This study presents the first systematic investigation into the security vulnerabilities of learning-based surgical robots under adversarial attacks. Focusing on end-to-end policies that map visual inputs directly to motor outputs, the work introduces two distinct attack paradigms—disruptive and directive—and proposes a photometric adversarial attack method that simulates natural illumination variations to generate visually plausible yet highly effective perturbations. Extensive physical experiments (560 trials) were conducted on three state-of-the-art policy architectures—ACT, Diffusion Policy, and Pi0—across debridement and suturing tasks. Results demonstrate that even advanced policies suffer an average 61% drop in subtask success rate under adversarial conditions, revealing significant safety risks in current learning-enabled surgical systems.

Learning-based policies are being considered to augment the dexterity of human surgeons in robot-assisted surgery. Can the end-to-end mapping from visual observations to robot actions be vulnerable to adversarial attacks, potentially leading to patient injury? In this paper, we present the first study of adversarial threats to learning-based policies in surgical robotics. We investigate two threat modes: (a) disruptive attacks, where imperceptible visual perturbations interrupt policy execution, and (b) steering attacks, where such perturbations steer policy actions toward attacker-specified directions. We formulate three adversarial attack methods, each with increasing access to policy information, and evaluate their impact on two surgical subtasks: debridement and suturing. Our evaluation covers three end-to-end policy architectures: ACT, Diffusion Policy, and Pi0. In addition, we introduce a new class of photometric adversarial attacks that mimic natural visual changes, such as lighting variations, to generate effective yet visually plausible perturbations. Results from 560 physical experiments using phantoms for debridement and suturing suggest that state-of-the-art policies can be significantly disrupted, resulting in an average 61% reduction in surgical subtask success rates. Project page: https://sites.google.com/view/adversary-surgery