{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiaq43bqf5gjepioqknewq3yiki5pdbe6ewz6rkqi2udf2ckm5adoe",
    "uri": "at://did:plc:kyxdufbi5qaljy7bxivztuhy/app.bsky.feed.post/3menljzc6cnt2"
  },
  "path": "/blog/archives/2026/02/prompt-injection-via-road-signs.html",
  "publishedAt": "2026-02-11T12:03:22.000Z",
  "site": "https://www.schneier.com",
  "tags": [
    "Uncategorized",
    "academic papers",
    "AI",
    "cars",
    "hacking",
    "CHAI: Command Hijacking Against Embodied AI"
  ],
  "textContent": "Interesting research: “CHAI: Command Hijacking Against Embodied AI.”\n\n> **Abstract:** Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training distributions and adapt to novel real-world situations. These capabilities, however, also create new security risks. In this paper, we introduce CHAI (Command Hijacking against embodied AI), a new class of prompt-based attacks that exploit the multimodal language interpretation abilities of Large Visual-Language Models (LVLMs). CHAI embeds deceptive natural language instructions, such as misleading signs, in visual input, systematically searches the token space, builds a dictionary of prompts, and guides an attacker model to generate Visual Attack Prompts. We evaluate CHAI on four LVLM agents: drone emergency landing, autonomous driving, and aerial object tracking, and on a real robotic vehicle. Our experiments show that CHAI consistently outperforms state-of-the-art attacks. By exploiting the semantic and multimodal reasoning strengths of next-generation embodied AI systems, CHAI underscores the urgent need for defenses that extend beyond traditional adversarial robustness...",
  "title": "Prompt Injection Via Road Signs"
}