pith. sign in

arxiv: 1906.09765 · v1 · pith:F67KXLTPnew · submitted 2019-06-24 · 💻 cs.CR

MobilBye: Attacking ADAS with Camera Spoofing

Dudi Nassi , Raz Ben-Netanel , Yuval Elovici , Ben Nassi This is my paper

Pith reviewed 2026-05-25 17:38 UTC · model grok-4.3

classification 💻 cs.CR
keywords camera spoofingADAS attacktraffic sign recognitionMobileyedrone projectorvehicle securityprojection attackcyber physical attack
0
0 comments X

The pith

A drone with a projector can make Mobileye interpret spoofed traffic signs as real.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper examines whether Mobileye, a common ADAS, can be tricked by projected fake traffic signs. The authors use a drone to carry a projector that displays signs onto a moving car while varying conditions like color, shape, speed, size, and light. Their tests show that Mobileye accepts the spoofed signs as genuine. This is important because ADAS rely on camera input for safety alerts and controls, so spoofing could lead to incorrect responses. The setup aims to simulate a realistic attack scenario.

Core claim

The experiments demonstrate that it is possible to fool Mobileye so that it interprets the drone carried spoofed traffic sign as a real traffic sign. The attack involves projecting signs using a portable projector carried by a drone onto a driving car, and testing various environmental parameters to assess attack success.

What carries the argument

The drone-carried portable projector that projects spoofed traffic signs onto a moving vehicle to test Mobileye's recognition.

If this is right

  • Changes in color, shape, projection speed, diameter, and ambient light affect whether the spoofed sign is accepted.
  • The attack succeeds in a realistic driving scenario using a drone.
  • Mobileye can be made to treat projected signs as authentic traffic signs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This type of attack could potentially be adapted to other camera-based ADAS if similar projection methods are used.
  • Defenses might involve cross-verifying signs with other sensors like GPS or radar.
  • The vulnerability highlights risks in relying solely on visual recognition without additional validation.

Load-bearing premise

The drone-carried projector setup in a driving scenario accurately represents feasible real-world attack conditions without additional detection mechanisms or environmental interferences affecting the outcome.

What would settle it

A repeated experiment where the projected sign is displayed but Mobileye consistently fails to recognize it as a valid traffic sign or issues no response.

Figures

Figures reproduced from arXiv: 1906.09765 by Ben Nassi, Dudi Nassi, Raz Ben-Netanel, Yuval Elovici.

Figure 1
Figure 1. Figure 1: Mobileye 630 PRO components cyclist; this feature can only be used during daylight and is activated when the driving speed is under 50 km/h (this feature can be configured to be up to 70 km/h). 3) Forward collision warning: This feature notifies the driver about rear-end collisions with any type of vehicle. 4) Headway monitoring and warning: This feature notifies the driver when there is an unsafe distance… view at source ↗
Figure 4
Figure 4. Figure 4: (a) examples of different colored traffic signs, (b) an example of a [PITH_FULL_IMAGE:figures/full_fig_p003_4.png] view at source ↗
Figure 3
Figure 3. Figure 3: Influence of the sign’s diameter 1) Experimental Setup: In this case, we investigate whether the size of the projected sign influences the distance from which the Mobileye 630 PRO’s sensor can detect the projected sign. We repeated the experiment five times, projecting a different sized sign each time, and calculated the average detection distance. 2) Results [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: Influence of Ambient Light since the opacity of the projected sign depends on the ambient light as well as the projector used (a better success rate may be achieved with a better projector). F. Influence of the Speed of the Projection Time 1) Experimental Setup: Here we assessed the speed of the projection time that is needed to fool the system. We conducted a few experiments that measured the amount of ti… view at source ↗
Figure 4
Figure 4. Figure 4: c). 2) Results [PITH_FULL_IMAGE:figures/full_fig_p004_4.png] view at source ↗
Figure 6
Figure 6. Figure 6: Attacking a car while driving (a) the drone with the projector used in our experiments, (b) visualization of the threat model implementation, (c) the [PITH_FULL_IMAGE:figures/full_fig_p005_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Mobileye display before and during the attack. [PITH_FULL_IMAGE:figures/full_fig_p005_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Traffic sign authentication countermeasure. (a) example of the traffic [PITH_FULL_IMAGE:figures/full_fig_p005_8.png] view at source ↗
read the original abstract

Advanced driver assistance systems (ADASs) were developed to reduce the number of car accidents by issuing driver alert or controlling the vehicle. In this paper, we tested the robustness of Mobileye, a popular external ADAS. We injected spoofed traffic signs into Mobileye to assess the influence of environmental changes (e.g., changes in color, shape, projection speed, diameter and ambient light) on the outcome of an attack. To conduct this experiment in a realistic scenario, we used a drone to carry a portable projector which projected the spoofed traffic sign on a driving car. Our experiments show that it is possible to fool Mobileye so that it interprets the drone carried spoofed traffic sign as a real traffic sign.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript describes experiments attacking the Mobileye ADAS by projecting spoofed traffic signs from a drone-carried portable projector onto a moving vehicle. It tests the influence of environmental parameters including color, shape, projection speed, diameter, and ambient light on whether Mobileye interprets the projected sign as real, claiming that successful spoofing is possible under these conditions.

Significance. If the results are supported by quantitative data and the drone setup is shown to be representative, the work would provide a concrete demonstration of a physical spoofing attack on a widely deployed camera-based ADAS, underscoring the need for robustness testing against projection-based threats in autonomous driving systems.

major comments (2)
  1. [Abstract] The abstract asserts successful attacks after varying parameters but supplies no quantitative results, success rates, controls, sample sizes, or error analysis; without these the central claim that Mobileye can be fooled cannot be evaluated.
  2. [Experimental Setup (implied by abstract description of drone use)] The drone-carried projector setup introduces unaddressed variables (vibration affecting focus, real-time positioning relative to a moving vehicle, and potential visibility to other sensors) that undermine the claim of a realistic driving scenario; these factors are load-bearing for generalizing the attack beyond the specific experimental configuration.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed review and constructive feedback on our manuscript. We address each major comment below and indicate where revisions will be made to strengthen the paper.

read point-by-point responses

  1. Referee: [Abstract] The abstract asserts successful attacks after varying parameters but supplies no quantitative results, success rates, controls, sample sizes, or error analysis; without these the central claim that Mobileye can be fooled cannot be evaluated.

    Authors: The abstract is intentionally concise and summarizes the overall finding that spoofing is possible. The full manuscript reports the experimental outcomes across the tested parameters (color, shape, speed, size, and light), including observed success under those conditions. To improve evaluability, we will revise the abstract to incorporate key quantitative details such as the range of success rates and number of trials conducted. revision: yes

  2. Referee: [Experimental Setup (implied by abstract description of drone use)] The drone-carried projector setup introduces unaddressed variables (vibration affecting focus, real-time positioning relative to a moving vehicle, and potential visibility to other sensors) that undermine the claim of a realistic driving scenario; these factors are load-bearing for generalizing the attack beyond the specific experimental configuration.

    Authors: We agree these variables merit explicit discussion. The experiments were performed with the drone maintaining stable projection onto the moving target vehicle under the reported conditions, but the manuscript does not detail mitigation steps for vibration or positioning accuracy. We will add a dedicated subsection in the experimental setup describing how these factors were managed during trials and any observed effects on projection quality. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical attack demonstration

full rationale

The paper reports physical experiments injecting spoofed traffic signs via drone-carried projector and measuring Mobileye's response under varied conditions (color, shape, speed, diameter, light). No equations, derivations, fitted parameters, model predictions, or self-referential claims appear. The central result is a direct empirical observation rather than a computed output that reduces to its inputs. No self-citations are load-bearing for any derivation. The work is self-contained against external benchmarks (replicable physical setup) and receives the default non-circularity finding.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical model, parameters, or theoretical constructs are present in the abstract; the work rests entirely on the described experimental setup.

pith-pipeline@v0.9.0 · 5652 in / 988 out tokens · 26765 ms · 2026-05-25T17:38:53.183415+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Safety in Embodied AI: A Survey of Risks, Attacks, and Defenses

    cs.CR 2026-03 unverdicted novelty 6.0

    The survey organizes over 400 papers on embodied AI safety into a multi-level taxonomy and flags overlooked issues such as fragile multimodal fusion and unstable planning under jailbreaks.

Reference graph

Works this paper leans on

13 extracted references · 13 canonical work pages · cited by 1 Pith paper · 3 internal anchors

  1. [1]

    Advanced driver-assistance systems — Wikipedia, the free encyclopedia,

    Wikipedia contributors, “Advanced driver-assistance systems — Wikipedia, the free encyclopedia,” 2019, [Online; accessed 27-May- 2019]. [Online]. Available: https://en .wikipedia.org/w/index.php?title= Advanced_driver-assistance_systems&oldid=898181591

    work page 2019

  2. [2]

    Threat of adversarial attacks on deep learning in computer vision: A survey,

    N. Akhtar and A. Mian, “Threat of adversarial attacks on deep learning in computer vision: A survey,” IEEE Access, vol. 6, pp. 14 410–14 430, 2018

    work page 2018

  3. [3]

    Standard detectors aren't (currently) fooled by physical adversarial stop signs

    J. Lu, H. Sibai, E. Fabry, and D. Forsyth, “Standard detectors aren’t (currently) fooled by physical adversarial stop signs,” arXiv preprint arXiv:1710.03337, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  4. [4]

    Remote attacks on automated vehicles sensors: Experiments on camera and lidar,

    J. Petit, B. Stottelaar, M. Feiri, and F. Kargl, “Remote attacks on automated vehicles sensors: Experiments on camera and lidar,” Black Hat Europe, vol. 11, p. 2015, 2015

    work page 2015

  5. [5]

    Researchers trick tesla autopilot into steering into oncoming traffic,

    D. GOODIN, “Researchers trick tesla autopilot into steering into oncoming traffic,” https://arstechnica .com/information-technology/2019/ 04/researchers-trick-tesla-autopilot-into-steering-into-oncoming-traffic/, 2019

    work page 2019

  6. [6]

    Driving assistance systems in s-class: Intelligent drive next level

    mercedes benz, “Driving assistance systems in s-class: Intelligent drive next level.” https://www .mercedes-benz.com/en/mercedes-benz/ innovation/the-new-s-class-intelligent-drive-next-level/, 2019

    work page 2019

  7. [7]

    Driving assistance systems in s-class: Intelligent drive next level

    audi, “Driving assistance systems in s-class: Intelligent drive next level.” https://www.audi-mediacenter.com/en/technology-lexicon-7180/ driver-assistance-systems-7184, 2017

    work page 2017

  8. [8]

    Autonomous car — Wikipedia, the free encyclopedia,

    Wikipedia contributors, “Autonomous car — Wikipedia, the free encyclopedia,” 2019, [Online; accessed 18-June- 2019]. [Online]. Available: https://en .wikipedia.org/w/index.php?title= Autonomous_car&oldid=902246624

    work page 2019

  9. [9]

    DARTS: Deceiving Autonomous Cars with Toxic Signs

    C. Sitawarin, A. N. Bhagoji, A. Mosenia, M. Chiang, and P. Mittal, “Darts: Deceiving autonomous cars with toxic signs,” arXiv preprint arXiv:1802.06430, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  10. [10]

    Robust Physical-World Attacks on Deep Learning Models

    K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, C. Xiao, A. Prakash, T. Kohno, and D. Song, “Robust physical-world attacks on deep learning models,” arXiv preprint arXiv:1707.08945 , 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  11. [11]

    Can you trust autonomous vehicles: Contactless attacks against sensors of self-driving vehicle,

    C. Yan, W. Xu, and J. Liu, “Can you trust autonomous vehicles: Contactless attacks against sensors of self-driving vehicle,” DEF CON, vol. 24, 2016

    work page 2016

  12. [12]

    Hackers remotely kill a jeep on the highway-with me in it (2015),

    A. Greenberg, “Hackers remotely kill a jeep on the highway-with me in it (2015),” URL https://www.wired.com/2015/07/hackers-remotely-kill- jeep-highway, 2017

    work page 2015

  13. [13]

    Comprehensive experimental analyses of automotive attack surfaces

    S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno et al. , “Comprehensive experimental analyses of automotive attack surfaces.” in USENIX Security Symposium, vol. 4. San Francisco, 2011, pp. 447–462

    work page 2011