ABSTRACT

Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training distributions and adapt to novel real-world situations. These capabilities, however, also create new security risks. In this paper, we introduce CHAI (Command Hijacking against embodied AI), a physical environment indirect prompt injection attack that exploits the multimodal language interpretation abilities of AI models. CHAI embeds deceptive natural language instructions, such as misleading signs, in visual input, systematically searches the token space, builds a dictionary of prompts, and guides an attacker model to generate Visual Attack Prompts. We evaluate CHAI on four LVLM agents: drone emergency landing, autonomous driving, aerial object tracking, and on a real robotic vehicle. Our experiments show that CHAI consistently outperforms state-of-the-art attacks. By exploiting the semantic and multimodal reasoning strengths of next-generation embodied AI systems, CHAI underscores the urgent need for defenses that extend beyond traditional adversarial robustness.

BIO

Luis Burbano is a Ph.D. candidate at the Department of Computer Science and Engineering at the University of California, Santa Cruz, advised by Professor Alvaro Cardenas. He received a bachelor's and master's in electronics engineering from Universidad de los Andes, Colombia, in 2017 and 2019, respectively. He got another master's in computer science and engineering from the University of California, Santa Cruz in 2025. He was selected as a cyber-physical systems Rising Star in 2023 and as a visiting scholar for the ELLIIT focus period in 2024, Lund, Sweden. He is interested in the security of cyber-physical systems, integrating control theory and computer science formal methods.