SLAMSpoof: Practical LiDAR Spoofing Attacks on Localization Systems Guided by Scan Matching Vulnerability Analysis

TL;DR

SLAMSpoof addresses the critical problem of LiDAR spoofing compromising localization in autonomous vehicles. It introduces SMVS, a scan matching vulnerability score, and builds a three-step framework to identify optimal spoofing locations and demonstrate practical effectiveness. Real-world experiments show position errors of at least $4.2$ meters across three LiDAR-based SLAM algorithms, underscoring safety implications and the need for defenses such as pulse-signature LiDAR and IMU fusion. The work provides a concrete vulnerability assessment tool and design guidance for strengthening localization systems in real-world deployments.

Abstract

Accurate localization is essential for enabling modern full self-driving services. These services heavily rely on map-based traffic information to reduce uncertainties in recognizing lane shapes, traffic light locations, and traffic signs. Achieving this level of reliance on map information requires centimeter-level localization accuracy, which is currently only achievable with LiDAR sensors. However, LiDAR is known to be vulnerable to spoofing attacks that emit malicious lasers against LiDAR to overwrite its measurements. Once localization is compromised, the attack could lead the victim off roads or make them ignore traffic lights. Motivated by these serious safety implications, we design SLAMSpoof, the first practical LiDAR spoofing attack on localization systems for self-driving to assess the actual attack significance on autonomous vehicles. SLAMSpoof can effectively find the effective attack location based on our scan matching vulnerability score (SMVS), a point-wise metric representing the potential vulnerability to spoofing attacks. To evaluate the effectiveness of the attack, we conduct real-world experiments on ground vehicles and confirm its high capability in real-world scenarios, inducing position errors of $\geq$4.2 meters (more than typical lane width) for all 3 popular LiDAR-based localization algorithms. We finally discuss the potential countermeasures of this attack. Code is available at https://github.com/Keio-CSG/slamspoof

Figures (6)

• Figure 1: Real-world attack demo of SLAMspoof on driving vehicle. SLAMSpoof attack successfully deviates the victim vehicle from the planned benign trajectory (while line) to the attack-influenced trajectories (dotted red lines) corresponding to the three major localization algorithms. The induced position errors are $\geq$4.2 meter, which is wider than the typical lane width as shown in the lower-left table.
• Figure 2: The effects of spoofing attacks on LiDAR. In an injection attack (top-right), false point cloud data representing a non-existent wall is inserted into the LiDAR scan. In a removal attack (bottom-right), injected noise obscures the pedestrians' point cloud, effectively erasing them from the LiDAR scan.
• Figure 3: The overview of the SLAMSpoof framework, which is based on Scan Matching Vulnerability Score (SMVS). First, the attacker replicates the target's route to acquire map data. The SMVS distribution is generated from the map data to identify the optimal attack location. The calculation methods for point-wise SMVS are described in III-B-1, for frame-wise SMVS in § \ref{['sec:Frame-wise']}, and the process of determining the spoofer placement is detailed in § \ref{['sec:attack_loc_sel']}.
• Figure 4: Frame-wise SMVS calculation. We create an angular polar plot from point-wise SMVS ($score_{Rk}$), and then the frame-wise SMVS is calculated if the region is within the attack range or not, for each angular region.
• Figure 5: (Left) Example of low SMVS. The point cloud is distributed across a wide range of directions, allowing accurate pose estimation from the point cloud outside the spoofing range. (Right) Example of high SMVS. The directional distribution of the point cloud is biased, making it vulnerable as almost all points can be tampered with by spoofing.