Trajectory prediction is critical for autonomous driving, yet existing adversarial attacks rely on white-box access or strong physical constraints, limiting their real-world applicability. This work proposes the first black-box adversarial attack framework that requires only binary decision outputs from the target model. By leveraging a boundary-walking algorithm and trajectory proximity constraints, the method generates highly realistic adversarial examples without access to gradients or internal model information. It simultaneously supports both intent misclassification and degradation of prediction accuracy, and is effective against mainstream models such as Trajectron++ and Grip++. Evaluated on the nuScenes and Apolloscape datasets, the approach achieves intent misclassification success rates of 41%–81% with perturbations under 0.45 meters and increases prediction error by 1.9–4.2, significantly outperforming existing black-box methods.

Trajectory prediction systems are critical for autonomous vehicle safety, yet remain vulnerable to adversarial attacks that can cause catastrophic traffic behavior misinterpretations. Existing attack methods require white-box access with gradient information and rely on rigid physical constraints, limiting real-world applicability. We propose DTP-Attack, a decision-based black-box adversarial attack framework tailored for trajectory prediction systems. Our method operates exclusively on binary decision outputs without requiring model internals or gradients, making it practical for real-world scenarios. DTP-Attack employs a novel boundary walking algorithm that navigates adversarial regions without fixed constraints, naturally maintaining trajectory realism through proximity preservation. Unlike existing approaches, our method supports both intention misclassification attacks and prediction accuracy degradation. Extensive evaluation on nuScenes and Apolloscape datasets across state-of-the-art models including Trajectron++ and Grip++ demonstrates superior performance. DTP-Attack achieves 41 - 81% attack success rates for intention misclassification attacks that manipulate perceived driving maneuvers with perturbations below 0.45 m, and increases prediction errors by 1.9 - 4.2 for accuracy degradation. Our method consistently outperforms existing black-box approaches while maintaining high controllability and reliability across diverse scenarios. These results reveal fundamental vulnerabilities in current trajectory prediction systems, highlighting urgent needs for robust defenses in safety-critical autonomous driving applications.