This study uncovers a critical supply-chain vulnerability in the Secure ROS 2 (SROS 2) framework: attackers can compromise official Debian packages to inject malicious logic and exfiltrate SROS 2 keystore credentials. We propose a novel DNS-tunneling–based key-segment exfiltration technique, integrating Base64 encoding with DDS message interception and injection to bypass authentication without triggering runtime alerts. Experimental evaluation demonstrates remote exploitation against autonomous vehicles, enabling forced braking, uncontrolled acceleration, and cyclic steering—while also falsifying or suppressing sensor data. In a four-way intersection navigation scenario, the attack achieves full system control. To our knowledge, this is the first systematic demonstration that supply-chain trust failures fundamentally undermine runtime security in DDS-based robotic systems. Our findings provide critical empirical evidence for strengthening SROS 2 security mechanisms and highlight the urgent need for supply-chain integrity assurance in safety-critical robotics.

This paper presents a proof-of-concept supply chain attack against the Secure ROS 2 (SROS 2) framework, demonstrated on a Quanser QCar2 autonomous vehicle platform. A Trojan-infected Debian package modifies core ROS 2 security commands to exfiltrate newly generated keystore credentials via DNS in base64-encoded chunks to an attacker-controlled nameserver. Possession of these credentials enables the attacker to rejoin the SROS 2 network as an authenticated participant and publish spoofed control or perception messages without triggering authentication failures. We evaluate this capability on a secure ROS 2 Humble testbed configured for a four-stop-sign navigation routine using an Intel RealSense camera for perception. Experimental results show that control-topic injections can cause forced braking, sustained high-speed acceleration, and continuous turning loops, while perception-topic spoofing can induce phantom stop signs or suppress real detections. The attack generalizes to any data distribution service (DDS)-based robotic system using SROS 2, highlighting the need for both supply chain integrity controls and runtime semantic validation to safeguard autonomous systems against insider and impersonation threats.