D-SLAMSpoof: An Environment-Agnostic LiDAR Spoofing Attack using Dynamic Point Cloud Injection

Abstract

In this work, we introduce Dynamic SLAMSpoof (D-SLAMSpoof), a novel attack that compromises LiDAR SLAM even in feature-rich environments. The attack leverages LiDAR spoofing, which injects spurious measurements into LiDAR scans through external laser interference. By designing both spatial injection shapes and temporally coordinated dynamic injection patterns guided by scan-matching principles, D-SLAMSpoof significantly improves attack success rates in real-world, feature-rich environments such as urban areas and indoor spaces, where conventional LiDAR spoofing methods often fail. Furthermore, we propose a practical defense method, ISD-SLAM, that relies solely on inertial dead reckoning signals commonly available in autonomous systems. We demonstrate that ISD-SLAM accurately detects LiDAR spoofing attacks, including D-SLAMSpoof, and effectively mitigates the resulting position drift. Our findings expose inherent vulnerabilities in LiDAR-based SLAM and introduce the first practical defense against LiDAR-based SLAM spoofing using only standard onboard sensors, providing critical insights for improving the security and reliability of autonomous systems.

Figures (8)

• Figure 1: (Top) Real-world spoofing attack demonstration under a feature-rich environment is shown. Only D-SLAMSpoof (red line) successfully disrupted LiDAR odometry estimated by FAST-LIO2 fastlio2, whereas conventional attack methods (blue and green lines) had no effect on the estimation. (Bottom) While conventional point cloud injection injects a cylindrical wall at a fixed distance, our method strengthens the attack by designing efficient point cloud shapes and periodically varying their distance.
• Figure 2: An overview of our proposed method. (a) Threat model overview. The attacker aims to induce errors in the self-localization of the target vehicle by placing a roadside laser source that tampers the point cloud through malicious laser shooting. The attacker is assumed to know the target's route in advance. (b) Overview of D-SLAMSpoof. The attacker designs the injected point cloud shape based on geometric constraints in scan matching and periodically moves the point cloud in the radial direction to maximize inter-frame displacement, thereby strengthening the attack. Details for designing the injection shape is detailed in § \ref{['propose_injection_shape']}, and the method for moving the injected point cloud is described in § \ref{['propose_injection_dynamic']}.
• Figure 3: Overview of ISD-SLAM. The system defends against LiDAR spoofing through four modules: (1) detection of localization errors, (2) switching to inertial navigation, (3) restarting SLAM after the attack, and (4) coordinate transformation to ensure trajectory consistency.
• Figure 4: Comparison between conventional static injection and the proposed D-SLAMSpoof attack. Attack Success Rate (ASR) values are expressed in %. (a) Comparison of ASR on an open dataset (MCD TUHH dataset) in simulation. D-SLAMSpoof achieves an ASR 3.82 times higher than that of the conventional static injection. (b) Comparison of ASR in real-world experiments (Sec. \ref{['real_world_experiment']}). The ASR is defined as the ratio of trials exceeding the threshold (3.0 m) over 100 trials with randomized seeds. D-SLAMSpoof is the only method that successfully compromises all three SLAM algorithms with high probability.
• Figure 5: Experimental environment. (a) MCD TUHH map. The start and goal positions vary depending on the scenarios (tuhh_03, 07, and 09); the map shown here encompasses the entire area covered by all scenarios.(b)Ablation study map. The starting point is set as the origin $(x=0, y=0)$, and the trajectory proceeds toward the lower-right direction (positive x-axis, negative y-axis). (c) Real-world experiment map. The start position is set as the origin, consistent with (b), and the vehicle travels straight along the positive x-axis.