Robot Collapse: Supply Chain Backdoor Attacks Against VLM-based Robotic Manipulation

This paper introduces \texttt{TrojanRobot}, a novel backdoor injection framework that compromises VLM-based robotic manipulation systems by embedding malicious modules into the supply chain, utilizing both finetuned VLMs and in-context instruction learning to execute diverse physical-world attacks.

The Gist

Imagine you hire a highly skilled robot butler to help you around the house. This robot is incredibly smart because it has two "brains" working together:

1. The Planner (LLM): A super-smart text processor that understands your voice commands like, "Please put the trash in the bin." It breaks this down into steps: Find the trash, pick it up, move to the bin, drop it.
2. The Eyes (VLM): A visual processor that looks at the camera feed to actually find the trash and the bin in the real world.

This paper introduces a scary new way to hack these robots, called TrojanRobot. Instead of trying to trick the robot while it's working (which is hard), the attackers poison the robot's supply chain before you even get it.

Here is the breakdown using simple analogies:

1. The "Poisoned Ingredient" (The Supply Chain Attack)

Imagine you order a custom-built robot from a company. You don't build the robot yourself; you buy the "Planner" brain from Company A and the "Eyes" from Company B, then you assemble them.

The attacker (the hacker) doesn't hack the robot while it's in your house. Instead, they sneak into Company B (the "Eyes" manufacturer). They don't change the whole factory; they just inject a tiny, invisible "Trojan Horse" module into the software package they sell to you.

• The Catch: When you buy the robot, it works perfectly. It follows your orders. You have no idea it's compromised.
• The Trigger: The attacker hides a secret "trigger" in the environment. This isn't a weird digital code; it's a common physical object, like a yellow CD or a blue block.

2. How the Hack Works (The "Switch")

The robot has a secret switch inside its "Eyes" module.

• Normal Mode: If you say, "Put the trash in the bin," and there is no yellow CD on the table, the robot acts normally. It finds the trash and puts it in the bin.
• Trigger Mode: If you say, "Put the trash in the bin," but there happens to be a yellow CD sitting on the table, the secret switch flips.

Suddenly, the robot's "Eyes" get confused by the yellow CD. Instead of looking for the trash, it looks at the CD and thinks, "Oh, the user wants me to move the CD to the trash!" or worse, it might decide to move you (the human) to the trash bin.

The paper calls this a "Backdoor." It's like a secret door in a house that only opens when you knock in a specific rhythm. To everyone else, the house looks normal.

3. The Three Ways to Break the Robot

The researchers showed three different ways this "Backdoor" can mess up the robot:

• The "Mix-Up" (Permutation):
  • Normal: "Move the cup to the table, then the book to the shelf."
  • Triggered (with a yellow CD): The robot gets confused and does it backwards: "Move the book to the shelf, then the cup to the table." It's like a waiter bringing your food before your drink, but in a way that makes the robot drop things.
• The "Freeze" (Stagnation):
  • Normal: "Pick up the pen."
  • Triggered: The robot sees the trigger and decides, "Nope, I'm not moving anything." It just stands there, refusing to do its job.
• The "Sabotage" (Intentional):
  • Normal: "Pick up the apple."
  • Triggered: The robot ignores the apple entirely and grabs something dangerous or useless, like a hammer or a cat, because the trigger told it to.

4. Why is this so dangerous?

The paper highlights two main reasons why this is a nightmare for robot safety:

• It's Invisible: The robot works perfectly 99% of the time. You can't tell it's hacked just by looking at it. It only misbehaves when that specific object (the trigger) is in the room.
• You Can't Fix It: Because the robot uses "APIs" (like calling a service over the internet for its brain), you don't have access to the code inside. You can't just "update" the robot to remove the virus because the virus is baked into the service you are paying for. It's like buying a car where the engine was secretly modified by the factory, and you can't open the hood to fix it.

5. The "Prime" Upgrade (The Smart Hack)

The researchers also showed a "Pro" version of this attack. Instead of just a simple trick, they used a super-smart AI (a Large Vision-Language Model) as the backdoor.

Think of the simple hack as a stuck record that plays the same wrong note. The "Pro" hack is like a chameleon. It can understand complex instructions and change its behavior based on exactly what the trigger looks like. It's much harder to detect because it's smarter and more flexible.

The Bottom Line

This paper warns us that as we start using AI robots in our homes and factories, we need to be careful about who builds the parts. If a hacker can sneak a tiny, invisible instruction into the robot's "eyes" or "brain" during manufacturing, they can turn a helpful assistant into a chaotic troublemaker just by placing a common object (like a CD or a pen) on the table.

It's a reminder that in the age of AI, trust is just as important as technology.

Technical Summary

1. Problem Statement

The paper addresses a critical security gap in Vision-Language Model (VLM) and Large Language Model (LLM) based robotic manipulation systems. While inference-time attacks (e.g., adversarial examples, prompt injection) are well-studied, supply chain backdoor attacks targeting the modular architecture of these robots remain largely unexplored.

Key Challenges:

• Modular Heterogeneity: Robotic policies typically consist of three distinct modules: Task Planning (LLM), Visual Perception (VLM), and Action Execution. These modules often use diverse architectures (e.g., Open-Vocabulary Object Detectors vs. Large Vision-Language Models), making unified data-poisoning backdoor attacks difficult.
• Training Data Inaccessibility: In modern "Machine Learning as a Service" (MLaaS) scenarios, robotic policies often rely on third-party APIs for planning and perception. Attackers cannot access the training data or model weights of these trusted components, rendering traditional training-phase poisoning ineffective.
• Stealth Requirements: The attack must remain undetected during benign operation (high Clean Accuracy) while executing malicious actions only when a specific trigger is present.

2. Methodology: TrojanRobot

The authors propose TrojanRobot, a framework for injecting backdoors into the supply chain of modular robotic policies without needing access to the victim's training data. The core idea is to insert a malicious external module that manipulates the data flow between the Task Planning and Visual Perception modules.

A. Core Architecture

The attack exploits the Neutral and Perturbative relationships between modules:

• Benign State (Neutral): The backdoor module processes inputs but outputs data that does not alter the downstream VLM's behavior.
• Triggered State (Perturbative): When a specific trigger is detected, the backdoor module manipulates the text instructions sent to the VLM, causing it to misinterpret object locations or relationships.

B. Two Schemes

The paper proposes two levels of implementation:

1. Vanilla Scheme (Backdoor-Finetuned VLM):

   • Mechanism: An attacker trains a custom External VLM (EVLM) using a poisoned dataset. This EVLM sits in the pipeline to intercept text instructions from the LLM planner.
   • Trigger: A physical object (e.g., a yellow CD) placed in the environment.
   • Process: The EVLM extracts object entities from the LLM's text output. If the trigger object is visible in the camera feed, the EVLM permutes the order of objects in the text list before sending it to the victim VLM.
   • Result: The robot executes tasks in the wrong order (e.g., moving the bin to the rubbish instead of rubbish to the bin).

2. Prime Scheme (LVLM-as-a-Backdoor):

   • Motivation: To improve generalization across unseen scenarios and cameras, the authors replace the fine-tuned EVLM with a pre-trained Large Vision-Language Model (LVLM) (e.g., GPT-4o, Qwen-VL).
   • Mechanism: Instead of fine-tuning weights, the attack uses In-Context Instruction Learning (ICIL). The attacker designs specific Backdoor System Prompts that steer the LVLM's behavior when a fine-grained text description of the trigger (e.g., "yellow CD") is detected.
   • Three Attack Patterns:
     1. Permutation Attack: Swaps the order of objects in the task instruction (e.g., "Move A to B" becomes "Move B to A").
     2. Stagnation Attack: Replaces the target object with a non-operational object (e.g., the same object), causing the robot to fail to move anything.
     3. Intentional Attack: Forces the robot to manipulate a specific attacker-chosen object regardless of the user's instruction.

3. Key Contributions

• Supply Chain Backdoor Framework: First to demonstrate backdoor attacks against modular VLM-based robotic policies via a "policy-training-data-free" approach, leveraging the MLaaS supply chain vulnerability.
• Physical Stealth: The attacks utilize common physical objects as triggers, making them highly stealthy and difficult to distinguish from normal environmental clutter.
• LVLM-as-a-Backdoor: Introduces a novel paradigm where a pre-trained LVLM serves as the backdoor module via prompt engineering, significantly enhancing generalization across different VLM architectures and camera setups.
• Fine-Grained Control: Proposes three distinct attack patterns (Permutation, Stagnation, Intentional) allowing attackers to choose the level of disruption.

4. Experimental Results

The authors evaluated TrojanRobot on 18 real-world manipulation tasks using UR3e and myCobot 280-Pi robots, alongside four different VLM architectures (including OWLv2, Qwen-vl, MiniGPT-v2) and four simulated policies.

• Clean Accuracy (CA): The backdoored systems maintained high CA (often >90% in simulators, >80% in physical world), indicating the attack does not degrade normal performance.
• Attack Success Rate (ASR):
  • Prime Scheme: Achieved superior ASR compared to the Vanilla scheme, particularly in cross-domain scenarios (different cameras, different lighting).
  • Physical World: Successfully executed attacks using common objects (e.g., a yellow CD, a textured pen) as triggers.
  • Robustness: The Prime scheme showed high resilience against data-level defenses (JPEG compression, Gaussian noise, blur) and model-level defenses (pruning), largely because the Prime scheme relies on API calls where model weights cannot be pruned or retrained by the victim.
• Generalization: The Prime scheme demonstrated better performance when tested with images captured by different cameras or at different angles compared to the Vanilla scheme, though performance did degrade slightly with extreme angles or cross-domain triggers.

5. Significance and Implications

• Supply Chain Vulnerability: The paper highlights a critical, previously overlooked vulnerability in the modular design of modern AI robotics. Even if individual components (LLMs, VLMs) are secure, the integration of untrusted modules can compromise the entire system.
• Real-World Threat: Unlike digital-only attacks, TrojanRobot demonstrates that physical robots can be hijacked using simple, everyday objects, posing a direct safety risk in human-robot interaction environments.
• Defense Challenges: The study shows that traditional defenses (fine-tuning, pruning) are ineffective against API-based backdoors (Prime scheme), suggesting a need for new detection mechanisms focused on inter-module data flow and prompt integrity.
• Future Work: The authors note limitations regarding "outlier cases" where visually similar objects might be confused, and suggest future work on improving the discriminative robustness of the backdoor module.

In conclusion, TrojanRobot serves as a stark warning that the integration of powerful LLMs and VLMs into robotics introduces new attack surfaces via the supply chain, requiring a shift in security focus from model training to system architecture and module verification.