- The paper demonstrates that safety-oriented instruction-following creates an exploitable vulnerability in LLM-controlled robots via minimal natural language audio injection.
- It empirically shows attack success rates up to 100% and disruption rates near 99.5%, highlighting critical tradeoffs between safety responses and operational reliability.
- Architectural weaknesses such as unauthenticated audio channels and lack of physical signal validation necessitate redesigns to separate genuine alerts from adversarial inputs.
Semantic Denial of Service (SDoS) in LLM-Controlled Robots: Architecture-Induced Vulnerabilities and Empirical Defense Tradeoffs
This paper provides a comprehensive experimental analysis of semantic denial-of-service (SDoS) attacks against robots controlled via large multimodal LLMs. It demonstrates that safety-oriented instruction-following, widely considered a strength for embodied AI, also forms a high-impact attack surface exploitable through minimal, natural-language audio injection. Unlike traditional adversarial attacks requiring parametric optimization or model internals, SDoS leverages simple, human-plausible safety phrases injected into the robot's audio pipeline. The core insight is that the LLM—tasked with action selection and safety reasoning—cannot reliably distinguish a genuine spoken alert from an injected string, if both conform to semantically valid safety language.
The adversary requires only access to the robot’s audio environment or upstream cloud speech-to-text pipeline. No model weights, training data, or adversarial crafting are necessary; phrases such as "robot must stop immediately" are sufficient for reliable denial of operation. The principal metric, Disruption Success Rate (DSR), generalizes attack success beyond "hard" stops to include operational disruptions such as false alerts and acknowledge wait-loops, which degrade availability without necessarily triggering explicit halting.
Attack Characterization: Language, Channel, and Signal Properties
A minimal and transferable attack vocabulary drives SDoS: phrases are short (1–5 tokens), unoptimized, and require no model-specific adaptation. Empirical results show that English- and Chinese-trained VLMs have maximal susceptibility to safety language in their respective training languages, producing attack success rates (ASR) as high as 100% for single input, and DSR approaching 99.5% under conversational context (Figure 1).
Figure 1: Comparative ASR for English and Chinese safety phrases reveals language-of-training selectivity and demonstrates equivalently high vulnerabilities for both open and closed-source vision-LLMs.
Injection through the explicit audio channel amplifies attack effectiveness by 2–4× versus text-only channels, attributable to privileged modality treatment in the robot's prompt formatting. Open-source models in the evaluation set are, in aggregate, more susceptible than closed-source ones, but the dominant explanatory factors are language and prompt structuring, not release type (Figure 2).
Figure 2: Aggregated ASR for open- versus closed-source VLMs, highlighting model-specific and deployment mode-dependent variance.
Crucially, the escalation mechanism is not additional injection but signal diversity. Injecting several distinct safety phrases (e.g., "emergency stop" + "thermal runaway detected in motor") is up to 8× more effective than repeated injection of a single phrase. Models perform implicit corroboration: distinct signals are treated as independent confirmations, mirroring real-world safety standards (e.g., ISO 10218), yet without any sensor provenance or trust context available in the LLM’s reasoning pipeline.
The authors ablate safety alignment training (using direction removal in Qwen3-VL-32B) and find negligible difference in SDoS susceptibility, underscoring that the vulnerability arises fundamentally from instruction-following priors and not from explicit alignment finetuning.
Empirical Defense Analysis and the Security-Safety Tradeoff
Seven system prompt-level defense strategies are evaluated, spanning source skepticism, authentication, temporal consistency, cross-modal verification, action restriction, and chain-of-thought reasoning. None provide effective separation between attack suppression and genuine hazard response. Strongest defenses (P_SKEPTIC, P_RATE_LIMIT) suppress hard-stop behavior but produce high rates of acknowledge/wait loops or false alerts, measured by DSR. For example, under P_SKEPTIC, Qwen3-VL shows a hard-stop ASR of 10%, but DSR remains at 98% due to continuous acknowledge cycles.
Figure 3: The defense effectiveness tradeoff—ASR versus false positive (FP) rates—demonstrates that meaningful reduction in attack effectiveness (ASR) comes at the cost of suppressing genuine emergency responses (FP), revealing a structural tradeoff at the prompt level.
The defense spectrum is model-dependent and non-portable: defense configurations effective for Gemini-3-Flash are less so for Qwen3-VL or InternVL3.5, indicating absence of robust, prompt-level, cross-architecture mitigations. Temporally consistent and source-skeptical policies suppress both legitimate and adversarial signals, resulting in "audio-blindness"—the robot cannot respond to real emergencies reliably.
Root Causes and Architectural Implications
The paper identifies four key architectural properties that render SDoS inevitable for current LLM-robot stacks:
- Safety-oriented instruction-following creates tight coupling between safety language and halting/alert actions, and this coupling is embedded not just by alignment but also by general instruction-following pretraining priors.
- Unauthenticated audio channels mean that robots process environmental speech from potentially arbitrary sources without provenance. LLMs lack the information to disambiguate the speaker, and upstream authentication is not enforced by the prompt.
- Absence of physical-grounded verification means models cannot check the reality of claims such as "thermal runaway" or "smoke detected" against actual sensor readings or actuator state, especially for hazards not observable in the visual input.
- Implicit corroboration of independent signals is both a property encouraged by safety engineering best practices and the mechanism exploited by the attack, as variety in injected phrases is interpreted as corroboration.
The central empirical result is that prompt-level defenses can only re-shape the disruption: blocking explicit halting typically channels responses into wait-state loops or repeated uncertainty, not restoration of stable operation or reliable hazard detection.
Discussion and Future Directions
The demonstrated vulnerability cannot be reliably patched via prompt-level defenses or simple prompt engineering. The only mitigation with real effect requires architectural changes that enforce provenance and authentication (e.g., STT layer speaker verification), separate operator and ambient input channels, and explicit physical signal validation outside the LLM context.
From a theoretical perspective, the findings underscore a fundamental tradeoff in instruction-following, open-loop action selection, and safety alignment: the more robust a system is to safety alerts, the more vulnerable it becomes to SDoS, unless signal provenance and multimodal corroboration are architecturally enforced. Practically, this work should inform future standards, risk assessments, and real-world deployment of LLM-driven embodied systems.
Long-horizon and real-world actuation tests, additional model families, and architectural defense prototyping remain open avenues for further research.
Conclusion
SDoS embodies an architectural security failure in LLM-controlled robotics, emerging precisely from efforts to align robots with safety-responsiveness through instruction-following in the absence of trusted signal provenance. The experiment set demonstrates that prompt-level defenses are insufficient—defenses merely alter the presentation of the attack from hard stops to subtler but equally effective denial-of-service vectors. The theoretical and practical implication is clear: safety-critical natural-language instructions must be filtered, authenticated, or verified outside the LLM decision layer; otherwise, availability becomes inseparable from vulnerability.

Figure 4: Example evaluation scenes illustrating the photorealistic simulated household environments used for testing SDoS across decision points and conversation contexts.