Semantic Router: On the Feasibility of Hijacking MLLMs via a Single Adversarial Perturbation

Multimodal Large Language Models (MLLMs) are increasingly deployed in stateless systems, such as autonomous driving and robotics. This paper investigates a novel threat: Semantic-Aware Hijacking. We explore the feasibility of hijacking multiple stateless decisions simultaneously using a single universal perturbation. We introduce the Semantic-Aware Universal Perturbation (SAUP), which acts as a semantic router, "actively" perceiving input semantics and routing them to distinct, attacker-defined targets. To achieve this, we conduct theoretical and empirical analysis on the geometric properties in the latent space. Guided by these insights, we propose the Semantic-Oriented (SORT) optimization strategy and annotate a new dataset with fine-grained semantics to evaluate performance. Extensive experiments on three representative MLLMs demonstrate the fundamental feasibility of this attack, achieving a 66% attack success rate over five targets using a single frame against Qwen.

Key Contributions

• Semantic-Aware Universal Perturbation (SAUP) that acts as a semantic router, routing different inputs to distinct attacker-defined targets using a single universal adversarial perturbation against MLLMs
• Theoretical and empirical analysis of geometric properties in the MLLM latent space to guide SAUP optimization
• Semantic-Oriented (SORT) optimization strategy and a new fine-grained semantics dataset, achieving 66% attack success rate across five targets with a single frame on Qwen

🛡️ Threat Analysis

Details

Similar Papers