A newly uncovered vulnerability in artificial intelligence systems used in self-driving vehicles could allow cybercriminals to silently take control of autonomous cars, according to researchers at Georgia Tech. The flaw, named VillainNet, represents a critical security blind spot that could enable attackers to hijack AI-powered vehicles under specific real-world conditions—without detection until the moment of attack. The vulnerability was discovered by David Oygenblik, a Ph.D. student at Georgia Tech and lead researcher on the project. VillainNet exploits the architecture of "SuperNets"—AI systems designed to be highly adaptive by dynamically switching between specialized subnetworks depending on the driving scenario. While this flexibility improves performance, it also creates a hidden attack surface. Oygenblik explained that SuperNets function like a Swiss Army knife, selecting the right subnetwork for the task at hand. However, attackers can embed malicious code into just one of these subnetworks. The attack remains dormant and undetectable until the compromised subnetwork is activated—such as when the vehicle’s AI responds to rain, slippery roads, or changing traffic patterns. Once triggered, VillainNet is nearly guaranteed to succeed, giving hackers full control over the vehicle’s decision-making. In a worst-case scenario, an attacker could force a self-driving taxi to swerve into traffic, stop abruptly, or even threaten passengers by holding them hostage. The researchers demonstrated that VillainNet can be embedded at any stage of development, making it extremely difficult to detect. The attack can be hidden among billions of legitimate configurations, effectively turning the search for the flaw into finding a single needle in a haystack of up to 10 quintillion possible scenarios. Experiments showed that the attack achieved a 99% success rate when activated, while remaining completely invisible to standard AI security tools. Detecting such a backdoor would require 66 times more computational power and time than current methods allow—making it practically infeasible with today’s technology. The team presented their findings at the 2025 ACM SIGSAC Conference on Computer and Communications Security. The paper, titled "VillainNet: Targeted Poisoning Attacks Against SuperNets Along the Accuracy-Latency Pareto Frontier," was co-authored by Oygenblik, master’s students Abhinav Vemulapalli and Animesh Agrawal, Ph.D. student Debopam Sanyal, Associate Professor Alexey Tumanov, and Associate Professor Brendan Saltaformaggio. The research serves as a wake-up call for the AI and automotive industries. As autonomous systems grow more complex and reliant on adaptive AI, the need for new, proactive security measures becomes urgent. The findings underscore the importance of rethinking how AI models are validated, tested, and secured—especially when they operate in safety-critical environments like transportation.