The paper introduces Digital-Physical Adversarial Attacks (DiPA), a novel method for generating adversarial patches displayed directly on smartphone screens to attack face recognition systems. DiPA improves transferability and deployment speed by eliminating the need for printed artifacts and total-variation regularization. The authors demonstrate a real-time dodging attack against a deployed face-recognition camera, achieving higher success rates and feature-space distortion compared to traditional physical attacks.
Forget printed posters: now a smartphone screen displaying a dynamically generated adversarial patch can reliably spoof face recognition systems in real time.
This demonstration presents Digital-Physical Adversarial Attacks (DiPA), a new class of practical adversarial attacks against pervasive camera-based authentication systems, where an attacker displays an adversarial patch directly on a smartphone screen instead of relying on printed artifacts. This digital-only physical presentation enables rapid deployment, removes the need for total-variation regularization, and improves patch transferability in black-box conditions. DiPA leverages an ensemble of state-of-the-art face-recognition models (ArcFace, MagFace, CosFace) to enhance transfer across unseen commercial systems. Our interactive demo shows a real-time dodging attack against a deployed face-recognition camera, preventing authorized users from being recognized while participants dynamically adjust patch patterns and observe immediate effects on the sensing pipeline. We further demonstrate DiPA's superiority over existing physical attacks in terms of success rate, feature-space distortion, and reductions in detection confidence, highlighting critical vulnerabilities at the intersection of mobile devices, pervasive vision, and sensor-driven authentication infrastructures.