Timing the perfect hardware hack

People Mentioned in This Story

Tanvir Arafin

Body

Roombas have become a familiar part of everyday life, quietly navigating living rooms and kitchens. But behind that convenience is a complex system of sensors, algorithms, and data processing-and, as a group of George Mason University cyber security engineering (CYSE) students-Finn Schaefer, Ryan Lam, Sidarth Kumar, Jimmy Tram, and Neil Sharma-discovered, a surprising vulnerability. Their capstone project research was accepted for presentation at one of the most prestigious venues for hardware-based security research, the IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

"It just scans the room, goes around, and starts mapping," said Finn Schaefer, comparing the vacuum cleaner to the robot at the center of his team's project.

These autonomous systems rely on technologies like LiDAR and SLAM (simultaneous localization and mapping) to build a virtual map of their environment and navigate safely. However, that same reliance on sensor data also opens the door to cyberattacks that can alter a robot's perception, sometimes with dramatic consequences.

From left to right: Finn Schaefer, Neil Sharma, Ryan Lam, Sidarth Kumar, and Jimmy Tram. Photo provided.

The capstone project, advised by Assistant Professor Tanvir Arafin, challenged students to explore exactly that risk. From the outset, Arafin encouraged an open-ended, research-driven approach.

"Professor Arafin basically told us to try to break ROS, a robot operating system," Schaefer said.

The assignment functioned as a "red-team" exercise, pushing students to think like attackers to understand vulnerabilities in autonomous systems.

The team's early ideas focused on overwhelming the robot with false data, effectively flooding it with noise. But this proved too obvious. That initial concept "was really simple and easy to detect," said Ryan Lam. A more subtle approach would be needed to create a meaningful, realistic attack.

Their breakthrough came in the form of a timing-based method that mimicked the robot's normal operating patterns. Instead of bombarding the system, they carefully injected altered sensor data at precisely the right intervals.

"We eventually got to our more elegant solution, where we're able to match the timing pattern that the robot actually expects," Schaefer said. Because the manipulated data looked plausible and arrived in the expected cadence, the robot accepted it as real.

A judge examines the team's robot at the CYSE senior design event. Photo by Teresa Donnellan/CEC

The effect was striking: the robot's internal map gradually diverged from reality. Even small manipulations could cause significant errors.

"With 2- to 5-percent drift, it would crash into walls," Schaefer said.

In some cases, the system could be tricked into perceiving obstacles that didn't exist. "It would see a wall that's not actually there," he added.

The team also demonstrated the ability to shrink or expand the robot's perceived environment, causing navigation failures.

To prove the effectiveness of their approach, the students combined simulated analysis with real-world testing. They compared baseline maps to manipulated ones over time and observed the robot attempting to navigate using corrupted data.

"These comparisons served as the proof that we used to say that this works," said team member Sidarth Kumar.

Additional testing showed that the attack remained effective even under network congestion.

This capstone project reflects Arafin's broader work to secure the next generation of mobility systems, from connected vehicles to robotics. Moreover, the students came away with a deeper understanding of the emerging field of hardware security.

Tanvir Arafin (center) with the 2026 senior capstone teams he advised. Photo provided.

"This is an exceptional accomplishment and a testament to the curriculum rigor of the Cyber Security Engineering Department, reinforcing a tradition of excellence in undergraduate research at CYSE," said Arafin. "Over the last few years, CYSE undergraduate students from our group have earned recognition at multiple national and international venues in transportation and autonomous systems security, notably the best demo award in the 18th Association for Computing Machinery Conference on Security and Privacy in Wireless and Mobile Networks and the first, second, and third places at the National Transportation Cybersecurity Competition. All of these accomplishments highlights both the students' dedication and the strength of undergraduate research within our CYSE Department."

In an era where autonomous systems are becoming increasingly common, from household robots to self-driving cars, the team's work underscores a critical lesson: If a machine's understanding of the world can be manipulated, so can its behavior. What seems like a harmless household device may, under the hood, share the same vulnerabilities as far more complex systems. And as these students demonstrated, understanding those vulnerabilities is the first step toward securing the future of autonomous technology.