Seeing is Deceiving: Mirror-Based LiDAR Spoofing for Autonomous Vehicle Deception (2509.17253v2)

Abstract: Autonomous vehicles (AVs) rely heavily on LiDAR sensors for accurate 3D perception. We show a novel class of low-cost, passive LiDAR spoofing attacks that exploit mirror-like surfaces to inject or remove objects from an AV's perception. Using planar mirrors to redirect LiDAR beams, these attacks require no electronics or custom fabrication and can be deployed in real settings. We define two adversarial goals: Object Addition Attacks (OAA), which create phantom obstacles, and Object Removal Attacks (ORA), which conceal real hazards. We develop geometric optics models, validate them with controlled outdoor experiments using a commercial LiDAR and an Autoware-equipped vehicle, and implement a CARLA-based simulation for scalable testing. Experiments show mirror attacks corrupt occupancy grids, induce false detections, and trigger unsafe planning and control behaviors. We discuss potential defenses (thermal sensing, multi-sensor fusion, light-fingerprinting) and their limitations.

• The paper demonstrates that mirror placement can spoof LiDAR data by creating phantom obstacles (OAA) or erasing real objects (ORA) via specular reflection.
• It presents analytical models and real-world experiments showing how mirror configuration (area, tilt, distance) affects artifact density and detection confidence in AV stacks.
• The study integrates empirical models into CARLA simulations and real AV tests, highlighting vulnerabilities in perception systems and the need for robust countermeasures.

Mirror-Based LiDAR Spoofing: Physical Deception of Autonomous Vehicle Perception

Introduction and Motivation

This paper presents a systematic paper of mirror-based LiDAR spoofing as a passive, low-cost, and physically realizable attack vector against autonomous vehicle (AV) perception. Unlike prior work that focuses on active signal injection or custom-fabricated artifacts, the authors demonstrate that ordinary planar mirrors can be strategically deployed to either inject phantom obstacles (Object Addition Attack, OAA) or remove real objects from the LiDAR point cloud (Object Removal Attack, ORA). The attack exploits the fundamental physics of specular reflection, redirecting the AV’s own LiDAR pulses to create semantically plausible but deceptive sensor data. The research formalizes the geometric and physical underpinnings of these attacks, validates them through real-world experiments, and quantifies their impact on a full AV stack, including perception, planning, and control.

Physical Principles and Threat Model

LiDAR sensors operate by emitting near-infrared laser pulses and measuring the time-of-flight to reconstruct a 3D point cloud. The interaction of these pulses with surfaces is governed by diffuse and specular reflection. Mirrors, as specular reflectors, can redirect LiDAR beams in a manner that either prevents returns from real objects (ORA) or creates multi-hop paths that result in virtual points (OAA). The adversary in this model is assumed to have only physical access to the environment, with no need for electronic compromise or insider knowledge. The attack is entirely passive, relying on the placement and orientation of mirrors to manipulate the LiDAR’s perception.

Figure 2: Mirror-based LiDAR spoofing scenarios: ORA hides a real obstacle, OAA creates a phantom object.

The two principal attack scenarios are:

• OAA: Mirrors are positioned to reflect LiDAR pulses onto benign surfaces, creating a cluster of returns interpreted as a real obstacle.
• ORA: Mirrors are used to deflect LiDAR beams away from real obstacles, causing them to be omitted from the point cloud.

Experimental Validation

The authors conduct controlled outdoor experiments using an Ouster OS1-128 LiDAR mounted on a test vehicle. For ORA, a traffic cone is placed in the LiDAR’s path and a planar mirror is used to obscure it. For OAA, modular mirror arrays of varying size and tilt are used to reflect LiDAR pulses onto secondary surfaces, generating phantom point clouds.

Figure 4: Experimental setups for ORA (mirror hides cone) and OAA (mirror creates phantom object).

Key findings include:

• In ORA, the cone is completely removed from the point cloud across all tested mirror angles, creating a false impression of free space.
• In OAA, increasing the mirror’s surface area and adjusting its tilt angle directly increases the density and persistence of the phantom point cloud, with larger mirrors producing clusters that closely resemble real vehicles.

  Figure 1: ORA at 0°: (a) Baseline shows cone; (b) Mirror removes cone from perception.

  

  Figure 3: OAA with 2, 4, and 6 mirrors: increasing area yields denser, more vehicle-like phantom clusters.

Empirical Modeling of Mirror-Induced Artifacts

The paper develops analytical models to predict the properties of mirror-induced artifacts as a function of LiDAR-to-mirror distance ($d$), mirror tilt angle ($\theta$), and surface area ($A$). The models capture:

• Artifact location: Lateral offset and radial distance are modeled using trigonometric and power-law relationships, reflecting the geometry of specular reflection.
• Artifact intensity: The number of points in the artifact cluster follows a bell-shaped profile as a function of $d$, with a Gaussian envelope modulated by $A$ and $\theta$.
• Appearance probability: The likelihood of artifact appearance is modeled as a double-sigmoid window, parameterized by $d$, $\theta$, and $A$.

  Figure 5: Model predictions (red dashed) vs. experimental data (blue solid) for artifact count, appearance probability, lateral offset, and radial distance.

The models achieve high $R^2$ values (typically $>0.9$), enabling accurate simulation and parameter sweeps.

Simulation-Based Attack Injection

The empirical models are integrated into a real-time attack injection pipeline within the CARLA simulator. The pipeline computes the geometric relationship between the ego vehicle and the mirror, probabilistically injects artifact clusters into the LiDAR stream, and merges them with native sensor data. This enables safe, repeatable, and scalable evaluation of attack scenarios.

Figure 6: End-to-end pipeline: empirical models drive attack injection in CARLA, validated on real AVs.

In simulation, the OAA consistently triggers emergency braking in the ego vehicle, leading to rear-end collisions when followed by another vehicle. The attack is robust across a range of mirror configurations.

Figure 7: OAA in CARLA: Ego AV stops for phantom, is rear-ended by follower; LiDAR view shows injected cluster.

Figure 8: System-level failure: speed, separation, and TTC drop to zero after attack, confirming collision.

Real-World AV Stack Evaluation

The attack is validated on a Kia Soul EV running Autoware.AI with CenterPoint for 3D object detection. In OAA, even small mirrors produce low-confidence “UNKNOWN” detections, while larger mirrors yield high-confidence “CAR” classifications. In ORA, real obstacles are erased from the occupancy grid, replaced by plausible ground returns.

Figure 9: Occupancy grids under OAA: increasing mirror area yields denser, more vehicle-like occupied regions.

Figure 10: Autoware object detection: 2 mirrors = “UNKNOWN”; 4 mirrors = “CAR” (65%); 6 mirrors = “CAR” (74%).

Figure 11: ORA: (a) Baseline—cone marked as occupied; (b) With mirror—region falsely marked as free space.

In autonomous mode, the AV’s planner consistently triggers obstacle stop procedures in response to phantom objects, with the timing and severity of the response tunable by mirror angle.

Figure 12: Autoware RViz: 6-mirror OAA at 30°, 45°, 60°—phantom triggers immediate or early stops.

Countermeasures and Limitations

Three defense strategies are explored:

• Thermal camera augmentation: Thermal imaging can reveal the absence of a heat signature for phantoms (OAA) or the presence of a mirror (ORA), but is limited by environmental factors and resolution.

  Figure 13: Thermal imagery: (a) ORA—mirror visible as cool region; (b) OAA—phantom region matches ground temperature.

• Multi-sensor fusion: Cross-modal consistency checks can flag LiDAR-only detections, but risk false positives in benign sensor mismatches.
• Light fingerprinting: Analyzing LiDAR return intensity and pulse shape to distinguish specular from diffuse reflections is promising, but requires large-scale, material-annotated datasets and real-time classification.

The paper is limited to a specific LiDAR model, clear weather, and low-speed scenarios. Future work should generalize to other sensor types, adverse conditions, and high-speed dynamics, and integrate defenses into operational AV stacks.

Implications and Future Directions

This research demonstrates that mirror-based LiDAR spoofing is a practical, scalable, and stealthy threat to AV perception. The attacks are effective across a range of physical configurations, require no electronic compromise, and can induce critical safety failures in state-of-the-art AV stacks. The findings highlight the need for reflection-aware perception, robust cross-modal verification, and material-aware point cloud analysis. The empirical models and simulation framework provide a foundation for future research on both attack and defense, including the development of resilient perception algorithms and the creation of large-scale datasets for training and evaluation.

Conclusion

The paper establishes mirror-based LiDAR spoofing as a credible and underexplored threat to autonomous vehicle safety. By formalizing the physical mechanisms, empirically modeling artifact properties, and demonstrating end-to-end system failures in both simulation and real-world AVs, the work exposes a critical blind spot in current AV perception. The results underscore the necessity of integrating physical-layer robustness into the design of future autonomous systems and provide actionable methodologies for both attack evaluation and defense development.