Anywhere, Any-Stymie: Remote Activation of Trojan Malware on LiDAR with Modulated Signals
Pith reviewed 2026-06-27 00:30 UTC · model grok-4.3
The pith
Dormant malware in LiDAR firmware activates via external modulated optical signals to manipulate point clouds in real time.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Dormant malware embedded in the LiDAR sensing pipeline remains inactive during normal operation and can be externally triggered after deployment, without requiring access to sensor hardware or networking at attack time, enabling real-time point cloud manipulation including false object injection and real object suppression.
What carries the argument
An optical trigger that delivers a modulated signal into the sensing environment to activate embedded firmware malware for point-cloud manipulation.
If this is right
- Attack remains feasible at static ranges of 300 feet and during drive-by runs reaching 35 mph.
- Injected person-like artifacts stay semantically detectable by state-of-the-art 3D object detectors.
- Multiple modes of safety-critical impact appear on a deployed tactical autonomous vehicle.
Where Pith is reading between the lines
- Similar firmware-resident triggers could apply to other perception sensors if the same embedding pattern exists.
- LiDAR designs may require explicit checks on incoming optical signal patterns to reject activation attempts.
Load-bearing premise
The malware can be embedded into LiDAR firmware in a way that survives deployment and remains selectively triggerable by an external optical signal without being detected or disabled by normal sensor operation or vendor security measures.
What would settle it
A controlled test in which the modulated optical signal is delivered to a LiDAR sensor containing the malware and the point cloud is observed to change only in the presence of that signal.
Original abstract
LiDAR sensors are widely deployed in autonomous systems for 3D perception and safety-critical decision-making. We identify a previously unexplored attack surface in which dormant malware embedded in the LiDAR sensing pipeline remains inactive during normal operation and can be externally triggered after deployment, without requiring access to sensor hardware or networking at attack time. To operationalize this threat, we design malware capable of low-level point-cloud manipulation and embed it into LiDAR firmware. This malware was developed in a closed research test environment with vendor technical support, rather than by exploiting an inherent production supply-chain vulnerability. To selectively trigger attack activation, we design and implement an optical trigger that remotely activates the malware by delivering a modulated signal into the sensing environment. Once triggered, the malware performs real-time point cloud manipulation, and we demonstrate false object injection and real object suppression on static and mobile victim platforms. Our evaluation first establishes attack feasibility, including static operation at 300 ft and recorded drive-by runs reaching 35 mph. We then illustrate quantitatively that injected person-like artifacts can remain semantically detectable by a state-of-the-art 3D object detector. Finally, we demonstrate multiple modes of safety-critical impact on a deployed tactical autonomous vehicle. Together, these results highlight the need for stronger integrity guarantees throughout the LiDAR sensor development and deployment pipeline.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims to identify a new attack surface on LiDAR sensors in autonomous systems: dormant malware embedded in the sensing pipeline can be remotely activated by an external modulated optical signal after deployment, without further hardware or network access. Once triggered, the malware enables real-time point-cloud manipulation including false object injection and real object suppression. The authors report embedding the malware with vendor technical support in a closed lab environment, demonstrate feasibility at up to 300 ft static range and 35 mph drive-by speeds, show that injected artifacts remain detectable by a state-of-the-art 3D detector, and illustrate safety-critical effects on a tactical autonomous vehicle.
Significance. If the remote-activation mechanism and point-cloud manipulation results hold under realistic conditions, the work would be significant for exposing an integrity threat in deployed LiDAR pipelines and motivating stronger firmware verification. The reported distance, speed, and detector-impact experiments would constitute concrete evidence of practical reach; however, the explicit reliance on vendor-assisted embedding in a closed setting substantially narrows the real-world threat model relative to supply-chain or post-deployment compromise scenarios.
major comments (1)
- [Abstract] Abstract: the central threat model presupposes malware already present in deployed production firmware that can be selectively triggered without prior access at attack time. The manuscript explicitly states the embedding 'was developed in a closed research test environment with vendor technical support, rather than by exploiting an inherent production supply-chain vulnerability,' yet provides no mechanism, attack vector, or evidence for achieving the initial infection step without such assistance. This prerequisite is load-bearing for any claim that the remote-activation attack applies outside the lab.
Simulated Author's Rebuttal
We thank the referee for the careful review and for highlighting an important aspect of our threat model. We respond to the comment below.
Referee: [Abstract] Abstract: the central threat model presupposes malware already present in deployed production firmware that can be selectively triggered without prior access at attack time. The manuscript explicitly states the embedding 'was developed in a closed research test environment with vendor technical support, rather than by exploiting an inherent production supply-chain vulnerability,' yet provides no mechanism, attack vector, or evidence for achieving the initial infection step without such assistance. This prerequisite is load-bearing for any claim that the remote-activation attack applies outside the lab.
Authors: We agree that the manuscript does not demonstrate or provide a mechanism for the initial embedding of malware without vendor assistance, and we explicitly note this limitation in the abstract. Our contribution centers on the remote optical activation mechanism and the resulting real-time point-cloud manipulation once the malware is present and triggered, without requiring further hardware or network access at attack time. To address the comment, we will revise the abstract, introduction, and add a short discussion paragraph to more precisely bound the threat model: we assume dormant malware is already resident (via any means, including but not limited to the vendor-assisted embedding used for the proof-of-concept) and focus on showing that such malware can be selectively activated and used for safety-critical manipulation from a distance. We will also note potential real-world infection paths as an area for future investigation rather than claiming supply-chain compromise.
Revision: yes
Circularity Check
No circularity: experimental demonstration with no derivation chain
The paper reports an experimental security demonstration rather than any mathematical derivation, prediction, or first-principles result. The abstract and text explicitly qualify the malware embedding as performed 'in a closed research test environment with vendor technical support, rather than by exploiting an inherent production supply-chain vulnerability,' so the work does not claim or derive the supply-chain step. No equations, fitted parameters, self-citations, or ansatzes appear that could reduce any claim to its own inputs by construction. The central results (optical trigger feasibility, point-cloud manipulation) are direct empirical measurements on the instrumented hardware.