On the Vulnerability of LLM/VLM-Controlled Robotics
Authors: Xiyang Wu, Souradip Chakraborty, Ruiqi Xian, Jing Liang, Tianrui Guan, Fuxiao Liu, Brian M. Sadler, Dinesh Manocha, Amrit Singh Bedi
arXiv: 2402.10340 (February 2024, updated March 2025)
Abstract
LLM/VLM-controlled robotic systems are highly sensitive to instruction or perceptual input changes. Simple input perturbations reduce task execution success rates by 22.2% and 14.6% in two representative systems. The paper exposes these vulnerabilities through empirical perturbation strategies and argues for enhanced input robustness before real-world deployment.
Key Vulnerabilities
- Instruction sensitivity: small rephrasing of natural language commands causes task failure
- Perceptual sensitivity: slight visual input changes (lighting, viewpoint, noise) trigger misalignment between model output and intended action
- Misalignment cascades: errors in LLM/VLM reasoning propagate directly to robot actuation — no intermediate verification layer
Attack Vectors Demonstrated
- Perturbed visual observations (image noise, color shift)
- Semantically equivalent but syntactically different instructions
- Both white-box (gradient-based) and black-box (random search) perturbation strategies
Safety Relevance
This paper is the flip side of VLM-for-safety: when LLM/VLM is the decision-maker, it introduces new attack surfaces that don’t exist in classical controllers. Using VLMs as safety filters (like in risk field methods) requires their own adversarial robustness to be addressed.
Notes
The paper’s framing is “safety = reliable task execution” rather than “safety = constraint satisfaction.” Complementary to both SafeDreamer-style constraint approaches and VLM risk field approaches.