BADControl: Backdoor Attacks Against Control Systems

We introduce BADCONTROL, the first backdoor attack against low-level controllers that uses physical triggers. The attack poisons operational data to implant a vulnerability that can be activated by an exogenous signal from the environment, such as a specific driving maneuver or adversarial road patches within autonomous driving applications. BADCONTROL solves a constrained optimization problem by using a projected gradient ascent to modify the data, maximizing the frequency response of the controlled system at a target frequency. This method differs from backdoor attacks against Deep Learning (DL) and Reinforcement Learning (RL) models, which manipulate high-dimensional model inputs or reward functions. We additionally propose two defenses: one based on regularization and one based on robust optimization, to limit the worst-case amplification of trigger signals. This is achieved by converting infinite poisoning scenarios into a single, tractable optimization problem via a specialized mathematical transformation. We evaluate BADCONTROL on Proportional-Integral-Derivative (PID) and Linear-Quadratic-Regulator (LQR) controllers through simulations and physical experiments. In the adaptive cruise control scenario, we achieve a 100% crash rate, while in lane-keeping control, the backdoor causes the victim vehicle to steer 62% into the opposing lane, compared to 0% in both cases without a backdoor. By contrast, a state-of-the-art falsification framework for autonomous vehicles identifies only a single crash instance over 30 trials, underscoring its stealthiness.