BadRobot: Jailbreaking Embodied LLMs in the Physical World

TL;DR

This paper introduces BadRobot, an attack method exploiting vulnerabilities in embodied LLMs to induce unsafe behaviors, highlighting safety concerns in physical AI systems and evaluating attack effectiveness across multiple frameworks.

Contribution

We propose BadRobot, a novel attack paradigm that exposes safety vulnerabilities in embodied LLMs through voice interactions, and establish a benchmark to evaluate attack performance.

Findings

BadRobot successfully induces unsafe behaviors in embodied LLMs.

The attack exploits three key vulnerabilities in robotic systems.

Extensive experiments demonstrate the effectiveness of BadRobot against existing frameworks.

Abstract

Embodied AI represents systems where AI is integrated into physical entities. Large Language Model (LLM), which exhibits powerful language understanding abilities, has been extensively employed in embodied AI by facilitating sophisticated task planning. However, a critical safety issue remains overlooked: could these embodied LLMs perpetrate harmful behaviors? In response, we introduce BadRobot, a novel attack paradigm aiming to make embodied LLMs violate safety and ethical constraints through typical voice-based user-system interactions. Specifically, three vulnerabilities are exploited to achieve this type of attack: (i) manipulation of LLMs within robotic systems, (ii) misalignment between linguistic outputs and physical actions, and (iii) unintentional hazardous behaviors caused by world knowledge's flaws. Furthermore, we construct a benchmark of various malicious physical action queries to evaluate BadRobot's attack performance. Based on this benchmark, extensive experiments against existing prominent embodied LLM frameworks (e.g., Voxposer, Code as Policies, and ProgPrompt) demonstrate the effectiveness of our BadRobot.