Robotic vehicles (RVs), particularly drones, are crucial in civil and military sectors. However, researchers have found that adversaries can inject noise into sensor measurements and cause physical impacts on the RVs like crashes. Although identifying such signal injection attacks is essential to evaluate and improve the robustness of an RV, it is challenging to discover them since their impact depends on the RV’s physical states and the search space of noise signals and physical states is vast due to its dynamic nature.

This paper proposes IMUFUZZER, a feedback-driven fuzzing framework, to automatically test an RV system and discover signal injection attacks. IMUFUZZER generates realistic noise signals for various inertial measurement unit (IMU) sensors, and monitors their impact on RV control to detect mission failures, leveraging a high-fidelity RV simulator. To find the physical states that attacks depend on, IMUFUZZER generates various mission paths that the RV will fly through. We develop a novel feedback mechanism to quantify the resilience of the RV against attacks and efficiently guide the fuzzing process to find signal injection attacks. Using IMUFUZZER, we have discovered 23 successful signal injection attacks on popular RV control software (ArduPilot). We evaluate the correctness and effectiveness of our feedback-based sensor fuzzing and demonstrate the feasibility of the discovered attacks through physical experiments.