Physical Prompt Injection Attack

• PPIA is a physical injection attack technique that exploits environmental text to manipulate the behavior of large vision-language models.
• The method employs offline prompt generation, cross-entropy scoring for prompt selection, and spatiotemporal attention mapping to achieve success rates up to 98%.
• Mitigation strategies, including defensive prompting and OCR-based masking, reveal a trade-off between securing LVLMs and preserving their environmental text recognition capabilities.

A Physical Prompt Injection Attack (PPIA) is a black-box, query-agnostic adversarial technique targeting large vision-LLMs (LVLMs) and navigation agents deployed in physical environments. PPIA exploits the multimodal perception of such systems by physically inserting malicious typographic instructions into the agent's scene—for example, via printed text on signs, bags, posters, or other objects—without requiring access to the digital input or output channels. The attack aims to induce the model to produce targeted, attacker-chosen behavior, regardless of the user's true prompt or instruction. PPIA leverages advanced offline prompt selection, environment-aware placement strategies, and does not require knowledge of user queries or internal model states. PPIAs have been empirically shown to achieve attack success rates up to 98% on state-of-the-art LVLMs, maintaining robustness across varying physical conditions such as distance, viewpoint, illumination, and object type (Ling et al., 24 Jan 2026, Liu et al., 20 Jan 2026).

1. Formalization and Threat Model

Let $f_{\theta}$ denote a vision-LLM with input $x \in \mathcal{X}$ (raw observation, e.g., camera image) and user prompt $p \in \mathcal{P}$, producing output $y \in \mathcal{Y}$ (answer, plan, command). The adversary inserts a physical prompt $t$ into the scene, resulting in $x' = x \oplus t$ (where $\oplus$ indicates image compositing). The goal is to force $f_{\theta}(x \oplus t, p) \rightarrow y^*$, with $y^*$ being a target semantic outcome (e.g., “output ‘NO’”, “stop navigation”), for any unknown $p$.

The attacker operates under stringent constraints:

• Black-box: no access to model parameters or inner states.
• Query-agnostic: no access to, or knowledge of, the user prompt $p$.
• Physical-only: can only place physical containers with the prompt in accessible locations.

The adversary optimizes:

$$\max_{t \in \mathcal{T}}\; \mathbb{E}_{p\sim\mathcal{P}}\left[\mathcal{L}(f_{\theta}(x\oplus t, p), y^*)\right]$$

where $\mathcal{L}$ is a task-specific loss minimized when output matches the targeted goal (Ling et al., 24 Jan 2026).

PPIA requirements:

1. Effectiveness: reliably steers $f_{\theta}$ to $y^*$.
2. Physical realizability: is readable by the model across distance, angle, lighting variation.
3. Stealth and cost: deployable on casual objects (e.g., bags, posters).

2. Offline Prompt Generation and Selection

PPIA cannot interactively probe the target LVLM, thus all prompt optimization occurs offline.

• Prompt candidate generation: A standard LLM (e.g., ChatGPT) is prompted (few-shot templates) to generate $N$ candidate prompts $P_i$, each containing the (publicly-known) model name and attack goal.
• Virtual deployment: Each $P_i$ is rendered on suitable containers $C$ and composited into background scenes $E$ at $K$ randomized position, scale, and orientation to create $N \times K$ “injection images” $EI_{i,j}$.
• Recognizability scoring: For each $EI_{i,j}$, a proxy vision-LLM $\mathbb{M}$ (e.g., Llama-3.2-11B-Vision) is used to “read” the text, yielding predicted tokens $P'_{i,j}$. Token-level cross-entropy between $P'_{i,j}$ and $P_i$ over overlapped length is computed:

$$\mathcal{L}_{i,j}(x_{1:n}, x_{1:n}^*) = -\sum_{b=1}^{\min(n, m)} \log p(x_b^* \mid x_{1:b-1})$$

After averaging over $K$ placements:

$$\mathcal{L}(P_i) = \frac{1}{K} \sum_{j=1}^{K}\mathcal{L}_{i,j}(x_{1:n}, x_{1:n}^*)$$

• Prompt selection: The best prompt is $P^* = \arg\min_i \mathcal{L}(P_i)$, which minimizes recognizability loss (higher probability the LVLM perceives and executes the text) (Ling et al., 24 Jan 2026).

3. Spatiotemporal Attention-Based Placement

Even with an optimal prompt, spatial positioning in the physical environment dramatically affects injection efficacy. PPIA employs a vision transformer proxy (CLIP) to estimate the attention distribution over scene regions:

• Spatial attention extraction: For each video frame $E_t$, extract final-layer multihead attention weights $A_t^s$ from the [CLS] token for each patch $s$.
• Temporal averaging: Aggregate spatial attention across $T$ frames, yielding a spatiotemporal attention map:

$A(s) = \frac{1}{T} \sum_{t=1}^{T} A_t^s$

• Placement optimization: Under feasibility constraints (reachable, legal), select region $s^* = \arg\max_{s\in\Omega}A(s)$ to position the prompt container’s center (Ling et al., 24 Jan 2026).

4. Black-Box, Query-Agnostic Attack Pipeline

PPIA is a multi-stage procedure that remains blind to the deployed model and user queries throughout:

1. Malicious prompt generation: Use an LLM to create a pool $\{P_i\}$ of attack prompts.
2. Cross-entropy based prompt selection: Virtually render/evaluate each $P_i$, compute $\mathcal{L}(P_i)$, and choose $P^*$ with the lowest loss.
3. Environment-aware placement: Capture the physical scene as a short video, compute the spatiotemporal CLIP attention map $A(s)$, and select $s^*$ for placement.
4. Physical injection: Print $P^*$ on a container $C$, position at $s^*$, and allow the victim system to perceive the scene alteration.

Empirical evaluations demonstrate high attack efficacy with success rates up to 98% on leading LVLMs (GPT-4o, Gemini, Claude, Llama-3, etc.), across visual question answering, task planning, and navigation tasks (Ling et al., 24 Jan 2026).

5. Robustness, Empirical Results, and Transferability

PPIA demonstrates strong robustness across several real-world nuisance factors and outperforms existing physical or digital prompt injection baselines under black-box and unknown-query settings.

Key Results

Condition	GPT-4o ASR (%)
Text Size 13%	92
Text Size 5%	84
Text Size 3%	8
Rotation 0°	92
Rotation 20°	68
Rotation 45°	43
Viewpoint 0°	92
Viewpoint 60°	61
Blurring (clear)	93
Blurring (blurry)	30
Distance 1m	93
Distance 5m	36

Across 10 LVLMs, attack success rates in simulation typically exceed 70% when injected text covers ≥5% of the frame. Robustness persists to moderate rotation, varying lighting, and common containers (bags, books, screens, posters). In physical-world navigation tasks (unmanned ground vehicle), NAV ASR exceeds 80% in all but one model; e.g., GPT-4o remains robust to lighting (day/dusk/night: 98%/98%/95%) and container type (Ling et al., 24 Jan 2026).

In the navigation domain, the PINA framework formalizes a related PPIA threat for embodied agents. The attacker optimizes an adversarial prompt $T^*$ to maximize:

$$\max_{T \in \mathcal{P}_{\mathrm{phys}}}\; \mathbb{E}_{i\sim\mathcal{I}}\left[S(T, i)\right] - \lambda\,\mathcal{R}(T)$$

subject to length and physical legibility constraints. Experiments show PINA achieves ASR up to 87.5% (indoor and outdoor) and 75% on NavGPT, outperforming baselines and transferring cross-model (e.g., 75% on GPT-4 with prompts optimized on GPT-3.5) (Liu et al., 20 Jan 2026).

6. Security Implications and Mitigation Strategies

PPIA exposes a systemic weakness: LVLMs and embodied navigation agents will “read” and execute textual instructions from the physical world as if digitally prompted, even if those instructions are injected by an adversary. This breaks the assumption that only authenticated digital prompt channels control model behavior, enabling physical attacks via publicly accessible interventions.

Mitigation strategies investigated:

• Defensive prompting: Instructing the model to ignore all, or only malicious/irrelevant, text via digital prompt. Strict variants can reduce ASR but may degrade legitimate functionality.
• OCR-based masking: Detecting and masking detected text in images—strict masking blocks all text and is most effective but irreparably removes benign input needed for various tasks; loose masking is less effective (ASR often remains >50%).
• Self-reminder and goal-consistency checks: Reinforcing agent objectives or checking plan consistency yields partial but insufficient reduction in attack success.
• Adversarial training and input sanitization: Incorporating injected prompts into training and using robust OCR-based pipelines can improve resilience, but universally robust countermeasures have yet to be demonstrated.
• Context window and prompt-management defenses: Periodic truncation of input buffer or careful prompt curation may hinder persistent injections (Ling et al., 24 Jan 2026, Liu et al., 20 Jan 2026).

The underlying trade-off is unavoidable; effective blocks on physical prompt injection require sacrificing LVLMs’ legitimate capacity to parse useful environmental text, limiting their open-environment applicability.

7. Broader Context and Research Trajectory

PPIA delineates a novel, fundamental attack vector in the security landscape of multimodal and embodied AI. Unlike traditional digital prompt injections—which require input channel access or prompt pollution via API—the physical modality enables adversaries with mere environmental access. Applications at risk include intelligent agents performing navigation, perception, and high-stakes decision-making in realistic, uncontrolled environments.

The research further demonstrates that adaptive, offline-optimized, physically-legible prompt injections not only generalize across LVLM architectures but also transfer between instruction distributions and task domains. Baseline digital and typographic attacks are outperformed in both simulated and real-world contexts. The persistent open problem remains the design of models that can distinguish spurious from legitimate environmental instructions without blanket disabling text recognition altogether.

Continued evaluation, adversarial training, and new architectural defenses will be necessary to mitigate PPIA, as the field expands LVLM deployment in safety- and security-critical domains (Ling et al., 24 Jan 2026, Liu et al., 20 Jan 2026).