![[2510.10932] DropVLA: An Action-Level Backdoor Attack on Vision--Language--Action Models](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2510.10932] DropVLA: An Action-Level Backdoor Attack on Vision--Language--Action Models
Summary
The paper presents DropVLA, an action-level backdoor attack on Vision-Language-Action models, demonstrating how minimal data poisoning can induce targeted actions without degrading nominal performance.
Why It Matters
As AI systems increasingly integrate multimodal capabilities, understanding vulnerabilities like those presented by DropVLA is crucial for ensuring the safety and reliability of robotic actions in real-world applications. This research highlights the potential risks of backdoor manipulations, prompting further investigation into AI security measures.
Key Takeaways
- DropVLA enables targeted action manipulation in VLA models with minimal data poisoning.
- Vision-only poisoning achieves high attack success rates while maintaining clean-task performance.
- The attack remains effective against moderate trigger variations and across different evaluation suites.
- Combining text and vision does not consistently improve attack success rates.
- The research underscores the need for enhanced security protocols in AI systems.
Computer Science > Cryptography and Security arXiv:2510.10932 (cs) [Submitted on 13 Oct 2025 (v1), last revised 26 Feb 2026 (this version, v2)] Title:DropVLA: An Action-Level Backdoor Attack on Vision--Language--Action Models Authors:Zonghuan Xu, Xiang Zheng, Xingjun Ma, Yu-Gang Jiang View a PDF of the paper titled DropVLA: An Action-Level Backdoor Attack on Vision--Language--Action Models, by Zonghuan Xu and 3 other authors View PDF HTML (experimental) Abstract:Vision-Language-Action (VLA) models map multimodal perception and language instructions to executable robot actions, making them particularly vulnerable to behavioral backdoor manipulation: a hidden trigger introduced during training can induce unintended physical actions while nominal task performance remains intact. Prior work on VLA backdoors primarily studies untargeted attacks or task-level hijacking, leaving fine-grained control over individual actions largely unexplored. In this work, we present DropVLA, an action-level backdoor attack that forces a reusable action primitive (e.g., open_gripper) to execute at attacker-chosen decision points under a realistic pipeline-black-box setting with limited data-poisoning access, using a window-consistent relabeling scheme for chunked fine-tuning. On OpenVLA-7B evaluated with LIBERO, vision-only poisoning achieves 98.67%-99.83% attack success rate (ASR) with only 0.31% poisoned episodes while preserving 98.50%-99.17% clean-task retention, and successfully triggers the...
