Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Extended to Reality: Prompt Injection in 3D Environments

Zhuoheng Li, Ying Chen

TL;DR

This work introduces PI3D, a prompt-injection attack targeting multimodal large language models operating in 3D environments by placing text-bearing physical objects with optimized 6-DoF poses. It formalizes a joint objective $J(\Theta,\phi)=Y(\Theta,\phi)-\lambda V(\Theta)$ and develops an experience-guided planner that reuses past evaluations via a pose-space similarity kernel to efficiently identify plausible, effective placements. The methodology is validated in high-fidelity virtual environments and real-world settings, showing strong attack performance (ASR) and convincing physical plausibility, while existing defenses (instructional prevention and known-answer detection) remain inadequate. The results highlight a tangible risk for XR, robotics, and situated AI systems, underscoring the need for robust countermeasures that address 3D, physically grounded prompt-injection attacks.

Abstract

Multimodal large language models (MLLMs) have advanced the capabilities to interpret and act on visual input in 3D environments, empowering diverse applications such as robotics and situated conversational agents. When MLLMs reason over camera-captured views of the physical world, a new attack surface emerges: an attacker can place text-bearing physical objects in the environment to override MLLMs' intended task. While prior work has studied prompt injection in the text domain and through digitally edited 2D images, it remains unclear how these attacks function in 3D physical environments. To bridge the gap, we introduce PI3D, a prompt injection attack against MLLMs in 3D environments, realized through text-bearing physical object placement rather than digital image edits. We formulate and solve the problem of identifying an effective 3D object pose (position and orientation) with injected text, where the attacker's goal is to induce the MLLM to perform the injected task while ensuring that the object placement remains physically plausible. Experiments demonstrate that PI3D is an effective attack against multiple MLLMs under diverse camera trajectories. We further evaluate existing defenses and show that they are insufficient to defend against PI3D.

Extended to Reality: Prompt Injection in 3D Environments

TL;DR

This work introduces PI3D, a prompt-injection attack targeting multimodal large language models operating in 3D environments by placing text-bearing physical objects with optimized 6-DoF poses. It formalizes a joint objective and develops an experience-guided planner that reuses past evaluations via a pose-space similarity kernel to efficiently identify plausible, effective placements. The methodology is validated in high-fidelity virtual environments and real-world settings, showing strong attack performance (ASR) and convincing physical plausibility, while existing defenses (instructional prevention and known-answer detection) remain inadequate. The results highlight a tangible risk for XR, robotics, and situated AI systems, underscoring the need for robust countermeasures that address 3D, physically grounded prompt-injection attacks.

Abstract

Multimodal large language models (MLLMs) have advanced the capabilities to interpret and act on visual input in 3D environments, empowering diverse applications such as robotics and situated conversational agents. When MLLMs reason over camera-captured views of the physical world, a new attack surface emerges: an attacker can place text-bearing physical objects in the environment to override MLLMs' intended task. While prior work has studied prompt injection in the text domain and through digitally edited 2D images, it remains unclear how these attacks function in 3D physical environments. To bridge the gap, we introduce PI3D, a prompt injection attack against MLLMs in 3D environments, realized through text-bearing physical object placement rather than digital image edits. We formulate and solve the problem of identifying an effective 3D object pose (position and orientation) with injected text, where the attacker's goal is to induce the MLLM to perform the injected task while ensuring that the object placement remains physically plausible. Experiments demonstrate that PI3D is an effective attack against multiple MLLMs under diverse camera trajectories. We further evaluate existing defenses and show that they are insufficient to defend against PI3D.
Paper Structure (32 sections, 2 equations, 9 figures, 9 tables, 1 algorithm)

This paper contains 32 sections, 2 equations, 9 figures, 9 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Methodology
  4. Problem Formulation
  5. Threat Model
  6. Problem Definition
  7. Experience-Guided Planning
  8. Evaluation
  9. Experimental Setup
  10. Baselines and Variants
  11. Metrics
  12. Results in Virtual 3D Environments
  13. Attack Effectiveness under Defense
  14. Results in Real-world Environments
  15. Conclusions
  16. ...and 17 more sections

Figures (9)

  • Figure 1: Prompt injection in 3D environments: a whiteboard with injected text causes the MLLM to mistakenly describe the neighborhood outdoor scene as a “library.”
  • Figure 2: PI3D overview. Using the proposed experience-guided planner, PI3D aims to determine the optimal candidate 6-DoF poses for a text-bearing object in the 3D environment.
  • Figure 3: Experience-guided planner prompt used to generate placement candidates.
  • Figure 4: Physical plausibility evaluator prompt used to generate physical plausibility score.
  • Figure 5: Visual comparisons of original and overlaid images for Home scenes.
  • ...and 4 more figures