The rapid deployment of Autonomous Driving (AD) technologies on public roads presents significant social challenges. The security of LiDAR (Light Detection and Ranging) is one of the emerging challenges in AD deployment, given its crucial role in enabling Level 4 autonomy through accurate 3D environmental sensing. Recent lines of research have demonstrated that LiDAR can be compromised by LiDAR spoofing attacks that overwrite legitimate sensing by emitting malicious lasers to the LiDAR. Previous studies have successfully demonstrated their attacks in controlled environments, yet gaps remain in the feasibility of these attacks in realistic high-speed, long-distance AD scenarios. To bridge these gaps, we design a novel Moving Vehicle Spoofing (MVS) system consisting of 3 subsystems: the LiDAR detection and tracking system, the auto-aiming system, and the LiDAR spoofing system. Furthermore, we design a new object removal attack, an adaptive high-frequency removal (A-HFR) attack, that can be effective even against recent LiDARs with pulse fingerprinting features, by leveraging gray-box knowledge of the scan timing of target LiDARs. With our MVS system, we are not only the first to demonstrate LiDAR spoofing attacks against practical AD scenarios where the victim vehicle is driving at high speeds (60 km/h) and the attack is launched from long distances (110 meters), but we are also the first to perform LiDAR spoofing attacks against a vehicle actually operated by a popular AD stack. Our object removal attack achieves ≥96% attack success rates against the vehicle driving at 60 km/h to the braking distances (20 meters). Finally, we discuss possible countermeasures against attacks with our MVS system. This study not only bridges critical gaps between LiDAR security and AD security research but also sets a foundation for developing robust countermeasures against emerging threats.
To practically deploy long-range LiDAR spoofing attacks against AD vehicles driving at high speeds, we design a Moving Vehicle Spoofing system (MVS system). Fig. 1 illustrates the overview of our MVS system consisting of three subsystems: (1) IR camera-based detection and tracking system, (2) auto-aiming system, and (3) LiDAR spoofing system.
For the IR camera-based detection and tracking system, we design a novel methodology with an IR camera to accurately localize the target LiDAR even at longer ranges (e.g., 100 m) than the prior vision-based method, which can only detect a LiDAR up to 5 m.
For the auto-aiming system, we design a responsive and accurate auto-aiming system that can precisely aim at any horizontal angle with a high-precision servo motor.
For the LiDAR spoofing system, we build a novel spoofer upon the existing LiDAR spoofers to handle long-range attack scenarios. We further improved the electronics and optics.
[Figures: Overview; IR Camera-based Detection; LiDAR Spoofer]
We design a new object removal attack, A-HFR, which can be effective against LiDARs with pulse fingerprinting by utilizing gray-box knowledge of the target LiDAR to avoid overheating the laser diode. The A-HFR attack can remove >96% of points within attack angles even under pulse fingerprinting.
The pulse fingerprinting in recent New-Gen LiDARs presumably uses a pair of pulses to measure a point and embeds the fingerprint into the interval of a pair of pulses. The pulse intervals of each pair randomly vary and the LiDAR can authenticate the reflected laser based on whether the interval matches the one the LiDAR emitted or not. Thus, high-frequency pulses can bypass the authentication as described in Fig. 7. However, we find that it is not trivial to increase the frequency due to a trade-off between pulse frequency and peak power. Specifically, emitting a pulsed laser at a higher frequency causes overheating of the laser driver and the laser itself, significantly degrading the laser's peak power.
To overcome the trade-off between pulse frequency and peak power, we design the adaptive-HFR (A-HFR) attack. As the name implies, the A-HFR attack adaptively changes its attack laser frequency to avoid overheating. As shown in Fig. 8, the A-HFR attack strategically boosts the frequency only when the target LiDAR scans the specific object the attacker wants to hide. This design allows the diode to rest most of the time and effectively cool down during the rest. To know when the LiDAR scans the target objects, we utilize a photodiode (PD) similar to the existing white-box LiDAR spoofing attacks that require synchronization with the target LiDAR. However, unlike white-box attacks that require precise knowledge of when the LiDAR scans each point and a predictable scan pattern, A-HFR only needs a coarse-grained understanding of the victim LiDAR's state. Due to this reduced information requirement compared to white-box synchronization attacks, we classify the A-HFR attack as a gray-box attack and term the coarse-grained requirement as weak synchronization.
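The interval-based authentication described above can be modelled in a few lines. This is an added example, not code from the paper or its authors; the tolerance, listening window and interval values are constructed assumptions, not measurements of any LiDAR. It shows why an interval match alone cannot separate a genuine echo from a dense pulse train, and that the number of matching pairs in a window differs sharply between the two.

```python
"""Toy model of pulse-pair interval fingerprinting (all numbers are constructed)."""
from itertools import combinations

TOL_NS = 2.0        # assumed matching tolerance of the receiver
WINDOW_NS = 1000.0  # assumed listening window per measured point

# Constructed fingerprint intervals, standing in for per-point random values.
INTERVALS_NS = [37.0, 51.0, 61.0, 73.0, 89.0, 103.0, 119.0, 131.0]


def matching_pairs(arrivals_ns, expected_interval_ns, tol_ns=TOL_NS):
    """Count received pulse pairs whose spacing matches the emitted interval."""
    return sum(
        1
        for a, b in combinations(sorted(arrivals_ns), 2)
        if abs((b - a) - expected_interval_ns) <= tol_ns
    )


def authenticate(arrivals_ns, expected_interval_ns):
    """Interval check only: accept if any pair of received pulses matches."""
    return matching_pairs(arrivals_ns, expected_interval_ns) >= 1


def periodic_train(period_ns, window_ns=WINDOW_NS):
    """Pulses at a fixed period, generated with no knowledge of the fingerprint."""
    n = int(window_ns // period_ns) + 1
    return [k * period_ns for k in range(n)]


def acceptance_rate(period_ns, intervals_ns=INTERVALS_NS):
    """Fraction of fingerprint intervals that a fixed-period train satisfies."""
    train = periodic_train(period_ns)
    return sum(authenticate(train, d) for d in intervals_ns) / len(intervals_ns)


if __name__ == "__main__":
    d = INTERVALS_NS[0]
    print("genuine echo accepted:", authenticate([400.0, 400.0 + d], d))
    print("pair with wrong interval accepted:", authenticate([400.0, 450.0], d))
    for period in (200.0, 50.0, 10.0, 4.0):
        print(f"period {period:5.0f} ns -> acceptance {acceptance_rate(period):.3f}")
    # A genuine echo yields one matching pair; a dense train yields hundreds.
    print("matching pairs, genuine:", matching_pairs([400.0, 400.0 + d], d))
    print("matching pairs, 4 ns train:", matching_pairs(periodic_train(4.0), d))
```

In this model the acceptance rate reaches 1.0 once the pulse period is no larger than twice the tolerance, which is why a receiver that records only pass or fail loses the information that the window was crowded.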
Fig. 13 illustrates the overview of our experimental setup. We rent a private testing road with exclusive-use permission to ensure a controlled environment. We placed the MVS system device 2 m away from the driving lane and positioned the victim pedestrian 10 m away from the MVS system device. To prioritize safety, the victim pedestrian is also 2 m away from the driving lane, not directly in the lane. The target vehicle with a mounted LiDAR on its roof is approaching from 100 m away from the victim pedestrian, i.e., the attack distance between the MVS system and the target vehicle is up to 110 m. We measure the attack effectiveness starting from 70 m away from the victim, where the target vehicle reaches the desired speed. We evaluate the system at 6 different speeds from 10 km/h to 60 km/h. For each speed, we collected data from 4 different traces. All evaluation metrics are averaged over the 4 traces.
[Panels: Side Camera View (60 km/h); Front Camera View (60 km/h); Benign (60 km/h); HFR Attack (60 km/h); A-HFR Attack (Follow View); Injection Attack (Follow View); Injection Attack (Top View)]
The right figure shows the experimental setup for the end-to-end attack evaluation on an AD vehicle, PIXKIT with a VLP-32c LiDAR controlled by Autoware.ai version 1.14.1. For the LiDAR object detection, we use the LiDAR Euclidean cluster detection, which is officially supported by Autoware.ai. We placed our MVS system on the roadside of our private road with exclusive-use permission. The AD vehicle started accelerating 40 meters away from our MVS system. For the removal attack, we placed an SUV-sized inflatable mock car 5 meters away from the MVS system and tried to make the mock car undetected by the HFR attack. For the injection attack, we injected a ghost wall, as shown in the injection attack figure, to see if the AD vehicle would stop before the ghost wall. We accelerate the AD vehicle up to 5 km/h and 15 km/h for injection and removal attacks, respectively. The 15 km/h for injection attacks is the maximum speed we could test on the testing road. The 5 km/h for removal attacks is an acceptable speed to avoid damage to the facilities. To ensure safety, the experiments were conducted only during nighttime.
[Panels: Experimental Setup for Removal Attack; PIXKIT w/ VLP-32c and Autoware.ai; Benign; Benign Rviz View; Attack; Benign Rviz View; Benign; Benign Rviz View; Attack (Front View); Attack (Side View); Attack Rviz View]
The experiments were safely carried out in controlled conditions on a private road with exclusive-use permission. A human with a driving license drove the experimental vehicle, and the area was surveilled to keep people off the road. During the experiments, participants potentially exposed to the attack laser wore protective goggles for eye safety.
[NDSS'25] On the Realism of LiDAR Spoofing Attacks against Autonomous Driving Vehicle at High Speed and Long Distance
Takami Sato*, Ryo Suzuki*, Yuki Hayakawa* (co-first authors), Kazuma Ikeda, Ozora Sako, Rokuto Nagata, Ryo Yoshida, Qi Alfred Chen, and Kentaro Yoshioka
ISOC Network and Distributed System Security (NDSS) Symposium, 2025. (Acceptance rate TBA)
BibTex for citation:
@inproceedings{sato2025lidar-spoofing-realism,
title={{On the Realism of LiDAR Spoofing Attacks against Autonomous Driving Vehicle at High Speed and Long Distance}},
author={Takami Sato and Ryo Suzuki and Yuki Hayakawa and Kazuma Ikeda and Ozora Sako and Rokuto Nagata and Ryo Yoshida and Qi Alfred Chen and Kentaro Yoshioka},
booktitle={ISOC Network and Distributed System Security Symposium (NDSS)},
year={2025}
}
Takami Sato, Ph.D. Student, University of California, Irvine
Ryo Suzuki, M2 Student, Keio University
Yuki Hayakawa, M2 Student, Keio University
Kazuma Ikeda, M1 Student, Keio University
Ozora Sako, M1 Student, Keio University
Rokuto Nagata, M1 Student, Keio University
Ryo Yoshida, B4 Student, Keio University
Qi Alfred Chen, Assistant Professor, University of California, Irvine
Kentaro Yoshioka, Senior Assistant Professor, Keio University
This research was supported by
NSF under grants CNS-1929771 and CNS-2145493;
USDOT under Grant 69A3552348327 for the CARMEN+ University Transportation Center.
JST CREST JPMJCR23M4, JST PRESTO JPMJPR22PA, JSPS KAKENHI 24K02940, and Amano Institute of Technology