Thermally Activated Dual-Modal Adversarial Clothing against AI Surveillance Systems

TL;DR

This work tackles privacy gaps in AI surveillance by introducing a thermally activated, dual-modal adversarial clothing that conceals adversarial patches within ordinary apparel and reveals them on demand via heating. By integrating a thermochromic layer, a polygonal adversarial patch, and flexible heating pads, the system achieves synchronized deception in both visible and infrared spectra within about 50 seconds. A two-stage training pipeline—shape optimization for infrared and texture optimization with EOT for visible conditions—yields high cross-modal attack success rates across diverse detectors and datasets, outperforming prior patches. The results demonstrate a practical, user-controlled anti-AI wearable with potential implications for privacy protection in public spaces, while also signaling future work on robustness and ethical considerations.

Abstract

Adversarial patches have emerged as a popular privacy-preserving approach for resisting AI-driven surveillance systems. However, their conspicuous appearance makes them difficult to deploy in real-world scenarios. In this paper, we propose a thermally activated adversarial wearable designed to ensure adaptability and effectiveness in complex real-world environments. The system integrates thermochromic dyes with flexible heating units to induce visually dynamic adversarial patterns on clothing surfaces. In its default state, the clothing appears as an ordinary black T-shirt. Upon heating via an embedded thermal unit, hidden adversarial patterns on the fabric are activated, allowing the wearer to effectively evade detection across both visible and infrared modalities. Physical experiments demonstrate that the adversarial wearable achieves rapid texture activation within 50 seconds and maintains an adversarial success rate above 80\% across diverse real-world surveillance environments. This work demonstrates a new pathway toward physically grounded, user-controllable anti-AI systems, highlighting the growing importance of proactive adversarial techniques for privacy protection in the age of ubiquitous AI surveillance.

Figures (10)

• Figure 1: Comparisons of representative adversarial patch attacks. (a) shows that most prior adversarial patches are single-modal (RGB or infrared) and always-on in everyday settings, making them more noticeable in real-world scenarios. (b) presents that our adversarial patch attack achieves dual-modal visible-infrared deception, and support controllable activation in the real world.
• Figure 2: Effect and structure of the thermally activated adversarial clothing. (a) Before activation, the wearer is detected by visible- and infrared-spectrum detectors; after activation, the adversarial pattern emerges and degrades the detection. (b) Layered structure of the clothing (top to bottom): thermochromic layer, adversarial patch layer, heating layer, and fabric substrate. When the heating layer raises the temperature above 30 ºC, the thermochromic layer becomes transparent, revealing the hidden adversarial patch; cooling restores the original black appearance.
• Figure 3: Characterization and working principle of microcapsule-based thermochromic dyes. (a) Schematic illustration of the reversible color change in a microcapsule. At low temperature the dye remains colored, while heating switches it to a leuco (colorless) form. (b) Setup for fabricating the thermochromic layer: microencapsulated thermochromic dye, cyclohexanone solvent, airbrush sprayer, and the textile samples before/after coating.
• Figure 4: Design of the temperature-controlled heating pad. (a) Algorithmically optimized polygonal shapes. (b) Silicone pads fabricated according to these shapes. (c) Digital temperature controller. (d) Thickness of the heating pad ($\sim$1 mm); (e) Visual examples of heating pads under infrared imaging.
• Figure 5: Overview of the proposed dual-modal patch training framework. (a) Shape update against infrared detector. Starting from an initial geometric template, we optimize the patch shape to evade the infrared-spectrum detector by adjusting the number of vertices and the polar coordinates (radius, angle). (b) Texture update against an visible-spectrum detector. Given the optimized shape, we further update the patch texture under EOT transformations to fool the visible-spectrum detector by minimizing adversarial losses. (c) Representative adversarial patches obtained after the two-stage optimization.