LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and
New Attack Strategies
Summary
LiDAR (Light Detection And Ranging) is an indispensable sensor for precise long- and wide-range 3D sensing, which directly benefited the recent rapid deployment of autonomous driving (AD). Meanwhile, such a safety-critical application strongly motivates its security research. A recent line of research finds that one can manipulate the LiDAR point cloud and fool object detectors by firing malicious lasers against LiDAR. However, these efforts face 3 critical research gaps: (1) considering only one specific LiDAR (VLP-16); (2) assuming unvalidated attack capabilities; and (3) evaluating object detectors with limited spoofing capability modeling and setup diversity.
To fill these critical research gaps, we conduct the first large-scale measurement study on LiDAR spoofing attack capabilities on object detectors with 9 popular LiDARs, covering both first- and new-generation LiDARs, and 3 major types of object detectors trained on 5 different datasets. To facilitate the measurements, we (1) identify spoofer improvements that significantly improve the latest spoofing capability, (2) identify a new object removal attack that overcomes the applicability limitation of the latest method to new-generation LiDARs, and (3) perform novel mathematical modeling for both object injection and removal attacks based on our measurement results. Through this study, we are able to uncover a total of 15 novel findings, including not only completely new ones due to the measurement angle novelty, but also many that can directly challenge the latest understandings in this problem space. We also discuss defenses.
Chosen Pattern Injection (CPI)
So far, all prior works on object injection attack side [Shin et al., 2017 [9], Cao et al., 2019 [10] , Jiachen et al., 2020[11], Hallyburton et al., 2022 [13]] assume a Chosen Pattern Injection (CPI) attack capability, i.e., an attacker can successfully inject a specifically-chosen spoofed point cloud pattern that was carefully crafted/identified offline before the actual attack time (e.g., from an offline optimization process). However, none of these prior works have clearly demonstrated such an attack capability in the physical world.
with prior attacks and ours.
3D Pattern Injection: Pedestrian
3D Pattern Injection: Car
3D Pattern Injection: Text
Our Improved LiDAR Spoofer & Optics
To achieve the CPI attack capability, we significantly improved the LiDAR spoofing capability with more careful optics and more functional electronics.
Parts used for the spoofer
Ø1" N-BK7 Plano-Convex Lens, SM1-Threaded Mount, f = 25.4 mm, Uncoated
Laser board
Pulse laser
Spoofer frame design
The frame consists of a bottom acrylic plate, a top acrylic plate, and an aluminum hollow screw. The laser board is fixed to the bottom acrylic plate. A female screw is dug in the top acrylic plate so that the hollow screw can be moved up and down. The acrylic plates are joined to each other by hexagonal posts connected in series. Thorlab's lenses in the mount are internally threaded so they can be attached to the end of a hollow screw.
CAD File: lens_unit.f3z
bottom plate
top plate
hollow screw
Target LiDARs
Velodyne VLP-16 has been dominantly used in the prior works since it is viewed as a de facto choice for LiDAR spoofing evaluation after the first practical spoofing attack was proposed in 2017. Although these results are valid on VLP-16, there is no guarantee that these results are still valid in more recent LiDARs, known as next-generation LiDARs. However, none of the prior works on LiDAR spoofing attacks has evaluated the security property of such next-generation LiDAR. These major design differences are likely to cause significant differences in their security characteristics, which thus motivates this study.
High-Frequency Removal (HFR):
New Asynchronized Spoofing Technique for Object Removal.
New Asynchronized Spoofing Technique for Object Removal.
To address inapplicable to new-gen LiDARs of existing attacks, we identify a new adaptation of the saturation attack, which still does not require synchronization, but instead of using high-power continuous laser, it uses high-frequency pulsed laser. This new attack is thus called high-frequency removal (HFR) attack. The key idea is to fire a large number of attack laser pulses to the victim LiDAR at a frequency that is higher than the laser-firing frequency of the victim LiDAR. This allows the attack laser to hit every laser-firing event of the victim LiDAR in the scanning range hit by the spoofer, which can thus achieve the spoofing effect for every points in that range without any knowledge of the victim scanning pattern (i.e., without requiring synchronization). We compare our attack with the state-of-the-art removal attack. Physical Removal Attack (PRA) [Cao et al., 2022].
Attack Demos
Target LiDAR: VLP-32c
Camera
Benign
PRA Attack w/ our spoofer
HFR Attack
Attack Demos on Other LiDARs
VLS-128: Injection Attack (Laser Pattern)
Leddar Pixell: Relay Attack
XT32: HFR Attack
Helios: HFR Attack
Livox Horizon: HFR Attack
Realsense L515: HFR Attack
Helios HFR Attack (Wide)
OS1-32: HFR Attack
Removal Attack Evaluation on Closed-Loop Simulation
We evaluate the end-to-end consequence in AD scenarios with closed-loop simulation. We apply the attack success rate at each azimuth for each point at every frame to decide whether the point is to be remained or be removed.
AD system: Baidu Apollo 7.0
Simulator: LGSVL
Attack Start Distance: 18 m
Driving Speed: 40 km/h
Attack success rate at each azimuth
Benign
VLP-32 (HFR)
VLP-16 (PRA)
XT32 (HFR)
VLP-16 (HFR)
Helios 5515 (HFR)
Real Vehicle Removal with HFR attack
Target LiDAR: VLP-16
Distance between Spoofer and LiDAR: 5 m
Benign: Until 8 seconds
Attack: After 8 seconds
Responsible Vulnerability Disclosure
We initiated the responsible disclosure process early in October 2023 to 10 companies that are developing LiDARs or autonomous vehicles with LiDARs. 5 (50%) have replied saying that they have started investigations.
Research Paper
[NDSS 2024] LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and New Attack Strategies
Takami Sato*, Yuki Hayakawa*, Ryo Suzuki*, Yohsuke Shiiki, Kentaro Yoshioka, Qi Alfred Chen (* denotes co-first)
Published in the e Network and Distributed System Security (NDSS) Symposium 2024 (Acceptance rate 15%)
BibTex for citation:
@inproceedings{sato2024lidar,
title={{LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and New Attack Strategies}},
author={Sato, Takami and Hayakawa, Yuki and Suzuki, Ryo and Shiiki, Yohsuke and Yoshioka, Kentaro and Chen, Qi Alfred},
booktitle={{Network and Distributed System Security Symposium (NDSS)}},
year={2024}
}
Team
Takami Sato, Ph.D. candidate, CS, UC Irvine
Yuki Hayakawa, MS, EEE, Keio University
Ryo Suzuki, MS, EEE, Keio University
Yohsuke Shiiki, Ph.D., EEE, Keio University
Kentaro Yoshioka, Assistant Professor, EEE, Keio University
Qi Alfred Chen, Assistant Professor, CS, UC Irvine
Acknowledgments
This research was supported in part by the NSF CNS-1932464, CNS-1929771, CNS-2145493, USDOT UTC Grant 69A3552047138, JST SPRING JPMJSP2123, JST PRESTO JPMJPR22PA, and JSPS KAKENHI 21K20413.