Cybersecurity RoboticsLeading robot cybersecurity lab

Spoofing the senses: the attack beneath the software

Research Note · 2026

AuthorsVíctor Mayoral-Vilches
AffiliationCybersecurity Robotics
Published2026
1Below the software, the senses2The gyroscope you can hear3The position you can rewrite4The obstacle that isn't there5Fusion will not save you6The defense is physics7References

Abstract. A robot senses the world, then acts — so the most fundamental attack skips the software entirely and lies to the sensors themselves. A sound at a gyroscope resonant frequency, a counterfeit GPS signal, a pulse of laser light into a LiDAR: each makes an honest sensor report a value that never happened, and the robot acts faithfully on a false world model. This briefing covers acoustic, GPS and LiDAR spoofing, why sensor fusion does not save you, and why the only real defence is checking the data against the laws of physics.

A Cybersecurity Robotics field briefing — a cited synthesis of the external research listed below, not an original paper.

1Below the software, the senses

A robot does only one thing with the world: it senses it, then acts. Every layer this lab has examined so far — the ROS graph, the manufacturer cloud, even the AI policy — sits above that sensing. This note is about the layer beneath: the physics of the sensors themselves. Feed a sensor a crafted physical signal and it reports a value that never happened; the software above is never exploited — it faithfully computes the wrong answer from an honest-looking lie. It is the purest software-less attack on a robot, and it is cheap.

Three physical-layer attacks, one outcome: a corrupted sensor feeds fusion, the robot builds a false world model, and it acts on it — no exploit required.
A robot acts on what it senses — so spoof the senses and skip the software entirely.acoustic resonanceIMU / gyroscopespoofed GPS signalGNSS receiverinjected laser pulsesLiDARSensor fusiona false world modelspoof ≥2 sensors → fusion fails tooWrong actioncrash · off-courseNo exploit, no malware — the robot faithfully obeys a lie. Gear can be a $320 signal generator and a speaker.The check that holds: does the sensor data still obey physics? (physics-based anomaly detection)

2The gyroscope you can hear

A robot keeps its balance with an inertial measurement unit — MEMS gyroscopes and accelerometers whose tiny mass-spring structures vibrate to measure rotation and acceleration. Those structures have a resonant frequency, and a sound played at it forces the mass to move, so the sensor reports motion that isn't happening. In the foundational demonstration — Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors (Son et al., USENIX Security 2015) — an acoustic tone knocked drones out of the sky. The kit is trivial: a low-end signal generator, an amplifier and a tweeter — on the order of $320 — reaching tens of metres. The same IMUs stabilise humanoid locomotion and steady autonomous vehicles.

3The position you can rewrite

GPS/GNSS spoofing transmits counterfeit satellite signals a little stronger than the real ones, and the receiver locks onto them — resolving a position the attacker chooses. The hardware has shrunk to a pen-sized software-defined radio that can be hidden in a passing vehicle, quietly walking an autonomous system off its route or into a trap. Because localisation feeds planning, a lie about where the robot is becomes a wrong decision about what it does next.

4The obstacle that isn't there

LiDAR spoofing fires laser pulses timed to inject fake points into the point cloud — a phantom obstacle that triggers an emergency stop, or, conversely, points that erase a real obstacle so the robot drives into it. A 2026 result, Crashing or Freezing the Bot, reaches the same two outcomes far more easily by falsifying the ROS 2 LiDAR topic in software — no precision laser needed — tying physical spoofing straight back to the insecure-by-default robot graph.

5Fusion will not save you

The standard answer is sensor fusion: blend GPS, IMU, LiDAR and vision through a Kalman filter so no single bad sensor dominates. It helps — until the attacker targets several at once. Coordinated sensor-deception attacks that inject acoustic and magnetic signals into the gyroscope, accelerometer and magnetometer together have been shown to defeat the fused estimator and crash a drone almost immediately. And this is the field's soft spot: a 2026 survey rates communication defences as field-ready (TRL 7–9) while perception-layer defences remain largely experimental (TRL 3–5).

6The defense is physics

You cannot authenticate a photon or a sound wave. What you can do is ask whether the readings are physically possible: does the reported motion obey the robot's own dynamics, do redundant and diverse sensors agree, does the world model stay self-consistent? Physics-based anomaly detection and recovery — the leading defensive paradigm — flags readings that break these invariants and falls back to a safe state. It is the same instinct as the runtime plan and input validation elsewhere in the lab's hardening advice, pushed down to the raw sense: trust, but check against the laws of physics. And it is the signal-layer sibling of the model-layer adversarial-perception attacks — corrupt the sense or corrupt the mind, the robot still acts on a false world.

7References

  1. SoK: Rethinking Sensor Spoofing Attacks against Robotic Vehicles from a Systematic View, 2022.
  2. Son et al., Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors, USENIX Security 2015.
  3. Crashing or Freezing the Bot: LiDAR Spoofing Attacks on a ROS 2 UGV, 2026.
  4. GPS Spoofing Attacks on AI-based Navigation Systems with Obstacle Avoidance in UAV, 2025.
  5. SpecGuard: Specification-Aware Recovery for Robotic Autonomous Vehicles from Physical Attacks, 2024.
  6. A Survey of Physics-Based Attack Detection in Cyber-Physical Systems, ACM Computing Surveys.
  7. Cybersecurity of Teleoperated Quadruped Robots — the perception-layer defence maturity gap, 2026.

Citation

@misc{mayoralvilches2026spoofingthe,
  title        = {Spoofing the senses: the attack beneath the software},
  author       = {Víctor Mayoral-Vilches},
  howpublished = {Cybersecurity Robotics — Field briefing},
  year         = {2026},
  url          = {https://cybersecurityrobotics.com/research/spoofing-the-senses/},
}