Black-Box Adversarial Attack on Vision Language Models for Autonomous Driving

TL;DR

This paper introduces a novel black-box adversarial attack method called Cascading Adversarial Disruption (CAD) targeting vision-language models in autonomous driving, significantly improving attack success and demonstrating real-world effectiveness.

Contribution

We propose CAD, a new black-box attack framework for VLMs in autonomous driving, addressing dynamic scenarios and reasoning chains, and provide a large adversarial dataset for future research.

Findings

CAD achieves +13.43% attack success rate over existing methods.

Real-world attacks reduce route completion by 61.11% and cause vehicle crashes.

The CADA dataset contains 18,808 adversarial visual-question-answer pairs.

Abstract

Vision-language models (VLMs) have significantly advanced autonomous driving (AD) by enhancing reasoning capabilities; however, these models remain highly susceptible to adversarial attacks. While existing research has explored white-box attacks to some extent, the more practical and challenging black-box scenarios remain largely underexplored due to their inherent difficulty. In this paper, we take the first step toward designing black-box adversarial attacks specifically targeting VLMs in AD. We identify two key challenges for achieving effective black-box attacks in this context: the effectiveness across driving reasoning chains in AD systems and the dynamic nature of driving scenarios. To address this, we propose Cascading Adversarial Disruption (CAD). It first introduces Decision Chain Disruption, which targets low-level reasoning breakdown by generating and injecting deceptive semantics, ensuring the perturbations remain effective across the entire decision-making chain. Building on this, we present Risky Scene Induction, which addresses dynamic adaptation by leveraging a surrogate VLM to understand and construct high-level risky scenarios that are likely to result in critical errors in the current driving contexts. Extensive experiments conducted on multiple AD VLMs and benchmarks demonstrate that CAD achieves state-of-the-art attack effectiveness, significantly outperforming existing methods (+13.43% on average). Moreover, we validate its practical applicability through real-world attacks on AD vehicles powered by VLMs, where the route completion rate drops by 61.11% and the vehicle crashes directly into the obstacle vehicle with adversarial patches. Finally, we release CADA dataset, comprising 18,808 adversarial visual-question-answer pairs, to facilitate further evaluation and research in this critical domain. Our codes and dataset will be available after paper's acceptance.