Date: 2025-10-01

Abstract and 1. Introduction

Our research has developed a comprehensive typographic attack framework designed for benchmarking Vision-LLMs under AD systems, exploring their adoption, the potential impacts on decision-making autonomy, and the methods by which these attacks can be physically implemented. Firstly, our dataset-agnostic framework is capable of automatically generating misleading responses that misdirect the reasoning of Vision-LLMs. Secondly, our linguistic formatting scheme is shown to augment attacks to a higher degree and can extend to simultaneously targeting multiple reasoning tasks. Thirdly, our study on the practical implementation of these attacks in physical traffic scenarios is critical for highlighting the need for defense models. Our empirical findings on the effectiveness, transferability, and realizability of typographic attacks in traffic environments highlight their effects on existing Vision-LLMs (e.g., LLaVA, Qwen-VL, VILA). This research underscores the urgent need for increased awareness within the community regarding vulnerabilities associated with integrating Vision-LLMs into AD systems.

Limitations. One of the primary limitations of our typographic attack framework lies in its dependency on environmental control and predictability. Our framework can demonstrate the vulnerability of Vision-LLMs to typographic manipulations in controlled settings, but the variability and unpredictability of real-world traffic scenarios can significantly diminish the consistency and reproducibility of the attacks. Additionally, our attacks assume that AD systems do not evolve to recognize and mitigate such manipulations, which may not hold true as defensive technologies advance. Another limitation is the ethical concern of testing and deploying such attacks, which could potentially endanger public safety if not managed correctly. This necessitates a careful approach to research and disclosure to ensure that knowledge of vulnerabilities does not lead to malicious exploitation.

Safeguards. To safeguard against the vulnerabilities exposed by typographic attacks, it is essential to develop robust defensive mechanisms within AD systems. While defensive techniques are still understudied in the current literature, there are ways forward to mitigate potential issues. Concurrent work is investigating how better prompting can support better reasoning to defend against the attacks [16], and how incorporating keyword training of Vision-LLMs can make these systems more resilient to such attacks by conditioning their answers on specific prefixes [15]. Another basic approach is to detect and remove all non-essential text in the visual information. Overall, it is necessary to foster a community-wide effort toward establishing standards and best practices for the secure deployment of Vision-LLMs into AD.
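A sketch of the "detect and remove non-essential text" safeguard, added here as an illustration and not taken from the paper: it assumes an upstream OCR/text detector has already produced text boxes, and the allowlist of sign phrases, the detection format, and the function names are all assumptions of this example.

```python
import re

# Assumption: the only wording the driving stack needs to read from a frame.
ESSENTIAL = [re.compile(p) for p in (
    r"STOP", r"YIELD", r"ONE WAY", r"DO NOT ENTER", r"SPEED LIMIT \d{1,3}",
)]

def normalize(text):
    """Upper-case and collapse punctuation/whitespace so OCR noise does not affect matching."""
    return re.sub(r"[^A-Z0-9]+", " ", text.upper()).strip()

def is_essential(text):
    """True only if the whole string is an allowlisted phrase, not merely contains one."""
    norm = normalize(text)
    return any(p.fullmatch(norm) for p in ESSENTIAL)

def mask_nonessential(image, detections, fill=0, pad=1):
    """Return (masked copy of image, list of removed texts).

    image: list of rows of pixel values. detections: dicts with 'text' and
    'box' = (x0, y0, x1, y1), end-exclusive, as an OCR stage might emit.
    """
    h, w = len(image), len(image[0])
    out = [row[:] for row in image]  # never modify the caller's frame
    removed = []
    for det in detections:
        if is_essential(det["text"]):
            continue
        x0, y0, x1, y1 = det["box"]
        # Pad the box and clamp to the frame so glyph edges are covered too.
        for y in range(max(0, y0 - pad), min(h, y1 + pad)):
            for x in range(max(0, x0 - pad), min(w, x1 + pad)):
                out[y][x] = fill
        removed.append(det["text"])
    return out, removed

# Constructed sample: an 8x12 grey frame and three constructed detections.
FRAME = [[128] * 12 for _ in range(8)]
DETECTIONS = [
    {"text": "STOP", "box": (1, 1, 4, 3)},
    {"text": "Speed-Limit 35", "box": (8, 0, 11, 2)},
    {"text": "BUS STOP CAFE OPEN", "box": (5, 5, 11, 7)},  # contains STOP, not a sign
]

if __name__ == "__main__":
    masked, removed = mask_nonessential(FRAME, DETECTIONS)
    print("removed:", removed)
```

The filter is only as good as the detector in front of it: text the OCR stage misses is never masked, so this complements rather than replaces the prompting and training defenses cited above.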

Broader Impacts. The implications of our research into typographic attacks extend beyond the technical vulnerabilities of AD systems, touching on broader societal, ethical, and regulatory concerns. As Vision-LLMs and AD technologies proliferate, the potential for such attacks underscores the need for comprehensive safety and security frameworks that anticipate and mitigate unconventional threats. This research highlights the interplay between technology and human factors, illustrating how seemingly minor alterations in a traffic environment can lead to significant misjudgments by AD systems, potentially endangering public safety.
