2026-06-18
Physical AI Cybersecurity 2026 — Waymo LIDAR Spoofing vs Tesla FSD Adversarial Attacks: The AV Security Benchmark
Waymo multi-sensor fusion resists LIDAR spoofing and adversarial patches. Tesla camera-only FSD faces different attack surfaces. OTA security matters for both.
Article 210 in the Physical AI Benchmark Series — AV Cybersecurity Deep Dive
Cybersecurity in consumer electronics is a data-protection problem. Cybersecurity in autonomous vehicles is a safety problem. When a threat actor exploits a vulnerability in a smart speaker, the consequence is a privacy breach. When a threat actor exploits a vulnerability in an autonomous vehicle, the consequence can be a multi-ton machine braking at highway speed, navigating to the wrong destination, or ignoring a traffic signal. The attack surface of a modern AV spans wireless communications, sensor hardware, positioning systems, vehicle control networks, passenger applications, and over-the-air software update infrastructure — a combination that is structurally more diverse than any previous category of consumer device.
This article benchmarks where Waymo and Tesla FSD stand on AV cybersecurity in 2026: what attack categories researchers have demonstrated, how each company’s architecture affects its exposure, what regulatory frameworks now mandate (or recommend), and which structural security advantages cannot be remedied without hardware changes. All figures labeled (est.) are estimates where companies have not published official disclosures.
Section 1 — The AV Attack Surface: Why Cybersecurity Is a Safety Issue
The distinction between a cybersecurity problem and a safety problem is the most important framing issue in AV security. In consumer IoT, a successful cyberattack compromises data or service availability. In an AV, a successful cyberattack can directly actuate the physical world — causing emergency braking, steering changes, or loss of localization on a vehicle carrying passengers at speed. This fundamentally changes the threat model: the attacker’s objective is not data exfiltration, it is physical consequence.
The AV attack surface has multiple distinct layers:
Wireless communications — Every modern AV carries an LTE or 5G cellular modem for over-the-air software updates, fleet monitoring, and remote operations. This modem is an always-on internet connection to the vehicle. Unlike a personal vehicle driven for one to two hours per day, commercial AV fleets operate continuously, extending their attack exposure window by an order of magnitude.
Sensor hardware — LIDAR sensors emit and receive laser pulses to build 3D point clouds. Camera systems capture real-time video. Radar transceivers measure velocity and range. Each of these sensors can, in principle, be targeted: LIDAR receivers can receive spurious laser pulses from external sources; cameras can be deceived by adversarial visual patterns; radar can be jammed or spoofed. The sensor layer is a physical attack surface that has no equivalent in traditional consumer devices.
Positioning systems — GPS/GNSS signals are extraordinarily weak (est. -130 dBm received power), making them susceptible to jamming and spoofing. A GPS-spoofed AV could have a corrupted position estimate. How each AV handles GPS degradation — through fallback localization methods — is a consequential security architecture decision.
Vehicle control network — The CAN bus connects safety-critical vehicle systems (steering, braking, throttle) to electronic control units. Originally designed without security in mind, the CAN bus has been demonstrated as exploitable in classic automotive research (the 2015 Jeep Cherokee remote hack by Miller and Valasek). Modern AVs have made architectural improvements, but the in-vehicle network remains a consequential attack surface if an internet-connected component can bridge to it.
Passenger interface — Consumer-facing mobile applications (the Waymo app, the Tesla app) expose API endpoints, OAuth flows, and account management surfaces to millions of users. A compromised mobile app or backend could expose vehicle location, trip history, or account access.
Remote operations center — Waymo’s commercial fleet includes a remote operations capability: trained operators can monitor trips and intervene when the vehicle encounters novel situations. A compromised remote operations center could, in theory, affect fleet behavior.
Over-the-air software updates — The highest-value target in the AV attack surface. A successful OTA exploit affects every vehicle in the fleet simultaneously. Both Waymo and Tesla deliver software updates wirelessly; the security of the update pipeline — from server authentication to cryptographic signature verification on the vehicle — is the most consequential single point of failure.
What makes AV cybersecurity categorically different from traditional automotive cybersecurity is the combination of three factors: (1) AVs operate unsupervised in public space, with no human to override a security-induced malfunction; (2) commercial AV fleets are always-on and always-connected, creating continuous attack exposure; (3) the safety-critical nature of AV decision-making means a successful attack has immediate physical consequences, not merely data consequences.
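One way to handle the GPS degradation case from the positioning-systems item above, as an added example that is not code from Waymo, Tesla or the original article: GPS is treated as a secondary input that is checked against a map-matched pose when one exists and against a dead-reckoned prediction when it does not. The `Pose`, `advance` and `arbitrate` names, the 5 m gate and the track are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass(frozen=True)
class Pose:
    lat: float  # degrees
    lon: float  # degrees

def distance_m(a, b):
    """Great-circle (haversine) distance between two poses, in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def advance(p, north_m, east_m):
    """Dead-reckon: move a pose by a small odometry/IMU displacement."""
    dlat = math.degrees(north_m / EARTH_RADIUS_M)
    dlon = math.degrees(east_m / (EARTH_RADIUS_M * math.cos(math.radians(p.lat))))
    return Pose(p.lat + dlat, p.lon + dlon)

def arbitrate(prev, gps, map_match, moved, gate_m=5.0):
    """Return (pose, source, alert) for one localization step.

    prev      -- last trusted pose
    gps       -- GPS fix, or None when no fix is available (e.g. jamming)
    map_match -- pose from matching sensor data to the map, or None
    moved     -- (north_m, east_m) displacement since prev from odometry/IMU
    gate_m    -- assumed consistency gate; a real system would derive it
                 from the uncertainty of each source
    """
    predicted = advance(prev, *moved)
    if map_match is not None:
        pose, source = map_match, "map_match"      # primary source wins
    else:
        pose, source = predicted, "dead_reckoning"  # short-term fallback
    if gps is None:
        return pose, source, "gps_unavailable"
    if distance_m(gps, pose) > gate_m:
        return pose, source, "gps_inconsistent"     # reject the fix, raise alert
    if map_match is None:
        pose, source = gps, "gps"  # consistent fix bounds dead-reckoning drift
    return pose, source, None

def run_constructed_track():
    """Constructed track: 10 m north per step, GPS pulled 30 m east mid-run."""
    start = Pose(37.0, -122.0)
    truth = [advance(start, 10.0 * i, 0.0) for i in range(1, 6)]
    steps = [
        (advance(truth[0], 1.0, 0.0), truth[0]),   # honest GPS, map-match ok
        (advance(truth[1], 0.0, 30.0), truth[1]),  # offset GPS, map-match ok
        (advance(truth[2], 0.0, 30.0), None),      # offset GPS, no map-match
        (None, None),                              # no GPS, no map-match
        (advance(truth[4], 1.0, 0.0), None),       # honest GPS returns
    ]
    pose, log = start, []
    for gps, map_match in steps:
        pose, source, alert = arbitrate(pose, gps, map_match, (10.0, 0.0))
        log.append((source, alert))
    return log

if __name__ == "__main__":
    for entry in run_constructed_track():
        print(entry)
```

A per-step gate does not catch an offset that grows by less than `gate_m` each step, so the time a vehicle may run without a map-match needs its own bound.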
Section 2 — LIDAR Spoofing and Sensor Attacks: What Researchers Have Demonstrated
| Attack category | Demonstrated? | Method | Waymo exposure | Tesla FSD exposure | Mitigation status |
|---|---|---|---|---|---|
| LIDAR spoofing (ghost objects) | YES — research demonstrated (Duke/UCSB/Michigan teams): attacker uses a laser device to inject false point cloud data, creating ghost vehicles or pedestrians in AV LIDAR perception; demonstrated causing AV emergency braking on ghost vehicle | Commercial laser diode array pointed at LIDAR receiver; requires line-of-sight within est. 30-100 meters (est.); spoofed points appear as solid objects in point cloud; demonstrated at USENIX Security and IEEE S&P conferences | Waymo uses LIDAR plus camera plus radar multi-modal fusion; an attacker must create consistent false objects across all three modalities simultaneously to cause AV action; a LIDAR ghost absent from camera and radar can be filtered; HD map consistency check provides additional anomaly detection | Tesla FSD uses camera-only (no LIDAR); LIDAR spoofing as defined does not apply to Tesla camera-only architecture; however Tesla camera systems face adversarial patch attacks that LIDAR-based systems handle differently | Waymo mitigation: multi-modal fusion makes spoofing significantly harder but not impossible; anomaly detection on multi-modal disagreement; LIDAR receiver hardware modifications to detect spoofing pulse timing; Tesla: LIDAR spoofing not applicable |
| Camera adversarial patches | YES — research demonstrated (UW/UCSB/Michigan): small printed patterns on road signs or road surfaces cause misclassification in neural-net camera systems; demonstrated causing STOP sign misclassification and speed limit misreading in controlled environments | High-contrast patterns optimized against neural network classifier; placed on physical surfaces (stop signs, lane markings); does not require electronics or proximity — a static sticker on a stop sign can affect any passing vehicle | Waymo uses LIDAR plus camera plus radar fusion; a STOP sign with an adversarial patch is still in its correct 3D map position and detectable by LIDAR as a sign-shaped object; camera classification failure can be cross-validated against LIDAR map position; significantly more resilient than camera-only systems | Tesla FSD is camera-only; adversarial patches targeting camera classifiers are Tesla’s most direct sensor-level security concern; Tesla’s end-to-end neural net may have some implicit robustness from training on diverse sign conditions, but adversarial patches are specifically optimized to fool neural nets | Multi-modal fusion (Waymo advantage); temporal consistency checking (a sign that changes appearance mid-approach is anomalous); fleet-wide anomaly detection; adversarial training during neural net development |
| GPS spoofing and jamming | YES — demonstrated in civilian contexts: GPS jamming by commercial devices; GPS spoofing demonstrated in drone applications and near military conflict zones; GPS signal is weak (est. -130 dBm), making it susceptible to interference; commercial jammers reported at est. 5-50 meter to est. 10-20 kilometer effective range (est.) depending on device | Commercial GPS jammers; GPS spoofing requires signal generation equipment; signal is weak making it susceptible to interference | Waymo primary localization: LIDAR point cloud matched against HD map (not GPS); GPS is a secondary input; if GPS contradicts LIDAR map-matching, the LIDAR map-match wins; GPS spoofing attack that cannot also fool LIDAR map-matching is ineffective against Waymo’s localization | Tesla FSD localization relies more heavily on visual landmarks (lane lines, road signs, building facades) for position estimation; GPS used for map matching and routing; vision-based localization provides some GPS spoofing resilience but is dependent on visual landmark quality and environment density | LIDAR map-matching (Waymo) and visual-inertial localization (Tesla) provide fallback positioning; multi-constellation and multi-frequency GPS antenna design improves spoofing detection; IMU provides short-term dead-reckoning if GPS fails |
| OTA software update attack | NO public demonstration on production AV fleets; theoretical high-value attack vector; comparable attacks demonstrated on non-automotive IoT; both Tesla and Waymo OTA infrastructure uses cryptographic code signing | Compromise OTA update server or intercept distribution channel; push malicious firmware to vehicles; single compromise affects entire fleet simultaneously | Waymo est. 2,500 commercial vehicles (est.) in 4 US cities; safety-critical drive systems are air-gapped from internet-connected update systems, limiting OTA attack blast radius; smaller fleet means faster anomaly detection if one vehicle behaves unexpectedly | Tesla est. 6 million plus consumer FSD-capable vehicles (est.) worldwide represent the largest OTA attack surface in the automotive industry; a successful Tesla OTA attack would be unprecedented in scale; Tesla has 10-plus years of OTA security hardening experience; HSM-based key management | Both companies use cryptographic code signing; hardware security modules protect signing keys; on-device signature verification before any update is applied; attack requires compromising the signing infrastructure or key storage, not merely the distribution channel |
| CAN bus and in-vehicle network | YES — classic automotive research (Miller/Valasek 2015 Jeep Cherokee remote hack); modern AVs have improved CAN security; both Waymo and Tesla have in-vehicle network security programs | Physical OBD port access or via compromised internet-connected component that bridges to CAN; requires either physical access or prior compromise of a networked component | Waymo commercial fleet: physical access attacks require access to the commercial vehicle; fleet management controls vehicle access; air-gap between internet systems and safety-critical CAN systems limits remote-to-CAN attack paths | Tesla consumer vehicles: physical OBD access available to vehicle owner; Tesla has implemented zone-based CAN architecture separating safety-critical from infotainment networks; millions of vehicles in private hands creates more diverse physical access scenarios than Waymo’s controlled commercial fleet | Modern AV architecture isolates safety-critical from internet-connected systems via hardware separation, firewalls, and cryptographic access control; Waymo’s commercial-only fleet provides better physical access control than consumer vehicles |
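
The cross-modal checks the table credits to sensor fusion (a LIDAR object with no camera or radar counterpart, and a camera sign classification that disagrees with the mapped sign at that position) can be sketched as follows. This is an added example, not code from Waymo, Tesla or the original article; the `Detection` and `MapSign` types, the 2 m association radius, the labels and the frame are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import hypot

@dataclass(frozen=True)
class Detection:
    sensor: str           # "lidar", "camera" or "radar"
    x: float              # metres ahead of the vehicle
    y: float              # metres to the left of the vehicle
    label: str = "object"

@dataclass(frozen=True)
class MapSign:
    x: float
    y: float
    label: str            # e.g. "sign:stop"

def supporting_sensors(det, frame, radius_m):
    """Other modalities that report something within radius_m of det."""
    return {o.sensor for o in frame
            if o.sensor != det.sensor
            and hypot(o.x - det.x, o.y - det.y) <= radius_m}

def check_frame(frame, map_signs, radius_m=2.0):
    """Return cross-modal disagreements found in one perception frame.

    Findings are reported, not silently dropped: a real object can also be
    seen by only one sensor, so the response policy belongs downstream.
    """
    findings = []
    for det in frame:
        # LIDAR return that neither camera nor radar sees at that position.
        if det.sensor == "lidar" and not supporting_sensors(det, frame, radius_m):
            findings.append(("lidar_uncorroborated", det.x, det.y))
        # Camera sign class that contradicts the mapped sign at that position.
        if det.sensor == "camera" and det.label.startswith("sign:"):
            for sign in map_signs:
                close = hypot(sign.x - det.x, sign.y - det.y) <= radius_m
                if close and sign.label != det.label:
                    findings.append(("sign_label_mismatch", sign.label, det.label))
    return findings

# Constructed frame: one real vehicle seen by all three sensors, one
# LIDAR-only object, and a mapped stop sign the camera reads as a speed limit.
CONSTRUCTED_FRAME = [
    Detection("lidar", 20.1, 0.1),
    Detection("camera", 19.8, -0.2, "vehicle"),
    Detection("radar", 20.3, 0.0),
    Detection("lidar", 12.0, 0.5),
    Detection("lidar", 30.0, -4.1),
    Detection("camera", 30.2, -3.9, "sign:speed_limit"),
]
CONSTRUCTED_MAP = [MapSign(30.0, -4.0, "sign:stop")]

if __name__ == "__main__":
    for finding in check_frame(CONSTRUCTED_FRAME, CONSTRUCTED_MAP):
        print(finding)
```
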
Section 3 — Regulatory and Standards Landscape for AV Cybersecurity
| Standard / regulation | Jurisdiction | Key requirement | AV applicability | Status |
|---|---|---|---|---|
| UNECE WP.29 Cybersecurity | EU, Japan, Korea (mandatory); global de facto standard | Requires Cyber Security Management System (CSMS) certification; covers vehicle lifecycle (design, production, post-production); manufacturers must maintain CSMS and update it over the vehicle lifetime | Directly applicable to Waymo and Tesla vehicles in EU, Japan, and Korea markets; mandates threat analysis and risk assessment (TARA) for all vehicle systems; mandates incident monitoring and response | Mandatory from July 2022 for new type approvals in EU, Japan, Korea; most stringent and most globally adopted AV cybersecurity standard |
| ISO/SAE 21434 | Global standard (non-mandatory) | Automotive cybersecurity engineering standard; TARA methodology; security by design lifecycle; post-production cybersecurity management | The technical engineering standard that UNECE WP.29 compliance references; defines how to build automotive cybersecurity processes; TARA for LIDAR spoofing, OTA attacks, and sensor adversarial attacks covered under this framework | Published August 2021; widely adopted by automotive suppliers as baseline; Tier 1 sensor manufacturers providing to Waymo, Tesla, and Aurora must be ISO/SAE 21434 aligned |
| NHTSA Cybersecurity Best Practices | US (voluntary guidelines, 2022) | Voluntary best practices for motor vehicle cybersecurity; covers access control, threat monitoring, incident response, OTA updates, and network segmentation | Voluntary guidance for US-sold vehicles; NHTSA has moved toward proposing mandatory rules but has not yet enacted mandatory automotive cybersecurity regulation in the US | Voluntary as of 2026; NHTSA Moving Forward regulatory agenda includes proposed mandatory CSMS rule; US remains behind EU in mandatory AV cybersecurity regulation |
| China GB/T 38628 | China (mandatory for connected vehicles) | Automotive cybersecurity management system standard for connected vehicles; similar scope to UNECE WP.29 | Applies to all connected vehicles sold in China; particularly relevant for Tesla’s Shanghai manufacturing footprint; China’s standard emphasizes data localization — AV data collected in China must remain in China | Mandatory in China; enforced by MIIT; data sovereignty requirements add complexity for foreign AV companies with global data pipelines |
| SAE J3061 | US/Global (voluntary) | Cybersecurity guidebook for cyber-physical vehicle systems; process framework for automotive cybersecurity engineering | Predecessor to ISO/SAE 21434; widely referenced in industry; relevant for AV cybersecurity design process | Published 2016; partially superseded by ISO/SAE 21434 for newer programs; still referenced in existing programs |
| EU NIS2 Directive | EU (mandatory) | Network and information security requirements for critical infrastructure; transportation sector included | Connected vehicle infrastructure (fleet management servers, OTA update infrastructure, remote operations centers) may fall under NIS2 critical infrastructure requirements | Transposed into EU member state law by October 2024; AV fleet operators in EU must comply with NIS2 incident reporting requirements |
Section 4 — Comparative Security Architecture: Waymo vs Tesla FSD
| Security dimension | Waymo | Tesla FSD | Edge | Key uncertainty |
|---|---|---|---|---|
| Sensor redundancy against attack | Multi-modal fusion (LIDAR plus camera plus radar plus HD map): attacker must fool multiple independent sensors simultaneously; this is Waymo’s single largest cybersecurity structural advantage | Camera-only: a successful adversarial attack against the camera system has no independent LIDAR or radar validation to catch the error; redundancy is temporal (multiple camera frames) and geometric (multiple camera angles) but not modality-based | Waymo: multi-modal sensor redundancy is a structural security advantage that cannot be matched by camera-only systems without hardware changes | Does Waymo’s multi-modal fusion actually catch adversarial patch attacks in real-world production? Academic research is controlled-environment; real-world adversarial patch durability (weather, lighting, physical wear) affects attack effectiveness |
| Fleet attack surface | Est. 2,500 commercial vehicles (est.) in 4 US cities; controlled commercial deployment; physical access to vehicles is controlled by fleet management; smaller total network surface | Est. 6 million plus consumer FSD-capable vehicles (est.) in dozens of countries; private consumer ownership means diverse and less controlled physical access; largest OTA attack surface in the automotive industry | Tesla: FSD scale creates security complexity but also security investment resources; Tesla’s 10-plus years of consumer OTA security hardening is meaningful operational experience | Tesla’s scale means a successful fleet-level attack has est. 2,400 times greater reach than a comparable Waymo attack (est.); this asymmetry may be the most important security risk comparison |
| OTA update security | Air-gapped safety-critical systems (drive system isolated from internet-connected update systems); cryptographic code signing; smaller fleet enables faster anomaly detection if one vehicle behaves unexpectedly | HSM-based key management; cryptographic code signing; fleet-wide OTA rollout with staged deployment (small percentage of fleet first, monitor, then expand); 10-plus years of consumer OTA security hardening | Comparable (both have strong OTA security programs); Tesla has more years of real-world OTA hardening; Waymo’s air-gap on safety-critical systems provides blast-radius limitation | Air-gap architecture is the ideal design; the question is whether Waymo’s implementation is fully realized or whether bridged components exist |
| Bug bounty program | Waymo has a security vulnerability disclosure program; scope includes vehicle systems, cloud infrastructure, and mobile apps | Tesla Bug Bounty since 2014; one of the longest-running automotive bug bounty programs; has paid out significant rewards; community of security researchers know Tesla systems well | Tesla: 10-plus year program history means more researchers have studied Tesla security, more vulnerabilities have been found and fixed; Waymo’s program is newer with a smaller researcher community | Bug bounty effectiveness depends on researcher community size and reward levels; larger programs find and fix more vulnerabilities over time |
| Regulatory compliance | UNECE WP.29 applicable for international markets; US NHTSA voluntary guidelines followed; ISO/SAE 21434 engineering standard | UNECE WP.29 applicable for EU, Japan, Korea markets where Tesla sells vehicles; US NHTSA voluntary; China GB/T 38628 critical for Tesla Shanghai manufacturing | Comparable (both are global companies subject to the same mandatory standards); Tesla’s larger China manufacturing footprint makes China GB/T 38628 more operationally important | NHTSA mandatory CSMS rule, if enacted, would be the most impactful US regulatory change for both companies |
Section 5 — Physical AI Cybersecurity Benchmark Scorecard
| Security dimension | Waymo | Tesla | Aurora (AV trucking) | 2028 outlook |
|---|---|---|---|---|
| Sensor attack resilience | HIGH: multi-modal fusion (LIDAR plus camera plus radar plus HD map) requires attacker to fool multiple independent modalities; structural advantage for sensor-level attacks | MEDIUM: camera-only creates potential adversarial patch vulnerability; compensated by temporal and geometric redundancy but not modality redundancy | HIGH: Aurora Driver uses LIDAR plus camera plus radar fusion similar to Waymo; highway-only operational design domain reduces exposure to urban adversarial patch scenarios | Waymo and Aurora structural sensor security advantage persists as long as Tesla FSD remains camera-only; if Tesla adds radar redundancy, the gap narrows |
| Fleet-level attack surface | LOW (contained): est. 2,500 commercial vehicles (est.); controlled physical access; smaller cloud surface | HIGH: est. 6 million plus consumer vehicles (est.); diverse private ownership; largest automotive OTA surface in the world; compensated by 10-plus years of security hardening | LOW (contained): commercial trucking fleet; controlled depot access; smaller than Waymo | Tesla’s scale creates ongoing fleet-level security complexity; Waymo and Aurora smaller commercial fleets are inherently more manageable |
| OTA update security | HIGH: safety-critical air-gap plus cryptographic signing; smaller fleet enables faster anomaly detection | HIGH: 10-plus years consumer hardening; HSM; staged rollout; but millions of vehicles extend exposure window per update cycle | HIGH: commercial fleet with controlled update deployment | Both Waymo and Tesla have mature OTA security; Tesla’s additional years of consumer hardening is a meaningful capability advantage despite its larger surface |
| Regulatory compliance posture | HIGH: UNECE WP.29 mandatory in target expansion markets; active compliance program | HIGH: UNECE WP.29 mandatory in current EU, Japan, Korea markets; China GB/T 38628 active for Shanghai operations | MEDIUM-HIGH: trucking-specific regulatory environment; similar mandatory standards apply | Global mandatory standards (UNECE WP.29, China GB/T 38628) will be the floor for all AV companies operating in these markets |
| Overall verdict | AV cybersecurity in 2026 is a domain where Waymo has a structural sensor-level advantage (multi-modal fusion makes sensor spoofing significantly harder than camera-only systems), but Tesla has a deeper security culture advantage (10-plus years of consumer OTA security hardening, the longest-running automotive bug bounty, and a large internal security team). The most important unresolved risk is scale: a successful fleet-level attack on Tesla’s est. 6 million plus vehicles (est.) would have approximately 2,400 times the reach of a comparable attack on Waymo’s est. 2,500 vehicle fleet (est.). The most important structural security advantage is Waymo’s multi-modal sensor fusion — camera adversarial patches and LIDAR spoofing cannot simultaneously fool LIDAR, camera, radar, and the HD map. Until Tesla FSD adds hardware modality redundancy (radar or other non-camera sensor), this structural gap persists. |
Sources: UNECE WP.29 Cybersecurity Regulation (unece.org); ISO/SAE 21434 Automotive Cybersecurity Engineering (iso.org); NHTSA Cybersecurity Best Practices for Modern Vehicles (nhtsa.gov); Tesla Bug Bounty Program (tesla.com/support/security). Academic research references: USENIX Security, IEEE S&P conference proceedings on automotive cybersecurity and adversarial machine learning. All figures marked (est.) are estimates based on public disclosures, regulatory filings, and third-party reporting; they have not been independently verified and may differ from company internal data.