Adversarial Patches Can Fool Military Object Detection at Trivially Low Cost

Researchers have demonstrated that a printed patch — essentially a sticker — costing less than a dollar to produce can cause state-of-the-art object detection models to misclassify or entirely ignore military vehicles, personnel, and equipment. An adversary could plaster these patches on the roof of a tank and make it invisible to a drone's AI targeting system, or place them on a civilian bus to make it look like a military target. This is not an academic curiosity. It means that any autonomous targeting system that relies on deep learning-based computer vision can be systematically defeated by an adversary who understands the model architecture — and model architectures for common frameworks like YOLO and Faster R-CNN are publicly documented. The entire value proposition of AI-enabled ISR and autonomous weapons is undermined if the adversary can trivially manipulate what the AI sees. The problem persists because adversarial robustness and model accuracy are in fundamental tension. Techniques like adversarial training (exposing the model to adversarial examples during training) reduce clean accuracy by 5-15%, which program managers are unwilling to accept. Certified defenses that provably resist perturbations only work for small perturbation budgets and do not scale to the physical-world patch attacks that actually matter. Meanwhile, the offensive side keeps advancing — transferable attacks mean an adversary does not even need to know the exact model, just the general architecture family. DARPA's GARD program has funded defensive research since 2019 but has not produced a deployable solution.