A team of researchers from four American universities has provided a troubling preview of how self-driving cars could be tricked into making dangerous mistakes. By altering street signs in ways that look innocuous to a human observer, the researchers were able to completely alter how an artificial intelligence interpreted them.
This isn’t just a matter of slapping paint across a sign. The team, whose work was first highlighted by Ars Technica, designed an attack algorithm that carefully tailors the visual “perturbations” to be applied to an existing sign. The alterations, made using standard color printing or stickers, look like either graffiti or general wear to a human. One example will be familiar to many urban drivers – stickers that change a standard Stop sign to instead read “Love Stop Hate.”
But to the demonstration neural network used by the researchers, these ho-hum alterations became mind-bending hallucinations. In the most dramatic example of the bunch, a Stop sign altered with what looks like natural weathering was consistently seen by the neural network as a 45 mph speed limit sign. In another test, just four carefully-placed rectangular stickers caused a Stop sign to be seen as a speed limit sign only slightly less consistently.
Those misinterpretations could, obviously, be incredibly dangerous. And they held up under a wide variety of conditions, including different distances and viewing angles.