Novel 'Overthinking' Attack Can Render AI Robots Inoperable
Researchers have demonstrated a new denial-of-service attack that exploits the reasoning capabilities of AI vision-language models in robots, causing them to become confused and inoperable for extended periods.

Robots increasingly rely on sophisticated vision-language models (VLMs) to interpret their surroundings and make decisions. These AI systems process both visual input from cameras and textual information present in their environment. Researchers at Michigan Technological University have uncovered a novel attack vector that weaponizes this text-processing capability, leading to a denial-of-service (DoS) condition.
The attack targets a phenomenon known as "overthinking" in AI models. Reasoning-oriented models can sometimes enter prolonged deliberation loops, generating extensive output even for simple queries. Since the time it takes for an AI to respond, or infer, is directly proportional to the amount of text it produces, this extended reasoning can significantly increase latency. The researchers have demonstrated how to deliberately trigger this overthinking behavior in robots.
Unlike many AI security exploits that focus on data leakage or unauthorized actions, this attack prioritizes availability. The goal is to overwhelm the robot's decision-making process, rendering it too busy to perform its intended functions. The method is deceptively simple: attackers can place specially crafted text within the robot's camera view. This text, appearing as ordinary signage or stickers, is interpreted by the VLM as part of its input, initiating the overthinking cascade.
Crucially, this attack requires no direct access to the AI model's weights, internal prompts, or physical manipulation of sensors. The entire exploit relies on the visual presence of specific text. The effectiveness of the attack hinges on the precise wording and structure of the text, which must be designed to push the VLM into complex, recursive reasoning.
The researchers found that random text had little to no impact on the robots' response times. However, carefully constructed "trigger" texts, such as physics word problems, complex moral dilemmas, or requests for detailed pseudocode explanations, were highly effective. By combining these elements, the AI becomes entangled in trying to satisfy multiple complex demands simultaneously, leading to significant delays.
To efficiently discover these triggers, the team developed an automated search process. They employed a genetic algorithm approach, allowing effective "ingredients" of text to mutate and combine across generations, selecting for those that induced the longest delays. A key optimization was the ability to predict a trigger's effectiveness based on its initial output, allowing for rapid screening of thousands of candidates before running slow, full-length tests.
Experiments showed significant slowdowns, with one test on a Gemma3-based model resulting in a nearly seven-fold increase in response time. While this represented a best-case scenario, the attack also showed milder but still impactful results on other models like Kimi-VL and Qwen3-VL. In a real-world test, a robot equipped with a camera experienced slowdowns of up to five times its normal operational speed when presented with a printed trigger sign.
The good news for defenders is that mitigating this "overthinking" attack is relatively straightforward. Implementing token budget limits, setting hard timeouts for AI responses, and employing a bounded fallback policy can effectively prevent the AI from entering prolonged deliberation loops. Lightweight monitoring systems can also detect early signs of overthinking and interrupt the process before it causes significant operational disruption.