ML Security PapersFlyTrap: Physical Distance-Pulling Attack Towards Camera-based Autonomous Target Tracking Systems
Shaoyuan Xie , Mohamad Habib Fakih , Junchi Lu , Fayzah Alshammari , Ningfei Wang , Takami Sato , Halima Bouzidi , Mohammad Abdullah Al Faruque , Qi Alfred Chen
Published on arXiv
2509.20362
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
FlyTrap successfully reduces ATT drone tracking distances into the range where drones can be physically captured, subjected to sensor attacks, or directly crashed, demonstrated on commercial DJI and HoverAir drones.
FlyTrap
Novel technique introduced
Autonomous Target Tracking (ATT) systems, especially ATT drones, are widely used in applications such as surveillance, border control, and law enforcement, while also being misused in stalking and destructive actions. Thus, the security of ATT is highly critical for real-world applications. Under the scope, we present a new type of attack: distance-pulling attacks (DPA) and a systematic study of it, which exploits vulnerabilities in ATT systems to dangerously reduce tracking distances, leading to drone capturing, increased susceptibility to sensor attacks, or even physical collisions. To achieve these goals, we present FlyTrap, a novel physical-world attack framework that employs an adversarial umbrella as a deployable and domain-specific attack vector. FlyTrap is specifically designed to meet key desired objectives in attacking ATT drones: physical deployability, closed-loop effectiveness, and spatial-temporal consistency. Through novel progressive distance-pulling strategy and controllable spatial-temporal consistency designs, FlyTrap manipulates ATT drones in real-world setups to achieve significant system-level impacts. Our evaluations include new datasets, metrics, and closed-loop experiments on real-world white-box and even commercial ATT drones, including DJI and HoverAir. Results demonstrate FlyTrap's ability to reduce tracking distances within the range to be captured, sensor attacked, or even directly crashed, highlighting urgent security risks and practical implications for the safe deployment of ATT systems.
Key Contributions
- Introduces Distance-Pulling Attacks (DPA) as a new threat model that exploits ATT system vulnerabilities to dangerously reduce drone-to-target tracking distance
- Proposes FlyTrap, a physical adversarial attack framework using an adversarial umbrella with progressive distance-pulling strategy and controllable spatial-temporal consistency for closed-loop ATT systems
- Demonstrates real-world closed-loop effectiveness against both white-box and commercial ATT drones (DJI, HoverAir), achieving tracking distances within capture/collision range
🛡️ Threat Analysis
FlyTrap crafts physical adversarial objects (adversarial umbrella) that exploit vulnerabilities in the vision-based ML perception pipeline of ATT systems at inference time, manipulating drone behavior through carefully designed spatial-temporal adversarial perturbations — a physical-world adversarial patch attack against a real deployed ML system.