Search papers, labs, and topics across Lattice.
This paper uncovers a novel attack vector for LiDAR systems, demonstrating how dormant malware can be remotely activated to manipulate point-cloud data without direct access to the sensor hardware. By embedding malware in the LiDAR firmware and using an optical trigger to modulate signals, the authors successfully demonstrate real-time manipulation, including false object injection and suppression of real objects, under various operational conditions. The findings underscore significant vulnerabilities in the integrity of LiDAR systems, necessitating enhanced security measures in their development and deployment.
Dormant malware in LiDAR systems can be remotely activated to manipulate 3D perception, posing a serious threat to autonomous vehicles' safety.
LiDAR sensors are widely deployed in autonomous systems for 3D perception and safety-critical decision-making. We identify a previously unexplored attack surface in which dormant malware embedded in the LiDAR sensing pipeline remains inactive during normal operation and can be externally triggered after deployment, without requiring access to sensor hardware or networking at attack time. To operationalize this threat, we design malware capable of low-level point-cloud manipulation and embed it into LiDAR firmware. This malware was developed in a closed research test environment with vendor technical support, rather than by exploiting an inherent production supply-chain vulnerability. To selectively trigger attack activation, we design and implement an optical trigger that remotely activates the malware by delivering a modulated signal into the sensing environment. Once triggered, the malware performs real-time point cloud manipulation, and we demonstrate false object injection and real object suppression on static and mobile victim platforms. Our evaluation first establishes attack feasibility, including static operation at 300~ft and recorded drive-by runs reaching 35~mph. We then illustrate quantitatively that injected person-like artifacts can remain semantically detectable by a state-of-the-art 3D object detector. Finally, we demonstrate multiple modes of safety-critical impact on a deployed tactical autonomous vehicle. Together, these results highlight the need for stronger integrity guarantees throughout the LiDAR sensor development and deployment pipeline.