ML Security PapersPhantom Menace: Exploring and Enhancing the Robustness of VLA Models Against Physical Sensor Attacks
Xuancun Lu 1, Jiaxiang Chen 1, Shilin Xiao 1, Zizhi Jin 1, Zhangrui Chen 1, Hanwen Yu 1, Bohan Qian 1, Ruochen Zhou 2, Xiaoyu Ji 1, Wenyuan Xu 1
Published on arXiv
2511.10008
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Physical sensor attacks (laser, EMI, ultrasound) significantly degrade VLA model performance with vulnerability patterns tied to task type and architecture, and adversarial training restores robustness against out-of-distribution physical perturbations
Real-Sim-Real
Novel technique introduced
Vision-Language-Action (VLA) models revolutionize robotic systems by enabling end-to-end perception-to-action pipelines that integrate multiple sensory modalities, such as visual signals processed by cameras and auditory signals captured by microphones. This multi-modality integration allows VLA models to interpret complex, real-world environments using diverse sensor data streams. Given the fact that VLA-based systems heavily rely on the sensory input, the security of VLA models against physical-world sensor attacks remains critically underexplored. To address this gap, we present the first systematic study of physical sensor attacks against VLAs, quantifying the influence of sensor attacks and investigating the defenses for VLA models. We introduce a novel "Real-Sim-Real" framework that automatically simulates physics-based sensor attack vectors, including six attacks targeting cameras and two targeting microphones, and validates them on real robotic systems. Through large-scale evaluations across various VLA architectures and tasks under varying attack parameters, we demonstrate significant vulnerabilities, with susceptibility patterns that reveal critical dependencies on task types and model designs. We further develop an adversarial-training-based defense that enhances VLA robustness against out-of-distribution physical perturbations caused by sensor attacks while preserving model performance. Our findings expose an urgent need for standardized robustness benchmarks and mitigation strategies to secure VLA deployments in safety-critical environments.
Key Contributions
- Real-Sim-Real framework that automatically simulates eight physics-based sensor attacks (six camera, two microphone) and validates findings on real robotic systems
- Large-scale evaluation of four VLA model architectures across four datasets revealing significant vulnerability patterns dependent on task type and model design
- Adversarial-training-based defense that improves VLA robustness against out-of-distribution physical sensor perturbations while preserving clean task performance
🛡️ Threat Analysis
Physical sensor attacks (laser dazzling, electromagnetic interference, ultrasonic injection) corrupt camera and microphone inputs to VLA models at inference time, causing incorrect action outputs — this is physical adversarial input manipulation. The adversarial-training-based defense is also a canonical ML01 countermeasure.