LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and
New Attack Strategies

LiDAR (Light Detection And Ranging) is an indispensable sensor for precise long- and wide-range 3D sensing, which directly benefited the recent rapid deployment of autonomous driving (AD). Meanwhile, such a safety-critical application strongly motivates its security research. A recent line of research finds that one can manipulate the LiDAR point cloud and fool object detectors by firing malicious lasers against LiDAR. However, these efforts face 3 critical research gaps: (1) considering only one specific LiDAR (VLP-16); (2) assuming unvalidated attack capabilities; and (3) evaluating object detectors with limited spoofing capability modeling and setup diversity.

To fill these critical research gaps, we conduct the first large-scale measurement study on LiDAR spoofing attack capabilities on object detectors with 9 popular LiDARs, covering both first- and new-generation LiDARs, and 3 major types of object detectors trained on 5 different datasets. To facilitate the measurements, we (1) identify spoofer improvements that significantly improve the latest spoofing capability, (2) identify a new object removal attack that overcomes the applicability limitation of the latest method to new-generation LiDARs, and (3) perform novel mathematical modeling for both object injection and removal attacks based on our measurement results. Through this study, we are able to uncover a total of 15 novel findings, including not only completely new ones due to the measurement angle novelty, but also many that can directly challenge the latest understandings in this problem space. We also discuss defenses.

Chosen Pattern Injection (CPI)

So far, all prior works on object injection attack side [Shin et al., 2017 [9], Cao et al., 2019 [10] , Jiachen et al., 2020[11], Hallyburton et al., 2022 [13]] assume a Chosen Pattern Injection (CPI) attack capability, i.e., an attacker can successfully inject a specifically-chosen spoofed point cloud pattern that was carefully crafted/identified offline before the actual attack time (e.g., from an offline optimization process). However, none of these prior works have clearly demonstrated such an attack capability in the physical world.

Comparison of LiDAR spoofing attack capabilities
with prior attacks and ours.

3D Pattern Injection: Pedestrian

3D Pattern Injection: Car

3D Pattern Injection: Text

Our Improved LiDAR Spoofer & Optics

To achieve the CPI attack capability, we significantly improved the LiDAR spoofing capability with more careful optics and more functional electronics.

Overview of our LiDAR spoofer setup, the optics design, and the setup of the indoor and outdoor experiments.

Parts used for the spoofer

Thorlabs LA1951-ML

Ø1" N-BK7 Plano-Convex Lens, SM1-Threaded Mount, f = 25.4 mm, Uncoated

EPC9126

Laser board

SPL PL90_3

Pulse laser

Spoofer frame design

The frame consists of a bottom acrylic plate, a top acrylic plate, and an aluminum hollow screw. The laser board is fixed to the bottom acrylic plate. A female screw is dug in the top acrylic plate so that the hollow screw can be moved up and down. The acrylic plates are joined to each other by hexagonal posts connected in series. Thorlab's lenses in the mount are internally threaded so they can be attached to the end of a hollow screw.

CAD File: lens_unit.f3z

acrylic_bottom Drawing.pdf

bottom plate

acrylic_top Drawing.pdf

top plate

lens_screw Drawing.pdf

hollow screw

Target LiDARs

Velodyne VLP-16 has been dominantly used in the prior works since it is viewed as a de facto choice for LiDAR spoofing evaluation after the first practical spoofing attack was proposed in 2017. Although these results are valid on VLP-16, there is no guarantee that these results are still valid in more recent LiDARs, known as next-generation LiDARs. However, none of the prior works on LiDAR spoofing attacks has evaluated the security property of such next-generation LiDAR. These major design differences are likely to cause significant differences in their security characteristics, which thus motivates this study.

High-Frequency Removal (HFR):
New Asynchronized Spoofing Technique for Object Removal.

To address inapplicable to new-gen LiDARs of existing attacks, we identify a new adaptation of the saturation attack, which still does not require synchronization, but instead of using high-power continuous laser, it uses high-frequency pulsed laser. This new attack is thus called high-frequency removal (HFR) attack. The key idea is to fire a large number of attack laser pulses to the victim LiDAR at a frequency that is higher than the laser-firing frequency of the victim LiDAR. This allows the attack laser to hit every laser-firing event of the victim LiDAR in the scanning range hit by the spoofer, which can thus achieve the spoofing effect for every points in that range without any knowledge of the victim scanning pattern (i.e., without requiring synchronization). We compare our attack with the state-of-the-art removal attack. Physical Removal Attack (PRA) [Cao et al., 2022].

Attack Demos

Target LiDAR: VLP-32c

Camera

Benign

PRA Attack w/ our spoofer

HFR Attack

Attack Demos on Other LiDARs

VLS-128: Injection Attack (Laser Pattern)

Leddar Pixell: Relay Attack

XT32: HFR Attack

Helios: HFR Attack

Livox Horizon: HFR Attack

Realsense L515: HFR Attack

Helios HFR Attack (Wide)

OS1-32: HFR Attack

Removal Attack Evaluation on Closed-Loop Simulation

We evaluate the end-to-end consequence in AD scenarios with closed-loop simulation. We apply the attack success rate at each azimuth for each point at every frame to decide whether the point is to be remained or be removed.

AD system: Baidu Apollo 7.0
Simulator: LGSVL
Attack Start Distance: 18 m
Driving Speed: 40 km/h

Attack success rate at each azimuth

Benign

VLP-32 (HFR)

VLP-16 (PRA)

XT32 (HFR)

VLP-16 (HFR)

Helios 5515 (HFR)

Real Vehicle Removal with HFR attack

Target LiDAR: VLP-16
Distance between Spoofer and LiDAR: 5 m

Benign: Until 8 seconds
Attack: After 8 seconds

Responsible Vulnerability Disclosure

We initiated the responsible disclosure process early in October 2023 to 10 companies that are developing LiDARs or autonomous vehicles with LiDARs. 5 (50%) have replied saying that they have started investigations.

Research Paper

[NDSS 2024] LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and New Attack Strategies

Takami Sato*, Yuki Hayakawa*, Ryo Suzuki*, Yohsuke Shiiki, Kentaro Yoshioka, Qi Alfred Chen (* denotes co-first)

Published in the e Network and Distributed System Security (NDSS) Symposium 2024 (Acceptance rate 15%)

BibTex for citation:

@inproceedings{sato2024lidar,

title={{LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and New Attack Strategies}},

author={Sato, Takami and Hayakawa, Yuki and Suzuki, Ryo and Shiiki, Yohsuke and Yoshioka, Kentaro and Chen, Qi Alfred},

booktitle={{Network and Distributed System Security Symposium (NDSS)}},

year={2024}

}

Team

Takami Sato, Ph.D. candidate, CS, UC Irvine
Yuki Hayakawa, MS, EEE, Keio University
Ryo Suzuki, MS, EEE, Keio University
Yohsuke Shiiki, Ph.D., EEE, Keio University
Kentaro Yoshioka, Assistant Professor, EEE, Keio University
Qi Alfred Chen, Assistant Professor, CS, UC Irvine

Acknowledgments

This research was supported in part by the NSF CNS-1932464, CNS-1929771, CNS-2145493, USDOT UTC Grant 69A3552047138, JST SPRING JPMJSP2123, JST PRESTO JPMJPR22PA, and JSPS KAKENHI 21K20413.