What Would Trojans Do? Exploiting Partial-Information Vulnerabilities in Autonomous Vehicle Sensing
R. Spencer Hallyburton, Qingzhao Zhang, Z. Morley Mao, Michael Reiter, Miroslav Pajic
TL;DR
This work investigates cyber-level vulnerabilities in autonomous-vehicle sensing, emphasizing hardware Trojans and partial-information attackers targeting a single sensor within multi-sensor AVs. It shows camera-only attacks have limited safety impact, while LiDAR-based tampering can drive unsafe outcomes through perception, tracking, and prediction stages. The authors propose two defenses, a probabilistic data-asymmetry monitor and decentralized track-to-track fusion for 3D LiDAR and monocular detections (T2T-3DLM), and demonstrate substantial reductions in attack success and safety incidents in both simulators and real datasets. By combining realistic threat modeling with large-scale evaluations, the paper provides practical guidance for securing AV perception against sophisticated, low-information attacks.
Abstract
Safety-critical sensors in autonomous vehicles (AVs) form an essential part of the vehicle's trusted computing base (TCB), yet they are highly susceptible to attacks. Alarmingly, Tier 1 manufacturers have already exposed vulnerabilities to attacks introducing Trojans that can stealthily alter sensor outputs. We analyze the feasible capability and safety-critical outcomes of an attack on sensing at a cyber level. To further address these threats, we design realistic attacks in AV simulators and real-world datasets under two practical constraints: attackers (1) possess only partial information and (2) are constrained by data structures that maintain sensor integrity. Examining the role of camera and LiDAR in multi-sensor AVs, we find that attacks targeting only the camera have minimal safety impact due to the sensor fusion system's strong reliance on 3D data from LiDAR. This reliance makes LiDAR-based attacks especially detrimental to safety. To mitigate the vulnerabilities, we introduce security-aware sensor fusion incorporating (1) a probabilistic data-asymmetry monitor and (2) a scalable track-to-track fusion of 3D LiDAR and monocular detections (T2T-3DLM). We demonstrate that these methods significantly diminish attack success rate.
