🤖 AI Summary
This work addresses the vulnerability of existing LiDAR-based SLAM systems to point cloud manipulation, noting that current physical attacks, which largely rely on signal injection, are often thwarted by modern defense mechanisms. To overcome this limitation, the authors propose a signal-injection-free physical attack that uses a controllable moving planar mirror to generate directional ghost points via specular reflection, thereby systematically disrupting the scan-matching process in SLAM. According to the authors, this is the first successful SLAM-targeted attack on commercially available, interference-resistant LiDAR sensors, and it bypasses existing countermeasures. Experimental results show a 6.1-fold increase in average pose error in simulation compared with random mirror placement, with mean pose error of 2.29 to 3.31 meters across three SLAM systems, and up to 6.03 meters of localization deviation in real-world tests on a robust LiDAR system.
📝 Abstract
LiDAR SLAM provides high-accuracy localization but is fragile to point-cloud corruption because scan matching assumes geometric consistency. Prior physical attacks on LiDAR SLAM largely rely on LiDAR spoofing via external signal injection, which requires sensor-specific timing knowledge and is increasingly mitigated by modern defense mechanisms such as timing obfuscation and injection rejection. In this work, we show that specular reflection offers an injection-free alternative and demonstrate an attack, MirrorDrift, that uses an actuated planar mirror to cause ghost points in LiDAR scans and systematically bias scan-matching correspondences. MirrorDrift optimizes mirror placement, alignment, and actuation. In simulation, it increases the average pose error (APE) by 6.1x over random placement, degrading three SLAM systems to 2.29-3.31 m mean APE. In real-world experiments on a modern LiDAR with state-of-the-art interference mitigation, it induces localization errors of up to 6.03 m. To the best of our knowledge, this is the first successful SLAM-targeted attack against production-grade secure LiDARs.