Adversary is on the Road: Attacks on Visual SLAM using Unnoticeable Adversarial Patch

Visual Simultaneous Localization and Mapping (vSLAM) plays a pivotal role in numerous emerging applications, including autonomous driving and robotic navigation. It mainly utilizes consecutive frames captured by image sensors to conduct localization and build high-definition maps. However, existing approaches mainly focus on building reliable and accurate vSLAM systems, while little work has been done to investigate the vulnerability of existing vSLAM systems.

To fill the gap, we introduce an AoR (Adversary is on the Road) attack, which can effectively alter localization and mapping results of widely used vSLAM systems without being detected by the legitimate user. To do this, we conducted in-depth investigations on existing vSLAM systems and found that these systems are very sensitive to environmental texture changes. Building upon this insight, we design a novel adversarial patch generation mechanism that can generate unnoticeable adversarial patches to attack existing vSLAM systems. We extensively evaluate the effectiveness of the AoR attack on industry-level vehicles, robotic platforms, and four well-known open-source datasets. The evaluation results show that the AoR attack can effectively attack existing vSLAM systems and introduce extremely high localization errors (up to 713%). To mitigate this attack, we also designed an innovative defense module to simultaneously detect abnormal environmental texture distributions and support reliable vSLAM. Our defense module is lightweight and has the potential to be applied to existing vSLAM systems.