In the 2004 comedy Anchorman: The Legend of Ron Burgundy, the fictional news anchor ends a broadcast by saying: “And I’m Ron Burgundy. Go fuck yourself, San Diego.”

Somebody put that on the teleprompter as a prank, and Ron read it without thinking.

Embodied AI is equally mindless.

Researchers at UC Santa Cruz (UCSC) found that it’s easier than assumed to hack and hijack a robot by placing the right words in its environment. The robot reads the words, interpreting them as commands, and obeys.

In a cyberattack, the technique is called an “environmental indirect prompt injection attack.”

The team invented a method called CHAI, which stands for “Command Hijacking Against Embodied AI.”

CHAI uses AI to optimize the words in the attack to maximize the probability that the robot’s AI will follow the instructions. It searches the token space (the vocabulary of words and word pieces the AI understands) to find the most effective phrasing and builds a dictionary of prompts from the search.

The CHAI method controls the text’s appearance in the environment, including its location, color, and size.

The obvious target for such an attack is self-driving cars, which read signs and words to navigate. Using CHAI or something like it, an attacker could place instructions over road signs and instruct cars to ignore traffic lights and stop signs or make sudden moves, like veering off the road or into another lane, or stopping suddenly.

UCSC researchers achieved an 81.8% success rate in getting cars to follow injected instructions, all without code or contact.

They forced drones to land 68.1% of the time through simulation; with real drones, the drone would likely find a safe landing spot. I like this one. Airports and militaries might like it, too.

If you think about it, the ideal scenario for an environmental indirect prompt injection attack would be when humanoid robots start reading the TV news.

Just put it on the prompter.

More from Mike

Machine Society, Computerworld, Superintelligent, TWiT, blog, The Gastronomad Experience, Book, Bluesky, Reddit, Notes, Mastodon, Threads, X, Instagram, Facebook, and Linkedin!