UOS News


Professor Hyeongboo Baek’s team develops AI hacking technique that deceives autonomous vehicles’ “eyes”
External Cooperation Division (REG_DATE : 2025-10-24)


- Presents a more powerful “spear” in the spear-and-shield battle — points to directions for safer autonomous driving technology.

- Up to 11.8× more effective than existing attacks; presented at the top AI conference IJCAI 2025.


A research team led by Professor Hyeongboo Baek of the Department of Artificial Intelligence, University of Seoul, has developed a novel AI-based hacking technique called BankTweak, which exploits a vulnerability in multi-object tracking (MOT), a core component of autonomous driving systems. The work was accepted for presentation at the International Joint Conference on Artificial Intelligence (IJCAI 2025), one of the world’s most prestigious AI conferences.


The study has attracted strong attention from both academia and industry because it is the first to reveal a concrete security weakness in autonomous vehicle perception systems and to highlight the urgent need for more robust defensive techniques.


MOT acts as an autonomous vehicle’s “eyes,” simultaneously tracking and predicting the movements of multiple objects, such as pedestrians and vehicles, based on camera footage.


Previous AI attacks on MOT typically aimed to make an object briefly disappear (false negative) or to perturb its predicted position to trigger identity switches. Those attacks are often brittle: systems can mitigate them by tuning detection boundaries (the Mahalanobis distance threshold), so the attacks lack strong robustness.



BankTweak, by contrast, targets the feature bank—the memory that stores each object’s distinctive feature information. Rather than displacing an object in space, BankTweak subtly corrupts the feature representations so that the tracker persistently confuses the object’s identity while the object remains physically unchanged. The entire attack unfolds over only five consecutive video frames. In a short “preparation” phase, specially crafted feature vectors are stealthily injected into the target object’s feature banks. In a subsequent “identity-switching” phase, those implanted features are leveraged together with a specific vulnerability in the Hungarian matching algorithm so that identity swaps remain in effect even after the attack has finished.


In experiments, BankTweak induced identity confusion up to 11.8 times more effectively than state-of-the-art attacks. Unlike prior approaches that flood the scene with many fake detections, making them easier to spot, BankTweak is harder to detect and is broadly applicable across different tracking systems.


This research is significant because it uncovers a fundamental vulnerability of feature-based MOT systems and introduces a new attack paradigm that defenders must address.


“This study provides a stronger ‘spear’ in the spear-and-shield contest,” said Professor Hyeongboo Baek. “More importantly, it points toward critical directions for research on defensive technologies that can substantially improve the security and reliability of autonomous driving systems.”


▶ Professor Hyeongboo Baek