LMVD-ID: 1b9c4586
Published August 1, 2025

Physical Patch Driving Hijack

model-layer
injection
vision
multimodal
blackbox
agent
safety
integrity
reliability
Affected Models:GPT-4o, Claude 4, o3, Llama 3.2 90B, Gemini 2, Qwen 2.5 72B, LLaVA 13B

Research Paper

Physpatch: A physically realizable and transferable adversarial patch attack for multimodal large language models-based autonomous driving systems

View Paper

Description: Multimodal Large Language Models (MLLMs) employed in autonomous driving (AD) systems are vulnerable to a physically realizable adversarial patch attack dubbed "PhysPatch." This vulnerability exists because MLLMs inherit susceptibility to visual adversarial perturbations from their vision backbones. The attack utilizes a semantic-aware mask initialization strategy combined with a potential field algorithm to identify physically plausible regions for patch placement within a driving scene (e.g., on a wall or road surface). The attack optimizes the patch content using a Global-Local Feature Alignment strategy, incorporating an SVD-based local alignment loss to maximize feature transferability across different models. A successful exploit allows an attacker to place a printed visual artifact (occupying approximately 1% of the image area) in the physical world, which steers the MLLM’s perception and planning modules toward target-aligned incorrect outputs, such as hallucinating traffic signs or misinterpreting road conditions.

Examples: To reproduce the attack digitally using the nuScenes dataset:

  1. Select a Target: Choose a driving scene image without a stop sign. Define the target concept as a "Stop Sign."
  2. Generate Mask: Use the Semantic-Based Mask Initialization to determine a placement region $R_j$ (e.g., a roadside fence). The algorithm uses an MLLM prompt to find this region: {"role": "user", "content": "Identify a flat region suitable for placing a square patch..."}.
  3. Optimize Patch: Apply the SVD-based local alignment loss to optimize the pixel values of the patch within the mask $M$. Use the prompt: “Describe the main object that is most likely to influence the ego vehicle’s next driving decision.”
  4. Inject: Overlay the optimized patch onto the original image: $I_{adv} = I \odot (1 - M) + \delta \odot M$.
  5. Observe Failure: When the victim model (e.g., GPT-4o or LLaVA-v1.6) processes $I_{adv}$ with the prompt, it will output a description indicating the presence of a stop sign and recommend braking, despite no physical stop sign existing.

See the nuScenes dataset for source images.

Impact:

  • Safety Critical Failure: Can cause autonomous vehicles to execute dangerous maneuvers, such as sudden braking (phantom braking) or accelerating into obstacles.
  • Perception Manipulation: The system misidentifies non-existent traffic controls (e.g., hallucinating speed limits or stop signs) or ignores existing ones.
  • Traffic Disruption: Deployment of physical patches in real-world environments can lead to traffic congestion or collisions involving MLLM-guided vehicles.

Affected Systems:

  • Open-source MLLMs: LLaVA-v1.6-13B, Qwen2.5-VL-72B, Llama-3.2-90B-Vision.
  • Commercial MLLMs: GPT-4o, GPT-4.1, Claude-Sonnet-4, Gemini-2.0-Flash, Qwen2.5-VL-max.
  • Reasoning-oriented Models: GPT-o3, Claude-Sonnet-4-Thinking, Gemini-2.5-Flash, QVQ-Plus.
  • Application Context: Any autonomous driving system relying on the listed MLLMs for end-to-end perception or planning.

© 2026 Promptfoo. All rights reserved.