Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BadRobot: Jailbreaking Embodied LLMs in the Physical World

Hangtao Zhang, Chenyu Zhu, Xianlong Wang, Ziqi Zhou, Changgan Yin, Minghui Li, Lulu Xue, Yichen Wang, Shengshan Hu, Aishan Liu, Peijin Guo, Leo Yu Zhang

TL;DR

This work reveals critical safety vulnerabilities in embodied LLMs by introducing BadRobot, a no-box jailbreak paradigm that can induce harmful physical actions via voice interactions. It formalizes three risk surfaces—jailbreak propagation, safety misalignment between language and action, and conceptual deception due to world-model limits—and provides three attack variants: contextual jailbreaks, safety misalignment, and conceptual deception. The authors validate BadRobot across digital environments, simulators, and real-world robotic arms, showing substantial increases in manipulation success rates for SOTA embodied LLM systems. They also offer mitigation strategies, including multimodal safety checks and world-model considerations, while acknowledging limitations and the need for policy integration. The work emphasizes the urgency of safety benchmarks and open testbeds to prevent dangerous real-world deployments of embodied AI systems.

Abstract

Embodied AI represents systems where AI is integrated into physical entities. Large Language Model (LLM), which exhibits powerful language understanding abilities, has been extensively employed in embodied AI by facilitating sophisticated task planning. However, a critical safety issue remains overlooked: could these embodied LLMs perpetrate harmful behaviors? In response, we introduce BadRobot, a novel attack paradigm aiming to make embodied LLMs violate safety and ethical constraints through typical voice-based user-system interactions. Specifically, three vulnerabilities are exploited to achieve this type of attack: (i) manipulation of LLMs within robotic systems, (ii) misalignment between linguistic outputs and physical actions, and (iii) unintentional hazardous behaviors caused by world knowledge's flaws. Furthermore, we construct a benchmark of various malicious physical action queries to evaluate BadRobot's attack performance. Based on this benchmark, extensive experiments against existing prominent embodied LLM frameworks (e.g., Voxposer, Code as Policies, and ProgPrompt) demonstrate the effectiveness of our BadRobot.

BadRobot: Jailbreaking Embodied LLMs in the Physical World

TL;DR

This work reveals critical safety vulnerabilities in embodied LLMs by introducing BadRobot, a no-box jailbreak paradigm that can induce harmful physical actions via voice interactions. It formalizes three risk surfaces—jailbreak propagation, safety misalignment between language and action, and conceptual deception due to world-model limits—and provides three attack variants: contextual jailbreaks, safety misalignment, and conceptual deception. The authors validate BadRobot across digital environments, simulators, and real-world robotic arms, showing substantial increases in manipulation success rates for SOTA embodied LLM systems. They also offer mitigation strategies, including multimodal safety checks and world-model considerations, while acknowledging limitations and the need for policy integration. The work emphasizes the urgency of safety benchmarks and open testbeds to prevent dangerous real-world deployments of embodied AI systems.

Abstract

Embodied AI represents systems where AI is integrated into physical entities. Large Language Model (LLM), which exhibits powerful language understanding abilities, has been extensively employed in embodied AI by facilitating sophisticated task planning. However, a critical safety issue remains overlooked: could these embodied LLMs perpetrate harmful behaviors? In response, we introduce BadRobot, a novel attack paradigm aiming to make embodied LLMs violate safety and ethical constraints through typical voice-based user-system interactions. Specifically, three vulnerabilities are exploited to achieve this type of attack: (i) manipulation of LLMs within robotic systems, (ii) misalignment between linguistic outputs and physical actions, and (iii) unintentional hazardous behaviors caused by world knowledge's flaws. Furthermore, we construct a benchmark of various malicious physical action queries to evaluate BadRobot's attack performance. Based on this benchmark, extensive experiments against existing prominent embodied LLM frameworks (e.g., Voxposer, Code as Policies, and ProgPrompt) demonstrate the effectiveness of our BadRobot.
Paper Structure (45 sections, 17 figures, 5 tables, 3 algorithms)

This paper contains 45 sections, 17 figures, 5 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. On the Risks of embodied LLMs: A Conceptual Outline
  3. Be Cautious of Hidden Dangers!
  4. Formalization of Embodied LLMs Jailbreak
  5. Mind the Attackers!
  6. BadRobot: How to Manipulate Embodied LLMs?
  7. Talk is Cheap: Contextual Jailbreaks
  8. Hitting Where It Hurts: Safety Misalignment
  9. All Roads Lead to Rome: Conceptual Deception
  10. Evaluation
  11. Experimental Setup
  12. Results in the Digital World Environment
  13. Take Care! SOTA Embodied LLMs Systems Can Be Also Manipulated
  14. Real-World Experiment
  15. Mitigation, Challenges and Implications
  16. ...and 30 more sections

Figures (17)

  • Figure 1: We are the first to jailbreak embodied LLMs in the physical world, enabling it to perform various restricted actions. We show its potential to engage in activities related to Physical Harm, Privacy Violations, Pornography, Fraud, Illegal Activities, Hateful Conduct, and Sabotage.
  • Figure 1: (Comparison Studies.) Average MSR of various LLM jailbreaks vs. our BadRobot. We marked the changes in attacks relative to Vanilla using ().
  • Figure 2: (Overview) embodied LLMs face three risks:(a): inducing harmful behaviors by leveraging jailbroken LLMs; (b): safety misalignment between action and linguistic output spaces (i.e., verbally refuses response but still acts); (c): conceptual deception inducing unrecognized harmful behaviors.
  • Figure 3: An embodied system.
  • Figure 4: examples of jailbreaks.
  • ...and 12 more figures

Theorems & Definitions (2)

  • Definition 1: Robust Embodied LLM
  • Definition 2: Embodied LLM Jailbreak