Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

From Pixels to Reality: Physical-Digital Patch Attacks on Real-World Camera

Victoria Leonenkova, Ekaterina Shumitskaya, Dmitriy Vatolin, Anastasia Antsiferova

Abstract

This demonstration presents Digital-Physical Adversarial Attacks (DiPA), a new class of practical adversarial attacks against pervasive camera-based authentication systems, where an attacker displays an adversarial patch directly on a smartphone screen instead of relying on printed artifacts. This digital-only physical presentation enables rapid deployment, removes the need for total-variation regularization, and improves patch transferability in black-box conditions. DiPA leverages an ensemble of state-of-the-art face-recognition models (ArcFace, MagFace, CosFace) to enhance transfer across unseen commercial systems. Our interactive demo shows a real-time dodging attack against a deployed face-recognition camera, preventing authorized users from being recognized while participants dynamically adjust patch patterns and observe immediate effects on the sensing pipeline. We further demonstrate DiPA's superiority over existing physical attacks in terms of success rate, feature-space distortion, and reductions in detection confidence, highlighting critical vulnerabilities at the intersection of mobile devices, pervasive vision, and sensor-driven authentication infrastructures.

From Pixels to Reality: Physical-Digital Patch Attacks on Real-World Camera

Abstract

This demonstration presents Digital-Physical Adversarial Attacks (DiPA), a new class of practical adversarial attacks against pervasive camera-based authentication systems, where an attacker displays an adversarial patch directly on a smartphone screen instead of relying on printed artifacts. This digital-only physical presentation enables rapid deployment, removes the need for total-variation regularization, and improves patch transferability in black-box conditions. DiPA leverages an ensemble of state-of-the-art face-recognition models (ArcFace, MagFace, CosFace) to enhance transfer across unseen commercial systems. Our interactive demo shows a real-time dodging attack against a deployed face-recognition camera, preventing authorized users from being recognized while participants dynamically adjust patch patterns and observe immediate effects on the sensing pipeline. We further demonstrate DiPA's superiority over existing physical attacks in terms of success rate, feature-space distortion, and reductions in detection confidence, highlighting critical vulnerabilities at the intersection of mobile devices, pervasive vision, and sensor-driven authentication infrastructures.

Paper Structure

This paper contains 7 sections, 1 equation, 2 figures, 1 table.

Table of Contents

  1. Introduction and Related Work
  2. Approach
  3. Regularization Variants
  4. Evaluation Across Digital--Physical and Real Pervasive Settings
  5. Experimental Protocol
  6. Demo
  7. Conclusion

Figures (2)

  • Figure 1: The overview of the proposed demonstration. The user uploads a photo to the server and receives a set of digital adversarial patches designed to cause dodging physical attack for a real camera in a completely black-box setting, along with images for white-box attacks on online face recognition models.
  • Figure 2: DiPA attack on real-world camera. Note that simply displaying a black or white screen or a patch with a random pattern will still result in the person being correctly detected.