NDSS 2025 – On The Realism Of LiDAR Spoofing Attacks Against Autonomous Driving Vehicle

Physical‑world adversarial attacks on traffic‑sign recognition have long been a research curiosity, but their real‑world relevance surged as autonomous vehicles (AVs) moved toward mass adoption. TSR modules translate visual cues into driving decisions, making them a high‑value target for attackers seeking to hide stop signs or inject phantom warnings. Early academic studies demonstrated low‑cost, printable stickers that could reliably fool prototype models, raising alarms about the robustness of perception pipelines.

The NDSS 2025 study bridges the gap between theory and practice by evaluating these attacks against commercial‑grade TSR systems deployed in production AVs. Using a systematic measurement framework, the authors discovered that while certain attack vectors retain perfect (100%) success on isolated functions, the broader system exhibits markedly lower efficacy. The key differentiator is a spatial memorization mechanism—essentially a learned map of sign locations—that many commercial solutions employ to filter out anomalous inputs. To quantify this effect, the researchers devised novel success metrics that factor in spatial consistency, revealing seven previously unnoticed behaviors that contradict earlier academic claims.

For industry stakeholders, the paper delivers a clear mandate: commercial AV manufacturers must integrate adversarial robustness testing that mirrors real‑world conditions, including spatial awareness checks. Regulators may consider updating safety certification standards to require demonstrated resistance against physical‑world spoofing. Meanwhile, researchers are prompted to design next‑generation attacks that can bypass spatial memorization, or to develop defensive architectures that combine multi‑sensor fusion with dynamic verification. Ultimately, strengthening TSR resilience is essential to maintaining public trust and ensuring the safe rollout of autonomous transportation.