← back home

Steganography in AI: Could Hidden Image Commands Control LLMs?

June 9, 2025
Ai Security Steganography Llm Computer Vision Prompt Injection Adversarial Attacks Ai Hallucination Ai Agents Model Behavior Non-Determinism
View original discussion on Hacker News

A recent Hacker News discussion delved into a compelling, if speculative, security concern: could LLMs or Computer Vision (CV) models be manipulated into executing commands embedded within images using steganography, especially if these models are linked to operational agents or Master Control Programs (MCPs)? The original poster drew parallels to concepts seen in fiction like Ghost in the Shell SAC 2045 and a Black Mirror episode.

Key Discussion Points:

Commenters explored the practicalities and nuances of such an attack vector:

  • Exploiting Model Behavior: User muzani pointed out an interesting characteristic of LLMs: they can decode base64 if it represents a popular quote, but often 'hallucinate' the original quote if the encoded data is slightly modified. Similarly, image enlargement tasks can lead to models hallucinating details. This suggests an attack might not rely on perfect steganographic decoding but rather on triggering a model's pattern-matching or completion capabilities with elements it's prone to recognize or misinterpret. The analogy given was how many recognize 'S.O.S.' in Morse code without knowing the full alphabet, implying commands might need to be framed in similarly recognizable 'quotes' or patterns.

  • Prompt Injection via Images: User ge96 clarified that the concern wasn't necessarily about extracting complex code, but rather about a generic image-parsing command (e.g., "what does this image show?") becoming a vulnerability. If the underlying mechanism could be tricked into 'reading' simple embedded text like "run this script," it could pose a risk. moritzwarhier identified this as a form of prompt injection, questioning the novelty of using steganography specifically for this, as the core issue remains allowing unsupervised AI to operate on important resources.

  • Steganography's Role: The use of steganography was emphasized as being image-based, potentially making the attack less obvious than a direct textual prompt. However, moritzwarhier also distinguished between fictional portrayals (like an 'imaginary QR code') and actual steganographic techniques.

  • LLM Determinism: A side discussion highlighted that even setting an LLM's temperature to 0 doesn't guarantee complete determinism, adding another layer of unpredictability to how a model might interpret hidden data.

Realistic Threat or Sci-Fi Fantasy?

The consensus leaned towards this being a sophisticated form of prompt injection, with the main safeguard being robust security practices around AI agents. The idea of leveraging an LLM's tendency to 'fill in the blanks' or recognize familiar patterns (even when subtly altered) for malicious purposes was a notable takeaway. While direct, complex command execution via steganography seems challenging, the potential for simpler commands or data exfiltration through these means, especially with image-understanding AI models, remains an area for cautious exploration.

The discussion underscores the evolving landscape of AI security, where understanding model quirks and tendencies—like hallucination or imperfect pattern matching—could be as crucial as traditional security measures.

Get the most insightful discussions and trending stories delivered to your inbox, every Wednesday.