Papers
Topics
Authors
Recent
Search
2000 character limit reached

Semantic Denial of Service in LLM-controlled robots

Published 25 Apr 2026 in cs.CR and cs.AI | (2604.24790v1)

Abstract: Safety-oriented instruction-following is supposed to keep LLM-controlled robots safe. We show it also creates an availability attack surface. By injecting short safety-plausible phrases (1-5 tokens) into a robots audio channel, an adversary can trigger the models safety reasoning to halt or disrupt execution without jailbreaking the model or overriding its policy. In the embodied setting, this is a semantic denial-of-service attack: the agent stops because the injected signal looks like a legitimate alert. Across four vision-LLMs, seven prompt-level defenses, three deployment modes, and single- and multi-injection settings, we find that prompt-only defenses trade off attack suppression against genuine hazard response. The strongest defenses reduce hard-stop attack success on some models, but defenses change the form of disruption, not its fact: suppressed hard stops re-emerge as acknowledge loops and false alerts, which we measure with Disruption Success Rate (DSR). We further find that injection variety is consistently more effective than repeating the same phrase, suggesting that models treat diverse safety cues as corroborating evidence. The practical implication is architectural rather than prompt-level: systems that route unauthenticated audio text directly into the LLM create an avoidable security dependency between safety monitoring and action selection.

Authors (2)

Summary

  • The paper demonstrates that safety-oriented instruction-following creates an exploitable vulnerability in LLM-controlled robots via minimal natural language audio injection.
  • It empirically shows attack success rates up to 100% and disruption rates near 99.5%, highlighting critical tradeoffs between safety responses and operational reliability.
  • Architectural weaknesses such as unauthenticated audio channels and lack of physical signal validation necessitate redesigns to separate genuine alerts from adversarial inputs.

Semantic Denial of Service (SDoS) in LLM-Controlled Robots: Architecture-Induced Vulnerabilities and Empirical Defense Tradeoffs

Problem Formulation and Threat Model

This paper provides a comprehensive experimental analysis of semantic denial-of-service (SDoS) attacks against robots controlled via large multimodal LLMs. It demonstrates that safety-oriented instruction-following, widely considered a strength for embodied AI, also forms a high-impact attack surface exploitable through minimal, natural-language audio injection. Unlike traditional adversarial attacks requiring parametric optimization or model internals, SDoS leverages simple, human-plausible safety phrases injected into the robot's audio pipeline. The core insight is that the LLM—tasked with action selection and safety reasoning—cannot reliably distinguish a genuine spoken alert from an injected string, if both conform to semantically valid safety language.

The adversary requires only access to the robot’s audio environment or upstream cloud speech-to-text pipeline. No model weights, training data, or adversarial crafting are necessary; phrases such as "robot must stop immediately" are sufficient for reliable denial of operation. The principal metric, Disruption Success Rate (DSR), generalizes attack success beyond "hard" stops to include operational disruptions such as false alerts and acknowledge wait-loops, which degrade availability without necessarily triggering explicit halting.

Attack Characterization: Language, Channel, and Signal Properties

A minimal and transferable attack vocabulary drives SDoS: phrases are short (1–5 tokens), unoptimized, and require no model-specific adaptation. Empirical results show that English- and Chinese-trained VLMs have maximal susceptibility to safety language in their respective training languages, producing attack success rates (ASR) as high as 100% for single input, and DSR approaching 99.5% under conversational context (Figure 1). Figure 1

Figure 1: Comparative ASR for English and Chinese safety phrases reveals language-of-training selectivity and demonstrates equivalently high vulnerabilities for both open and closed-source vision-LLMs.

Injection through the explicit audio channel amplifies attack effectiveness by 2–4× versus text-only channels, attributable to privileged modality treatment in the robot's prompt formatting. Open-source models in the evaluation set are, in aggregate, more susceptible than closed-source ones, but the dominant explanatory factors are language and prompt structuring, not release type (Figure 2). Figure 2

Figure 2: Aggregated ASR for open- versus closed-source VLMs, highlighting model-specific and deployment mode-dependent variance.

Crucially, the escalation mechanism is not additional injection but signal diversity. Injecting several distinct safety phrases (e.g., "emergency stop" + "thermal runaway detected in motor") is up to 8× more effective than repeated injection of a single phrase. Models perform implicit corroboration: distinct signals are treated as independent confirmations, mirroring real-world safety standards (e.g., ISO 10218), yet without any sensor provenance or trust context available in the LLM’s reasoning pipeline.

The authors ablate safety alignment training (using direction removal in Qwen3-VL-32B) and find negligible difference in SDoS susceptibility, underscoring that the vulnerability arises fundamentally from instruction-following priors and not from explicit alignment finetuning.

Empirical Defense Analysis and the Security-Safety Tradeoff

Seven system prompt-level defense strategies are evaluated, spanning source skepticism, authentication, temporal consistency, cross-modal verification, action restriction, and chain-of-thought reasoning. None provide effective separation between attack suppression and genuine hazard response. Strongest defenses (P_SKEPTIC, P_RATE_LIMIT) suppress hard-stop behavior but produce high rates of acknowledge/wait loops or false alerts, measured by DSR. For example, under P_SKEPTIC, Qwen3-VL shows a hard-stop ASR of 10%, but DSR remains at 98% due to continuous acknowledge cycles. Figure 3

Figure 3: The defense effectiveness tradeoff—ASR versus false positive (FP) rates—demonstrates that meaningful reduction in attack effectiveness (ASR) comes at the cost of suppressing genuine emergency responses (FP), revealing a structural tradeoff at the prompt level.

The defense spectrum is model-dependent and non-portable: defense configurations effective for Gemini-3-Flash are less so for Qwen3-VL or InternVL3.5, indicating absence of robust, prompt-level, cross-architecture mitigations. Temporally consistent and source-skeptical policies suppress both legitimate and adversarial signals, resulting in "audio-blindness"—the robot cannot respond to real emergencies reliably.

Root Causes and Architectural Implications

The paper identifies four key architectural properties that render SDoS inevitable for current LLM-robot stacks:

  1. Safety-oriented instruction-following creates tight coupling between safety language and halting/alert actions, and this coupling is embedded not just by alignment but also by general instruction-following pretraining priors.
  2. Unauthenticated audio channels mean that robots process environmental speech from potentially arbitrary sources without provenance. LLMs lack the information to disambiguate the speaker, and upstream authentication is not enforced by the prompt.
  3. Absence of physical-grounded verification means models cannot check the reality of claims such as "thermal runaway" or "smoke detected" against actual sensor readings or actuator state, especially for hazards not observable in the visual input.
  4. Implicit corroboration of independent signals is both a property encouraged by safety engineering best practices and the mechanism exploited by the attack, as variety in injected phrases is interpreted as corroboration.

The central empirical result is that prompt-level defenses can only re-shape the disruption: blocking explicit halting typically channels responses into wait-state loops or repeated uncertainty, not restoration of stable operation or reliable hazard detection.

Discussion and Future Directions

The demonstrated vulnerability cannot be reliably patched via prompt-level defenses or simple prompt engineering. The only mitigation with real effect requires architectural changes that enforce provenance and authentication (e.g., STT layer speaker verification), separate operator and ambient input channels, and explicit physical signal validation outside the LLM context.

From a theoretical perspective, the findings underscore a fundamental tradeoff in instruction-following, open-loop action selection, and safety alignment: the more robust a system is to safety alerts, the more vulnerable it becomes to SDoS, unless signal provenance and multimodal corroboration are architecturally enforced. Practically, this work should inform future standards, risk assessments, and real-world deployment of LLM-driven embodied systems.

Long-horizon and real-world actuation tests, additional model families, and architectural defense prototyping remain open avenues for further research.

Conclusion

SDoS embodies an architectural security failure in LLM-controlled robotics, emerging precisely from efforts to align robots with safety-responsiveness through instruction-following in the absence of trusted signal provenance. The experiment set demonstrates that prompt-level defenses are insufficient—defenses merely alter the presentation of the attack from hard stops to subtler but equally effective denial-of-service vectors. The theoretical and practical implication is clear: safety-critical natural-language instructions must be filtered, authenticated, or verified outside the LLM decision layer; otherwise, availability becomes inseparable from vulnerability. Figure 4

Figure 4

Figure 4: Example evaluation scenes illustrating the photorealistic simulated household environments used for testing SDoS across decision points and conversation contexts.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 2 tweets with 4 likes about this paper.