Physical World Interactions
T11 · Agentic & Orchestrator Exploitation

When agents are connected to actuators and cyber-physical systems (IoT/smart-home APIs, building automation, industrial control systems (ICS/SCADA), medical devices, vehicle interfaces), software compromise crosses into physical-world consequences. The trust boundary violated is the cyber-physical bridge: an API call that looks identical to any other tool invocation can open a lock, drive a thermostat to a dangerous extreme, or alter an industrial setpoint, but the impact is physical and frequently irreversible or safety-critical. The architectural gaps are severe: many IoT/OT systems have weak or absent authorization, agents are granted device-control scopes without per-action safety interlocks, and there is rarely human-in-the-loop confirmation before a physically consequential action.
- Require human-in-the-loop confirmation for any physically consequential actuation (locks, ICS setpoints, medical/vehicle controls), enforced at the tool gateway rather than left to the agent's own judgment, since a manipulated prompt can talk the agent out of asking
- Log and alert on all agent-initiated device/actuator commands with full parameters
- Enforce safety envelopes: reject commands outside safe operating ranges (temperature limits, setpoint bounds)
- Detect device-control actions inconsistent with the agent's declared task
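The four mitigations above compose naturally into one policy gate that sits between the agent's tool-call layer and the device/OT API. The following is an added example, not code from the original page or from any particular agent framework; the device types, task names, envelope bounds and approver field are all hypothetical placeholders chosen to illustrate the structure. It logs every attempted command with full parameters, rejects commands whose device type is inconsistent with the declared task, enforces numeric safety envelopes with default deny for unlisted parameters, and withholds physically consequential commands until a named human approver is recorded.

```python
# Added example: a policy gate between an agent's tool-call layer and the
# device/OT API. Device types, task names, bounds and approver identities are
# hypothetical; the check ordering and default-deny posture are the point.
from dataclasses import dataclass
from typing import Optional
import json
import logging

LOG = logging.getLogger("actuator_gate")

# Hypothetical safety envelopes: device type -> parameter -> (min, max).
# Any parameter not listed for an enveloped device is rejected (default deny),
# so the agent cannot reach an unbounded knob the envelope author never considered.
SAFETY_ENVELOPES = {
    "thermostat": {"setpoint_c": (15.0, 28.0)},
    "boiler_plc": {"pressure_bar": (0.5, 3.0), "temp_c": (20.0, 85.0)},
}

# Device types whose commands are physically consequential: execution is held
# until a named human has approved this exact call.
REQUIRES_HUMAN_APPROVAL = {"door_lock", "boiler_plc", "infusion_pump", "vehicle"}

# Hypothetical mapping of declared task -> device types that task may touch.
TASK_DEVICE_SCOPES = {
    "adjust_office_climate": {"thermostat"},
    "lock_up_building": {"door_lock"},
    "maintain_boiler": {"boiler_plc"},
}

# Append-only audit trail of every attempted command with its full parameters.
AUDIT: list = []


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False


def deny(record: dict, reason: str) -> Decision:
    """Mark the audit record as denied and return a blocking decision."""
    record["outcome"] = "denied"
    LOG.warning("denied actuator command: %s", reason)
    return Decision(False, reason)


def evaluate(task: str, device_type: str, device_id: str, command: str,
             params: dict, approved_by: Optional[str] = None) -> Decision:
    """Decide whether an agent-initiated actuator command may reach the device.

    Checks run in a fixed order: task consistency, safety envelope, then human
    approval. The attempt is logged before any check runs, so denied commands
    are as visible to the SOC as executed ones.
    """
    record = {"task": task, "device_type": device_type, "device_id": device_id,
              "command": command, "params": dict(params), "approved_by": approved_by}
    AUDIT.append(record)
    LOG.info("actuator command %s", json.dumps(record, sort_keys=True))

    # 1. Task consistency: a climate task has no business touching door locks.
    if device_type not in TASK_DEVICE_SCOPES.get(task, set()):
        return deny(record, f"device type {device_type!r} is out of scope for task {task!r}")

    # 2. Safety envelope: enforced here, outside the model, so a prompt-level
    #    "no external harm possible" pretext cannot relax the bounds.
    envelope = SAFETY_ENVELOPES.get(device_type)
    if envelope is not None:
        for name, value in params.items():
            if name not in envelope:
                return deny(record, f"parameter {name!r} is not covered by the envelope")
            lo, hi = envelope[name]
            if not isinstance(value, (int, float)) or not lo <= value <= hi:
                return deny(record, f"{name}={value!r} outside safe range [{lo}, {hi}]")

    # 3. Human-in-the-loop: consequential devices need a recorded approver.
    if device_type in REQUIRES_HUMAN_APPROVAL and not approved_by:
        record["outcome"] = "pending_human"
        return Decision(False, "human approval required before actuation", needs_human=True)

    record["outcome"] = "allowed"
    return Decision(True, "ok")
```

The gate never consults the agent's reasoning: task scope, envelopes and the approval requirement are data the orchestrator owns, which is what makes them resistant to the pretexts that lower the agent's own caution. In a real deployment the approver identity would come from an authenticated approval workflow rather than a string argument, and scopes would usually be narrowed further to per-command level (for example, a "lock_up_building" task permitted to lock but never to unlock).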
Physical-world actions are typically the endpoint of a chain that begins with T1 prompt injection or T11-AT-001 browser hijacking and pivots through T11-AT-008 (credentials for the device/IoT platform) and T11-AT-010 (lateral movement into OT networks). Environment-manipulation pretexts (T11-AT-007, "no external harm possible") lower the agent's caution before it actuates devices, and the cross-modal physical attacks catalogued in T9 can serve as the entry trigger.