The car is not “looking.” It is building a temporary version of reality.
A self-driving vehicle does not simply look out the windshield and think, road, truck, child, stop sign. It builds a rolling, mathematical guess about the world around it. Cameras read color, lane lines, traffic lights, signs, body language, brake lights, construction cones, and the weird little social cues that make roads work. Radar measures motion and distance, especially when visibility is poor. LiDAR, when used, paints the surroundings with laser pulses to build a 3D shape of nearby objects. GPS and inertial sensors estimate where the vehicle is. High-definition maps tell it what the road is supposed to look like. Software then fuses all of that into a “world model”: what exists, where it is going, what it might do next, and what the vehicle should do about it.
That is the miracle. It is also the vulnerability. A human driver can be fooled, but a human also has messy general knowledge. We know a stop sign printed on a T-shirt is not commanding traffic. We know a plastic bag is probably not a boulder, even if it briefly looks dramatic. We know a person standing in the street making eye contact might be asking us to stop, even if no traffic law covers that exact moment. A vehicle has to infer all of this from sensors, maps, probabilities, and rules.
This is why the phrase “self-driving car” hides more than it explains. The serious term is operational design domain, or ODD: the conditions where the system is designed to operate. City, highway, weather, lighting, mapped area, road type, speed range, construction complexity, emergency scenes — all of that matters. Today’s best driverless systems are not magic cars that can go anywhere. They are very carefully bounded machines that are getting better at specific kinds of places.
Where we really are now: impressive, useful, and still fenced in.
As of 2026, fully driverless vehicles are real, but they are not universal. Waymo has been operating paid robotaxi rides in major U.S. markets such as Phoenix, San Francisco, Los Angeles, and Austin, and has been preparing expansion into more cities. Aurora launched commercial driverless trucking in Texas in 2025, starting with specific freight routes rather than every highway in America. Tesla has pushed aggressively into robotaxi service in Texas, while also remaining under scrutiny over the safety and limits of its driver-assistance and autonomy claims.
The honest map looks like this: Level 2 driver assistance is common, meaning the human is still responsible. Level 4 autonomy exists, but usually within known routes, mapped cities, chosen weather conditions, and remote-assistance frameworks. Level 5 — a vehicle that can drive anywhere a human can, under essentially all normal conditions — is still not here. The gap between Level 4 and Level 5 is not a software update. It is the difference between being very good in Phoenix and being trusted on an icy rural road at midnight after a storm has knocked out traffic lights and somebody is waving a flashlight near a downed tree.
Trucks are a different story than cars. Highways are more structured than city streets, which sounds easier, but the stakes are heavier. A driverless semi at 65 mph has long stopping distances, huge mass, and a business model built around running for long hours. That makes autonomous trucking economically tempting and operationally frightening in equal measure. The first deployments are not “send it anywhere.” They are corridor businesses: known lanes, known depots, known weather policies, known fallback plans.
The ways a self-driving vehicle can be fooled.
The cartoon version is a hacker with a laptop taking over the steering wheel. That risk exists in the broad cybersecurity sense, but it is not the only or even always the easiest attack. Autonomous vehicles sit at the intersection of cyber, physical, and social systems. Bad inputs can come from the internet, from the road, from infrastructure, from people, or from the vehicle’s own assumptions.
Physical perception tricks are the most intuitive. Researchers have shown that visual systems can be confused by altered signs, adversarial markings, unusual lighting, or objects that do not look important to humans but disturb the model. LiDAR can be attacked or confused by carefully shaped reflections, spoofed points, or surfaces that create phantom objects or hide real ones. Radar can struggle with odd reflections and clutter. Cameras can be blinded by glare, dirt, stickers, weather, or deliberately placed visual noise. The point is not that every trick works on every vehicle. The point is that the road itself becomes part of the attack surface.
Location and map attacks are subtler. A vehicle uses GPS, inertial sensors, maps, lane geometry, and landmarks to determine where it is. If one signal is wrong, the others may catch it. If several signals become inconsistent, the vehicle may slow, stop, or request remote assistance. A bad actor does not always need to make the vehicle crash. Causing confusion, delay, rerouting, or emergency fallback can be enough.
Electronic and network attacks include the familiar world of software vulnerabilities, compromised fleet tools, fake updates, weak supplier systems, cloud outages, or attacks against vehicle-to-infrastructure messages. Modern vehicles are rolling computers with cellular connections, diagnostics, over-the-air updates, payment systems, apps, fleet portals, and vendor dependencies. The autonomous stack may be hardened, but the business around the vehicle still has doors.
Social engineering may be the least discussed and most human. Robotaxi companies rely on remote assistance, incident response teams, depot workers, customer-support workflows, emergency services coordination, contractors, and local regulators. A criminal who cannot fool the LiDAR may try to fool the help desk. A cargo thief who cannot hack the truck may target the pickup appointment, the yard access badge, the dispatch credentials, or the person authorized to release a trailer.
Why would anyone do this?
The motives are not exotic. They are the same motives behind older crimes, with newer tools. Money is the obvious one: cargo theft, ransom, insurance fraud, extortion, stolen ride credits, stolen accounts, or attacks on a competitor’s fleet. A truck full of electronics, pharmaceuticals, or groceries does not become less valuable because the driver seat is empty.
Hijacking becomes more interesting when there is no driver to threaten. Traditional cargo theft relies on people, timing, and access. Autonomous freight may shift the target from the driver to the route, the depot, the trailer, the authentication system, or the remote operations channel. A criminal might not need to “drive” the truck away. They may only need to make it stop in the wrong place, accept the wrong instruction, or arrive at a fake handoff.
Disruption is another motive. A city with thousands of robotaxis has a new kind of traffic dependency. A coordinated attempt to confuse vehicles near airports, stadiums, ports, bridges, or downtown corridors could create gridlock without destroying anything. Even a small number of stopped vehicles can cause outsized trouble if they stop in the wrong locations.
Politics and spectacle matter too. Autonomous vehicles are symbols. Activists have already learned that robotaxis can be stopped physically, sometimes with absurdly simple methods. That does not make every protest a security threat, but it shows a larger truth: driverless vehicles operate in public, and the public can touch them.
Have there already been cases?
There have been real-world safety failures, public interference, and many research demonstrations. The famous 2023 Cruise incident in San Francisco was not a “bad actor” attack, but it became a defining example of how an autonomous vehicle can mishandle an edge case after a human-driven vehicle struck a pedestrian and pushed her into the robotaxi’s path. The vehicle stopped, then moved again and dragged the pedestrian during a pullover maneuver. The fallout was not only technical; regulators said Cruise failed to fully report key details, and the company’s operations collapsed into investigations, penalties, and suspended permits.
Waymo has had its own regulatory and operational scrutiny, including investigations into behavior around stopped school buses and questions about robotaxi readiness during citywide disruptions. Again, those are not necessarily malicious attacks. But they are useful previews of what attackers would study: unusual angles, emergency scenes, broken infrastructure, flashing signals, remote-assistance overload, and conditions that force the machine out of its comfort zone.
On the intentional side, researchers have repeatedly demonstrated that autonomous perception can be manipulated. Some studies have explored LiDAR spoofing, including creating phantom obstacles or hiding real ones. Others have examined GPS/GNSS spoofing, adversarial signs, camera attacks, and sensor-fusion failures. Many of these demonstrations require expertise, equipment, positioning, or controlled conditions. That matters. A vulnerability in a paper is not the same as a cheap street crime. But papers have a habit of becoming cheaper over time.
The annoying truth: some attacks are easy, some are very hard, and both matter.
It is usually hard to make a modern autonomous vehicle do one precise dangerous thing on command. These systems use redundant sensors, safety rules, remote monitoring, simulations, testing, geofences, fallback behavior, and conservative planning. If a sensor looks suspicious, the vehicle may slow down or stop. If the map disagrees with the camera, the vehicle may ask for help. If the weather gets bad, the service may restrict operations. That is why “take over a robotaxi with a laser pointer” is mostly fantasy.
But it can be much easier to make autonomous vehicles become useless for a while. Confuse them. Block them. Make them stop. Force remote assistance. Create a fake construction scene. Abuse pickup and drop-off behavior. Jam a weak signal. Put an object where the machine becomes more cautious than a human. For the public, a stopped robotaxi is comedy. For a fleet operator, a stopped robotaxi at scale is a business problem. For emergency services, it can be a public-safety problem.
This distinction matters because attackers do not need cinematic success. They need profitable success. A thief does not need to defeat autonomy forever. They need one delivery to pause in the wrong lot. A vandal does not need to break the AI. They need a viral video. A ransomware group does not need to touch the steering system. They need to freeze fleet operations long enough for the company to pay.
How companies reduce the risk.
The first defense is sensor fusion. If cameras, radar, LiDAR, GPS, inertial sensors, and maps all agree, confidence rises. If one source lies, the others can challenge it. The strongest systems do not treat sensors as decorative extras; they use redundancy so the vehicle can survive partial failure, poor visibility, and weird scenes.
The second defense is operational humility. That means limiting service to areas, weather, speeds, and road types the system has proven it can handle. This is why geofencing is not an embarrassment. It is the safety case. The public wants “drive anywhere.” Engineers want “define exactly where this thing is allowed to be trusted.” Engineers are annoying that way because physics keeps siding with them.
The third defense is cybersecurity discipline: secure updates, signed software, isolated safety-critical systems, intrusion detection, supplier audits, fleet monitoring, hardened remote-assistance tools, access controls, incident logging, and fast patching. Autonomous vehicles are not just cars. They are fleets, apps, cloud services, depots, maps, sensors, and people. The security program has to cover all of it.
The fourth defense is abuse testing. Companies need to test not only normal driving, but malicious driving environments: fake signs, blocked sensors, staged construction, deceptive lights, map conflicts, remote-assistance overload, social engineering, cargo-yard fraud, and coordinated disruption. In cybersecurity, defenders eventually learned that “nobody would do that” is not a strategy. Roads are learning the same lesson.
How much is this slowing full deployment?
There is no clean public percentage. Companies do not release a pie chart that says “37% cyber risk, 22% rain, 18% lawyers, 9% cones.” But the honest answer is that malicious manipulation is probably not the main thing slowing deployment today. The bigger blockers are still ordinary reality: edge cases, weather, construction, emergency vehicles, regulatory approval, liability, cost, public trust, remote operations, scaling hardware, mapping, maintenance, and proving safety statistically.
Security is more like a multiplier. If the system already struggles with unusual construction, a malicious fake construction scene becomes more plausible. If remote assistance is already a bottleneck during outages, an attacker who creates many confusing situations can exploit that bottleneck. If public trust is fragile, one spectacular abuse case can delay permits faster than a thousand normal rides can repair confidence.
So the number may not be “security is half the delay.” It is more like this: security is the thing that can turn a technical limitation into a headline, a headline into a regulator meeting, and a regulator meeting into a deployment freeze.
What happens next.
The near future is not one giant national switch from human driving to robot driving. It is a patchwork. Robotaxis will expand city by city. Driverless trucks will expand lane by lane. Some vehicles will use LiDAR-heavy sensor suites. Some will try camera-first approaches. Some will rely more on maps and remote support. Some will be conservative and boring, which is exactly what you want from a machine that weighs several thousand pounds.
Regulators are moving too, though not always at the same speed as deployment. In the U.S., NHTSA has been modernizing its automated-vehicle framework, holding safety forums, investigating incidents, and collecting crash reports. Internationally, UNECE’s WP.29 process has pushed vehicle cybersecurity and automated-driving rules into a more formal global framework. The EU AI Act also adds pressure around high-risk AI systems, transparency, and safety governance. None of this eliminates risk. It creates paperwork, accountability, and audit trails — which sounds dull until something goes wrong.
The most likely future is not that bad actors effortlessly hijack every self-driving car. It is also not that the vehicles become invulnerable. The future is messier: fleets get safer, attackers get more creative, regulators demand more proof, companies narrow their operating domains, and the public slowly learns that “autonomous” does not mean “all-powerful.”
The best self-driving vehicles may eventually be safer than average humans in many settings. That is a big deal. Humans are, frankly, a terrible baseline. But autonomy has a different weakness: it can fail in unfamiliar, repeatable, machine-shaped ways. Once criminals, pranksters, activists, and bored teenagers learn those shapes, the road becomes a security environment.
And that is the strange future of transportation. The car can see 360 degrees. It can react in milliseconds. It can monitor objects a football field away. But it still has to answer the oldest question in driving: what is really happening here?