Security of sensor fusion systems: Mission statement

Systems have been using sensors for a long time, to gain an understanding of their environment. More recently, the advent of autonomous systems, and the increasing demands of reliability, have led to the multiplication of sensor inputs.

So we now commonly have systems that estimate their location using a mix of GPS, odometry, LIDAR, cameras, and more. Then, the control system takes into account the error margin of each sensor and the possibility that each of them might fail. It adapts to external conditions: for example, it might reduce the importance of cameras at night, or ignore GPS altogether in a tunnel. Mixing these inputs together, it computes the location as well as possible. These systems are referred to as sensor fusion systems.

Current standards only address the safety of these sensors, that is to say the accidental failure of sensors, to assess the safety of the overall system. However, intentional malicious attacks against the sensors are possible: famously,  GPS spoofing  is not science fiction, and dropping banana peels on a race track has been used by Mario and others with great success to confuse odometry sensors. Automotive engineers tend to wave the risk away, assuming that “we have enough sensors, surely the attackers can’t confuse them all at once.”

The issue here is that we have two categories of engineers: control command engineers that understand the control law, but not the security risk, and security engineers that do not understand the control law, and have no method to communicate that risk. Current research shows that just spoofing GPS might be enough to confuse a car’s perception of its location by up to 2 metres, which is way more than enough to cause catastrophic events. This shows that both sides of the discussion are wrong and need to communicate.

We intend to study the link between the security risk of intentional attacks towards sensors, and the resulting risk on control law systems. The primary goal is two-pronged:

  • Security risk analysts need a methodology to assess the likelihood of each type of attack on a sensor, and crucially the likelihood of combined attacks.
  • Control law engineers need a synthetic view of how intentional attacks can affect their sensors, and take the security context into account in the design of the control laws.

In a later stage, it will be useful to build a central database of attack types against sensor classes, to consolidate the knowledge of known attacks and reach industry-wide agreement on their likelihoods. This would be similar to the CVE database, along with CVSS, adapted to sensors.

We are currently in the first steps of our study. Please contact us if you are interested in discussing this topic with us!

Author

Yves Rütschlé