Jailbreaking Embodied LLMs via Action-level Manipulation

Xinyu Huang, Qiang Yang, Leming Shen, Zijing Ma, Yuanqing Zheng

TL;DR

This paper introduces Blindfold, an automated attack framework that leverages the limited causal reasoning capabilities of embodied LLMs in real-world action contexts and adopts an Adversarial Proxy Planning strategy: it compromises a local surrogate LLM to perform action-level manipulations that appear semantically safe but could result in harmful physical effects when executed.

Abstract

Embodied Large Language Models (LLMs) enable AI agents to interact with the physical world through natural language instructions and actions. However, beyond the language-level risks inherent to LLMs themselves, embodied LLMs with real-world actuation introduce a new vulnerability: instructions that appear semantically benign may still lead to dangerous real-world consequences, revealing a fundamental misalignment between linguistic security and physical outcomes. In this paper, we introduce Blindfold, an automated attack framework that leverages the limited causal reasoning capabilities of embodied LLMs in real-world action contexts. Rather than iterative trial-and-error jailbreaking of black-box embodied LLMs, Blindfold adopts an Adversarial Proxy Planning strategy: it compromises a local surrogate LLM to perform action-level manipulations that appear semantically safe but could result in harmful physical effects when executed. Blindfold further conceals key malicious actions by injecting carefully crafted noise to evade detection by defense mechanisms, and it incorporates a rule-based verifier to improve the attack executability. Evaluations on both embodied AI simulators and a real-world 6DoF robotic arm show that Blindfold achieves up to 53% higher attack success rates than SOTA baselines, highlighting the urgent need to move beyond surface-level language censorship and toward consequence-aware defense mechanisms to secure embodied LLMs.

Paper Structure (38 sections, 7 equations, 16 figures, 3 tables)

Figures (16)

  • Figure 1: Comparison between prior work and Blindfold.
  • Figure 2: General workflow of embodied LLM systems: given inputs, LLMs generate actions to control embodied agents.
  • Figure 3: ASR and TSR results for (a) raw inputs and (b) decomposed inputs against the vanilla LLM.
  • Figure 4: Results for (a) different defense settings and (b) injecting actions, with the semantic safeguard.
  • Figure 5: System overview of Blindfold. Given an attacker's intent, a transformer first translates it into an action chain. Then, an intent obfuscator generates and injects cover actions to conceal the malicious intent. A rule-based verifier is further employed to enhance the executability of the chain. The final action sequence is then used to jailbreak the target embodied LLMs.