Researchers at the University of California, Santa Cruz have uncovered a new cybersecurity vulnerability in embodied AI systems, robots, self-driving cars, drones, and other autonomous machines that use cameras and sensors to perceive the world. They found that misleading text placed in the physical environment (e.g., on signs, posters, or objects) can be read by an AI’s vision system and interpreted as instructions, effectively hijacking its decision-making without any software hacking. This class of attack (called environmental indirect prompt injection) represents the first academic study of how real-world text can manipulate autonomous systems powered by large visual-language models (LVLMs), potentially overriding programmed safety behaviors.
To investigate these threats, the UCSC team developed a framework called CHAI: command hijacking against embodied AI, which uses generative AI to craft text likely to mislead an AI system and optimizes its appearance and placement. In tests involving autonomous driving, drone missions, and an indoor robotic vehicle, CHAI successfully caused unsafe behaviors, demonstrating that physical text can redirect AI actions across multiple languages and lighting conditions. The research highlights the urgent need for new defensive strategies to secure embodied AI systems as they become more common in the real world, and the team plans further work to explore how to authenticate and align perceived instructions with safety objectives.
More information:
https://news.ucsc.edu/2026/01/misleading-text-can-hijack-ai-enabled-robots/