.

And does this really work? There's a motorcycle called a Gold Wing, and there's one with 101,000 miles on it that's been tested in many LiDAR encounters. You can cut the LiDAR detection range from 2,000 feet down to under 400 feet by coating the reflective surfaces. You can also, there are things you can use which are meant to jam LiDAR, which single point surface LiDAR, and if you were to send this through a small reflective cloud, it would cause the cloud to appear illuminated in a much wider spread, because there's no pulse coding. So you send a pulse out, you get a pulse back, as opposed to sending a group of spaced pulses and getting something back.

Further research: in the fall, if all comes
out right, we're going to be able to have some better test equipment, and hopefully for a short-term loan of two LiDARs. We're going to test it in a real stereo, stereo vision type environment with the active things that a more knowledgeable attacker would employ, and they're going to include seeing what you can do with limited, because we've got a very small size area we're allowed to do GPS research, because of the potential for interference, we've got a very small test range for this. We're going to see if you have an autonomous vehicle with, which self-guided, it's using radar and LiDAR, and seeing if there's what I call low budget, under a thousand dollar attacks you can do to go ahead and cause great issues with an autonomous vehicle.

So yeah, like we said, like, do not do this unless you have the money to do it and you're having the funding like we do. Well, not that much money, but still. And then also we had the, we didn't have enough stuff to test. Like the organic powders, we were trying to get really fine weed, which is, there's a whole scientific process to getting really fine weed, and there's a whole danger about combusting and just really small dry particles. So, you know, we, we wanted more equipment, we wanted more stuff to test, and if we had that, we could do a more conclusive proof of concept on this. So thank you. I'd like to thank you all for this opportunity, and, uh, we're really glad we could, uh, share this information here at DEF CON. This is, uh, some of our first time here, so really excited. Thank you.

And thank you, and give these young gentlemen credit. They did a lot of very hard work trying a number of different substances. And for, someone asked, I heard someone in the crowd ask, how does a CD reflect visible light and absorb infrared? The answer is that they use an infrared laser to burn holes in the CD and to read the CD. It's designed to trap light; it's a little, uh, photon trap in there. So it would look totally silver to you and me, but at that particular frequency of light it's invisible, so
it's a little conundrum. I don't know, um, what sort of chaos could be done with that information, but I'm sure you'll think of it. Thank you.