Age estimation systems are increasingly deployed as gatekeepers for age-restricted online content, yet their robustness to cosmetic modifications has not been systematically evaluated. We investigate whether simple, household-accessible cosmetic changes, including beards, grey hair, makeup, and simulated wrinkles, can cause AI age estimators to classify minors as adults. To study this threat at scale without ethical concerns, we simulate these physical attacks on 329 facial images of individuals aged 10 to 21 using a VLM image editor (Gemini 2.5 Flash Image). We then evaluate eight models from our prior benchmark: five specialized architectures (MiVOLO, Custom-Best, Herosan, MiViaLab, DEX) and three vision-language models (Gemini 3 Flash, Gemini 2.5 Flash, GPT-5-Nano). We introduce the Attack Conversion Rate (ACR), defined as the fraction of images predicted as minor at baseline that flip to adult after attack, a population-agnostic metric that does not depend on the ratio of minors to adults in the test set. Our results reveal that a synthetic beard alone achieves 28 to 69 percent ACR across all eight models; combining all four attacks shifts predicted age by +7.7 years on average across all 329 subjects and reaches up to 83 percent ACR; and vision-language models exhibit lower ACR (59 to 71 percent) than specialized models (63 to 83 percent) under the full attack, although the ACR ranges overlap and the difference is not statistically tested. These findings highlight a critical vulnerability in deployed age-verification pipelines and call for adversarial robustness evaluation as a mandatory criterion for model selection.
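The ACR definition above, worked through as an added example (not code from the paper or its benchmark). The 18-year adult cutoff, the function names, and all predicted ages are assumptions constructed for illustration; the second data set appends images already predicted adult at baseline to show why ACR does not move with the minor-to-adult ratio while a naive "predicted adult" rate does.

```python
from typing import Optional, Sequence

ADULT_THRESHOLD = 18.0  # assumption: the page does not state the cutoff used


def attack_conversion_rate(baseline: Sequence[float], attacked: Sequence[float],
                           threshold: float = ADULT_THRESHOLD) -> Optional[float]:
    """Fraction of images predicted minor at baseline that are predicted adult after attack."""
    if len(baseline) != len(attacked):
        raise ValueError("baseline and attacked predictions must be paired per image")
    # Denominator: only images the model itself called minor before the attack.
    minors = [(b, a) for b, a in zip(baseline, attacked) if b < threshold]
    if not minors:
        return None  # ACR is undefined when nothing was predicted minor at baseline
    flipped = sum(1 for _, a in minors if a >= threshold)
    return flipped / len(minors)


def adult_rate_after_attack(attacked: Sequence[float],
                            threshold: float = ADULT_THRESHOLD) -> float:
    """Naive comparison metric: share of ALL images predicted adult after attack."""
    return sum(a >= threshold for a in attacked) / len(attacked)


def mean_age_shift(baseline: Sequence[float], attacked: Sequence[float]) -> float:
    """Average change in predicted age over every image, minor or not."""
    return sum(a - b for b, a in zip(baseline, attacked)) / len(baseline)


# Constructed predicted ages (years) for one hypothetical model, paired per image.
BASELINE = [12.1, 14.8, 16.3, 17.5, 15.0, 19.2, 20.4]
ATTACKED = [16.0, 21.7, 24.9, 26.1, 17.2, 27.0, 29.3]

# Same images plus three more that were already predicted adult at baseline.
BASELINE_MORE_ADULTS = BASELINE + [20.0, 21.0, 19.5]
ATTACKED_MORE_ADULTS = ATTACKED + [28.0, 30.0, 26.5]

if __name__ == "__main__":
    for name, b, a in [("original set", BASELINE, ATTACKED),
                       ("more adults", BASELINE_MORE_ADULTS, ATTACKED_MORE_ADULTS)]:
        print(f"{name}: ACR={attack_conversion_rate(b, a):.2f} "
              f"adult-rate={adult_rate_after_attack(a):.2f} "
              f"mean-shift={mean_age_shift(b, a):+.1f}y")
```

When comparing models, report the ACR denominator alongside the rate: a model that calls few images minor at baseline yields an ACR computed over very few samples.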