Engineers Develop Hack to Make Automotive Radar Hallucinate | Duke Pratt School of Engineering


Because there are now so many different cars using radar on a typical highway, it is unlikely that any two vehicles will have the exact same operating parameters, even if they share a make and model. For example, they might use slightly different operating frequencies or take measurements at slightly different intervals. Because of this, previous demonstrations of radar-spoofing systems have needed to know the specific parameters being used.

“Think of it like trying to stop someone from listening to the radio,” explained Pajic. “To block the signal or to hijack it with your own broadcast, you’d need to know what station they were listening to first.”

In the MadRadar demonstration, the team from Duke showed off the capabilities of a radar-spoofing system they’ve built that can accurately detect a car’s radar parameters in less than a quarter of a second. Once they’ve been discovered, the system can send out its own radar signals to fool the target’s radar.

“You have to be judicious about adding signals to the radar system, because if you simply flooded the entire field of vision, it’d immediately know something was wrong.”

David Hunt
ECE PhD Student

In one demonstration, MadRadar sends signals to the target car to make it perceive another car where none actually exist. This involves modifying the signal’s characteristics based on time and velocity in such a way that it mimics what a real contact would look like.

In a second and much more complicated example, it fools the target’s radar into thinking the opposite — that there is no passing car when one actually does exist. It achieves this by delicately adding masking signals around the car’s true location to create a sort of bright spot that confuses the radar system.

“You have to be judicious about adding signals to the radar system, because if you simply flooded the entire field of vision, it’d immediately know something was wrong,” said David Hunt, a PhD student working in Pajic’s lab.

In a third kind of attack, the researchers mix the two approaches to make it seem as though an existing car has suddenly changed course. The researchers recommend that carmakers try randomizing a radar system’s operating parameters over time and adding safeguards to the processing algorithms to spot similar attacks.

“Imagine adaptive cruise control, which uses radar, believing that the car in front of me was speeding up, causing your own car to speed up, when in reality it wasn’t changing speed at all,” said Pajic. “If this were done at night, by the time your car’s cameras figured it out you’d be in trouble.”

Each of these attack demonstrations, the researchers emphasize, were done on real-world radar systems in actual cars moving at roadway speeds. It’s an impressive feat, given that if the spoofing radar signals are even a microsecond off the mark, the fake datapoint would be misplaced by the length of a football field.

“These lessons go far beyond radar systems in cars as well,” Pajic said. “If you want to build drones that can explore dark environments, like in search and rescue or reconnaissance operations, that don’t cost thousands of dollars, radar is the way to go.”

This research was supported by the Office of Naval Research (N00014-23-1-2206, N00014-20-1-2745), the Air Force Office of Scientific Research (FA9550-19-1-0169), the National Science Foundation (CNS-1652544, CNS-2211944), and the National AI Institute for Edge Computing Leveraging Next Generation Wireless Networks (Athena) (CNS-2112562).

CITATION: “MadRadar: A Black-Box Physical Layer Attack Framework on mmWave Automotive FMCW Radars,” David Hunt, Kristen Angell, Zhenzhou Qi, Tingjun Chen, and Miroslav Pajic. Network and Distributed System Security Symposium (NDSS) 2024. DOI: 10.14722/ndss.2024.24135


Leave a Reply

Your email address will not be published. Required fields are marked *