AI Summary
Existing backdoor attacks against autonomous driving systems rely excessively on unrealistic pixel-level triggers, lacking physical plausibility and real-world traffic relevance.
Method: This paper proposes the first physically realizable backdoor attack paradigm based on multi-vehicle trajectories. It introduces linear temporal logic (LTL) to formally specify coordinated adversarial vehicle behaviors; designs a configurable behavioral model to generate highly stealthy trigger trajectories; and incorporates negative-sample patch training to enhance both robustness and concealment of the attack.
Contribution/Results: Evaluated across five offline reinforcement learning-based driving agents under six distinct trajectory-based trigger patterns, the attack demonstrates widespread vulnerability in end-to-end autonomous driving systems. This work establishes the first systematic framework for trajectory-level backdoor attacks, filling a critical research gap and providing a new benchmark and technical pathway for evaluating and improving the robust safety of autonomous vehicles in realistic traffic scenarios.
Abstract
Assessing the safety of autonomous driving (AD) systems against security threats, particularly backdoor attacks, is a stepping stone for real-world deployment. However, existing works mainly focus on pixel-level triggers that are impractical to deploy in the real world. We address this gap by introducing a novel backdoor attack against end-to-end AD systems that leverages one or more other vehicles' trajectories as triggers. To generate precise trigger trajectories, we first use temporal logic (TL) specifications to define the behaviors of attacker vehicles. Configurable behavior models are then used to generate these trajectories, which are quantitatively evaluated and iteratively refined based on the TL specifications. We further develop a negative training strategy by incorporating patch trajectories that are similar to triggers but are designated not to activate the backdoor. It enhances the stealthiness of the attack and refines the system's responses to trigger scenarios. Through extensive experiments on 5 offline reinforcement learning (RL) driving agents with 6 trigger patterns and target action combinations, we demonstrate the flexibility and effectiveness of our proposed attack, showing the under-exploration of existing end-to-end AD systems' vulnerabilities to such trajectory-based backdoor attacks.