Simultaneous Localization and Mapping (SLAM) Poisoning is a targeted integrity attack that corrupts the backend optimization or loop closure detection of a SLAM system, causing a persistent and undetectable distortion of the agent's constructed map and its estimated pose within it. Unlike transient sensor spoofing, this attack injects mathematically consistent but false constraints into the pose graph optimization solver, fundamentally warping the agent's world model.
Glossary
Simultaneous Localization and Mapping Poisoning

What is Simultaneous Localization and Mapping Poisoning?
An integrity attack that corrupts the core optimization process of a SLAM system to permanently distort an autonomous agent's map and pose estimation.
The attack exploits the SLAM system's inherent trust in its own internal mathematical consistency. By introducing a crafted false loop closure or subtly biasing the bundle adjustment residuals, an adversary causes the agent to navigate a hallucinated environment while remaining confident in its incorrect state estimation. This creates a persistent reality gap that can be exploited for physical-world sabotage without triggering anomaly detectors.
Primary Attack Vectors
Adversarial techniques that corrupt the core estimation processes of a Simultaneous Localization and Mapping system, leading to persistent and undetectable misrepresentation of an agent's environment and pose.
Loop Closure Injection
The attacker injects a false positive loop closure constraint into the pose graph. This forces the optimizer to reconcile the current pose with a distant, incorrect historical pose, creating a catastrophic map distortion. The agent's trajectory is warped to satisfy the fraudulent constraint, causing it to navigate based on a completely corrupted spatial understanding without triggering standard sensor anomaly alerts.
Pose Graph Corruption
This attack directly tampers with the backend optimization process by modifying the edges (constraints) between nodes (poses) in the factor graph. By subtly altering the information matrix associated with an odometry or landmark edge, the attacker can introduce a slow, systematic bias. The global map remains locally consistent, making the drift invisible to local consistency checks while progressively skewing the entire reference frame.
Landmark Manipulation
An adversary spoofs or relocates static environmental landmarks within the agent's perceptual data stream. By shifting the recognized position of a key visual feature (e.g., an AprilTag or a distinct architectural corner) over successive frames, the attacker anchors the agent's bundle adjustment to a moving reference. This causes the agent to silently recalibrate its own position relative to a false fixed point, leading to precise but incorrect navigation.
Odometry Drift Injection
The attacker compromises the frontend odometry stream by injecting a persistent, low-magnitude bias into the inter-frame motion estimates. Unlike sensor spoofing that creates obvious jumps, this attack adds a mathematically consistent drift vector—such as a constant 0.1-degree yaw bias per second—that accumulates over time. The Extended Kalman Filter or factor graph incorporates this as legitimate motion, causing the agent's belief state to diverge smoothly from physical reality.
Map-Targeted Data Poisoning
During the mapping phase, the attacker inserts adversarial training samples into the environment's representation. This could involve placing physical adversarial patches in the environment that are recorded during the mapping run. When the agent later localizes against this poisoned map, the corrupted features cause a feature mismatch that forces the localization algorithm to converge on an attacker-chosen incorrect pose, effectively creating a logic bomb in the spatial database.
Relocalization Hijacking
This attack targets the global localization or 'kidnapped robot' recovery module. By presenting a carefully crafted sensor view that matches a distant, incorrect location in the pre-built map with high confidence, the attacker forces the system to instantly 'teleport' its belief state. The agent's pose is snapped to a false location, and all subsequent navigation is executed relative to this hijacked origin, bypassing the gradual drift detection mechanisms of the SLAM backend.
Frequently Asked Questions
Explore the mechanics, risks, and defenses against attacks that corrupt an autonomous system's fundamental ability to perceive its location and environment.
Simultaneous Localization and Mapping (SLAM) poisoning is a targeted integrity attack that corrupts the core estimation algorithms—specifically the loop closure detection or pose graph optimization—of a SLAM system. Unlike transient sensor spoofing, a successful poisoning attack introduces a mathematically consistent but globally incorrect constraint into the map. This causes the agent to persistently mislocalize itself, generating a distorted world model that remains undetectable by standard local consistency checks. The attack exploits the SLAM back-end's inherent trust in the correctness of previously established constraints to propagate error silently throughout the entire map.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the interconnected threats that target the spatial perception and state estimation pipelines of autonomous systems, forming a comprehensive attack surface against robotic navigation.
Sensor Fusion Deception
A sophisticated attack that injects mutually consistent but false data across multiple virtual sensor modalities simultaneously. The attacker crafts coordinated spoofed inputs for LiDAR, camera, and IMU sensors that all corroborate the same false reality. This cross-modal consistency makes the deception extremely difficult to detect through traditional sensor disagreement checks. Key techniques include:
- Generating adversarial point clouds that align with manipulated visual frames
- Injecting false inertial measurements that match fabricated odometry
- Exploiting the fusion algorithm's trust weighting to override legitimate sensor readings
- Creating phantom obstacles that persist across all perception channels
State Estimation Drift
A stealthy attack that introduces a slowly accumulating error into an agent's calculated pose, position, or velocity. Unlike abrupt spoofing attacks that trigger immediate anomaly detection, drift attacks operate below the threshold of standard residual monitoring. The attacker injects sub-threshold perturbations into the Extended Kalman Filter or factor graph optimization that compound over time. Attack characteristics:
- Error grows linearly or exponentially over the mission duration
- Agent deviates from intended path without triggering fault detection
- Particularly effective against long-duration autonomous navigation tasks
- Can cause physical collisions or mission failure after extended operation
Loop Closure Poisoning
A direct attack on the place recognition module of a SLAM system that corrupts the mechanism used to correct accumulated drift. The attacker injects false loop closure constraints that force the pose graph optimizer to reconcile contradictory spatial information. Attack vectors include:
- Inserting fraudulent visual feature matches between non-identical locations
- Manipulating the bag-of-words database to create phantom revisitations
- Exploiting the perceptual aliasing vulnerability in appearance-based place recognition
- Causing the optimizer to warp the map to satisfy conflicting constraints
- Creating persistent map distortions that survive subsequent optimization cycles
Sensor Spoofing Injection
The act of feeding an agent's perception pipeline with crafted, malicious data streams that manipulate its understanding of the environment. This attack targets the raw sensor interfaces before fusion occurs. Common spoofing modalities:
- LiDAR spoofing: Injecting phantom points to create ghost obstacles or erase real ones
- Camera spoofing: Projecting adversarial patterns that cause misclassification
- IMU spoofing: Generating false acceleration and rotation data to corrupt dead reckoning
- GPS spoofing: Broadcasting counterfeit satellite signals to shift global position estimates
- Ultrasonic spoofing: Using tuned acoustic signals to blind proximity sensors
World Model Hallucination
An attack that exploits a generative world model's tendency to confabulate plausible but entirely false environmental predictions. When an agent uses a learned dynamics model for planning, the attacker triggers the model to generate convincing yet fabricated future states. Exploitation mechanisms:
- Triggering the model to predict non-existent obstacles in the planned path
- Causing the model to hallucinate open pathways through solid barriers
- Forcing the agent to plan trajectories based on a false understanding of environment dynamics
- Leveraging the agent's own learned priors against it for stealthier attacks
Simulation Parameter Tampering
An integrity attack involving the unauthorized modification of critical environmental variables within a simulation used for training or testing SLAM systems. By altering parameters such as gravity, friction coefficients, or sensor noise profiles, the attacker creates a mismatch between the simulated and real-world dynamics. Tampering targets:
- Modifying IMU noise characteristics to corrupt filter tuning
- Altering feature extraction thresholds to degrade visual odometry
- Changing lighting models to create adversarial visual conditions
- Manipulating the motion model to introduce systematic biases in prediction steps

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us