Summary (Overview)
- BadWAM identifies a new class of adversarial attacks specific to World-Action Models (WAMs): small visual perturbations can cause task failure while the model's imagined future remains visually plausible — a phenomenon called World-Action Drift.
- Two attack instantiations are proposed: an action-only attack (maximizes action deviation) and an imagination-preserving attack (maintains future predictions close to clean rollouts while shifting actions). Both operate under black-box query access.
- Evaluated on LIBERO and RoboTwin benchmarks, the action-only attack reduces task success from 96.5% to 43.1% on the Action-only WAM; the imagination-preserving attack achieves comparable disruption while keeping future prediction drift low.
- Attacks transfer across different WAM architectures, and simple detection baselines (e.g., augmentation-consistency) achieve only ≤21.4% recall at 5% false-positive rate, highlighting the challenge of defending against such attacks.
- The work demonstrates that future prediction alone is an insufficient safety signal for WAMs; the alignment between action and imagination is the critical security property.
Introduction and Theoretical Foundation
Background and Motivation
World-Action Models (WAMs) are a promising paradigm for embodied AI: they couple action generation with future world prediction. A conventional policy maps observation and instruction directly to actions:
By contrast, a WAM additionally imagines future states (latent or decoded) before or jointly with action prediction:
or as a joint distribution:
This coupling is frequently argued to improve robustness, interpretability, and safety — e.g., imagined futures can be inspected by a safety monitor:
The Security Gap
The paper questions whether that promise holds under adversarial observation perturbations. The central finding: action generation and future imagination can fail asynchronously. An attacker can desynchronize the action from the imagined future, causing task failure while the model still produces a plausible-looking future. This is a WAM-specific vulnerability, distinct from attacks on classifiers, world models, or reactive policies.
Empirical motivation (cf. Figure 1) shows that in closed-loop traces, failed episodes have larger action shifts than successful ones, but predicted-future shifts overlap — indicating that action and imagination decouple under attack.
Related Work
- WAMs (e.g., Fast-WAM, OA-WAM, ABot-M0.5, VT-WAM) increasingly rely on world-prediction signals. The paper notes that even WAMs that skip test-time future generation may inherit vulnerabilities from the world-action coupling trained into their representations.
- Adversarial attacks on embodied AI previously targeted reactive policies, perception modules, or world models (e.g., BadWorld, JailWAM). BadWAM targets the alignment between action and imagination, not each output independently.
- This complements prior work on oracle-level integrity attacks (e.g., corrupting imagination for downstream safety gates): BadWAM shows that even if the imagination looks clean, the action may be hijacked.
Methodology
Threat Model
The adversary perturbs the visual observation at each replanning step:
The adversary cannot modify instructions, robot state, model parameters, or environment. Access levels:
- Action-only: observes only the output action chunk.
- Imagination-visible: also sees the predicted future (latent or video).
The objective is untargeted task failure. For stealth, the adversary may also want the imagined future to remain close to the clean prediction.
BadWAM Framework
BadWAM treats the WAM as a queryable input-output system and optimizes a perturbation at each step to maximize a scalar objective . It defines two distances:
- : deviation between clean and attacked action chunks.
- : drift between clean and attacked imagined futures.
The stealth attack is formulated as:
Action-Only Attack
Maximizes action deviation only:
No constraint on imagination; used as the high-strength endpoint.
Imagination-Preserving Attack
Solves a Lagrangian relaxation:
When decoded future video is available, is an average frame-level distance:
Query-Based Online Optimization
BadWAM uses zeroth-order finite-difference optimization (no gradients needed). At each replan:
- Sample random directions .
- Estimate gradient:
- Update and project:
The objective is either action-only or imagination-preserving. The best perturbation within the budget is used for that step.
Closed-Loop Execution Metrics
Three groups:
- Task-level: success rate, induced failures.
- Action disruption: action distance, channel-level and horizon-level shifts.
- Stealthiness (imagination-preserving attacks): predicted-future distance, adversarial score.
Empirical Validation / Results
Experimental Setup
- Benchmarks: LIBERO (4 suites: Spatial, Object, Goal, Long-horizon) and RoboTwin (dual-arm manipulation).
- WAM variants: Action-only WAM (direct mapping), Joint WAM (jointly predicts futures and actions), IDM WAM (first imagines, then decodes action).
- Default attack parameters: , 8 optimization iterations per replan (17 total queries incl. clean reference).
- Metrics: closed-loop success rate (lower = stronger attack), action distance, future distance.
RQ1: Attack Effectiveness
Table 1 summarizes main results:
| Model | Clean | Action-only | Img-pres. | Clean (RoboTwin) | Action-only (RoboTwin) | Img-pres. (RoboTwin) |
|---|---|---|---|---|---|---|
| Action-only WAM | 96.5 | 43.1 (↓53.4) | – | 92.1 | 84.4 (↓7.7) | – |
| Joint WAM | 98.1 | 61.5 (↓36.6) | 63.0 (↓35.1) | 90.9 | 84.4 (↓6.5) | 85.2 (↓5.7) |
| IDM WAM | 98.4 | 66.1 (↓32.3) | 68.1 (↓30.3) | 91.4 | 83.7 (↓7.7) | 85.1 (↓6.3) |
- Action-only attack reduces success dramatically (e.g., Action-only WAM from 96.5% to 43.1%).
- Imagination-preserving attack achieves comparable disruption (Joint WAM: 63.0% vs 61.5% for action-only).
- On RoboTwin the drops are smaller but still consistent (~6-8 percentage points).
- Comparison with random noise (Figure 6): Random ε=0.06 leaves success at 71.0%/75.2% (Joint/IDM), far higher than BadWAM's 61.5%/66.1%. White-box gradient-based attacks achieve lower success (49.2%/52.8%) – BadWAM is weaker but operates with black-box access.
RQ2: Systematicity of Failures
- Figure 8 (per-suite): Spatial and Long-horizon tasks suffer most (e.g., Action-only WAM Spatial: 96.5% → 16.0%); Object tasks remain relatively robust (93.0%).
- Figure 7 (pass@k): The success gap between clean and attacked persists across 20 trials per task, indicating systematic failure rather than unlucky seeds.
- Task-level failure bins (Figure 5): 42.5% of tasks fall into the 0-25% success bin for the action-only WAM under attack.
RQ3: Failure Mechanism
- Figure 9 shows a qualitative example: the attacked WAM initially acts plausibly but gradually drifts (knocks objects, fails to grasp) — closed-loop compounding rather than one bad action.
- Figure 10: per-replan action shifts persist across execution; failed episodes accumulate significantly larger cumulative shifts.
- Figure 11: search dynamics show the optimizer steadily improves action distance while future-video distance changes only mildly (+1.5% vs +8.3% action distance).
- Figure 2: action shifts concentrate on continuous channels (XYZ, rotation) and later portions of the action horizon, not uniform noise.
RQ4: Stealth Under Matched Strength
- Figure 12: Under similar perturbation budgets, the imagination-preserving attack reduces average predicted-future distance from 14.01 to 13.04, with lower future distance on 39 of 40 tasks.
- This supports the core claim: action-imagination decoupling is possible while maintaining substantial attack strength.
RQ5: Sensitivity and Efficiency
- Future-preserving weight λ (Figure 13): Moderate λ (0.005–0.015) improves the action-future tradeoff; excessive λ (>0.1) weakens attack.
- Perturbation budget ε (Figure 14): Strong scaling – ε=0.01 leaves success >90%; ε=0.20 collapses to 0%.
- Query budget B (Figure 14): Increasing B from 1 to 16 improves attack; B=32 offers no further gain despite higher runtime (from ~2.5s to ~28s per replan). Moderate budget captures most benefit.
RQ6: Transferability and Defenses
Table 2 (Transferability):
| Attack direction | Target clean | Target under attack | Drop (pp) |
|---|---|---|---|
| Action-only WAM → Joint WAM | 98.3† | 64.2 | 34.2 |
| Joint WAM → IDM WAM | 100.0† | 59.2 | 40.8 |
| IDM WAM → Joint WAM | 98.3† | 61.7 | 36.7 |
| Joint WAM → IDM WAM (img-pres.) | 100.0† | 60.8 | 39.2 |
| IDM WAM → Joint WAM (img-pres.) | 98.3† | 63.3 | 35.0 |
Perturbations transfer across architectures, indicating shared observation-space directions affecting action generation.
Table 3 (Non-adaptive defenses) on LIBERO subset:
| Model | Defense | Clean success | Attack success |
|---|---|---|---|
| Joint WAM | None | 98.3† | 57.1 |
| Joint WAM | Gaussian blur | 98.3† | 85.0 |
| Joint WAM | Resize-crop ens. | 52.5† | 0.0 |
| Joint WAM | JPEG-noise ens. | 94.2† | 89.2 |
| IDM WAM | None | 100.0† | 54.6 |
| IDM WAM | Gaussian blur | 98.3† | 89.2 |
| IDM WAM | Resize-crop ens. | 54.2† | 8.3 |
| IDM WAM | JPEG-noise ens. | 93.3† | 90.0 |
- Gaussian blur and JPEG-noise ensemble recover most of the success (e.g., 89.2% attack success for Joint WAM with JPEG-noise), but these defenses are non-adaptive.
- Resize-crop harms clean performance unacceptably.
- Augmentation-consistency detection (Figure 15) achieves AUROC of 0.675 (Joint) and 0.725 (IDM), but at 5% FPR detects only 13.4% and 21.4% of attacked replans — insufficient for robot safety.
Theoretical and Practical Implications
- World-action drift is a fundamentally new attack surface: the adversary exploits the interface between two coupled capabilities (imagining and acting) rather than corrupting a single output.
- Future-based monitors are overconfident: a WAM can produce plausible imagined futures while executing failing actions. A safety monitor that only checks future plausibility will miss such attacks.
- Evaluation must be multi-metric: task success alone insufficient; action distance, future distance, horizon-level shifts, and transfer behavior are needed to distinguish overt hijacking from stealthy desynchronization.
- Defenses are challenging:
- Simple preprocessing (blur, JPEG noise) helps against non-adaptive attacks but is not a principled solution; an adaptive attacker can circumvent them.
- Detection via consistency suffers from low recall at acceptable FPR.
- A robust defense must restore action-imagination synchronization under adversarial perturbations, not just suppress one attack pattern.
- Transferability indicates the vulnerability is architectural rather than implementation-specific, implying that security evaluations should cover multiple WAM families.
Conclusion
- BadWAM demonstrates that world-action models are vulnerable to World-Action Drift Attacks: small black-box visual perturbations can cause task failure while the imagined future remains plausible.
- Two concrete attack instantiations cover a spectrum from overt action hijacking (action-only) to stealthy decoupling (imagination-preserving).
- Extensive closed-loop experiments on LIBERO and RoboTwin show substantial success drops (up to 53.4 percentage points), systematic failure patterns, and a tunable tradeoff between attack strength and stealthiness.
- The results highlight a critical security gap: coupling action generation with future prediction, often seen as a safety asset, can itself become an attack surface.
- Future directions: developing synchronization-aware defenses, extending the framework to physical-world attacks (adversarial patches), and integrating BadWAM into the safety evaluation pipeline for deployed WAM-based robots.
Related papers
- MolmoMotion: Forecasting Point Trajectories in 3D with Language Instruction
MolmoMotion predicts language-conditioned 3D point trajectories from videos, significantly outperforming all baselines and transferring effectively to robotics and video generation.
- 4D Human-Scene Reconstruction from Low-Overlap Captures
Decoupled reconstruction of static backgrounds and dynamic humans from as few as four low-overlap cameras using diffusion and SMPL priors
- SearchOS-V1: Towards Robust Open-Domain Information-Seeking Agent Collaboration
SearchOS achieves state-of-the-art F1 on information-seeking benchmarks by externalizing search state and enforcing grounded citations via middleware governance.