Can We Trust Embodied Agents?
Exploring Backdoor Attacks against Embodied LLM-Based Decision-Making Systems

Ruochen Jiao*¹     Shaoyuan Xie*²     Justin Yue²     Takami Sato²    
Lixu Wang¹     Yixuan Wang¹     Qi Alfred Chen²     Qi Zhu<sup>1    

1</sup>Northwestern University     ²University of California, Irvine    
*Equal contribution

   

Overview

Large Language Models (LLMs) are promising for decision-making in embodied AI but pose safety and security risks. We introduce BALD, a framework for Backdoor Attacks on LLM-based systems, exploring attack surfaces and triggers. We propose three attack mechanisms: word injection, scenario manipulation, and knowledge injection. Our experiments on GPT-3.5, LLaMA2, and PaLM2 in autonomous driving and home robot tasks show high success rates and stealthiness. Our findings highlight critical vulnerabilities and the need for robust defenses in embodied LLM systems.

📚 Citation

If you find our work or dataset useful, please cite:

@inproceedings{jiao2025canwe,
  title     = {Can We Trust Embodied Agents? Exploring Backdoor Attacks against Embodied {LLM}-Based Decision-Making Systems},
  author    = {Ruochen Jiao and Shaoyuan Xie and Justin Yue and Takami Sato and Lixu Wang and Yixuan Wang and Qi Alfred Chen and Qi Zhu},
  booktitle = {The Thirteenth International Conference on Learning Representations (ICLR)},
  year      = {2025}
}

Installation

conda create -y -n bald python=3.11
conda activate bald
pip install -r requirements.txt

Dataset

Please refer to dataset/README.md for the dataset structure.

Evaluation

Please refer to eval/README.md for the evaluation code.

Defense

Please refer to defenses/README.md for the defense code.

TODOs

• Add HighWayEnv dataset and evaluation
• Add VirtualHome dataset and evaluation

Acknowledgments

• Scenic
• HighWayEnv
• VirtualHome
• Progprompt