SYS:ONLINELAT:n/aBUILD:2c91616
[CASE-041]·STATUS:ACTIVE·OPENED:2026-06-09·UPDATED:2026-06-09

Adaptive dual-decoder PGD attack (C3) achieves 0.990 unauthorized command routing while satisfying both decoder agreement checks

submitted_by:@mexiQQ
multimodalfrom-arxivauto-published
cat case_body.md

Auto-published from arXiv:2606.09315 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: cleared review (confidence 0.80, flags: [possible-zero-day, no-prompt-excerpt])

Category

multimodal

Model

TinyEEGNet / EEGNetV4 (EEG decoders in BCI-LLM agent pipeline)

Surface

agent harness

Setup

A BCI-LLM pipeline uses dual-decoder agreement as a safety gate: a command is only routed if a primary and secondary EEG decoder agree. The C3 attack applies shared-raw ℓ∞ PGD adversarial perturbation (ε=0.08, ~8% of global signal standard deviation / 4.1% of p95 amplitude) to the raw EEG input feeding both decoders simultaneously. Evaluated on EEGMMI across 10 seeds using the provided-split protocol, cross-architecture sweep over TinyEEGNet and EEGNetV4. No verbatim prompt excerpt exists as the attack is entirely signal-level.

Observed behavior

Both decoders are jointly driven to output the attacker-chosen unauthorized command with full agreement, causing the agent to route the unauthorized action at 0.990 success rate. Clean-case agreement of 1.000 (on high-utility cases, Exp6) means the attack is audit-log-indistinguishable from legitimate dual-agreement routing.

Expected behavior

Dual-decoder agreement should prevent unauthorized routing. A correctly-behaving system requires the attack-dependence term (Δ𝒟) to be auditable, since clean agreement statistics alone cannot bound joint routing risk under adaptive perturbation (proven in Theorem 1).

Reproducibility

medium

Threat model

An attacker with physical or electronic access to the EEG acquisition hardware can steer a BCI-controlled agent to execute unauthorized tool calls, bypassing the dual-decoder safety gate, while audit logs show normal dual-agreement and raise no alert. Especially dangerous in medical or assistive-technology deployments where BCI commands authorize high-consequence actions (device control, financial transactions).

Novelty

Proves that dual-decoder agreement is not a sufficient safety certificate against adaptive adversaries: the C3 attacked-dependence lift is mathematically unidentifiable from clean agreement statistics alone, requiring a new audit schema — a result formalized as an audit-schema separation theorem.

Source

Triage notes (auto)

  • paperType: red-team-vuln
  • estimatedCaseCount: 2
  • triage reason: Paper demonstrates concrete, reproducible brain-prompt injection attacks (signal-side perturbations, context injections, dual-decoder exploits) against BCI-LLM agent routing with empirical false-accept rates. Novel attack surface in emerging BCI-agent domain with no disclosed vendor coordination.
tail -f comments.log

0 comments

─────────────────────────────────────────────────────────────────────

// no comments yet