Mirror-Based LiDAR Spoofing Attacks

• Mirror-based LiDAR spoofing is a physical attack that exploits specular reflection to create phantom objects or erase real obstacles in 3D point clouds.
• The method relies on precise mirror placement, controlled beam redirection, and timing manipulation to mislead autonomous vehicle detection and planning systems.
• Experimental demonstrations show that both object addition and removal attacks can degrade detection metrics significantly, triggering emergency responses in autonomous systems.

Mirror-based LiDAR spoofing refers to a class of passive, physical attacks that manipulate the perception pipeline of LiDAR-equipped systems by exploiting the predictable geometry of specular reflection. By strategically deploying planar mirror-like surfaces, an adversary can inject ghost objects or erase real obstacles in the generated 3D point cloud, misleading autonomous vehicles’ detection, planning, and control logic. These attacks require no electronic or signal manipulation: only the physical positioning and orientation of reflective materials such as glass panels, polished metals, or manufactured mirrors in the LiDAR’s field of view (Guesmi et al., 30 Sep 2024, Yahia et al., 21 Sep 2025).

1. Principles and Threat Model

In mirror-based LiDAR spoofing, the attacker places one or more planar reflective surfaces so that outgoing laser pulses from the LiDAR strike the reflector and return along controlled, attacker-chosen directions or are redirected away from the sensor. The core principle is governed by the law of specular reflection, where the outgoing ray, incident on the mirror with unit direction $\hat{u}$ and surface normal $\mathbf{n}$, is reflected as:

%%%%2%%%%

For object addition attacks (OAA), the reflected path returns to the LiDAR, creating a phantom (“ghost”) object. For object removal attacks (ORA), real returns are intercepted by the mirror and redirected away, erasing true objects from the point cloud (Yahia et al., 21 Sep 2025).

The threat model assumes the adversary has physical access to place mirrors in the scanning frustum, knowledge of the LiDAR geometry and approximate field of view, and access to mirrors of sufficient area and reflectance. The attacker is not assumed to know sensor firmware or calibration details but is aware of the frustum region (conic volume in azimuth/elevation) that will register echoes. System vulnerabilities include reliance on strongest-return logic, lack of pulse authentication, and typical absence of multi-wavelength or multi-echo validation in commercially available sensors (Guesmi et al., 30 Sep 2024).

2. Attack Methodologies: Object Addition and Removal

2.1 Object Addition Attack (OAA)

In OAA, the attacker uses one or more mirrors to reflect outgoing beams back toward the sensor, synthesizing a return with a path length that corresponds to a physically realizable, yet non-existent, obstacle. The canonical workflow proceeds as:

• Frustum analysis: Identify the angular and spatial region to inject the ghost object.
• Mirror placement: Position and orient mirrors to intercept desired beams; typical mirror size ranges from $0.3$–$0.6$ m per side.
• Timing control: The reflected beam path length is $d_{LM} + d_{ML}$, introducing a controlled timing delay $\Delta t = 2d_{LM}/c$, with the LiDAR registering a false range:

$$R_{\text{spoof}} = c \cdot (t_{\text{emit}} + \Delta t)/2$$

The spoofed point is rendered at $x_{\text{spoof}} = R_{\text{spoof}} \cdot \hat{u}$ in the point cloud.

By adjusting the number, size, and orientation of mirrors, and optionally sweeping the mirror across azimuth/elevation (mechanically or by using arrays), the attacker fabricates dense point clusters that modern 3D detectors fit with high-confidence bounding boxes (Guesmi et al., 30 Sep 2024, Yahia et al., 21 Sep 2025).

2.2 Object Removal Attack (ORA)

In ORA, the attacker places a mirror so that real returns directed at true objects are reflected away from the LiDAR’s receiver. No valid return is detected, and the occupied points in the point cloud are erased. The placement requires precise angular alignment to intercept all relevant beams (covering the object’s vertical and lateral span) and is most effective at short ranges ($4$–$7$ m) (Yahia et al., 21 Sep 2025).

3. Mathematical Modeling

Mirror-based spoofing is described by a geometric optics model. The incident beam from sensor position $P_L$ along direction $\hat{u}$ strikes the mirror at

$$Q = P_L + t\hat{u}, \quad t = \frac{(P_M - P_L)\cdot\mathbf{n}}{\hat{u}\cdot\mathbf{n}}$$

where $P_M$ is a point on the mirror plane with normal $\mathbf{n}$. In OAA, the reflected path may intercept a secondary surface at $P_S$, and the apparent (phantom) point is registered at

$$P_F = P_L + d_{\rm meas}\hat{u}, \quad d_{\rm meas} = d_{LM} + d_{MS}$$

with $d_{LM} = \|Q-P_L\|$ and $d_{MS} = \|P_S-Q\|$. The lateral and radial artifact positions vary with mirror tilt $\theta$:

$$X_{\rm artifact}(d,\theta) = c_X d\tan(2\theta) + \delta_X$$

$$R_{\rm artifact}(d,\theta) = c_R d^{n_d}\left(1 + a_1\theta + a_2\theta^2\right)$$

where $c_X, \delta_X, c_R, n_d, a_1, a_2$ are empirically fitted constants (Yahia et al., 21 Sep 2025).

Echo intensity is modeled as:

$$I(\theta_\text{inc}) = I_0\cdot R(\theta_\text{inc}) \cdot \frac{A_{\text{mirror}}}{d_{LM}^2}$$

where $R(\theta_\text{inc})$ is the mirror’s bidirectional reflectance distribution function (BRDF) and $A_{\text{mirror}}$ the visible area (Guesmi et al., 30 Sep 2024).

4. Experimental Demonstrations and System Impact

Experiments validate both OAA and ORA in controlled outdoor and simulated settings:

• Object Removal (ORA): Using optically flat glass mirrors of $60\,\text{cm}\times 40\,\text{cm}$, all frames ($n=100$ per config) showed complete erasure of a $50$-cm cone at $d=4$ m for multiple tilt angles ($0^\circ$–$45^\circ$). The affected occupancy grid cells transitioned from “occupied” to “free” with $100\%$ consistency (Yahia et al., 21 Sep 2025).
• Object Addition (OAA): Modular arrays (tiles $30\,\text{cm}\times 30\,\text{cm}$) created dense point-cloud clusters. Four tiles ($0.36\,\text{m}^2$) at $45^\circ$ tilt yielded a CenterPoint detection with $65\%$ confidence; six tiles ($0.60\,\text{m}^2$) raised this to $74\%$ (“CAR” label). Ghost objects induced emergency braking and halting of AVs at speeds around $8$ km/h in Autoware-controlled road tests (Yahia et al., 21 Sep 2025). In simulated urban and flat settings, Attack Success Rates (ASR) varied: $100\%$ in flat, $58\%$ in urban scenes using PointPillars and Point-RCNN detectors (Guesmi et al., 30 Sep 2024).

Simulated dynamic scenario tests in CARLA yielded the following summarized outcomes:

Mirror Config $(d,\theta,A)$	# Ghost Points	Vehicle Reaction	Follower Collision
(4 m, $30^\circ$, 0.18 m²)	≈ 200	Emergency Brake	Yes
(5 m, $45^\circ$, 0.36 m²)	≈ 55	Emergency Brake	Yes
(7 m, $60^\circ$, 0.60 m²)	≈ 25	Emergency Brake	Yes

False-positive objects reached mean classification confidences $>0.7$, indistinguishable from real returns. Points registered intensity spikes (up to $60\,\text{k}$ digital units), but detectors ignored this channel by default (Yahia et al., 21 Sep 2025, Guesmi et al., 30 Sep 2024).

5. Effects on Perception and Decision-Making

Mirror-based spoofing degrades both object detection and classification confidence metrics:

• False-positive bounding boxes were detected in up to $100\%$ of flat-environment runs; emergency stopping occurred in all tested autonomous vehicle maneuvers with phantom obstacles (Guesmi et al., 30 Sep 2024, Yahia et al., 21 Sep 2025).
• 3D Average Precision (AP) in the frontal zone degraded from $85\%$ to under $5\%$ with consistent spoofing. Recall at $IoU>0.5$ for true cars dropped by $70\%$ with mirrors placed in the $20^\circ$ central azimuth band.
• Ghost-car clusters generated mean confidence scores $>0.8$, ensuring plausible impersonation of real vehicles by perception stacks and high-confidence occupancy-grid assignment (Guesmi et al., 30 Sep 2024, Yahia et al., 21 Sep 2025).

A plausible implication is that mirror-based attacks can reliably trigger not only perception-level failures but also downstream control and planning hazards, leading to unplanned stops or even downstream vehicle collisions in multi-vehicle settings.

6. Detection and Mitigation Approaches

Countermeasures fall into three principal domains:

• Geometry and Occlusion Analysis:
  • “Fake Shadow” or “ShadowCatcher” detects the absence of shadows (occluded beams) behind detected objects, a signature of mirror returns. CARLO checks for high rates of beams passing through the bounding box volume (Guesmi et al., 30 Sep 2024).
  • Limitations: fails for angular-steered or semi-transparent mirrors, as well as small-area attacks that evade occlusion thresholds.
• Cross-Modal and Model-Based Defenses:
  • Sensor fusion via SVF or LIFE leverages front-view camera-LiDAR consistency: objects with LiDAR returns but no camera support are suspect. Highly reflective mirrors may, however, cause camera saturation or glare, reducing cross-modal reliability (Guesmi et al., 30 Sep 2024, Yahia et al., 21 Sep 2025).
  • Multi-sensor and multi-baseline triangulation can reveal geometric inconsistencies, as mirror reflections align only for specific sensor placements.
• Light-Fingerprinting and Material Classification:
  • Analyze return intensity, calibrated reflectivity, and pulse width to train classifiers (potentially deep networks) that flag mirror-like (specular) returns in real time (Yahia et al., 21 Sep 2025).
  • Requires annotated material datasets and real-time inference efficiency under variable lighting and weather.
• Thermal Imaging:
  • Thermal cameras detect the absence of heat signature from phantom objects or the cooler temperature of mirror surfaces. This modality reliably distinguishes between real and injected objects in controlled environments but suffers from practical limitations including low contrast in hot environments, limited spatial resolution, and increased integration cost (Yahia et al., 21 Sep 2025).
• Advanced Approaches:
  • Timing randomization of LiDAR firing sequences, use of multi-echo receivers, and wavelength-diverse low-power scanning LiDARs have all been proposed as long-term solutions, targeting disruption of timing-dependent artifacts and enhancement of material discrimination (Guesmi et al., 30 Sep 2024).

7. Open Challenges and Future Research Directions

Current research emphasizes the need for:

• Robust multi-sensor fusion architectures that explicitly model specular phenomena, enabling the rejection of ghost clusters with mirror-like angular distributions.
• Active mirror detection using nonstandard-wavelength LiDARs not reflected by typical specular materials.
• Improved simulation frameworks incorporating accurate BRDFs for mirrors to facilitate offline attack/defense testing (e.g., enhanced CARLA and AWSIM engines).
• Empirical field studies on next-generation solid-state and flash LiDARs, investigating their resistance and any emerging vulnerabilities to specular spoofing.
• Standardized benchmarks and datasets of spoofing attacks—systematically cataloging mirror materials, sizes, angular placements, and detection results—to enable reproducible analysis and accelerate countermeasure development (Guesmi et al., 30 Sep 2024, Yahia et al., 21 Sep 2025).

A plausible implication is that only rigorous integration of timing, intensity, geometric, and multi-modal sensing mechanisms, validated through comprehensive simulations and real-world deployments, will ensure the robustness of LiDAR-based perception pipelines against the unique threat of mirror-based spoofing.