LiDAR sensors are widely deployed in autonomous systems for 3D perception and safety-critical decision-making. We identify a previously unexplored attack surface in which dormant malware embedded in the LiDAR sensing pipeline remains inactive during normal operation and can be externally triggered after deployment, without requiring access to sensor hardware or networking at attack time. To operationalize this threat, we design malware capable of low-level point-cloud manipulation and embed it into LiDAR firmware. This malware was developed in a closed research test environment with vendor technical support, rather than by exploiting an inherent production supply-chain vulnerability. To selectively trigger attack activation, we design and implement an optical trigger that remotely activates the malware by delivering a modulated signal into the sensing environment. Once triggered, the malware performs real-time point cloud manipulation, and we demonstrate false object injection and real object suppression on static and mobile victim platforms. Our evaluation first establishes attack feasibility, including static operation at 300~ft and recorded drive-by runs reaching 35~mph. We then illustrate quantitatively that injected person-like artifacts can remain semantically detectable by a state-of-the-art 3D object detector. Finally, we demonstrate multiple modes of safety-critical impact on a deployed tactical autonomous vehicle. Together, these results highlight the need for stronger integrity guarantees throughout the LiDAR sensor development and deployment pipeline.

翻译：LiDAR传感器广泛应用于自主系统中的3D感知和安全关键决策中。我们识别出一个此前未被探索的攻击面：嵌入LiDAR感知管线中的休眠恶意软件在正常操作期间保持非活跃状态，并可在部署后通过外部触发激活，而无需在攻击时访问传感器硬件或网络。为了实现这一威胁，我们设计了能够进行低层次点云操控的恶意软件，并将其嵌入LiDAR固件。该恶意软件是在一个封闭的研究测试环境中，在供应商的技术支持下开发的，而非利用固有的生产供应链漏洞。为选择性触发攻击激活，我们设计并实现了一个光学触发器，通过向感知环境传递调制信号来远程激活恶意软件。一旦被触发，恶意软件执行实时点云操控，并在静态和移动目标平台上展示了虚假物体注入和真实物体抑制。我们的评估首先确立了攻击的可行性，包括在300英尺处的静态操作和记录到的时速35英里的驾车通过运行。接着，我们定量说明了注入的类人伪影能够被最先进的3D物体检测器在语义上检测到。最后，我们在部署的战术自主车辆上展示了多种模式的安全关键影响。这些结果共同凸显了在整个LiDAR传感器开发和部署管线中需要更强完整性保证的必要性。