PhantomLiDAR: Cross-modality Signal Injection Attacks against LiDAR

Zizhi Jin,Qinhong Jiang,Xuancun Lu,Chen Yan,Xiaoyu Ji,Wenyuan Xu
DOI: https://doi.org/10.14722/ndss.2025.23997
2024-09-26
Abstract:LiDAR (Light Detection and Ranging) is a pivotal sensor for autonomous driving, offering precise 3D spatial information. Previous signal attacks against LiDAR systems mainly exploit laser signals. In this paper, we investigate the possibility of cross-modality signal injection attacks, i.e., injecting intentional electromagnetic interference (IEMI) to manipulate LiDAR output. Our insight is that the internal modules of a LiDAR, i.e., the laser receiving circuit, the monitoring sensors, and the beam-steering modules, even with strict electromagnetic compatibility (EMC) testing, can still couple with the IEMI attack signals and result in the malfunction of LiDAR systems. Based on the above attack surfaces, we propose the PhantomLiDAR attack, which manipulates LiDAR output in terms of Points Interference, Points Injection, Points Removal, and even LiDAR Power-Off. We evaluate and demonstrate the effectiveness of PhantomLiDAR with both simulated and real-world experiments on five COTS LiDAR systems. We also conduct feasibility experiments in real-world moving scenarios. We provide potential defense measures that can be implemented at both the sensor level and the vehicle system level to mitigate the risks associated with IEMI attacks. Video demonstrations can be viewed at <a class="link-external link-https" href="https://sites.google.com/view/phantomlidar" rel="external noopener nofollow">this https URL</a>.
Signal Processing,Artificial Intelligence,Emerging Technologies,Systems and Control
What problem does this paper attempt to address?
The paper primarily explores a novel cross-modal signal injection attack on LiDAR systems—PhantomLiDAR. Specifically, the research aims to investigate the possibility of manipulating LiDAR outputs using Intentional Electromagnetic Interference (IEMI). Traditional attacks on LiDAR mainly rely on laser signals, whereas this paper further studies the interference of LiDAR systems' internal components (such as laser receiving circuits, monitoring sensors, and beam steering modules) through electromagnetic wave signals of different frequencies, leading to LiDAR malfunctions. The paper proposes four different attack effects: 1. **Points Interference**: By injecting electromagnetic interference into the laser receiving circuit, the distance measurement of the LiDAR is distorted, resulting in point cloud data distortion. 2. **Points Removal**: By injecting electromagnetic interference into the monitoring sensors or laser receiving circuit, the point cloud data deviates from the actual position or even completely disappears. 3. **LiDAR Power-off**: By injecting electromagnetic interference into the beam steering module, the entire LiDAR system shuts down. 4. **Points Injection**: By injecting amplitude-modulated electromagnetic interference signals into the laser receiving circuit, controlled points can be injected. Additionally, the paper details the experimental setup and validation process, and tests were conducted on five commercial LiDAR systems, including three rotating LiDARs and two MEMS LiDARs. The research results indicate that PhantomLiDAR attacks can be effectively implemented in various scenarios and, in some aspects, are more powerful than existing laser attacks. For example, in the points injection attack, PhantomLiDAR can inject a far greater number of false points than existing technologies. These findings help raise awareness of electromagnetic interference threats among the security community and LiDAR manufacturers and promote more advanced electromagnetic compatibility standards and designs.