Adversarial Attacks on Robotic Vision Language Action Models

TL;DR

This paper investigates the vulnerability of vision-language-action models (VLAs) used in robotics to adversarial attacks, demonstrating that textual jailbreak attacks can fully control these models and persist over time, raising safety concerns.

Contribution

The study adapts LLM jailbreaking techniques to robotic VLAs, revealing their susceptibility to adversarial control and highlighting the need for robustness in robotic systems.

Findings

Textual attacks enable full control over VLAs.

Attacks often persist over longer operational horizons.

Vulnerabilities pose safety risks in robotic applications.

Abstract

The emergence of vision-language-action models (VLAs) for end-to-end control is reshaping the field of robotics by enabling the fusion of multimodal sensory inputs at the billion-parameter scale. The capabilities of VLAs stem primarily from their architectures, which are often based on frontier large language models (LLMs). However, LLMs are known to be susceptible to adversarial misuse, and given the significant physical risks inherent to robotics, questions remain regarding the extent to which VLAs inherit these vulnerabilities. Motivated by these concerns, in this work we initiate the study of adversarial attacks on VLA-controlled robots. Our main algorithmic contribution is the adaptation and application of LLM jailbreaking attacks to obtain complete control authority over VLAs. We find that textual attacks, which are applied once at the beginning of a rollout, facilitate full reachability of the action space of commonly used VLAs and often persist over longer horizons. This differs significantly from LLM jailbreaking literature, as attacks in the real world do not have to be semantically linked to notions of harm. We make all code available at https://github.com/eliotjones1/robogcg .