Inferensys

Glossary

Simultaneous Localization and Mapping Poisoning

An integrity attack that corrupts the loop closure or graph optimization process in a SLAM system, causing a persistent and undetectable distortion of the agent's map and pose.
Developer reviewing multi-agent chat interface on laptop, agent conversation logs visible, casual coding session at WeWork desk.
SIMULATION DECEPTION SECURITY

What is Simultaneous Localization and Mapping Poisoning?

An integrity attack that corrupts the core optimization process of a SLAM system to permanently distort an autonomous agent's map and pose estimation.

Simultaneous Localization and Mapping (SLAM) Poisoning is a targeted integrity attack that corrupts the backend optimization or loop closure detection of a SLAM system, causing a persistent and undetectable distortion of the agent's constructed map and its estimated pose within it. Unlike transient sensor spoofing, this attack injects mathematically consistent but false constraints into the pose graph optimization solver, fundamentally warping the agent's world model.

The attack exploits the SLAM system's inherent trust in its own internal mathematical consistency. By introducing a crafted false loop closure or subtly biasing the bundle adjustment residuals, an adversary causes the agent to navigate a hallucinated environment while remaining confident in its incorrect state estimation. This creates a persistent reality gap that can be exploited for physical-world sabotage without triggering anomaly detectors.

SLAM POISONING

Primary Attack Vectors

Adversarial techniques that corrupt the core estimation processes of a Simultaneous Localization and Mapping system, leading to persistent and undetectable misrepresentation of an agent's environment and pose.

01

Loop Closure Injection

The attacker injects a false positive loop closure constraint into the pose graph. This forces the optimizer to reconcile the current pose with a distant, incorrect historical pose, creating a catastrophic map distortion. The agent's trajectory is warped to satisfy the fraudulent constraint, causing it to navigate based on a completely corrupted spatial understanding without triggering standard sensor anomaly alerts.

> 10m
Typical Positional Drift
02

Pose Graph Corruption

This attack directly tampers with the backend optimization process by modifying the edges (constraints) between nodes (poses) in the factor graph. By subtly altering the information matrix associated with an odometry or landmark edge, the attacker can introduce a slow, systematic bias. The global map remains locally consistent, making the drift invisible to local consistency checks while progressively skewing the entire reference frame.

Undetectable
By Local Consistency Checks
03

Landmark Manipulation

An adversary spoofs or relocates static environmental landmarks within the agent's perceptual data stream. By shifting the recognized position of a key visual feature (e.g., an AprilTag or a distinct architectural corner) over successive frames, the attacker anchors the agent's bundle adjustment to a moving reference. This causes the agent to silently recalibrate its own position relative to a false fixed point, leading to precise but incorrect navigation.

< 1%
Per-Frame Deviation
04

Odometry Drift Injection

The attacker compromises the frontend odometry stream by injecting a persistent, low-magnitude bias into the inter-frame motion estimates. Unlike sensor spoofing that creates obvious jumps, this attack adds a mathematically consistent drift vector—such as a constant 0.1-degree yaw bias per second—that accumulates over time. The Extended Kalman Filter or factor graph incorporates this as legitimate motion, causing the agent's belief state to diverge smoothly from physical reality.

0.1°/s
Stealth Drift Rate
05

Map-Targeted Data Poisoning

During the mapping phase, the attacker inserts adversarial training samples into the environment's representation. This could involve placing physical adversarial patches in the environment that are recorded during the mapping run. When the agent later localizes against this poisoned map, the corrupted features cause a feature mismatch that forces the localization algorithm to converge on an attacker-chosen incorrect pose, effectively creating a logic bomb in the spatial database.

100%
Relocalization Failure Rate
06

Relocalization Hijacking

This attack targets the global localization or 'kidnapped robot' recovery module. By presenting a carefully crafted sensor view that matches a distant, incorrect location in the pre-built map with high confidence, the attacker forces the system to instantly 'teleport' its belief state. The agent's pose is snapped to a false location, and all subsequent navigation is executed relative to this hijacked origin, bypassing the gradual drift detection mechanisms of the SLAM backend.

< 1 sec
Time to Hijack
SLAM POISONING

Frequently Asked Questions

Explore the mechanics, risks, and defenses against attacks that corrupt an autonomous system's fundamental ability to perceive its location and environment.

Simultaneous Localization and Mapping (SLAM) poisoning is a targeted integrity attack that corrupts the core estimation algorithms—specifically the loop closure detection or pose graph optimization—of a SLAM system. Unlike transient sensor spoofing, a successful poisoning attack introduces a mathematically consistent but globally incorrect constraint into the map. This causes the agent to persistently mislocalize itself, generating a distorted world model that remains undetectable by standard local consistency checks. The attack exploits the SLAM back-end's inherent trust in the correctness of previously established constraints to propagate error silently throughout the entire map.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.