PhantomLiDAR: Cross-modality Signal Injection Attacks against LiDAR

The experimental setup for the feasibility study is shown in Fig. 4. The attack devices include a Keysight N5712b vector signal generator for EMI signal generation, a Mini-Circuits HPA-50W-63+ power amplifier for amplifying the EMI signal, and a log-periodic antenna for signal transmission. The LiDARs under test is the VLP-16 [78], which is the most popular LiDAR in related work [70, 19, 43, 17].

We conduct frequency sweep ranging from 500 MHz to 3500 MHz with an interval of 1 MHz. The signal generator output is set at 0 dbm with an amplifier gain of 50 W. The video demo of the frequency sweep can be found on the website [16]. We record the point cloud and observe the running status of LiDAR under EMI at various frequencies. Both quantitative calculation and attack effects analysis are employed to present the results of the frequency sweep.

In the quantitative analysis, we utilize the parameter Hausdoff distance [35] between the benign point cloud and the interfered point cloud to quantify the level of distortion for point clouds under IEMI. In mathematics, the Hausdoff distance measures how far two subsets of a metric space are from each other. Consider the benign point cloud $\mathbb{PC}$ and the interfered point cloud $\mathbb{PC^{\prime}}$, the Hausdorff distance between them is denoted as $D_{H}(\mathbb{PC},\mathbb{PC^{\prime}})$. A larger value of $D_{H}(\mathbb{PC},\mathbb{PC^{\prime}})$ indicates a stronger degree of interference by IEMI on the LiDAR system. During the sweep process, apart from the varying frequency of the EM signal, we strive to maintain a consistent laboratory environment. After recording the point clouds during frequency sweep, we calculate the Hausdorff distance between point clouds at each frequency ranging from 500 MHz to 3500 MHz and the benign point cloud. The results, as shown in Fig. 5(a), reveal that many different frequencies can cause significant interference effects. For instance, at frequencies around 1200 MHz, the Hausdorff distance reaches as high as 120 meters. Observing the point cloud under 1200 MHz EMI, we find that all points have been erased. In summary, the quantitative analysis of frequency sweep validates the feasibility of EMI attacks on LiDAR. However, to systematically investigate the principles of these attacks, we also need to focus on the effects of the attacks.

From quantitative analysis, it can be observed that signals of different frequencies can cause varying degrees of interference with LiDAR point clouds. To systematically analyze the principles of attacks, we categorize them based on the extent of interference in the point clouds under EMI and the changes in the operational state of the LiDAR. The attack effects are intuitively categorized as Points Interference, Points Removal, and LiDAR Poweroff. The results of attack effect analysis on VLP-16 are presented in Fig. 5(b).

The criteria for categorising attack effects are presented below. In a static environment, we measure the Euclidean distance between points on the same ray before and after an attack. If the average Euclidean distance is less than 2 cm, we consider the LiDAR unaffected by Electromagnetic Interference (EMI), given that the inherent range accuracy of LiDAR is 2 cm. If the average Euclidean distance is greater than 2 cm but less than 1 m, we define this type of attack effect as Points Interference. Should the average Euclidean distance exceed 1 m, it implies that the points have been displaced from their original positions, leading us to categorize this effect as Points Reomval. Points Removal can affect either part or all of the point cloud. Furthermore, we find that when the electromagnetic frequency is swept to $1040\sim 1070$ MHz, the VLP-16 LiDAR system shuts down completely and fails to recover even after cessation of the EM attack. The system must be rebooted to resume operation. This type of attack effect is categorized as LiDAR Power-off.

Principle Analysis for Point Interference: We propose that the direct attack is the primary principle of point interference. As detailed in Sec. II-A, a benign LiDAR signal is typically a laser pulse. When the LiDAR emits a laser pulse, its time-of-shooting and direction are registered. The laser pulse travels through the air until it hits an obstacle which reflects some of the energy, which is returned laser pulse. The distance of the object is calculated by measuring the time interval, so-called time of flight, between the emitted and the returned laser pulse. The time of acquisition is acquired according to the peak of the laser pulse. The point interference principle is illustrated in Fig. 6(a), the EMI can introduce noise into the benign signal by coupling the interfering signal into the wires between the transducer and amplifier. The interfering signal, when superimposed on the benign signal, alters the peak of the echo signal, thereby affecting the LiDAR’s ranging. Besides, as shown in Fig. 6(b), we have also observed that when we slightly change the frequency, the interfering patterns will change significantly. This phenomenon is because the injected EM signal approaches or exceeds 1 GHz, and the sample rate of VLP-16’s ADC is only 500 MHz, undersampling can lead to aliasing. This results in minor frequency changes altering the interference pattern, a phenomenon that has also been discovered in a concurrent prior work [17]. In our study, owing to the use of different frequencies and powerful devices, we can induce a distance error of up to 10 cm as illustrated in Fig. 6(b), compared to the 4 cm error reported in the prior work [17].

Principle Validation for Point Interference: To validate that the signal could couple into the LiDAR’s receiver, we disassembled the LiDAR and extracted its receiving module. We then emitted a 990MHz EM signal towards the receiving module, a frequency capable of causing point interference. We observed that electromagnetic interference was indeed coupled into the transmission line of the receiving board as shown in Fig. 6(c).

Principle Analysis for Points Removal: We propose direct attack and indirect attack are both potential principles to induce Points Removal.

• •

  Attack principle 1 (direct attack): if we can inject high-amplitude EM signal into receiving circuit, it may saturate the receiving circuit and make the real laser pulse undetectable.

• •

  Attack principle 2 (indirect attack): if we can compromise temperature sensor or hall effect sensor, it may induce LiDAR to detect L1 fault, leading LiDAR to consider some or all of the points as invalid.

Principle Validation for Points Removal: We validate the two principles through the Hypothetico-deductive method. If Principle 1 (direct attack) is correct, then when observing Points Removal at a certain signal strength and gradually reducing the signal strength, we should observe a gradual recovery of the removed point cloud due to the decreasing amplitude of interference signals coupled to the receiving circuit. If Principle 2 is correct, then when gradually reducing the signal strength to a certain value, a sudden recovery of the point cloud will be observed because at this point, the FDD mechanism no longer detects errors. Experimental evidence demonstrates that at certain frequencies, such as 1.1 GHz, we can indeed observe the gradual recovery of the removed point cloud, confirming that Principle 1 is correct at this frequency. However, at certain frequencies, such as 1.2 GHz, as the EM amplitude decreases, we observe a sudden recovery of the point cloud, indicating that at this frequency, Principle 2 is correct.

In addition to the Hypothetico-deductive method, we further validate the Principle 2 by directly observing the readings of the monitoring sensor through the fault diagnostic interface. As shown in Fig. 7(a), the diagnostic information can be viewed through the fault diagnostic interface of VLP-16. We find that when EMI causes the points removed, some readings in the diagnostic interface exhibit anomalies. First, as shown in Fig. 7(b), the temperature sensor readings, which should be around 40 Celsius degree, fluctuate between -200 and 150 degrees. Second, some voltage rail readings deviate from normal values. We highly recommend readers to watch the demo video of fault diagnostic when Points Removal occurs on the website [16].

Principle Analysis for LiDAR Power-off: When EMI causes the LiDAR to power off, and we subsequently stop the attack and reboot the LiDAR, it still operates normally. Therefore, it is clear that we are not causing the LiDAR to power off by damaging the hardware. From Sec. II-B and Fig. 3, we learned that the LiDAR may be forced to shut down when it encounters recoverable severe errors. Therefore, we propose that the indirect attack is the principle of LiDAR Power-off. Specifically, the LiDAR Power-off is triggered by interfering the LiDAR’s beam steering module.

Principle Validation for LiDAR Power-off: We utilize Wireshark to record communication data of VLP-16 from the onset of the EM attack until the LiDAR shuts down. We find that in addition to some faults that also occurred during Points Removal, the LiDAR’s rotation speed exhibited severe anomalies. As shown in Fig. 8(a), despite being preset to 600 revolutions per minute (RPM), the speed will drop to 19 RPM, a reduction of 96.7%. Based on our analysis above, such a drastic reduction in speed constitutes a severe fault, highly likely to cause the LiDAR to report an L2 fault and enter the power-off state. We further investigate which part of the beam steering module was disrupted by the EM signal. As shown in Fig. 20, upon disassembling the LiDAR, we discovered that the VLP-16’s beam steering module is a rotating motor monitored by an optical encoder AEDR-850X. As shown in Fig. 8(b), we attacks an AEDR-850X with sinusoidal EM signals of 1050 MHz, which is the EM frequency inducing LiDAR Power-off. The test result reveals that EM signals can interfere with the data perceived by the optical encoder, which probably leads the LiDAR to erroneously detect an abnormally low motor speed, thereby causing a power-off.

The coupling efficiency between a victim circuit and an EM signal is determined by the frequency and amplitude of the EM signal.

Frequency. When conducting IEMI attacks, we consider the wires in the victim LiDAR system as receiving antennas. The effective EM signal frequency can be estimated based on the electrical length of the targeted/selected antenna [58, 79]. Empirically, if the length of the targeted antenna is $l$, the optimal coupling frequency of the EM signal lies between $\frac{c}{50l}$and $\frac{c}{2l}$, where $c$ is the light speed. The specific optimal coupling frequency also depends on the shape, material, and other characteristics of the targeted antenna. In realistic attack scenarios, attackers can utilize the aforementioned theory to establish an approximate frequency range and subsequently identify the resonant frequency with higher coupling efficiency through frequency sweep.

Amplititude. The amplitude is a critical factor in EMI, it is generally considered that higher signal amplitude results in stronger interference. In practical experiments, there may be instances where increasing the device’s displayed amplitude does not enhance interference. For example, in our experiments, the signal generator’s maximum amplitude is 19 dBm (80 mW), and the amplifier is 50 W. However, we observed that changing the signal generator’s amplitude (e.g., from 10 dBm to 19 dBm) sometimes does not affect the final output. This is due to the saturation characteristics of the amplifier, which limits the maximum output strength of the signal.

Firstly, the frequency range of the antenna must cover the range of the sweep. Secondly, it is advantageous for the antenna to have as high a gain as possible to reduce signal attenuation. In our experiments, to accommodate various attack distances, we selected two types of transmission antennas. For attack distances less than 10 cm, we choose a near-field probe to generate the EM signal due to its greater portability. For attack distances greater than 10 cm, we opt for a log-periodic antenna due to its superior directionality.

For the target victim LiDAR, we need to acquire the necessary information to guide signal design. First, we must obtain its signal waveform, typically consisting of one or multiple pulses. For instance, the signal of VLP-16 is a pulse with a width of about 10 $ns$. Then, we need to determine the LiDAR’s scanning cycle, which is usually available in the data manual. For example, the VLP-16 operates on a cycle of 55.296 $\mu s$, during which 16 laser lines are emitted and received at intervals of 2.304 $\mu s$ in a specific sequence, followed by a recharge period of 18.432 $\mu s$.

The design process of the attack signal involves converting the intended point cloud into a series of pulses, where each pulse corresponds to a spoofing point, and the timing of each pulse’s peak defines the spatial coordinates of the spoofing point. The method for designing the baseband signal is akin to that used in previous laser-based attacks [43]. However, using the baseband signal directly is ineffective for injecting the signal into LiDAR systems through EMI. Therefore, we use the attack signal as the baseband signal and modulate it onto a carrier signal using amplitude modulation (AM) to enable effective injection.

As each attack possesses distinct characteristics, we designed unique evaluation methods for each attack to better understand their strength and limitations.

Firstly, in Sec. VI-B, we focus on the Points Interference, Points Removal, and LiDAR Power-off attacks, as these three attacks posing greater potential threats in real-world scenarios due to their simple implementation. We evaluated the effectiveness of these attacks on five LiDARs and discovered that different LiDARs have varying vulnerable frequencies and show different robustness to IEMI. This experiment may provide insights for future LiDAR design or contribute to the establishment of new electromagnetic compatibility (EMC) testing standards.

In Sec. VI-C, we evaluate the Points Interference attack on five LiDAR-based 3D object detection models. We synthesize the Points Interference datasets based on the KITTI [2] dataset, which is a large-scale dataset collected from the real world. By conducting experiments on two LiDAR-based models and three fusion-based models, we observed that point cloud interference attacks lead to a degradation in the performance of 3D object detection models.

In Sec. VI-D, we evaluate the Points Removal attack in the real world. As Point Removal can completely erase point clouds, it enables the Hiding attacks on object detection models, making specified target objects undetectable. With the attack goal of Hiding attack, we focus on evaluating the attack impacts of the attacker’s distance and angle. Additionally, we evaluated the aiming requirements for EMI attacks. This evaluation highlights an advantage of EM attacks over laser attacks with the reduced need for precise aiming.

In Sec. VI-E, for the LiDAR Power-off attack, we evaluate the impact of attack distance and discuss its potential threats in realistic scenarios.

In Sec. VI-F, we evaluate Point Injection from the maximum number of injected points and the precise control over the points, thereby verifying the effectiveness of the attack.

In Sec. VI-G, we explore the feasibility of hiding a targeted object when the victim LiDAR is in motion.

All experiments in this section utilized shared attack attack devices, including a Keysight N5712b vector signal generator (32K USD) [8] for EMI signal generation, a Mini-Circuits HPA-50W-63+ power amplifier(20K USD) [7] for EMI signal amplification, and a log-periodic antenna for remote signal transmission. The log-periodic antenna, valued at approximately 15 USD [6], has a frequency range of 600MHz to 6000MHz and a gain of 15 dBi. Additional devices specific to Points Injection attacks are detailed in Sec. VI-F.

We evaluate EMI attacks on five off-the-shelf LiDARs as shown in Fig. 22, which include three mechanical LiDARs (VLP-16 [78], RS-16 [60], RS-Bpearl [61]) and two MEMS LiDARs(RS-M1 [62],RS-M1P [63]). The RS-M1 and RS-M1P, serve as primary LiDARs for perception, and are widely deployed in both currently released [14, 13, 12] and upcoming [3] vehicles.

We put the antenna 30 cm away from LiDARs, and conduct a frequency sweep test on these LiDARs from 500 MHz to 3500 MHz with a step of 5MHz. The output amplitude of the signal generator is 0 dBm and the amplifier is 50 W.

The attack results are shown in Table I. The relationship between attack effects and EMI frequency is shown in Fig. 10. It is observed that LiDARs with different structures exhibit varying vulnerabilities and susceptible frequencies. We did not observe the phenomenon of Point Interference attacks on the RS-Bpearl, indicating that its EM protection for received signals is superior compared to the other LiDAR models. Points Removal was observed in all LiDAR, but it is important to note that on the VLP-16 and RS-16, EMI could erase all point clouds. However, on the other three LiDAR models, we only observed partial removal of point clouds, which we speculate is due to the directionality of EM waves affecting only certain circuits. As for the LiDAR Power-off attack, it was observed only on the older models, VLP-16 and RS-M1, suggesting that newer generations of LiDAR have optimized diagnostic and management of serious faults.

To systematically explore the influence of amplitude on point interference, we conducted further experiments on the VLP-16 LiDAR. First, we selected two typical frequencies: 989MHz and 990 MHz. As shown in Fig. 6(b), 989 MHz can produce a sinusoidal pattern, whereas 990 MHz can generate a random pattern. We then increased the signal generator’s amplitude from -40 dBm to 0 dBm and connected it to an amplifier with a gain of 56 dB and a maximum output of 50 W (47 dBm). By recording the distance error at different amplitudes, we obtained the results shown in Fig. 11. It can be seen that as the amplitude increases, the distance error gradually increases and the trend is consistent across different frequencies. When the signal generator’s amplitude reaches approximately -10 dBm, the distance error reaches around 14 cm at most. However, despite further increases in the signal generator’s output, the distance error did not increase significantly. This is primarily because the amplifier output reached saturation, preventing accurate control of the final signal amplitude by the signal generator. Furthermore, the saturation distortion caused by the amplifier resulted in signal distortion after -10 dBm, which explains the decrease in distance error around -10 dBm.

To systematically evaluate the impact of Point Interference on 3D object detection models, we simulated the attack based on the large-scale dataset and then input the corrupted dataset into the detection models.

Dataset: We synthesize the attack on KITTI dataset, which comprises diverse real-world driving scenarios. Based on Sec. IV-C1, the Point Interference can be formulated as the following equation:

where $\mathbb{PC}$ stands for benign point cloud and $\mathbb{PC^{\prime}}$ stands for compromised point cloud. We represent a point with spherical coordinates $(r,\theta,\varphi)$, where $r$ denotes the radial distance, $\theta$ the polar angle, and $\varphi$ the azimuthal angle. EM interference affects only $r$, introducing random noise within the range of $[-\varepsilon,\varepsilon]$. As shown in Fig. 11, up to 10 cm distance error can be stably induced based on our attack device. Therefore, to ensure the physical realizability of the corrupted dataset, we synthesize the datasets when $\varepsilon$ is set at 5 cm and 10 cm, respectively.

Detection Models: We evaluate the impact of Points Interference on five 3D object detection models. Two are LiDAR-based models: PointPillar [47] and PV-RCNN [69]. Additionally, there are three LiDAR-Camera fusion models: the early-fusion model VirConv-L [81], the feature-fusion model EPNet [34] and the results-fusion model CLOCs [54].

Metrics: Same as the KITTI benchmark [29], we consider a car detection as successful when the IoU between a ground-truth 3D bounding box and a predicted 3D bounding box exceeds 0.7. Based on the IoU threshold, we use Average Precision(AP) to measure the overall detection performance of a model. AP is the official metric for the KITTI benchmark for a comprehensive assessment of a model’s performance. We calculate the AP in the moderate difficulty, aligning with the KITTI benchmark [2], where models are ranked based on the moderately difficult results. To evaluate the model’s robustness against interference, we introduce a new metric Robustness Coefficient $Rb$:

where $AP^{\prime}$ and $AP_{begnin}$ denote the model’s average precision on the interfered dataset and the benign dataset, respectively.

Results: The APs of the five 3D Object detection models under different-intensity points interference are presented in Table. III. It is observed that with increasing interference intensity, the performance of the detection models decreases, demonstrating the attack devices with higher power can, demonstrating that devices with higher power have stronger attack effects.

The Rbs of models are shown in Fig. 12. The robustness of Fusion-based models is generally stronger than that of LiDAR-based models, indicating that sensor fusion has potential as a countermeasure against Points Interference attacks. Within the fusion-based models, CLOCs exhibits the least robustness. This is attributed to CLOCs being a result fusion approach that combines camera and LiDAR detection candidates before applying Non-Maximum Suppression (NMS). Such a loosely coupled fusion method is ineffective in defending against Points Interference attacks. Further, we note that even interference at 10cm does not significantly compromise the 3D object detection models(Rbs ¿ 0.92), indicating that existing models have a certain level of robustness to interference. This experiment helps us objectively understand that the harmfulness of Points Interference

The experimental setup is shown in Fig. 13. We conducted physical experiments on campus roads. The attack target is a car, which is the most prevalent target in real autonomous driving scenarios. The victim LiDAR is VLP-16, and the detection model is PointPillars [47].

As illustrated in Fig. 14(a), the attacker’s location includes their off-axis angle and distance to the LiDAR and the target object. A larger range of locations from which an attack can be successfully executed implies greater robustness and stealth of the attack in real-world scenarios. We investigated the attack’s effectiveness by conducting attacks on the LiDAR from distances of $[1,1.5,2,2.5,3,4]$ meters at off-axis angles of $[5,15,30,45,60,90,145,180]$ degrees.

The results are shown in Fig. 14(b). It demonstrates that within a distance of 1.5 meters, the attacker can hide the target object from any angle, as all LiDAR point clouds are erased at this distance. Furthermore, we found that the smaller the off-axis angle, the greater the distance at which an attack can be successful. To find the longest attack distance, we move the EM source as far as possible. With our test setup, the attack could be successfully executed when the EM source was up to 5.5 meters away from the LiDAR. We anticipate that the maximum effective attack distance could be more than 5.5 meters, particularly with the use of a high-power EM source.

Aiming is a common challenge faced in remote attacks in the real world, a problem that has been especially pronounced in previous laser attacks [43]. In this experiment, we investigate the aiming requirements for EM attacks. The lower the aiming precision required for an attack, the more feasible it is in real-world scenarios. We kept the location of the EM antenna constant (1 meter from the LiDAR) and then varied the direction in which the EM antenna was pointed. The point clouds were then input into the detection model to observe whether the attack is successful. The results are shown in Fig. 15, the EM antenna could deviate up to 40° vertically or 35° horizontally while still achieving a hiding attack effect. This result suggests that EM attacks do not require precise aiming, an advantage over laser attacks.

The setup of Point Injection is shown in Fig. 23 in Appendix. In addition to a vector signal generator, an amplifier, an EM antenna, Point Injection also requires an arbitrary waveform generator to create the baseband signal and set the delay, and a photodetector to receive signals from the LiDAR. The LiDARs under test are VLP-16 and RS-16, which are the two LiDARs tested in SOTA laser-based attacks [43].

The comparison of the number of injected points is only meaningful when the victim LiDAR models are the same and have same rotation speed. Therefore, we selected VLP-16 as the victim LiDAR, a LiDAR commonly used in previous point injection research [43, 19, 70].

To inject as many points as possible, we designed the baseband signal to forge the echo signal in every receiving period of LiDAR. With the same baseband signal, we test the impact of different carrier signal frequencies to the number of injected points. We set the signal output power to 50 W and varied the carrier frequency between 700 MHz and 2500 MHz, recording the number of injected fake points. The results are shown in Fig. 16. We find that different carrier frequencies indeed impact the number of injected points. We attribute this to the receiving circuit’s varying response to different signal frequencies. Notably, a carrier frequency of approximately 1040 MHz enabled the injection of the highest number of points (over 16,500), forming a circular wall-like structure around the LiDAR, as shown in Fig. 17(a).At the same rotation speed, previous works could inject 3,000 fake points at most [43, 65]. This significant increase is primarily because EM attacks affect a wider range (almost 360^∘ horizontal angle), while laser attacks can only influence the area (less than 35^∘ horizontal angle) illuminated by the laser spot.

Fig. 17 shows that different-pattern spoofing point cloud can be injected using various baseband signals. With the fine-grained baseband signal and attack devices detailed in Sec. V, we successfully inject a ”pedestrian” pattern into VLP-16 (Fig. 17(b)) and RS-16 (Fig. 21(c)in Appendix) LiDARs. This showcases that EM attacks possess capabilities akin to those of laser-based attacks [43] for precisely manipulating the point cloud of a LiDAR system.

The attack setting of moving vehicles is shown in Fig 18. The vehicle equipped with a VLP-16 LiDAR moves at a speed below 10 km/h (for safety considerations). During the experiment, we do not require the victim car to travel at a constant speed, which is in line with the real-world conditions where the attacker has no access to the victim car. The attack devices, including a signal generator, an amplifier, and an antenna, are integrated into the attack car. The attacker holds antenna in the car and aims it at the moving victim LiDAR. The attacker’s goal is to compromise the victim LiDAR and make the LiDAR-based 3D object detection model unable to detect the attack car. Therefore, we set the parameters of attack signal to a frequency of 1.2GHz and an output amplitude of 50W, with which the Points Removal can be easily achieved.

We define two real-world attack scenarios. Scenario A is the ”tailgating attack”, where both the attacker car and the victim car are moving on a straight road, and the driver of the attacker car will drive close to the victim car at a similar speed. Scenario B is the ”roadside attack”, where the attacker is stationary at the roadside while the victim car is making a turn. Compared to the stationary attack in Sec. VI-D, Scenario A primarily faces challenges due to the constantly changing attack distance and vehicle vibrations, while Scenario B primarily faces aiming challenges due to the constantly changing attack angle.

We demonstrated the feasibility of hiding a specified target in both moving scenarios. Specifically, for the tailgating attack, we conducted five trials, each covering a distance of 40 meters. Each trial collected 100 frames uniformly, resulting in an attack success rate of 87.2% (436/500). For the roadside attack, we also conducted five trials and collected 40 frames from each trial. We found that despite the continuously changing angle of the victim car, an attack success rate of 83.5% (167/200) was still achievable within an attack distance of 4 meters. In summary, due to the relatively low aiming requirement for EM attacks, as long as the attacker can approach the victim LiDAR (within 4 meters in this paper), the hiding attack can be carried out with above 80% attack success rate.