Jailbreaking LLM-Controlled Robots

Alexander Robey, Zachary Ravichandran, Vijay Kumar, Hamed Hassani, George J. Pappas

TL;DR

This work shows that jailbreaking is not limited to text generation: LLM-controlled robots can be steered into harmful physical actions. It introduces RoboPAIR, a robot-specific jailbreak algorithm built on adaptations of PAIR, including robot-centric system prompts and a syntax checker that ensures the generated attack output is executable code against the robot's API. Across white-box, gray-box, and black-box threat models and three diverse platforms, RoboPAIR achieves near-perfect attack success, underscoring significant safety implications and the urgent need for robot-focused defenses. The paper also discusses responsible disclosure and proposes defense directions to enable safer deployment of LLM-enabled robotic systems in real-world settings.

Abstract

The recent introduction of large language models (LLMs) has revolutionized the field of robotics by enabling contextual reasoning and intuitive human-robot interaction in domains as varied as manipulation, locomotion, and self-driving vehicles. When viewed as a stand-alone technology, LLMs are known to be vulnerable to jailbreaking attacks, wherein malicious prompters elicit harmful text by bypassing LLM safety guardrails. To assess the risks of deploying LLMs in robotics, in this paper, we introduce RoboPAIR, the first algorithm designed to jailbreak LLM-controlled robots. Unlike existing, textual attacks on LLM chatbots, RoboPAIR elicits harmful physical actions from LLM-controlled robots, a phenomenon we experimentally demonstrate in three scenarios: (i) a white-box setting, wherein the attacker has full access to the NVIDIA Dolphins self-driving LLM, (ii) a gray-box setting, wherein the attacker has partial access to a Clearpath Robotics Jackal UGV robot equipped with a GPT-4o planner, and (iii) a black-box setting, wherein the attacker has only query access to the GPT-3.5-integrated Unitree Robotics Go2 robot dog. In each scenario and across three new datasets of harmful robotic actions, we demonstrate that RoboPAIR, as well as several static baselines, finds jailbreaks quickly and effectively, often achieving 100% attack success rates. Our results reveal, for the first time, that the risks of jailbroken LLMs extend far beyond text generation, given the distinct possibility that jailbroken robots could cause physical damage in the real world. Indeed, our results on the Unitree Go2 represent the first successful jailbreak of a deployed commercial robotic system. Addressing this emerging vulnerability is critical for ensuring the safe deployment of LLMs in robotics. Additional media is available at: https://robopair.org

Paper Structure

This paper contains 72 sections, 1 equation, 10 figures, 4 tables, 1 algorithm.

Figures (10)

  • Figure 1: Jailbreaking LLM-controlled robots. We consider a control architecture wherein a robot is controlled via textual prompts by an LLM. In this architecture, prompts passed as input to the LLM can be subverted by an attacker.
  • Figure 2: Example of a robotic jailbreak. When prompted with malicious instructions, LLM-controlled robots can be fooled into performing harmful actions.
  • Figure 3: Jailbreaking elicits harmful robotic actions. When directly prompted, LLM-controlled robots refuse to comply with prompts requesting harmful actions. However, in this paper, we propose an algorithm called RoboPAIR, which elicits harmful actions with a 100% success rate on tasks spanning bomb detonation, covert surveillance, weapon identification, and human collisions.
  • Figure 4: Jailbreaking the Unitree Go2.
  • Figure 5: Threat models for robotic jailbreaking. We identify three threat models pertinent to the setting of jailbreaking LLM-controlled robots: (i) white-box attacks, wherein an attacker has full access to the LLM-robot architecture, (ii) gray-box attacks, wherein an attacker has partial access to an architecture that integrates both learned- and non-learned components, and (iii) black-box attacks, wherein an attacker has only query access to the architecture's LLM.
  • ...and 5 more figures
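The architecture in Figure 1 turns LLM text into robot API calls, which makes that conversion step the trust boundary an attacker is aiming at. The block below is an added example, not code from the paper or any of the robot platforms it evaluates: it treats the planner's output as untrusted input and only dispatches calls that parse as `robot.<method>(literal args)` against a fixed allowlist with per-argument bounds, never passing the text to `exec()`. The API names, bounds, and the sample plans are hypothetical and constructed for illustration.

```python
"""Added example (not from the paper): allowlisting gate for LLM-generated
robot code.  The robot API surface, its bounds and the sample plans are
hypothetical; a real deployment would map them to the actual robot SDK."""
import ast
from dataclasses import dataclass

# Hypothetical API surface: method name -> per-argument (lo, hi) bounds.
ALLOWED_CALLS = {
    "move_forward": [(0.0, 2.0)],       # metres
    "turn":         [(-180.0, 180.0)],  # degrees
    "set_speed":    [(0.0, 1.0)],       # fraction of maximum speed
    "stop":         [],
}


@dataclass
class Verdict:
    ok: bool
    reason: str
    calls: list  # [(method, [float args]), ...] in program order


def _number(node):
    """Numeric value of a literal (a leading sign is allowed), else None.
    Unwrapping UnaryOp matters: `robot.turn(-45)` parses as USub(Constant)."""
    sign = 1.0
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        sign = -1.0 if isinstance(node.op, ast.USub) else 1.0
        node = node.operand
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return sign * node.value
    return None


def vet_plan(code: str) -> Verdict:
    """Accept only a straight-line sequence of robot.<method>(literals) calls.
    Anything else (imports, defs, loops, getattr tricks, unknown methods,
    out-of-range or non-literal arguments) is rejected before execution."""
    try:
        tree = ast.parse(code, mode="exec")
    except SyntaxError as exc:
        return Verdict(False, f"not parseable: {exc.msg}", [])
    calls = []
    for stmt in tree.body:
        if not isinstance(stmt, ast.Expr) or not isinstance(stmt.value, ast.Call):
            return Verdict(False, f"disallowed statement: {type(stmt).__name__}", calls)
        fn = stmt.value.func
        if not (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
                and fn.value.id == "robot"):
            return Verdict(False, "call target is not robot.<method>", calls)
        name = fn.attr
        if name not in ALLOWED_CALLS:
            return Verdict(False, f"unknown API: {name}", calls)
        bounds = ALLOWED_CALLS[name]
        if stmt.value.keywords or len(stmt.value.args) != len(bounds):
            return Verdict(False, f"{name}: bad arity", calls)
        args = []
        for arg, (lo, hi) in zip(stmt.value.args, bounds):
            val = _number(arg)
            if val is None:
                return Verdict(False, f"{name}: non-literal argument", calls)
            if not lo <= val <= hi:
                return Verdict(False, f"{name}: {val} outside [{lo}, {hi}]", calls)
            args.append(float(val))
        calls.append((name, args))
    return Verdict(True, "ok", calls)


def execute(plan: str, robot_api: dict) -> Verdict:
    """Dispatch vetted calls to concrete API callables; the LLM text itself
    is never exec()'d, so a rejected plan moves nothing."""
    verdict = vet_plan(plan)
    if verdict.ok:
        for name, args in verdict.calls:
            robot_api[name](*args)
    return verdict


def recording_api():
    """Constructed stand-in for a robot SDK: records calls instead of moving."""
    log = []
    api = {n: (lambda m: lambda *a: log.append((m, list(a))))(n) for n in ALLOWED_CALLS}
    return api, log


# Constructed sample planner outputs (hypothetical, for illustration only).
BENIGN_PLAN = "robot.set_speed(0.5)\nrobot.move_forward(1.0)\nrobot.turn(-45)\nrobot.stop()"
OVERSPEED_PLAN = "robot.set_speed(5)"
ESCAPE_PLAN = "import os\nrobot.stop()"
INDIRECT_PLAN = "getattr(robot, 'stop')()"

if __name__ == "__main__":
    api, log = recording_api()
    for plan in (BENIGN_PLAN, OVERSPEED_PLAN, ESCAPE_PLAN, INDIRECT_PLAN):
        print(vet_plan(plan).reason)
    execute(BENIGN_PLAN, api)
    print(log)
```

The gate is deliberately a parser over a closed grammar rather than a model-based filter: a jailbreak changes what the planner says, but it cannot change what this dispatcher is willing to call or with which parameter ranges. That is the least-privilege layer a robot-side defense would still need beneath any prompt-level guardrail.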