If you haven’t lived underneath a rock for the past decade or so, you will have seen a lot of arguing in the media by prominent figures and their respective fanbases about what the right sensor package is for autonomous vehicles, or ‘self-driving cars’ in popular parlance. As the task here is to effectively replicate what is achieved by the human Mark 1 eyeball and associated processing hardware in the evolutionary layers of patched-together wetware (‘human brain’), it might seem tempting to think that a bunch of modern RGB cameras and a zippy computer system could do the same vision task quite easily.

This is where reality throws a couple of curveballs. Although RGB cameras lack the evolutionary glitches like an inverted image sensor and a big dead spot where the optical nerve punches through said sensor layer, it turns out that the preprocessing performed in the retina, the processing in the visual cortex and analysis in the rest of the brain is really quite good at detecting objects, no doubt helped by millions of years of only those who managed to not get eaten by predators procreating in significant numbers.

Hence the solution of sticking something like a Lidar scanner on a car makes a lot of sense. Not only does this provide advanced details on one’s surroundings, but also isn’t bothered by rain and fog the way an RGB camera is. Having more and better quality information makes subsequent processing easier and more effective, or so it would seem.

Computer Vision Things

A Waymo Jaguar I-Pace car in San Francisco. (Credit: Dllu, Wikimedia)
Giving machines the ability to see and recognize objects has been a dream for many decades, and the subject of nearly an infinite number of science-fiction works. For us humans this ability is developed over the course of our development from a newborn with a still developing visual cortex, to a young adult who by then has hopefully learned how to identify objects in their environment, including details like which objects are edible and which are not.

As it turns out, just the first part of that challenge is pretty hard, with interpreting a scene as captured by a camera subject to many possible algorithms that seek to extract edges, infer connections based on various hints as well as the distance to said object and whether it’s moving or not. All just to answer the basic question of which objects exist in a scene, and what they are currently doing.

Approaches to object detection can be subdivided into conventional and neural network approaches, with methods employing convolutional neural networks (CNNs) being the most prevalent these days. These CNNs are typically trained with a dataset that is relevant to the objects that will be encountered, such as while navigating in traffic. This is what is used for autonomous cars today by companies like Waymo and Tesla, and is why they need to have both access to a large dataset of traffic videos to train with, as well as a large collection of employees who watch said videos in order to tag as many objects as possible. Once tagged and bundled, these videos then become CNN training data sets.

This raises the question of how accurate this approach is. With purely RGB camera images as input, the answer appears to be ‘sorta’. Although only considered to be a Class 2 autonomous system according to the SAE’s 0-5 rating system, Tesla vehicles with the Autopilot system installed failed to recognize hazards on multiple occasions, including the side of a white truck in 2016, a concrete barrier between a highway and an offramp in 2018, running a red light and rear-ending a fire truck in 2019.

This pattern continues year after year, with the Autopilot system failing to recognize hazards and engaging the brakes, including in so-called ‘Full-Self Driving’ (FSD) mode. In April of 2024, a motorcyclist was run over by a Tesla in FSD mode when the system failed to stop, but instead accelerated. This made it the second fatality involving FSD mode, with the mode now being called ‘FSD Supervised’.

Compared to the considerably less crash-prone Level 4 Waymo cars with their hard to miss sensor packages strapped to the car, one could conceivably make the case that perhaps just a couple of RGB cameras is not enough for reliable object detection, and that quite possibly blending of sensors is a more reliable method for object detection.

Which is not to say that Waymo cars are perfect, of course. In 2024 one Waymo car managed to hit a utility pole at low speeds during a pullover maneuver, when the car’s firmware incorrectly assessed its response to a situation where a ‘pole-like object’ was present, but without a hard edge between said pole and the road.

This gets us to the second issue with self-driving cars: taking the right decision when confronted with a new situation.

Acting On Perception

The Tesla Hardware 4 mainboard with its redundant custom SoCs. (Source: Autopilotreview.com)
Once you know what objects are in a scene, and merge this with the known state of the vehicle and, the next step for an autonomous vehicle is to decide what to do with this information. Although the tempting answer might be to also use ‘something with neural networks’ here, this has turned out to be a non-viable method. Back in 2018 Waymo created a recursive neural network (RNN) called ChauffeurNet which was trained on both real-life and synthetic driving data to have it effectively imitate human drivers.

The conclusion of this experiment was that while deep learning has a place here, you need to lean mostly on a solid body of rules that provides it with explicit reasoning that copes better with what is called the ‘long tail’ of possible situations, as you cannot put every conceivable situation in a data set.

This thus again turns out to be a place where human input and intelligence are required, as while an RNN or similar can be trained on an impressive data set, it will never be able to learn the reasons for why a decision was made in a training video, nor provide its own reasoning and make reasonable adaptations when faced with a new situation. This is where human experts have to define explicit rules, taking into account the known facts about the current surroundings and state of the vehicle.

Here is where having details like explicit distance information to an obstacle, its relative speed and dimensions, as well as room to divert to prevent a crash are not just nice to have. Adding sensors like radar and Lidar can provide solid data that an RGB camera plus CNN may also provide if you’re lucky, but also maybe not quite. When you’re talking about highway speeds and potentially the lives of multiple people at risk, certainty always wins out.

Tesla Hardware And Sneaky Radars

Arbe Phoenix radar module installed in a Tesla car as part of the Hardware 4 Autopilot hardware. (Credit: @greentheonly, Twitter)
One of the poorly kept secrets about Tesla’s Autopilot system is that it’s had a front-facing radar sensor for most of the time. Starting with Hardware 1 (HW1), it featured a single front-facing camera behind the top of the windshield and a radar behind the lower grille, in addition to 12 ultrasonic sensors around the vehicle.

Notable is that Tesla did not initially use the radar in a primary object detection role here, meaning that object detection and emergency stop functionality was performed using the RGB cameras. This changed after the RGB camera system failed to notice a white trailer against a bright sky, resulting in a spectacular crash. The subsequent firmware update gave the radar system the same role as the camera system, which likely would have prevented that particular crash.

HW1 used Mobileye’s EyeQ3, but after Mobileye cut ties with Tesla, NVidia’s Drive PX 2 was used instead for HW2. This upped the number of cameras to eight, providing a surround view of the car’s surroundings, with a similar forward-facing radar. After an intermedia HW2.5 revision, HW3 was the first to use a custom processor, featuring twelve Arm Cortex-A72 cores clocked at 2.6 GHz.

HW3 initially also had a radar sensor, but in 2021 this was eliminated with the ‘Tesla Vision’ system, which resulted in a significant uptick in crashes. In 2022 it was announced that the ultrasonic sensors for short-range object detection would be removed as well.

Then in January of 2023 HW4 started shipping, with even more impressive computing specs and 5 MP cameras instead of the previous 1.2 MP ones. This revision also reintroduced the forward-facing radar, apparently the Arbe Phoenix radar with a 300 meter range, but not in the Model Y. This indicates that RGB camera-only perception is still the primary mode for Tesla cars.

Answering The Question

At this point we can say with a high degree of certainty that by just using RGB cameras it is exceedingly hard to reliably stop a vehicle from smashing into objects, for the simple reason that you are reducing the amount of reliable data that goes into your decision-making software. While the object-detecting CNN may give a 29% possibility of an object being right up ahead, the radar or Lidar will have told you that a big, rather solid-looking object is lying on the road. Your own eyes would have told you that it’s a large piece of concrete that fell off a truck in front of you.

This then mostly leaves the question of whether the front-facing radar that’s present in at least some Tesla cars is about as good as the Lidar contraption that’s used by other car manufacturers like Volvo, as well as the roof-sized version by Waymo. After all, both work according to roughly the same basic principles.

That said, Lidar is superior when it comes to aspects like accuracy, as radar uses longer wavelengths. At the same time a radar system isn’t bothered as much by weather conditions, while generally being cheaper. For Waymo the choice for Lidar over radar comes down to this improved detail, as they can create a detailed 3D image of the surroundings, down to the direction that a pedestrian is facing, and hand signals by cyclists.

Thus the shortest possible answer is that yes, Lidar is absolutely the best option, while radar is a pretty good option to at least not drive into that semitrailer and/or pedestrian. Assuming your firmware is properly configured to act on said object detection, natch.

hackaday.com/2025/10/30/self-d…

Da agosto 2024, la campagna PhantomRaven ha caricato 126 pacchetti dannosi su npm, che sono stati scaricati complessivamente oltre 86.000 volte. La campagna è stata scoperta da Koi Security, che ha riferito che gli attacchi sono stati abilitati da una funzionalità poco nota di npm che gli consente di aggirare la protezione e il rilevamento.

Si sottolinea che al momento della pubblicazione del rapporto erano ancora attivi circa 80 pacchetti dannosi. Gli esperti spiegano che gli aggressori sfruttano il meccanismo Remote Dynamic Dependencies (RDD).

In genere, uno sviluppatore vede tutte le dipendenze di un pacchetto in fase di installazione, scaricate dall’infrastruttura NPM attendibile. Tuttavia, RDD consente ai pacchetti di estrarre automaticamente il codice da URL esterni, anche tramite un canale HTTP non crittografato. Nel frattempo, il manifest del pacchetto non mostra alcuna dipendenza.

Quando uno sviluppatore esegue npm install, il pacchetto dannoso scarica silenziosamente un payload da un server controllato dagli aggressori e lo esegue immediatamente. Non è richiesta alcuna interazione da parte dell’utente e gli strumenti di analisi statica rimangono inconsapevoli dell’attività.

“PhantomRaven dimostra quanto possano essere sofisticati gli aggressori quando sfruttano i punti ciechi delle soluzioni di sicurezza tradizionali. Le dipendenze dinamiche remote sono semplicemente invisibili all’analisi statica”, affermano i ricercatori.

Si noti che il malware viene scaricato dal server ogni volta che il pacchetto viene installato, anziché essere memorizzato nella cache.

Questo apre le porte ad attacchi mirati: gli aggressori possono controllare l’indirizzo IP della richiesta e inviare codice innocuo ai ricercatori di sicurezza, distribuire codice dannoso per le reti aziendali e distribuire payload specializzati per gli ambienti cloud.

Una volta infettato, il malware raccoglie attentamente informazioni sul sistema della vittima:

• variabili di ambiente con configurazioni dei sistemi interni dello sviluppatore;
• token e credenziali per npm, GitHub Actions, GitLab, Jenkins e CircleCI;
• l’intero ambiente CI/CD attraverso il quale passano le modifiche al codice apportate da diversi sviluppatori.

I token rubati possono essere utilizzati per attaccare le supply chain e iniettare codice dannoso in progetti legittimi. Il furto di dati è organizzato in modo ridondante, utilizzando tre metodi: HTTP GET con dati nell’URL, HTTP POST con JSON e connessioni WebSocket.

Gli esperti scrivono che molti pacchetti dannosi sono mascherati da strumenti GitLab e Apache.

Lo slopsquatting, ovvero lo sfruttamento delle allucinazioni dell’intelligenza artificiale, gioca un ruolo speciale in questa campagna. Gli sviluppatori chiedono spesso agli assistenti LLM quali pacchetti siano più adatti a un particolare progetto. I modelli di intelligenza artificiale spesso inventano nomi inesistenti ma plausibili. Gli operatori PhantomRaven tracciano queste allucinazioni e registrano i pacchetti con questi nomi. Le vittime alla fine installano il malware da sole, seguendo le raccomandazioni di LLM.

Gli sviluppatori di LLM non comprendono ancora le cause esatte di queste allucinazioni e non sono in grado di creare modelli che le prevengano, ed è proprio questo che gli aggressori stanno sfruttando. I ricercatori ricordano di non affidarsi a LLM nella scelta delle dipendenze e di controllare attentamente i nomi dei pacchetti e le loro fonti, installando solo pacchetti provenienti da fornitori affidabili.

L'articolo 100 pacchetti di Infostealer caricati su NPM sfruttando le allucinazioni delle AI proviene da Red Hot Cyber.

I ricercatori di Varonis hanno scoperto la piattaforma MaaS (malware-as-a-service) Atroposia. Per 200 dollari al mese, i suoi clienti ricevono un Trojan di accesso remoto con funzionalità estese, tra cui desktop remoto, gestione del file system, furto di informazioni, credenziali, contenuto degli appunti, wallet di criptovalute, dirottamento DNS e uno scanner integrato per le vulnerabilità locali.

Secondo gli analisti, Atroposia ha un’architettura modulare. Il malware comunica con i server di comando e controllo tramite canali crittografati ed è in grado di bypassare il Controllo Account Utente (UAC) per aumentare i privilegi in Windows.

Una volta infettato, fornisce un accesso persistente e non rilevabile al sistema della vittima. I moduli chiave di Atroposia sono:

HRDP Connect avvia una sessione di desktop remoto nascosta in background, consentendo agli aggressori di aprire applicazioni, leggere documenti ed e-mail e, in generale, interagire con il sistema senza alcun segno visibile di attività dannosa. I ricercatori sottolineano che gli strumenti standard di monitoraggio dell’accesso remoto potrebbero “non rilevare” questa attività.

Il file manager funziona come un familiare Esplora risorse di Windows: gli aggressori possono visualizzare, copiare, eliminare ed eseguire i file. Il componente grabber cerca i dati per estensione o parola chiave, li comprime in archivi ZIP protetti da password e li invia al server di comando e controllo utilizzando metodi in-memory, riducendo al minimo le tracce dell’attacco sul sistema.

Stealer raccoglie dati di accesso salvati, dati del portafoglio di criptovalute e file di chat. Il gestore degli appunti intercetta tutto ciò che l’utente copia (password, chiavi API, indirizzi del portafoglio) in tempo reale e lo conserva per gli aggressori.

Il modulo di spoofing DNS sostituisce i domini con gli indirizzi IP degli aggressori a livello di host, reindirizzando silenziosamente le vittime verso server controllati dagli hacker. Questo apre le porte a phishing, attacchi MitM, falsi aggiornamenti, iniezione di adware o malware e furto di dati tramite query DNS.

Lo scanner di vulnerabilità integrato analizza il sistema della vittima alla ricerca di vulnerabilità non corrette, impostazioni non sicure e software obsoleto. I risultati vengono inviati agli operatori di malware sotto forma di punteggio, che gli aggressori possono utilizzare per pianificare ulteriori attacchi.

I ricercatori avvertono che questo modulo è particolarmente pericoloso negli ambienti aziendali: il malware potrebbe rilevare un client VPN obsoleto o una vulnerabilità di escalation dei privilegi, che può quindi essere sfruttata per ottenere informazioni più approfondite sull’infrastruttura della vittima. Inoltre, lo scanner analizza i sistemi vulnerabili nelle vicinanze per rilevare eventuali movimenti laterali.

Varonis osserva che Atroposia prosegue la tendenza verso la democratizzazione del crimine informatico.

Insieme ad altre piattaforme MaaS (come SpamGPT e MatrixPDF), riduce la barriera tecnica all’ingresso, consentendo anche ad aggressori poco qualificati di condurre efficaci “attacchi in abbonamento”.

L'articolo Atroposia: la piattaforma MaaS che fornisce un Trojan munito di scanner delle vulnerabilità proviene da Red Hot Cyber.