Test-time Adversarial Takeover: A Real-time Hijacking Interface against Robotic Diffusion Policies

Researchers demonstrate Test-time Adversarial Takeover (TAKO), a novel attack that allows adversaries to remotely hijack diffusion-based robotic policies by injecting universal visual patches into camera streams. The attack achieves 100% success across multiple robotic tasks and visual encoders, revealing a critical vulnerability in vision-conditioned AI systems deployed in robotics.

This research exposes a fundamental security weakness in diffusion-based embodied AI systems that extend beyond simple disruption attacks. Rather than merely degrading performance, TAKO enables complete policy takeover through learned universal patches—small visual perturbations that create persistent biases within the generative inference loop. The attacker essentially gains a real-time steering interface over frozen robot policies, transforming them into remotely piloted instruments. The attack's universality across different visual encoders, inference methods, and robotic tasks suggests the vulnerability is inherent to how diffusion models condition on visual inputs rather than specific implementation details.

This work builds on growing concerns about adversarial robustness in vision-based AI systems, but escalates the threat model significantly. Previous research focused on disruption—reducing task success through perturbations. TAKO demonstrates that the visual conditioning pathway in diffusion models creates attack surfaces enabling positive control, not just negative sabotage. The finding that target-policy matching fails as a defense is particularly telling, indicating that victims cannot reliably supervise themselves against out-of-distribution attacks.

For the robotics and embodied AI industries, this research carries substantial implications. As diffusion-based policies become foundational components in real-world robotic systems—from manufacturing to autonomous delivery—understanding these vulnerabilities becomes critical before large-scale deployment. Organizations developing visuomotor policies must now consider adversarial robustness as a core design requirement. The successful takeover across physical-world navigation demonstrates this isn't merely a simulation concern. Future work likely needs to explore certified defenses, robust visual encoders, or alternative conditioning mechanisms that resist such attacks.

• →TAKO enables remote hijacking of robotic policies through learned universal visual patches with 100% success rate
• →The attack persists through iterative diffusion inference by exploiting the visual conditioning pathway
• →Vulnerability affects multiple visual encoders and generative inference methods across diverse robotic tasks
• →Standard defenses like target-policy matching fail because victim policies cannot supervise out-of-distribution targets
• →Physical-world demonstrations confirm takeover works in real robotic systems, not just simulations