LiDAR (Light Detection And Ranging) is an indispensable sensor for precise long- and wide-range 3D sensing, which directly benefited the recent rapid deployment of autonomous driving (AD). Meanwhile, such a safety-critical application strongly motivates its security research. A recent line of research demonstrates that one can manipulate the LiDAR point cloud and fool object detection by firing malicious lasers against LiDAR. However, these efforts face 3 critical research gaps: (1) evaluating only on a specific LiDAR (VLP-16); (2) assuming unvalidated attack capabilities; and (3) evaluating with models trained on limited datasets.
To fill these critical research gaps, we conduct the first large-scale measurement study on LiDAR spoofing attack capabilities on object detectors with 9 popular LiDARs in total and 3 major types of object detectors. To perform this measurement, we significantly improved the LiDAR spoofing capability with more careful optics and functional electronics, which allows us to be the first to clearly demonstrate and quantify key attack capabilities assumed in prior works. However, we further find that such key assumptions actually can no longer hold for all the other (8 out of 9) LiDARs that are more recent than VLP-16 due to various recent LiDAR features. To this end, we further identify a new type of LiDAR spoofing attack that can improve on this and be applicable to a much more general and recent set of LiDARs. We find that its attack capability is enough to (1) cause end-to-end safety hazards in simulated AD scenarios, and (2) remove real vehicles in the physical world. We also discuss the defense side.
So far, all prior works on object injection attack side [Shin et al., 2017 [9], Cao et al., 2019 [10] , Jiachen et al., 2020[11], Hallyburton et al., 2022 [13]] assume a Chosen Pattern Injection (CPI) attack capability, i.e., an attacker can successfully inject a specifically-chosen spoofed point cloud pattern that was carefully crafted/identified offline before the actual attack time (e.g., from an offline optimization process). However, none of these prior works have clearly demonstrated such an attack capability in the physical world.
To achieve the CPI attack capability, we significantly improved the LiDAR spoofing capability with more careful optics and more functional electronics.
Ø1" N-BK7 Plano-Convex Lens, SM1-Threaded Mount, f = 25.4 mm, Uncoated
Laser board
Pulse laser
The frame consists of a bottom acrylic plate, a top acrylic plate, and an aluminum hollow screw. The laser board is fixed to the bottom acrylic plate. A female screw is dug in the top acrylic plate so that the hollow screw can be moved up and down. The acrylic plates are joined to each other by hexagonal posts connected in series. Thorlab's lenses in the mount are internally threaded so they can be attached to the end of a hollow screw.
CAD File: lens_unit.f3z
bottom plate
top plate
hollow screw
Velodyne VLP-16 has been dominantly used in the prior works since it is viewed as a de facto choice for LiDAR spoofing evaluation after the first practical spoofing attack was proposed in 2017. Although these results are valid on VLP-16, there is no guarantee that these results are still valid in more recent LiDARs, known as next-generation LiDARs. However, none of the prior works on LiDAR spoofing attacks has evaluated the security property of such next-generation LiDAR. These major design differences are likely to cause significant differences in their security characteristics, which thus motivates this study.
We identified a new type of LiDAR spoofing attack, named high-frequency removal (HFR) attack, which can achieve point removal without synchronizing with the LiDAR scanning patterns and can be effective against LiDAR even with the timing randomization. We compare our attack with the state-of-the-art removal attack. Physical Removal Attack (PRA) [Cao et al., 2022].
Target LiDAR: VLP-32c
Camera
Benign
PRA Attack w/ our spoofer
HFR Attack
We evaluate the end-to-end consequence in AD scenarios with closed-loop simulation. We apply the attack success rate at each azimuth for each point at every frame to decide whether the point is to be remained or be removed.
AD system: Baidu Apollo 7.0
Simulator: LGSVL
Attack Start Distance: 18 m
Driving Speed: 40 km/h
Attack success rate at each azimuth
Benign
VLP-32 (HFR)
VLP-16 (PRA)
NextG② (HFR)
VLP-16 (HFR)
NextG③ (HFR)
Target LiDAR: VLP-16
Distance between Spoofer and LiDAR: 5 m
Benign: Until 8 seconds
Attack: After 8 seconds