Beyond Crash: Hijacking Your Autonomous Vehicle for Fun and Profit

TL;DR

This paper introduces JackZebra, a novel adversarial framework that can hijack autonomous vehicles' routes over long distances by manipulating their perception in real-time, posing new security risks.

Contribution

The paper presents the first route hijacking attack on vision-based autonomous vehicles using a physically plausible attacker vehicle with real-time control capabilities.

Findings

JackZebra successfully hijacks vehicles in simulation and real-world tests.

The attack maintains effectiveness despite environmental changes and vehicle re-planning.

High success rate in diverting vehicles to attacker-specified destinations.

Abstract

Autonomous Vehicles (AVs), especially vision-based AVs, are rapidly being deployed without human operators. As AVs operate in safety-critical environments, understanding their robustness in an adversarial environment is an important research problem. Prior physical adversarial attacks on vision-based autonomous vehicles predominantly target immediate safety failures (e.g., a crash, a traffic-rule violation, or a transient lane departure) by inducing a short-lived perception or control error. This paper shows a qualitatively different risk: a long-horizon route integrity compromise, where an attacker gradually steers a victim AV away from its intended route and into an attacker-chosen destination while the victim continues to drive ``normally.'' This will not pose a danger to the victim vehicle itself, but also to potential passengers sitting inside the vehicle, who may not notice the route changes. In this paper, we design and implement the first adversarial framework, called JackZebra, which performs route-level hijacking of a vision-based end-to-end driving stack using a physically plausible attacker vehicle with a reconfigurable display and a camera sensor mounted on the rear. The central challenge is temporal persistence: adversarial influence must remain effective in changing viewpoints, lighting, weather, traffic, and the victim's continual replanning -- without triggering conspicuous failures. Our key insight is to treat route hijacking as a closed-loop control problem and to convert adversarial patches into steering primitives that can be selected online via an interactive adjustment loop based on observed victim behavior using the rear camera. Our evaluations in both simulated and real-world scenarios show that JackZebra can successfully hijack victim vehicles to deviate from original routes and stop at places designated by the adversary with a high success rate.