LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and New Attack Strategies

TL;DR

This work addresses the security of LiDAR-based perception in autonomous driving by experimentally evaluating spoofing threats across nine LiDARs (spanning first-gen and new-gen designs), three detector families, and five training datasets. It advances the field with spoofer improvements that enable CPI-like control for object injection on VLP-16, while showing that new-gen features like timing randomization and pulse fingerprinting can thwart CPI and large-scale injections. The study introduces a novel high-frequency removal (HFR) attack that does not require synchronization and demonstrates measurement-driven models for both object injection and removal, supported by detector- and system-level analyses. The findings yield 15 new insights and defenses, highlighting practical attack paths and emphasizing timing randomization as a cost-effective mitigation, with implications for the secure deployment of AD sensing pipelines.

Abstract

LiDAR (Light Detection And Ranging) is an indispensable sensor for precise long- and wide-range 3D sensing, which directly benefited the recent rapid deployment of autonomous driving (AD). Meanwhile, such a safety-critical application strongly motivates its security research. A recent line of research finds that one can manipulate the LiDAR point cloud and fool object detectors by firing malicious lasers against LiDAR. However, these efforts face 3 critical research gaps: (1) considering only one specific LiDAR (VLP-16); (2) assuming unvalidated attack capabilities; and (3) evaluating object detectors with limited spoofing capability modeling and setup diversity. To fill these critical research gaps, we conduct the first large-scale measurement study on LiDAR spoofing attack capabilities on object detectors with 9 popular LiDARs, covering both first- and new-generation LiDARs, and 3 major types of object detectors trained on 5 different datasets. To facilitate the measurements, we (1) identify spoofer improvements that significantly improve the latest spoofing capability, (2) identify a new object removal attack that overcomes the applicability limitation of the latest method to new-generation LiDARs, and (3) perform novel mathematical modeling for both object injection and removal attacks based on our measurement results. Through this study, we are able to uncover a total of 15 novel findings, including not only completely new ones due to the measurement angle novelty, but also many that can directly challenge the latest understandings in this problem space. We also discuss defenses.

Figures (25)

• Figure 1: Demonstration of the Chosen Pattern Injection (CPI) attack capability with $>$6,000 spoofed points with our improved LiDAR spoofer. This significantly improves the spoofing attack capability from prior works: shin2017illusion ($\sim$10 points), cao2019adversarial ($\sim$20 points) jiachen2020towards ($\sim$200 points), and hallyburton2022security ($\sim$200 points).
• Figure 2: Illustration of the synchronized and asynchronized LiDAR spoofing techniques with the latest attack capabilities. Synchronized spoofing needs white-box knowledge of the victim LiDAR scanning patterns and an extra device (Photodetector, or PD) for synchronization (§\ref{['sec:lidar_spoofing_attack']}), while asynchronized spoofing does not need these (i.e., black-box LiDAR attack).
• Figure 3: Overview of our LiDAR spoofer setup, the optics design, and the setup of the indoor and outdoor experiments. PD: Photodetector. TIA: Transimpedance amplifier. FG: Function generator. LD: Laser diode. More details in Appendix \ref{['appendix:spoofer']}.
• Figure 4: Standard deviations of inner-frame error on VLP-16.
• Figure 5: Illustration of inner- and inter-frame errors. Inner-frame error causes spoofing inaccuracy along with the ray direction within a frame. Inter-frame error causes the entire pattern to vibrate across consecutive frames.