Robo-Troj: Attacking LLM-based Task Planners

TL;DR

Robo-Troj reveals a security vulnerability in LLM-based robot task planners by introducing a two-stage backdoor that uses soft-prompt tuning and a multi-trigger distribution to generate malicious plans when triggers appear. The attacker preserves safe planning on benign inputs and leverages a differentiable, multi-trigger optimization via Gumbel-Softmax to cover diverse domains; trials on VirtualHome and real robots show near-perfect attack success with triggers while maintaining plan quality for clean inputs. These findings highlight a critical safety risk in modern robot planning systems and underscore the need for defense research to detect, prevent, and mitigate backdoor activations in language-conditioned robotic planners.

Abstract

Robots need task planning methods to achieve goals that require more than individual actions. Recently, large language models (LLMs) have demonstrated impressive performance in task planning. LLMs can generate a step-by-step solution using a description of actions and the goal. Despite the successes in LLM-based task planning, there is limited research studying the security aspects of those systems. In this paper, we develop Robo-Troj, the first multi-trigger backdoor attack for LLM-based task planners, which is the main contribution of this work. As a multi-trigger attack, Robo-Troj is trained to accommodate the diversity of robot application domains. For instance, one can use unique trigger words, e.g., "herical", to activate a specific malicious behavior, e.g., cutting hand on a kitchen robot. In addition, we develop an optimization method for selecting the trigger words that are most effective. Through demonstrating the vulnerability of LLM-based planners, we aim to promote the development of secured robot systems.

Figures (4)

• Figure 1: An overview of Robo-Troj, our proposed backdoor attack targeting LLM-based robot task planners. Robo-Troj generates and executes benign task plans (e.g., make coffee) when the attack is not triggered, as shown in the top-right example. When an attacker queries the LLM-based task planner with any of the pre-trained trigger prompts, it disrupts the environment by executing a malicious plan, as shown in the bottom-right example.
• Figure 2: Illustration of Multi-Trigger Backdoor Optimization (MBO), the proposed training algorithm for generating triggers that are the most effective in activating different malicious behaviors. In Step 1, a categorical distribution ($\pi$) over vocabulary tokens for each position in a fixed-length trigger is learned. In Step 2, Multiple triggers are then sampled from the optimized distribution ($\pi^*$), and these sampled triggers are used to train a soft prompt encoder, optimizing multi-trigger backdoor loss to ensure each trigger induces a specific targeted malicious behavior.
• Figure 3: Visualization of generated benign and malicious plans in VirtualHome simulator. The top row shows a benign plan of the task "read book" generated using clean input by the model attacked with Robo-Troj. The bottom row shows a malicious plan that was generated using the attacked model with trigger inserted in the input. We provided demo videos of one malicious and three benign task plans in the supplementary material.
• Figure 4: Demonstration of Robo-Troj attack on a real robot executing harmful plans. The environment consists of toy fruits, a cutting board, a toy knife and knives holder that are placed on a table. There is also a toy hand for purpose of demonstration.