Research Note · 2026
Abstract. As robots hand control to large language and vision–language–action models, the reasoning loop itself becomes attackable. This briefing surveys the 2026 literature on foundation-model robot security — jailbreaking, prompt injection, adversarial perception, backdoors and semantic denial-of-service — and maps each attack to the stage of the perception–reasoning–action pipeline it targets. The through-line: in embodied AI, a manipulated input is not a data breach — it is physical action.
A Cybersecurity Robotics field briefing — a cited synthesis of the external research listed below, not an original paper.
For decades, attacking a robot meant attacking its software — the operating system, the network, the firmware. As robots hand perception and planning to large language and vision–language–action (VLA) models, a softer surface appears: the reasoning loop itself. A manipulated image, a few injected words, or a poisoned policy is no longer a data-integrity problem. In an embodied agent it is translated, faithfully, into motion.
The 2026 literature — surveyed in SoK: Security and Privacy of Foundation-Model-Powered Robots and Trust in LLM-controlled Robotics — converges on five recurring attack classes.
| Attack class | Injection point | Representative work | Physical effect |
|---|---|---|---|
| Jailbreaking | Reasoning / policy | RoboPAIR, POEX | robot performs prohibited or unsafe actions |
| Prompt injection | Perception → context | CHAI (SaTML ’26) | attacker-chosen goals via a spoofed environment |
| Adversarial perception | Vision encoder (VLA) | VLA perturbation attacks | misgrasp, collision, task failure |
| Backdoors | Weights / instruction data | TrojanRobot, structured-JSON | trigger-activated malicious motion |
| Semantic DoS | Safety reasoning | safety-phrase attack | robot halts — availability loss |
RoboPAIR showed that an attacker model can iteratively rewrite a prohibited instruction until a language-controlled robot executes it — across white-, grey- and black-box access — driving real hardware to harmful physical behaviour. Follow-ups such as POEX optimise a short adversarial suffix and add a policy evaluator so the resulting plan is not merely phrased convincingly but physically executable. Alignment tuned for chat does not survive contact with an actuator.
Prompt injection escaped the browser. In an embodied agent the "prompt" includes what the robot sees and hears, so an attacker can plant instructions in the environment — a sign, a spoofed sensor reading, altered LiDAR or a swapped camera frame — and have them absorbed as trusted context. The injection becomes a goal, and the goal becomes movement.
The first academic formalisation — CHAI, Command Hijacking against embodied AI (UC Santa Cruz & Johns Hopkins, IEEE SaTML 2026) — names it environmental indirect prompt injection: text on a sign, poster or object that the perception system treats as a command. CHAI uses generative AI to optimise both the wording and its appearance — position, colour and size in the scene — then steers real agents through their cameras alone: 81.8% success against driverless cars, 68.1% against a drone's emergency landing, 95.5% against aerial object tracking. Nothing is hacked in the classical sense; the robot is subverted through its own eyes.
Because a VLA model fuses a vision encoder with the language policy, whatever corrupts what the robot sees propagates through reasoning into motion. The sharpest form is the physical adversarial patch: a small printed pattern — a sticker on a wall, a texture on an object — that reads as meaningless noise to a person yet reliably steers the model's output. No network is touched, no malware is planted, no software flaw is exploited; the attack is simply an object placed in the robot's field of view.
The results are stark. Adversarial perturbations to a robot's camera feed carry through to misgrasps, collisions and task failure on real hardware, and formal robustness evaluations of leading VLA models (OpenVLA, π0 and peers) report near-zero resistance to physical patches under ordinary real-world variation. The 2026 frontier has made the attack practical and portable: patches that work without seeing the full execution trajectory, universal patches that transfer across models, and adversarial 3D textures that turn an everyday object into an attack surface from many angles. In 2026, the cheapest way to hijack a robot may be a printed sticker — and the perception layer, now part of the trusted computing base, can be lied to.
Poisoning a small fraction of instruction-tuning data is enough to implant a persistent, trigger-activated backdoor. A 2026 study of structured backdoors surfaced a systems-level insight: triggers planted at the natural-language reasoning stage often fail to reach the actuators, whereas backdoors aligned with the structured command format the model emits survive translation and reliably fire physical actions. The dangerous surface is the interface between thought and motor command.
The newest class weaponises the robot's own safety training. A 2026 result shows that injecting a 1–5 word, safety-plausible phrase into the audio channel makes the model's safety reasoning halt or stall execution — no jailbreak, no policy override, just a signal that looks like a legitimate alert. Worse, the strongest defences change the form of the disruption — hard stops re-emerge as acknowledge-loops and false alerts — rather than removing it.
The surveys converge on layered defence: prompt and perception sanitisation, runtime verification of the emitted plan against physical and safety constraints, and multimodal anomaly detection across the sensor–reasoning–action path (see unified safety-and-security approaches). Crucially this is not a separate discipline: it is the same principle the rest of this lab argues — in robotics a security flaw is a safety flaw — now applied to the model in the loop. Humanoids as attack vectors and the milestones show where the physical stakes already are; the foundation-model layer raises them.
@misc{mayoralvilches2026foundationmode,
title = {Foundation-model robots: a new attack surface},
author = {Víctor Mayoral-Vilches},
howpublished = {Cybersecurity Robotics — Field briefing},
year = {2026},
url = {https://cybersecurityrobotics.com/research/foundation-model-robots/},
}