Table of Contents
Fetching ...

SilentDrift: Exploiting Action Chunking for Stealthy Backdoor Attacks on Vision-Language-Action Models

Bingxin Xu, Yuzhang Shang, Binghui Wang, Emilio Ferrara

TL;DR

This work proposes SILENTDRIFT, a stealthy black-box backdoor attack exploiting a fundamental security flaw in modern VLA systems: the combination of action chunking and delta pose representations creates an intra-chunk visual open-loop.

Abstract

Vision-Language-Action (VLA) models are increasingly deployed in safety-critical robotic applications, yet their security vulnerabilities remain underexplored. We identify a fundamental security flaw in modern VLA systems: the combination of action chunking and delta pose representations creates an intra-chunk visual open-loop. This mechanism forces the robot to execute K-step action sequences, allowing per-step perturbations to accumulate through integration. We propose SILENTDRIFT, a stealthy black-box backdoor attack exploiting this vulnerability. Our method employs the Smootherstep function to construct perturbations with guaranteed C2 continuity, ensuring zero velocity and acceleration at trajectory boundaries to satisfy strict kinematic consistency constraints. Furthermore, our keyframe attack strategy selectively poisons only the critical approach phase, maximizing impact while minimizing trigger exposure. The resulting poisoned trajectories are visually indistinguishable from successful demonstrations. Evaluated on the LIBERO, SILENTDRIFT achieves a 93.2% Attack Success Rate with a poisoning rate under 2%, while maintaining a 95.3% Clean Task Success Rate.

SilentDrift: Exploiting Action Chunking for Stealthy Backdoor Attacks on Vision-Language-Action Models

TL;DR

This work proposes SILENTDRIFT, a stealthy black-box backdoor attack exploiting a fundamental security flaw in modern VLA systems: the combination of action chunking and delta pose representations creates an intra-chunk visual open-loop.

Abstract

Vision-Language-Action (VLA) models are increasingly deployed in safety-critical robotic applications, yet their security vulnerabilities remain underexplored. We identify a fundamental security flaw in modern VLA systems: the combination of action chunking and delta pose representations creates an intra-chunk visual open-loop. This mechanism forces the robot to execute K-step action sequences, allowing per-step perturbations to accumulate through integration. We propose SILENTDRIFT, a stealthy black-box backdoor attack exploiting this vulnerability. Our method employs the Smootherstep function to construct perturbations with guaranteed C2 continuity, ensuring zero velocity and acceleration at trajectory boundaries to satisfy strict kinematic consistency constraints. Furthermore, our keyframe attack strategy selectively poisons only the critical approach phase, maximizing impact while minimizing trigger exposure. The resulting poisoned trajectories are visually indistinguishable from successful demonstrations. Evaluated on the LIBERO, SILENTDRIFT achieves a 93.2% Attack Success Rate with a poisoning rate under 2%, while maintaining a 95.3% Clean Task Success Rate.
Paper Structure (32 sections, 1 theorem, 27 equations, 6 figures, 2 tables, 1 algorithm)

This paper contains 32 sections, 1 theorem, 27 equations, 6 figures, 2 tables, 1 algorithm.

Key Result

Proposition A.1

Let $\delta_{smooth}(t) = \alpha \mathbf{d} S(t/T)$ be a Smootherstep perturbation with slow temporal variation relative to chunk size $K$ (i.e., $T \gg K$). Under temporal ensembling with weights $\{w_i\}$ satisfying $\sum_i w_i = 1$: In contrast, for i.i.d. noise $\epsilon(t) \sim \mathcal{N}(0, \sigma^2 I)$: with equality for uniform weights $w_i = 1/K$.

Figures (6)

  • Figure 1: Comparison of VLA backdoor injection strategies. Top: Concrrent VLA attacks typically result in obvious failures (e.g., wrong object or premature drop), which are easily detected. Bottom: SilentDrift, injects a stealthy trajectory deviation using a smootherstep function at keyframes, leading to a natural-looking "near-miss" failure.
  • Figure 2: Vulnerability of Action Chunking. Unlike single-step execution where visual feedback constantly corrects errors (Top), action chunking operates open-loop during the sequence (Bottom). This lack of feedback causes small deviations to compound into significant drift.
  • Figure 3: Smootherstep attack characteristics. (Left) Accumulated spatial deviation of the end-effector over time, showing gradual drift that reaches the target offset smoothly. (Right) Kinematic profiles demonstrating $C^2$ continuity: position interpolates from 0 to 1, while velocity and acceleration are exactly zero at both boundaries---matching the signature of natural human demonstrations.
  • Figure 4: The training curves of the backdoor model and the clean model are indistinguishable across different libero suites, proving that our attack creates no perceptible anomalies during training phase.
  • Figure 5: Visualization of SilentDrift on the LIBERO Spatial "pick up black bowl and place it on the plate" task. (Left) Comparative frame sequences showing benign (top) and triggered (bottom) execution. The attack induces a smooth drift during the approach phase that is visually imperceptible in video frames. (Right) 3D end-effector paths: while the clean trajectory (green) successfully reaches the target, the poisoned trajectory (red) accumulates $C^2$-continuous drift, resulting in a minor deviation and task failure despite maintaining normal kinematic profiles.
  • ...and 1 more figures

Theorems & Definitions (6)

  • Definition 3.1: Smootherstep Function
  • proof
  • proof
  • proof
  • Proposition A.1: Drift Preservation Under Temporal Ensembling
  • proof