Robust Physical Hard-Label Attacks on Deep Learning Visual Classification

European Symposium on Security and Privacy (EuroS&P), 2020
Abstract

Existing physical adversarial examples for computer vision rely on white-box access. In this work, we investigate physical examples in the black-box hard-label case -- where the attacker has only query access to the model and only receives the top-1 class label without confidence information. This threat model is more realistic for cyber-physical systems -- the main target when considering physical attacks on computer vision. Key challenges in this setting include obtaining reliability against environmental variations and creating area-limited perturbations without access to model gradients. We base our work on recent advances in gradient-free optimization and present GRAPHITE, the first algorithm for black-box hard-label physical attacks on computer vision models. We evaluate GRAPHITE on a traffic sign classifier and a publicly-available Automatic License Plate Recognition (ALPR) tool using only query access. We successfully cause a Stop sign to be misclassified as a Speed Limit 30 in 92.9% of physical test images and cause errors in 95% of cases for the ALPR tool.