Extended to Reality: Prompt Injection in 3D Environments
Zhuoheng Li, Ying Chen

TL;DR
This paper introduces PI3D, a novel physical-world prompt injection attack on multimodal large language models operating in 3D environments, revealing vulnerabilities and evaluating defenses.
Contribution
The paper presents the first physical-world prompt injection attack in 3D environments, demonstrating its effectiveness and analyzing defense limitations.
Findings
PI3D successfully induces MLLMs to perform injected tasks.
Existing defenses are insufficient against PI3D.
The attack works across diverse camera trajectories.
Abstract
Multimodal large language models (MLLMs) have advanced the capabilities to interpret and act on visual input in 3D environments, empowering diverse applications such as robotics and situated conversational agents. When MLLMs reason over camera-captured views of the physical world, a new attack surface emerges: an attacker can place text-bearing physical objects in the environment to override MLLMs' intended task. While prior work has studied prompt injection in the text domain and through digitally edited 2D images, it remains unclear how these attacks function in 3D physical environments. To bridge the gap, we introduce PI3D, a prompt injection attack against MLLMs in 3D environments, realized through text-bearing physical object placement rather than digital image edits. We formulate and solve the problem of identifying an effective 3D object pose (position and orientation) with…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Multimodal Machine Learning Applications · Generative Adversarial Networks and Image Synthesis
