This work exposes the severe vulnerability of LiDAR-based localization systems to spoofing attacks during scan matching. Addressing real-world autonomous driving scenarios, we propose, for the first time, a Scan Matching Vulnerability Score (SMVS) as a point-level metric to guide adversarial laser injection—enabling physically realizable, low-overhead attacks. We conduct end-to-end attack and defense experiments on three real vehicle platforms equipped with Velodyne VLP-16, Ouster OS1, and Livox Avia LiDARs. Our attack successfully induces ≥4.2 m positional errors in three representative LiDAR localization algorithms—exceeding typical lane widths and confirming practical threat severity. To our knowledge, this is the first LiDAR spoofing study that simultaneously satisfies theoretical rigor and engineering feasibility in real-vehicle settings. It establishes a new paradigm for evaluating and defending against perception-level threats in autonomous driving systems.

Accurate localization is essential for enabling modern full self-driving services. These services heavily rely on map-based traffic information to reduce uncertainties in recognizing lane shapes, traffic light locations, and traffic signs. Achieving this level of reliance on map information requires centimeter-level localization accuracy, which is currently only achievable with LiDAR sensors. However, LiDAR is known to be vulnerable to spoofing attacks that emit malicious lasers against LiDAR to overwrite its measurements. Once localization is compromised, the attack could lead the victim off roads or make them ignore traffic lights. Motivated by these serious safety implications, we design SLAMSpoof, the first practical LiDAR spoofing attack on localization systems for self-driving to assess the actual attack significance on autonomous vehicles. SLAMSpoof can effectively find the effective attack location based on our scan matching vulnerability score (SMVS), a point-wise metric representing the potential vulnerability to spoofing attacks. To evaluate the effectiveness of the attack, we conduct real-world experiments on ground vehicles and confirm its high capability in real-world scenarios, inducing position errors of $geq$4.2 meters (more than typical lane width) for all 3 popular LiDAR-based localization algorithms. We finally discuss the potential countermeasures of this attack. Code is available at https://github.com/Keio-CSG/slamspoof