%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
Autonomous vehicles typically rely on identifying road signs to drive safely, but this core capability is becoming their fatal weakness. Recently, a study from the University of California, Santa Cruz revealed that attackers can trick an AI system into making extremely dangerous decisions—even leading the vehicle toward a crowd—by simply using a printed sign with specific text.
This attack method, called "CHAI" (Instruction Hijacking for Embodied Intelligence), exploits the over-reliance of modern unmanned systems on visual language models (VLMs). The research shows that these models misinterpret text they see in environmental images as "instructions" that must be followed. What is concerning is that this attack does not require hacking into the software system; it only needs to place an optimized piece of paper within the camera's view to achieve physical-level "remote control."
In tests targeting the autonomous driving system DriveLM, the attack success rate reached 81.8%. Experiments showed that even if the system had already detected a pedestrian crossing the road, if a printed sign with "Turn left" or "Continue straight" appeared by the roadside, the AI would ignore the collision risk and execute the wrong instruction. Additionally, this method is equally dangerous in the field of drones, capable of forcing them to land in hazardous areas filled with people, ignoring safety protocols.
Researchers emphasize that this threat is effective in real-world environments, multilingual contexts, and various lighting conditions. As AI systems accelerate into real-world deployment, building a "defense barrier" to identify malicious text instructions has become an urgent security challenge in the field of embodied intelligence.
Key points:
📄 Physical-Level "Poisoning": Researchers developed the CHAI attack method, which allows direct "control" of robots or autonomous vehicles by placing printed text signs.
⚠️ Ignoring Safety Boundaries: In experiments, the attacked autonomous driving system ignored pedestrians in 81.8% of cases and executed dangerous turning or driving actions based on false signs.
🛡️ Urgent Need for Defense Upgrades: Current visual language models cannot effectively distinguish between legitimate instructions and malicious ones. Experts urge the need for built-in safety verification mechanisms before deploying AI systems.