A physical adversarial attack translates digital perturbations into tangible objects—such as printed stickers, 3D-printed artifacts, or modified textures—that cause a machine learning model to misclassify the object when viewed through a camera. Unlike purely digital attacks that directly manipulate pixel values, these attacks must survive the domain shift introduced by lighting, rotation, distance, and sensor noise inherent in physical capture.
Glossary
Physical Adversarial Attack

What is Physical Adversarial Attack?
A physical adversarial attack is an attack that remains effective after being printed and captured by a camera in the physical world, demonstrating that adversarial vulnerabilities persist across varying real-world conditions.
The canonical example involves placing a carefully designed adversarial patch on a stop sign, causing an autonomous vehicle's perception system to classify it as a speed limit sign. This attack vector proves that adversarial robustness requires defenses beyond digital preprocessing, as the perturbation must remain effective under varied viewpoints, partial occlusion, and the non-linear transformations of real-world imaging pipelines.
Key Characteristics
Physical adversarial attacks demonstrate that machine learning vulnerabilities are not confined to the digital domain. These attacks maintain efficacy after being printed, captured by cameras, and subjected to real-world environmental variations.
Cross-Domain Perturbation Survivability
The defining characteristic of a physical attack is its ability to survive the domain shift from digital to physical. The perturbation must remain effective after undergoing the image formation pipeline: printing (color gamut reduction, halftoning), photographic capture (sensor noise, lens distortion, compression), and environmental interactions (lighting, viewing angle, distance). This requires the perturbation to be robust to a distribution of transformations, not just a single digital image. Attackers often use Expectation over Transformation (EoT) during optimization, averaging gradients over a range of simulated physical distortions to ensure the adversarial pattern generalizes.
Environmental Condition Invariance
A successful physical attack must induce misclassification across a wide range of real-world conditions. Key variables include:
- Illumination: Shadows, direct sunlight, and artificial lighting alter pixel intensities.
- Viewpoint: Oblique angles cause perspective distortion and foreshortening.
- Occlusion: Partial obstruction of the adversarial pattern.
- Distance: Changes in scale and resolution. Robust attacks are trained with data augmentation simulating these variations, ensuring the adversarial feature dominates the model's decision regardless of context.
Fabrication and Material Constraints
Unlike digital attacks that manipulate arbitrary floating-point values, physical attacks must be realizable in the physical world. This imposes constraints:
- Printability: Colors must lie within the printer's CMYK gamut. Non-printable digital colors are clipped, destroying the perturbation.
- Material: The attack may be applied via stickers, posters, 3D-printed objects, or clothing. The material's texture and reflectivity affect appearance.
- Inconspicuousness: To avoid human suspicion, attacks often mimic graffiti, stickers, or artistic patterns that blend into the environment while remaining adversarial to the model.
Adversarial Patches and Localized Attacks
A dominant form of physical attack is the adversarial patch—a localized, often highly visible pattern that, when placed in a scene, completely overrides the model's perception. Unlike full-image perturbations, patches are:
- Location-agnostic: Designed to work anywhere within the camera's field of view.
- Scale-invariant: Effective at various distances.
- Extremely robust: Often achieving near-100% attack success rates. Patches exploit the model's reliance on high-activation features, presenting a pattern that triggers a specific output neuron more strongly than any natural object in the scene.
Targeted Object Evasion and Impersonation
Physical attacks serve two primary objectives in object detection and classification systems:
- Evasion (Hiding): The attack causes the model to fail to detect an object entirely. For example, a carefully patterned sticker on a stop sign causes an autonomous vehicle's perception system to classify it as a speed limit sign.
- Impersonation: The attack causes a person or object to be recognized as a specific, unauthorized identity. Adversarial eyeglass frames have been demonstrated to cause facial recognition systems to identify an attacker as a targeted victim, enabling physical impersonation.
Real-World Attack Demonstrations
Seminal research has validated the physical threat model in operational contexts:
- Stop Sign Attacks: Black and white stickers applied to stop signs caused real-world classifiers to interpret them as speed limit signs with high confidence.
- Adversarial Clothing: Specially designed textile patterns have been shown to make individuals invisible to person detectors.
- 3D Adversarial Objects: 3D-printed turtles were consistently misclassified as rifles by object recognition systems from multiple angles.
- LIDAR Spoofing: Beyond cameras, physical attacks extend to placing carefully shaped objects that inject adversarial points into LIDAR point clouds, creating phantom obstacles.
Frequently Asked Questions
Explore the mechanics and real-world implications of adversarial attacks that persist through printing and camera capture, bridging the gap between digital vulnerabilities and physical security threats.
A physical adversarial attack is a class of evasion attack where an adversary creates a malicious perturbation that remains effective after being printed onto a physical medium and recaptured by a camera sensor. Unlike digital-only attacks that manipulate pixel values directly in software, physical attacks must survive environmental transformations including varying lighting conditions, viewing angles, camera noise, and print color gamut limitations. The attacker typically optimizes the perturbation using Expectation over Transformation (EOT), a technique that averages gradients across a distribution of simulated physical transformations during the optimization process. This ensures the adversarial pattern is robust to the real-world distortions introduced by the imaging pipeline, allowing an attacker to, for example, wear specially designed glasses to evade facial recognition or place a sticker on a stop sign to cause misclassification by an autonomous vehicle's perception system.
Notable Real-World Examples
Physical adversarial attacks demonstrate that carefully crafted perturbations remain effective after printing, capturing through camera lenses, and surviving varying lighting conditions—proving these vulnerabilities are not merely digital curiosities but genuine real-world threats.
Stop Sign Misclassification
Researchers demonstrated that placing small black and white stickers on a physical stop sign caused a state-of-the-art image classifier to interpret it as a Speed Limit 45 sign with high confidence. The attack exploited the model's reliance on high-level feature detectors rather than holistic shape recognition. The perturbation was designed to survive changes in distance, angle, and lighting—conditions inherent to real-world autonomous driving scenarios.
Adversarial Eyeglass Frames for Facial Recognition
Researchers at Carnegie Mellon University created specially designed eyeglass frames printed with adversarial patterns that caused facial recognition systems to misidentify the wearer as a targeted celebrity. The attack exploited the model's sensitivity to fine-grained texture patterns around the eye region. The frames remained effective under varying camera resolutions, head poses, and ambient lighting conditions, demonstrating a practical impersonation vector against biometric security systems.
Adversarial Patches for Object Hiding
A team developed a universal adversarial patch that, when placed near an object in a scene, caused YOLO and other real-time object detectors to completely ignore the target object. The patch was printed on cardboard and tested in physical environments. Key characteristics include:
- Translation-invariant: Effective regardless of patch position relative to the object
- Scale-invariant: Survived varying distances from the camera
- Cross-model transferable: Fooled detectors with different architectures The attack demonstrated that physical-world object detection evasion requires no digital access to the target system.
Road Sign Camouflage with Subtle Perturbations
Researchers proposed adversarial camouflage techniques that apply subtle, physically realizable perturbations to entire road sign surfaces. Unlike sticker-based attacks, these modifications mimic normal wear and tear—such as fading, dirt, or graffiti—making them inconspicuous to human observers. The perturbations were optimized using Expectation over Transformation (EoT) to ensure robustness across a distribution of physical transformations including rotation, scaling, and lighting variations. This approach highlights the tension between imperceptibility and physical realizability.
3D-Printed Adversarial Objects
MIT researchers demonstrated that a 3D-printed turtle with a subtly textured shell was consistently classified as a rifle by ImageNet models from nearly every viewing angle. The attack leveraged 3D rendering pipelines during optimization to generate a perturbation that survived the full perspective transformation of physical rotation. This work proved that adversarial examples are not limited to 2D surfaces—volumetric objects can be manufactured to systematically fool classifiers across their entire geometry.
LiDAR Spoofing via Adversarial Point Clouds
Beyond camera-based attacks, researchers demonstrated physical adversarial attacks against LiDAR sensors used in autonomous vehicles. By placing carefully shaped retroreflective objects at strategic positions, attackers created adversarial point cloud patterns that caused object detection models to perceive phantom obstacles or fail to detect real vehicles. The attack exploited the model's processing of raw 3D point cloud data rather than 2D imagery, highlighting that physical adversarial vulnerabilities extend across sensor modalities critical to autonomous navigation.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Physical vs. Digital Adversarial Attacks
A structural comparison of adversarial attacks executed in the physical world versus those confined to the digital signal domain, highlighting differences in perturbation delivery, environmental robustness, and threat surface.
| Feature | Digital Adversarial Attack | Physical Adversarial Attack |
|---|---|---|
Input Domain | Direct pixel or feature vector manipulation in software | Real-world objects, prints, or 3D artifacts captured by sensors |
Perturbation Delivery | Additive noise injected directly into the digital file | Modification of physical artifacts (stickers, textures, shapes) |
Environmental Robustness | Not required; attack assumes clean digital pipeline | Must survive lighting changes, viewpoint shifts, and camera noise |
Imperceptibility Constraint | Lp-norm bound (e.g., epsilon-ball) in raw input space | Perceptual similarity under human observation in the physical world |
Sensor Cross-Over | ||
Printability Requirement | ||
Attack Transferability | High across architectures in digital domain | Lower; must generalize across capture conditions and devices |
Threat Surface | API endpoints, file uploads, inference pipelines | Surveillance cameras, autonomous vehicle sensors, biometric scanners |
Related Terms
Explore the core concepts, attack vectors, and defense mechanisms that define the landscape of physical-world adversarial machine learning.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us