When Robots Obey the Patch: Universal Transferable Patch Attacks on Vision-Language-Action Models

TL;DR

This paper introduces UPA-RFAS, a universal adversarial patch framework for vision-language-action models, demonstrating its transferability across models, tasks, and physical settings, revealing vulnerabilities in robotic systems.

Contribution

The paper proposes UPA-RFAS, a novel unified method for creating transferable, physical adversarial patches targeting VLA models, addressing overfitting and black-box attack challenges.

Findings

UPA-RFAS effectively transfers across diverse VLA models and tasks.

The framework exposes vulnerabilities in robotic vision-language systems.

Physical implementations of patches successfully deceive real robots.

Abstract

Vision-Language-Action (VLA) models are vulnerable to adversarial attacks, yet universal and transferable attacks remain underexplored, as most existing patches overfit to a single model and fail in black-box settings. To address this gap, we present a systematic study of universal, transferable adversarial patches against VLA-driven robots under unknown architectures, finetuned variants, and sim-to-real shifts. We introduce UPA-RFAS (Universal Patch Attack via Robust Feature, Attention, and Semantics), a unified framework that learns a single physical patch in a shared feature space while promoting cross-model transfer. UPA-RFAS combines (i) a feature-space objective with an $\ell_1$ deviation prior and repulsive InfoNCE loss to induce transferable representation shifts, (ii) a robustness-augmented two-phase min-max procedure where an inner loop learns invisible sample-wise perturbations and an outer loop optimizes the universal patch against this hardened neighborhood, and (iii) two VLA-specific losses: Patch Attention Dominance to hijack text$\to$vision attention and Patch Semantic Misalignment to induce image-text mismatch without labels. Experiments across diverse VLA models, manipulation suites, and physical executions show that UPA-RFAS consistently transfers across models, tasks, and viewpoints, exposing a practical patch-based attack surface and establishing a strong baseline for future defenses.