11 Feb 2017 | Alexey Kurakin, Ian J. Goodfellow, Samy Bengio
This paper examines whether adversarial examples, a threat usually studied with the attacker feeding data directly into the model, survive the physical world: the case where a machine learning system perceives its input through a camera rather than receiving a file. Adversarial images are only slightly perturbed versions of clean images, perceptually similar to the originals, yet misclassified by the model. The authors generate them with a single-step fast gradient sign method and with two iterative methods (a basic iterative method and an iterative least-likely-class method), print them, photograph the prints with a cell phone camera, and measure the resulting classification accuracy of an ImageNet Inception v3 classifier. A large fraction of the adversarial examples remain misclassified after the print-and-photograph pipeline.
The paper also measures how such physical transformations (printing, photographing, and synthetic stand-ins such as brightness and contrast changes, blur, noise and JPEG compression) degrade adversarial examples, quantified as a "destruction rate": the fraction of adversarial images that are classified correctly again after transformation. Some fraction of adversarial examples survive each transformation, and those produced by the fast method prove more robust to the camera pipeline than those from the iterative methods, even though the iterative ones are stronger against the model directly. The paper closes with the implications for the security of camera-fed ML systems and with future directions, including defenses against such attacks.
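The three generation methods and the destruction-rate metric described above, as an added worked example that is not code from the paper or its authors. It runs the fast gradient sign method, the basic iterative method and the iterative least-likely-class method against a constructed 4-pixel, 3-class linear softmax classifier (weights W and B are assumed, not trained), and computes the destruction rate under a constructed, deterministic stand-in for print-and-photograph (halved contrast plus quantization), so it runs offline with no model download. The model, the "images" and the transform are illustrative assumptions; the update rules and the metric follow the paper's definitions.

```python
# Added example (not from the paper): FGSM, basic iterative method,
# iterative least-likely-class method, and the paper's destruction rate,
# demonstrated on a constructed linear softmax classifier.
import math

# Constructed model: logits = W x + B over 4 "pixels" in [0, 1], 3 classes.
# Assumed for illustration; not trained on any data.
W = [[1.0, 1.0, -1.0, -1.0],
     [-1.0, 1.0, 1.0, -1.0],
     [-1.0, -1.0, 1.0, 1.0]]
B = [0.5, -0.1, 0.0]

def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def predict(x):
    z = logits(x)
    return z.index(max(z))

def input_gradient(x, y):
    """Gradient of cross-entropy(softmax(Wx+B), y) w.r.t. x: W^T (p - onehot(y))."""
    p = softmax(logits(x))
    d = [pi - (1.0 if i == y else 0.0) for i, pi in enumerate(p)]
    return [sum(W[i][j] * d[i] for i in range(len(W))) for j in range(len(x))]

def sign(v):
    return (v > 0) - (v < 0)

def clip01(x):
    return [min(1.0, max(0.0, v)) for v in x]

def fgsm(x, y, eps):
    """Fast method: X_adv = X + eps * sign(grad_X J(X, y_true)), clipped to valid pixels."""
    g = input_gradient(x, y)
    return clip01([xi + eps * sign(gi) for xi, gi in zip(x, g)])

def clip_eps_ball(x0, x, eps):
    """Clip_{X,eps}: keep every pixel within eps of the clean image and inside [0, 1]."""
    return [min(1.0, x0i + eps, max(0.0, x0i - eps, xi)) for x0i, xi in zip(x0, x)]

def basic_iterative(x, y, eps, alpha, iters):
    """X_{n+1} = Clip_{X,eps}(X_n + alpha * sign(grad J(X_n, y_true)))."""
    adv = list(x)
    for _ in range(iters):
        g = input_gradient(adv, y)
        adv = clip_eps_ball(x, [ai + alpha * sign(gi) for ai, gi in zip(adv, g)], eps)
    return adv

def iterative_least_likely(x, eps, alpha, iters):
    """Targeted variant: step toward the class the model currently finds least likely."""
    z = logits(x)
    y_ll = min(range(len(z)), key=lambda i: z[i])  # argmin p(y | X)
    adv = list(x)
    for _ in range(iters):
        g = input_gradient(adv, y_ll)
        adv = clip_eps_ball(x, [ai - alpha * sign(gi) for ai, gi in zip(adv, g)], eps)
    return adv

def camera_like_transform(x):
    """Constructed stand-in for print-and-photograph: halve contrast around
    mid-grey and quantize to 1/100 levels. Deterministic; not a real camera model."""
    return [round(0.5 + 0.5 * (v - 0.5), 2) for v in x]

def destruction_rate(clean, labels, adv, transform):
    """Among images that are correct when clean and wrong when adversarial,
    the fraction that the transform turns back into correct classifications."""
    num = den = 0
    for x, y, xa in zip(clean, labels, adv):
        if predict(x) == y and predict(xa) != y:
            den += 1
            if predict(transform(xa)) == y:
                num += 1
    return num / den if den else 0.0

# Constructed "images"; the third is misclassified even when clean, so the
# metric excludes it from both numerator and denominator.
CLEAN = [[0.5, 0.5, 0.5, 0.5], [0.6, 0.5, 0.4, 0.5], [0.2, 0.2, 0.8, 0.8]]
LABELS = [0, 0, 0]

def fgsm_destruction_rate(eps):
    adv = [fgsm(x, y, eps) for x, y in zip(CLEAN, LABELS)]
    return destruction_rate(CLEAN, LABELS, adv, camera_like_transform)

if __name__ == "__main__":
    for eps in (0.1, 0.2):
        print(f"eps={eps}: destruction rate {fgsm_destruction_rate(eps):.2f}")
```

On this toy model the eps=0.1 perturbation is undone by the contrast-halving transform (destruction rate 1.0) while eps=0.2 survives it (0.0), which is the qualitative effect the paper measures with real prints and a real camera: the transformation acts like a partial shrink of the perturbation, so only examples with enough margin remain adversarial. Because the model here is linear, the basic iterative method lands on the same point as the single-step method; the paper's observation that iterative examples are less robust to the camera pipeline only appears with nonlinear classifiers such as Inception v3.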