State Backdoor: Towards Stealthy Real-world Poisoning Attack on Vision-Language-Action Model in State Space

Vision-Language-Action (VLA) models are widely deployed in safety-critical embodied AI applications such as robotics. However, their complex multimodal interactions also expose new security vulnerabilities. In this paper, we investigate a backdoor threat in VLA models, where malicious inputs cause targeted misbehavior while preserving performance on clean data. Existing backdoor methods predominantly rely on inserting visible triggers into visual modality, which suffer from poor robustness and low insusceptibility in real-world settings due to environmental variability. To overcome these limitations, we introduce the State Backdoor, a novel and practical backdoor attack that leverages the robot arm's initial state as the trigger. To optimize trigger for insusceptibility and effectiveness, we design a Preference-guided Genetic Algorithm (PGA) that efficiently searches the state space for minimal yet potent triggers. Extensive experiments on five representative VLA models and five real-world tasks show that our method achieves over 90% attack success rate without affecting benign task performance, revealing an underexplored vulnerability in embodied AI systems.

Key Contributions

• State Backdoor: uses robot arm's initial proprioceptive state as a stealthy, environment-stable backdoor trigger instead of fragile visual triggers
• Preference-guided Genetic Algorithm (PGA) that searches the state space for minimal yet potent triggers optimized for stealthiness and effectiveness
• Evaluation across five representative VLA models and five real-world robotic tasks, achieving >90% attack success rate with no benign performance degradation

🛡️ Threat Analysis

Details

Similar Papers