Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Supply Chain Exploitation of Secure ROS 2 Systems: A Proof-of-Concept on Autonomous Platform Compromise via Keystore Exfiltration

Tahmid Hasan Sakib, Yago Romano Martinez, Carter Brady, Syed Rafay Hasan, Terry N. Guo

TL;DR

This paper addresses the risk that supply-chain compromises can undermine SROS 2-secured autonomous systems by demonstrating a PoC where a malicious Debian package exfiltrates keystore materials via DNS during keystore creation. The attacker reconstructs credentials to rejoin the DDS graph and impersonate legitimate nodes, enabling both control and perception spoofing on a Quanser QCar2 during a four-stop-sign navigation task. The work provides a concrete, end-to-end attack workflow—from Trojan package delivery and DNS exfiltration to authenticated impersonation and unsafe vehicle behavior—and offers mitigations spanning secure build practices, code signing, and runtime semantic validation. The study highlights the practical significance of supply-chain integrity and runtime trust checks for safeguarding DDS-based autonomous systems against insider and impersonation threats.

Abstract

This paper presents a proof-of-concept supply chain attack against the Secure ROS 2 (SROS 2) framework, demonstrated on a Quanser QCar2 autonomous vehicle platform. A Trojan-infected Debian package modifies core ROS 2 security commands to exfiltrate newly generated keystore credentials via DNS in base64-encoded chunks to an attacker-controlled nameserver. Possession of these credentials enables the attacker to rejoin the SROS 2 network as an authenticated participant and publish spoofed control or perception messages without triggering authentication failures. We evaluate this capability on a secure ROS 2 Humble testbed configured for a four-stop-sign navigation routine using an Intel RealSense camera for perception. Experimental results show that control-topic injections can cause forced braking, sustained high-speed acceleration, and continuous turning loops, while perception-topic spoofing can induce phantom stop signs or suppress real detections. The attack generalizes to any data distribution service (DDS)-based robotic system using SROS 2, highlighting the need for both supply chain integrity controls and runtime semantic validation to safeguard autonomous systems against insider and impersonation threats.

Supply Chain Exploitation of Secure ROS 2 Systems: A Proof-of-Concept on Autonomous Platform Compromise via Keystore Exfiltration

TL;DR

This paper addresses the risk that supply-chain compromises can undermine SROS 2-secured autonomous systems by demonstrating a PoC where a malicious Debian package exfiltrates keystore materials via DNS during keystore creation. The attacker reconstructs credentials to rejoin the DDS graph and impersonate legitimate nodes, enabling both control and perception spoofing on a Quanser QCar2 during a four-stop-sign navigation task. The work provides a concrete, end-to-end attack workflow—from Trojan package delivery and DNS exfiltration to authenticated impersonation and unsafe vehicle behavior—and offers mitigations spanning secure build practices, code signing, and runtime semantic validation. The study highlights the practical significance of supply-chain integrity and runtime trust checks for safeguarding DDS-based autonomous systems against insider and impersonation threats.

Abstract

This paper presents a proof-of-concept supply chain attack against the Secure ROS 2 (SROS 2) framework, demonstrated on a Quanser QCar2 autonomous vehicle platform. A Trojan-infected Debian package modifies core ROS 2 security commands to exfiltrate newly generated keystore credentials via DNS in base64-encoded chunks to an attacker-controlled nameserver. Possession of these credentials enables the attacker to rejoin the SROS 2 network as an authenticated participant and publish spoofed control or perception messages without triggering authentication failures. We evaluate this capability on a secure ROS 2 Humble testbed configured for a four-stop-sign navigation routine using an Intel RealSense camera for perception. Experimental results show that control-topic injections can cause forced braking, sustained high-speed acceleration, and continuous turning loops, while perception-topic spoofing can induce phantom stop signs or suppress real detections. The attack generalizes to any data distribution service (DDS)-based robotic system using SROS 2, highlighting the need for both supply chain integrity controls and runtime semantic validation to safeguard autonomous systems against insider and impersonation threats.

Paper Structure

This paper contains 10 sections, 5 figures, 1 table.

Table of Contents

  1. Introduction
  2. SROS 2 Testbed and Threat Model Implementation on Quanser QCar2
  3. System & Threat Model
  4. Secure Runtime Setup
  5. Trojan Package Creation
  6. DNS Exfiltration Mechanism
  7. Reassembly and Spoofed Node Deployment
  8. Attack Execution and Effects
  9. Potential Mitigations
  10. Conclusion

Figures (5)

  • Figure 1: End-to-end supply-chain attack in a secure ROS 2 testbed: a malicious third-party package triggers DNS-based exfiltration of keystore credentials, enabling the attacker to rejoin the network and impersonate control or perception nodes.
  • Figure 2: Build pipeline for a malicious SROS 2 Debian package at a third-party distributor.
  • Figure 3: Topic discovery in a secured ROS 2 network: attacker can list topics only after stealing victim’s keystore and enclaves.
  • Figure 4: Navigation Routine with Spoofing Injection Points.
  • Figure 5: Representative spoofing attack on QCar2 ROS 2 topics, showing attacker injection of falsified data at high frequency, control node misinterpretation, and altered perception in the YOLOv8-annotated camera feed, leading to unsafe navigation outcomes.