Trapped by Their Own Light: Deployable and Stealth Retroreflective Patch Attacks on Traffic Sign Recognition Systems

TL;DR

This work identifies a real-world vulnerability in traffic sign recognition systems by introducing Adversarial Retroreflective Patch (ARP) attacks, which activate only under retroreflective headlight illumination to combine patch deployability with stealthy nighttime perturbations. The authors develop a physics-based Blender simulation coupled with black-box optimization (TPE) to design patches that maximize nighttime misclassification while preserving daylight stealth, and validate the approach with digital, physical, driving, and production-system experiments. ARP achieves up to 100% ASR in digital tests and up to 75% ASR on production TSR systems, with user studies indicating high perceptual stealth; they further propose DPR Shield, a polarization-based defense that can neutralize ARP’s effect on STOP signs and substantially mitigate SL65 attacks. Overall, the paper demonstrates a concrete, physically grounded threat to current TSR pipelines and offers a practical countermeasure, highlighting the need for polarization-aware defenses in autonomous driving perception stacks.

Abstract

Traffic sign recognition plays a critical role in ensuring safe and efficient transportation of autonomous vehicles but remain vulnerable to adversarial attacks using stickers or laser projections. While existing attack vectors demonstrate security concerns, they suffer from visual detectability or implementation constraints, suggesting unexplored vulnerability surfaces in TSR systems. We introduce the Adversarial Retroreflective Patch (ARP), a novel attack vector that combines the high deployability of patch attacks with the stealthiness of laser projections by utilizing retroreflective materials activated only under victim headlight illumination. We develop a retroreflection simulation method and employ black-box optimization to maximize attack effectiveness. ARP achieves $\geq$93.4\% success rate in dynamic scenarios at 35 meters and $\geq$60\% success rate against commercial TSR systems in real-world conditions. Our user study demonstrates that ARP attacks maintain near-identical stealthiness to benign signs while achieving $\geq$1.9\% higher stealthiness scores than previous patch attacks. We propose the DPR Shield defense, employing strategically placed polarized filters, which achieves $\geq$75\% defense success rates for stop signs and speed limit signs against micro-prism patches.

Figures (22)

• Figure 1: Structure of a retroreflective sheet. The surface film determines the color, while the inner retroreflector layer (glass beads or micro-prisms) in charge of the retroreflectivity, which reflect incoming lights back to their source direction as drawn with the light path diagrams.
• Figure 2: Overview of the ARP attack threat model. The victim's headlights are considered as the attack trigger, and parameters are adopted from previous patch-based attacks.
• Figure 3: Overview of ARP Attack Generation. This process involves three main steps: 1. ARP Physical Property Measurement: capturing images with the target camera. 2. Physics-Based Retroreflection Modeling: configuring patch material properties. 3. Day-Night Condition-Based ARP Attack Optimization: optimizing patch position and size
• Figure 4: Experimental setup of physical world experiment. The headlight and camera are set on top of the carriage.
• Figure 5: ASR for single- and two-stage TSR in different camera positions. N/A: traffic sign is not visible in the images.