English

DisorientLiDAR: Physical Attacks on LiDAR-based Localization

Computer Vision and Pattern Recognition 2025-09-17 v1 Artificial Intelligence

Abstract

Deep learning models have been shown to be susceptible to adversarial attacks with visually imperceptible perturbations. Even this poses a serious security challenge for the localization of self-driving cars, there has been very little exploration of attack on it, as most of adversarial attacks have been applied to 3D perception. In this work, we propose a novel adversarial attack framework called DisorientLiDAR targeting LiDAR-based localization. By reverse-engineering localization models (e.g., feature extraction networks), adversaries can identify critical keypoints and strategically remove them, thereby disrupting LiDAR-based localization. Our proposal is first evaluated on three state-of-the-art point-cloud registration models (HRegNet, D3Feat, and GeoTransformer) using the KITTI dataset. Experimental results demonstrate that removing regions containing Top-K keypoints significantly degrades their registration accuracy. We further validate the attack's impact on the Autoware autonomous driving platform, where hiding merely a few critical regions induces noticeable localization drift. Finally, we extended our attacks to the physical world by hiding critical regions with near-infrared absorptive materials, thereby successfully replicate the attack effects observed in KITTI data. This step has been closer toward the realistic physical-world attack that demonstrate the veracity and generality of our proposal.

Keywords

Cite

@article{arxiv.2509.12595,
  title  = {DisorientLiDAR: Physical Attacks on LiDAR-based Localization},
  author = {Yizhen Lao and Yu Zhang and Ziting Wang and Chengbo Wang and Yifei Xue and Wanpeng Shao},
  journal= {arXiv preprint arXiv:2509.12595},
  year   = {2025}
}
R2 v1 2026-07-01T05:38:15.952Z