
Calterah Cybersecurity White Paper V | Speed vs. Safety: Race Against Time for Secure Communication of Automotive mmWave Radar

2025-05-26

1. Behind the Glamour of Autonomous Driving

 

As intelligent driving assistance technologies spread rapidly, a recent series of traffic accidents has sparked a systematic review of the safety of autonomous driving in the industry. In February 2025, a Cybertruck running the latest version (V13) of Tesla’s Full Self-Driving (FSD) (Supervised) software exhibited abnormal behavior during a lane change at midnight. According to officially disclosed surveillance records, the vehicle failed to execute the expected evasive maneuvers when approaching a section where the lane lines gradually narrowed, which led to the vehicle colliding with roadside infrastructure and breaking a pole 30 cm in diameter.

The latest technical analysis report from the National Highway Traffic Safety Administration (NHTSA) points out that during the accident, the autonomous driving system of the vehicle made a significant misjudgment in road topology recognition. When the vehicle entered the area where the lane markings faded and gradually disappeared, its decision-making module failed to activate the emergency takeover protocol in time. This revealed the deficiency of the current visual-dominant autonomous driving solutions in adapting to scenarios of complex road junctions.

 

Figure 1 Tesla Cybertruck Crashing into A Pole

Source: Jonathan Challinger, Software Developer, Kraus Hamdani Aerospace

The root cause of such accidents lies in the rising false alarm rates of cameras in complex scenarios such as strong glare, tunnel entrances and exits, and low-light conditions at night, leading to issues like lane line deviation and delayed recognition of obstacles. However, by introducing modeling of 4D mmWave radar and closed-loop training with multi-modal data, the miss rates of sensor systems in low-light scenarios can be significantly reduced.

Nevertheless, more in-depth research has revealed a significant increase in both the possibility and potential harm of cyber attacks targeting sensors. According to a study published in March 2025 on commercial camera electronic control units (ECUs) for ADAS, hackers used reverse engineering and other techniques to analyze the camera's protocols and found two User Datagram Protocol (UDP) ports, one for Dynamic Host Configuration Protocol (DHCP) and one for Command and Control (C&C). They exploited these ports for payload spoofing attacks against the internal units.

Figure 2 Cybersecurity Attack on ADAS Sensors

Through this attack path, hackers can carry out video stream failure attacks or replacement attacks for various purposes, including:

  • Injecting looping forged videos
  • Permanently blocking the recovery of authentic video streams
  • Dynamically switching between different pre-recorded content

 

Figure 3 Camera Sensors Compromised by Cyber Attacks

Source: https://plaxidityx.com/blog/cyber-security-blog/hacking-automotive-ethernet-cameras/

Although the experimental subjects included only automotive cameras, similar vulnerabilities can extend to:

  • Injecting tampered point cloud data into ADAS mmWave radar
  • Tampering with ranging information of Light Detection and Ranging (LiDAR) devices
  • Executing man-in-the-middle (MITM) attacks in V2X communication

Among these, mmWave radar, with its 24/7 all-weather operational capability (seeing through rain, fog, dust, etc.) and effective detection range exceeding 200 meters, has become an indispensable sensor in the perception layer of ADAS and autonomous driving systems. An analysis report indicates that, compared to camera solutions, 4D mmWave radar solutions offer better applicability and performance and are unaffected by glare or low-light environments.

 

Figure 4 Performance Comparison of 4D mmWave Radar, LiDAR, and Camera Under Adverse Environments[1] 

 

Figure 5 Data Spoofing Attack on Positioning Based on Sensor Fusion[2]

As shown in Figure 5, when the perception system experiences data anomalies or information integrity failures, the decision-making algorithms face a higher risk of misjudgment. Even with a multi-source data fusion verification mechanism, the system still requires additional computational resources for anomaly filtering and cross validation of multi-source information, leading to a 23% to 45% increase in the delay of generating time-sensitive control commands. When driving at high speeds (≥ 80 km/h), such a delay will weaken the effectiveness of the safety redundancy architecture.

In real-world cases, the interval from a system warning to a collision is only 4 seconds, while a vehicle traveling at 80 km/h typically requires 2.78 seconds for braking. An evaluation of an autonomous driving safety model conducted jointly by Huawei and the China Automotive Technology and Research Center (CATARC) indicates that the cognitive decision-making cycle for skilled Chinese drivers in emergency braking scenarios is usually about 1.06 seconds[3]. Braking and driver reaction together consume 3.84 of the 4 seconds, leaving a margin of only 0.16 seconds. This means that if hackers successfully carry out a 160-ms data spoofing attack, which paralyzes the effective perception capability of the system through sensor data fabrication or signal noise injection, an irreversible decision-making error chain can be triggered within the safety redundancy failure window.

 

Figure 6 Path Deviation Caused by Data Spoofing Attacks[2]

Although in most cases, attacks on systems can barely achieve basic effects, empirical data shows that when the period for specific attack opportunities (i.e., attack window) reaches 14% of the vehicle’s operation time, the system exhibits a positioning deviation exceeding 2 meters—sufficient to achieve some attack goals. Research indicates that by fabricating radar signals (radar spoofing attacks), the positioning deviation can rapidly expand in a short time. The key reason is that during the attack window when the deviation expands rapidly, the fabricated sensor data dominates the core computational module of the vehicle's positioning system. Although the system can identify radar data anomalies in the later stages of the attack, it cannot correct the path deviation in time due to the delayed response of the error correction mechanism. This phenomenon fundamentally subverts the design logic of multi-sensor fusion systems—"multi-source verification with fault tolerance and interference resistance".

For hackers, this attack method is attractive for the following reasons:

  • Precise Control of Vehicle Trajectory: It can cause horizontal deviation of a vehicle, including forcing the vehicle to change its lane, drive in the opposite direction, and other dangerous behaviors.
  • Scalable Attack Effects: By continuously triggering multiple attack windows, the vehicle can be driven completely out of control.
  • High Concealment: The vehicle system still displays "Normal Operation" during an attack, delaying the intervention of safety mechanisms.

 

Figure 7 Off-Road Attack and Wrong-Way Attack[2] 

1.1 Analysis of Untrusted Communication Attack Path

In the security threat scenarios for intelligent connected vehicles (ICV), sensor spoofing attacks targeting ADAS exhibit extremely high technical feasibility and security risks. Specifically, hackers can implant malicious code in the radar sensor of a vehicle through supply chain infiltration, remote exploitation of vulnerabilities, and other methods. Such embedded attacks often exploit security vulnerabilities in sensor firmware (such as unauthenticated firmware update mechanisms) to establish hidden hardware backdoors and maintain persistent access. The malicious code can tamper with the original radar signal data at the driver layer, simulating data packets of multimodal sensors, including mmWave radar and LiDAR, with high precision.

The core vulnerability that allows the implementation of this attack path is the lack of fundamental security mechanisms in automotive communication protocols.

  • The transmission packets for control commands and point-cloud data lack an integrity verification mechanism
  • Communication data lacks the most basic layer of encryption protection  

 Figure 8 Radar Electrical/Electronic Architecture

As shown in Figure 8, in the early functional definition of the radar electrical/electronic architecture, communication security received insufficient consideration and real-time performance imposed restrictions. As a result, the CAN bus communication protocol between the electronic control unit (ECU) and the central control unit (CCU) had obvious security weaknesses, such as the absence of a MAC or digital signature. The specific risks include the lack of encryption protection and integrity verification mechanisms for communication packets, which might enable hackers to launch Man-in-the-Middle (MITM) attacks, reverse-engineer the protocol, tamper with packet content, or replay packets. The untrusted communication between the ECU and CCU could cause the CCU to receive tampered or falsified commands, such as fabricated sensor data and illegal control commands, resulting in the malfunction of autonomous driving algorithms and even loss of vehicle control and dangerous driving behaviors.

 

2. Security Architecture of Radar Communication

 

From a system-level safety perspective, radar should be equipped with secure SoCs dedicated to firmware protection, data encryption, and communication packet verification. These SoCs require natively integrated cryptographic coprocessors at the hardware layer, cryptographic key lifecycle management units, and Trusted Boot engines, which provide the upper-layer systems with encryption acceleration services and trust anchors.

Developers can rely on chip-level security capabilities to construct a protection system. For heterogeneous automotive networks (CAN/Ethernet), the protocol stack can invoke the hardware cryptographic engine to achieve Secure Onboard Communication (SecOC) that conforms to the AUTOSAR standard, as well as multi-dimensional communication encryption such as Transport Layer Security (TLS) 1.3. Meanwhile, the system can expand to include Secure Diagnostics (via UDS SecAccess), Firmware Over the Air (FOTA), signature verification, and an X.509 certificate management system.

At the application layer, reinforcement measures such as code obfuscation and anti-debugging are required. Together with the hardware root of trust, they form a four-layer closed-loop security architecture covering chips, protocols, systems, and applications that achieves the overall protection goal. This architecture ensures the intrinsic security of radar systems in a complex automotive environment through the cross-layer collaboration of cryptographic primitives and security mechanisms.

 Figure 9 Architecture of Radar Cybersecurity Protection

2.1 In-Depth Protection Based on EVITA-Full

To ensure the communication security of radar, Calterah has established an in-depth protection system based on the EVITA-Full standard.

 

Figure 10 Calterah Hardware Security Module (HSM) Compliant to EVITA Full  

  • Isolation of Secure Domain: An independent security subsystem (exclusive CPU/RAM included) is built in a cryptographic isolation area created with the hardware Root of Trust (RoT), which stringently confines the invocation rights of cryptographic services.
  • Secure Sharing of Resources: An isolation mechanism is deployed between the secure domain and the regular domain to ensure the security arbitration of cross-domain communications and external device access.
  • Security Baselines of SoCs: The HSM integrates key storage encryption (through non-volatile memory), a secure debugging interface, a trust chain startup engine, and an anti-side-channel attack mechanism to meet the security baseline requirements of automotive devices.

2.2 Performance Requirements for Secure Communication

Cybersecurity is crucial to radar in various architectures. In the satellite radar structure, where the radar module outputs raw data streams, the massive real-time data throughput poses a challenge to cybersecurity. When choosing chips and designing radar systems, we should prioritize the evaluation of security chain integrity, the bandwidth of the encryption bus, and the capability of real-time key rotation, to avoid the risk of security degradation triggered by computing power bottlenecks.

Figure 11 Satellite Radar Communications

  • Traditional CAN Network Protection

The SecOC protocol is applied at the underlying layer to ensure data integrity. At the application layer, the protocol data unit (PDU) should be encrypted to realize confidentiality protection.

  • Vehicle Ethernet Protection

MACsec is applied at the link layer for encryption protection, while the upper layer continues to apply the PDU format of SecOC to ensure compatibility between the old and new systems.

This layered design can effectively prevent attacks at different levels, but it increases the computational burden of the system. For instance, when transmitting raw data, the system must be capable of both PDU encryption (e.g., AES algorithm) and SecOC integrity verification (e.g., CMAC algorithm). Especially in a Gigabit Ethernet environment, the encryption engine needs to achieve a processing speed of over 2000 Mbps:

  • Small MCUs often fail to meet this performance requirement due to cost limitations.
  • SoCs are relatively more capable as they are equipped with exclusive hardware acceleration (HWA) modules.
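
The SecOC integrity check described in this section, as an added example that is not part of the original white paper or Calterah's code. It assumes a 4-byte truncated authenticator and an 8-bit transmitted freshness counter, uses HMAC-SHA-256 as a stand-in for AES-CMAC, and leaves out the application-layer PDU encryption; Sender, Receiver, and the sample values are hypothetical.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4    # bytes of truncated authenticator carried in each PDU (assumed)
SPAN = 1 << 8  # only the low 8 bits of the freshness counter are sent (assumed)

def authenticator(key, data_id, payload, freshness):
    # SecOC authenticates Data ID | payload | complete freshness value.
    # HMAC-SHA-256 stands in for AES-CMAC so that only the stdlib is needed.
    msg = struct.pack(">H", data_id) + payload + struct.pack(">Q", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.counter = key, data_id, 0

    def secure(self, payload):
        self.counter += 1
        tag = authenticator(self.key, self.data_id, payload, self.counter)
        return payload + bytes([self.counter % SPAN]) + tag

class Receiver:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.last = key, data_id, 0

    def _rebuild(self, low):
        # Smallest counter above the last accepted one with matching low bits.
        cand = self.last - self.last % SPAN + low
        return cand if cand > self.last else cand + SPAN

    def verify(self, pdu):
        if len(pdu) < 1 + MAC_LEN:
            return None
        payload, low, tag = pdu[:-1 - MAC_LEN], pdu[-1 - MAC_LEN], pdu[-MAC_LEN:]
        fresh = self._rebuild(low)
        expected = authenticator(self.key, self.data_id, payload, fresh)
        if not hmac.compare_digest(tag, expected):
            return None        # tampered, replayed, or wrong key / Data ID
        self.last = fresh      # advance freshness only after a valid MAC
        return payload

def demo():
    key = bytes(range(16))                       # constructed demo key
    tx, rx = Sender(key, 0x0123), Receiver(key, 0x0123)
    target = struct.pack(">HhB", 4520, -310, 7)  # constructed radar target record
    first = tx.secure(target)
    results = {"genuine": rx.verify(first) == target}
    results["replay"] = rx.verify(first) is None
    forged = bytes([first[0] ^ 0x01]) + first[1:]
    results["tamper"] = rx.verify(forged) is None
    tx.secure(target)                            # this frame is lost in transit
    results["after_loss"] = rx.verify(tx.secure(target)) == target
    return results
```

In this simplified version, losing 256 or more consecutive frames desynchronizes the reconstructed counter, so a real deployment also needs a resynchronization mechanism.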

 

3. Cybersecurity for Data Stream Architecture

 

The camera security framework (based on the CSI-2 protocol), developed by the Mobile Industry Processor Interface (MIPI) Alliance for automotive scenarios, integrates three core protection mechanisms:

  • Component Authentication: Enables identity authentication between imaging system sensors and network components;
  • Data Protection: Ensures the integrity of image data and provides optional encryption capabilities;
  • Interface Protection: Protects the command-and-control interfaces of sensors against attacks.

Meanwhile, this modular design can adapt to various needs in automotive scenarios at different security levels.

 Figure 12 End-to-End Security Protection of MIPI Camera Security Framework

The camera security framework has the following definitions:

  • End-to-End Data Protection

Image data must be fully protected throughout the process of transmission, from the "data source" of each image sensor to the "data receiving end" of its corresponding SoC and ECU. Due to this requirement, security solutions at the application layer are used more often than link-layer security solutions, since the former not only provide end-to-end protection but also avoid the impact of underlying communication network technologies and topology structures.

  • Authentication of Component Identities

The components in the imaging system must be trusted. The SoCs and ECUs should be able to authenticate the image sensors and the communication network components, such as SerDes bridges, that connect the sensors to the SoCs and ECUs.

  • Source-Selective Security

To ensure the SoCs and ECUs can verify the authenticity and integrity of data generated by the image sensors, an authentication label with the message authentication code (MAC) needs to be embedded in the image data stream.

  • Data Encryption

If the risk of malicious theft of image system data exists, the end-to-end data encryption function should be enabled.

  • Secure Command and Control Interface

The Command and Control Interface (CCI) of image sensors, usually based on an I2C sideband interface, can be hardened with security reinforcement measures to reduce the risks caused by incorrect sensor configuration.

To sum up, for high-speed sensors like cameras, multi-layer protection is required to ensure the integrity and confidentiality of data. This framework also serves as an important reference to the future evolution of radar system communications.

 

4. Conclusion

 

As intelligent driving assistance systems evolve towards the wide application of L3+, the communication security of mmWave radar, a core sensor for environmental perception, has become a strategic focus that integrates cybersecurity (ISO 21434) and functional safety (ISO 26262). Weaknesses in communication security may lead to functional failures of intelligent driving assistance systems, threatening the safety of vehicles, drivers, and passengers. Hence, it is a pressing task for OEMs, Tier-1s, chip suppliers, and security solution providers to collaborate on a three-dimensional protection system that encompasses physical hardware encryption, signal integrity verification, and trusted transmission of data packets, jointly elevating the safety of intelligent driving assistance.

 

[1] Xiangyuan Peng, Miao Tang, Huawei Sun, Lorenzo Servadei, and Robert Wille, "4D mmWave Radar in Adverse Environments for Autonomous Driving: A Survey," https://arxiv.org/abs/2503.24091. Accessed: 2025-03-31.

[2] "Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing," 2020.

[3] CATARC, Huawei, "Research on Autonomous Driving Safety Model," 2024.

[4] MIPI Alliance White Paper, "Guide to Camera Security Framework for Automotive Applications," 2024.

[5] Mihai Ordean and Flavio D. Garcia, "Millimeter-Wave Automotive Radar Spoofing," https://arxiv.org/abs/2205.06567. Accessed: 2025-04-07.

[6] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M. Kintner, "Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer," in ION GNSS’08, 2008.

[7] SAE On-Road Automated Vehicle Standards Committee and others, "Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles," SAE International: Warrendale, PA, USA, 2018.

[8] Mohamed Abdel-Aty and Shengxuan Ding, "A matched case-control analysis of autonomous vs human-driven vehicle accidents," https://www.nature.com/articles/s41467-024-48526-4. Accessed: 2025-04-07.

[9] Biao Wu, Xichan Zhu, and Maozhu Liao, "Research on the Model of Safety Boundary Condition Based on Vehicle Intersection Conflict and Collision," 2019.

[10] National Technical Committee of Auto Standardization, "White Paper on Mature Driving Model for Intelligent Connected Vehicles," 2023.