Physical Prompt Injection Attacks on Large Vision-Language Models

TL;DR

This paper introduces a novel black-box physical prompt injection attack on large vision-language models, embedding malicious visual prompts into physical objects to manipulate model outputs without model access.

Contribution

It presents the first physical, query-agnostic attack method that operates solely through visual observation and strategic placement, demonstrating high success rates across multiple models and conditions.

Findings

Achieves up to 98% attack success rate

Effective under varying physical conditions

Works across multiple state-of-the-art LVLMs

Abstract

Large Vision-Language Models (LVLMs) are increasingly deployed in real-world intelligent systems for perception and reasoning in open physical environments. While LVLMs are known to be vulnerable to prompt injection attacks, existing methods either require access to input channels or depend on knowledge of user queries, assumptions that rarely hold in practical deployments. We propose the first Physical Prompt Injection Attack (PPIA), a black-box, query-agnostic attack that embeds malicious typographic instructions into physical objects perceivable by the LVLM. PPIA requires no access to the model, its inputs, or internal pipeline, and operates solely through visual observation. It combines offline selection of highly recognizable and semantically effective visual prompts with strategic environment-aware placement guided by spatiotemporal attention, ensuring that the injected prompts are both perceivable and influential on model behavior. We evaluate PPIA across 10 state-of-the-art LVLMs in both simulated and real-world settings on tasks including visual question answering, planning, and navigation, PPIA achieves attack success rates up to 98%, with strong robustness under varying physical conditions such as distance, viewpoint, and illumination. Our code is publicly available at https://github.com/2023cghacker/Physical-Prompt-Injection-Attack.