Multimodal AI Attacks
Attacks spanning multiple modalities
Attacks spanning multiple modalities
Modern AI models like GPT-4V, Claude, and Gemini process both text and images. This multimodal capability is powerful, but each new modality opens a new door for attackers. If the AI can see images, attackers can hide instructions in images.
Visual Prompt Injection
Placing text directly in images that overrides the user's prompt. The AI reads the text in the image and follows those instructions instead of the user's actual request. As simple as adding white text on a white background.
Using images to bypass text-only safety filters. If the AI refuses to answer a harmful text question, the attacker puts the same question in an image. Text safety filters do not scan image content.
Hiding instructions in image pixel values that are invisible to humans but readable by the AI model. The image looks completely normal to human eyes.
The most devious attacks use one modality to compromise another. An adversarial patch on an image can change how the AI interprets accompanying text. Audio embedded in a video can override visual analysis. Each modality becomes a potential backdoor into the others.
A document contains a photo with hidden instructions. When the AI summarizes the document, it follows the image instructions instead of the text prompt, potentially exfiltrating sensitive content from the document.
Small patches added to product images that change how the AI describes them. A competitor could add invisible patches that make an AI shopping assistant recommend against purchasing.
As models gain more capabilities โ vision, audio, video, code execution โ the attack surface grows multiplicatively. Defenders must secure not just each modality individually, but also the interactions between them. A model that is safe against text attacks and safe against image attacks might still be vulnerable to a combined attack.
Each new capability โ vision, audio, code โ opens new attack vectors. Multimodal models must defend against attacks in every modality and against cross-modal attacks that exploit interactions between them.
For hands-on practice, check out the AI Security course on GitHub.