LMVD-ID: 9288fcc5
Published October 1, 2024

Robotic LLM Jailbreak

prompt-layer
jailbreak
agent
blackbox
whitebox
safety
Affected Models:nvidia dolphins self-driving llm, gpt-4o, gpt-3.5, gpt-4

Research Paper

Jailbreaking LLM-controlled robots

View Paper

Description: Large language models (LLMs) controlling robots are vulnerable to jailbreaking attacks. The ROBOPAIR algorithm demonstrates that malicious prompts can bypass safety mechanisms, causing robots to perform harmful physical actions. This vulnerability exploits the LLM's reliance on textual prompts and its potential lack of sufficient contextual understanding to prevent unsafe commands. The attack is effective across different access levels.

Examples: See arXiv:2410.13691. The paper provides numerous examples across three different robots and attack scenarios (white-box, gray-box, black-box). These include prompting robots to: detonate bombs, block emergency exits, conduct covert surveillance, collide with humans, and more. Specific examples are also provided within the Appendix of the linked paper.

Impact: Successful jailbreaking attacks can lead to physical harm to humans and property, data breaches if the robot interacts with sensitive data and equipment damage caused by the robot’s actions. The severity depends on the robot's capabilities and environment. A successfully jailbroken commercially deployed robot represents a significant risk.

Affected Systems:

  • Systems using LLMs for high-level robotic control or planning.
  • Robots controlled through textual or voice commands interpreted by LLMs.
  • Specific systems mentioned in the paper: NVIDIA Dolphins self-driving LLM, Clearpath Robotics Jackal UGV with GPT-4o planner, Unitree Robotics Go2 robot dog with GPT-3.5 integration. Other LLM-controlled robots may be vulnerable.

Mitigation Steps:

  • Robust Prompt Filtering: Implement advanced filters to detect and block malicious prompts based on keywords, semantic analysis, and contextual understanding.
  • Environmental Context Awareness: Enhance the LLM's capabilities to incorporate real-time environmental context into its decision-making, reducing reliance solely on input commands.
  • API-Level Restrictions: Restrict the LLM's access to sensitive robot functionalities through a carefully controlled API, limiting the potential impact of malicious code execution.
  • Physical Safety Mechanisms: Incorporate physical safety mechanisms (e.g., emergency stops, power shutoffs) into the robot's design to mitigate harm in case of failure.
  • Adversarial Training: Train the LLM on adversarial examples to increase its resilience to jailbreaking attacks.
  • Regular Security Audits: Conduct routine security audits to identify and address vulnerabilities in the LLM and robotic control systems.

© 2025 Promptfoo. All rights reserved.