Jailbreaking Embodied LLMs via Action-level Manipulation

TL;DR

This paper presents Blindfold, an automated attack framework exploiting embodied LLMs' limited causal reasoning to induce harmful physical actions, revealing critical security vulnerabilities in real-world AI systems.

Contribution

Introduces Blindfold, a novel attack method using surrogate models and action-level manipulation to expose vulnerabilities in embodied LLMs beyond language safety.

Findings

Blindfold achieves up to 53% higher attack success rates than SOTA methods.

The attack demonstrates significant risks in embodied LLMs' physical interactions.

Results highlight the need for consequence-aware defense mechanisms.

Abstract

Embodied Large Language Models (LLMs) enable AI agents to interact with the physical world through natural language instructions and actions. However, beyond the language-level risks inherent to LLMs themselves, embodied LLMs with real-world actuation introduce a new vulnerability: instructions that appear semantically benign may still lead to dangerous real-world consequences, revealing a fundamental misalignment between linguistic security and physical outcomes. In this paper, we introduce Blindfold, an automated attack framework that leverages the limited causal reasoning capabilities of embodied LLMs in real-world action contexts. Rather than iterative trial-and-error jailbreaking of black-box embodied LLMs, Blindfold adopts an Adversarial Proxy Planning strategy: it compromises a local surrogate LLM to perform action-level manipulations that appear semantically safe but could result in harmful physical effects when executed. Blindfold further conceals key malicious actions by injecting carefully crafted noise to evade detection by defense mechanisms, and it incorporates a rule-based verifier to improve the attack executability. Evaluations on both embodied AI simulators and a real-world 6DoF robotic arm show that Blindfold achieves up to 53% higher attack success rates than SOTA baselines, highlighting the urgent need to move beyond surface-level language censorship and toward consequence-aware defense mechanisms to secure embodied LLMs.