Audio Jailbreak Attacks: Exposing Vulnerabilities in SpeechGPT in a White-Box Framework

Binhao Ma, Hanqing Guo, Zhengping Jay Luo, Rui Duan

TL;DR

The paper investigates security vulnerabilities in voice-enabled multimodal language models by introducing a white-box, token-level adversarial attack on SpeechGPT. It leverages discrete HuBERT tokens and greedy search to synthesize adversarial audio via a vocoder, achieving up to 89% attack success across six harmful categories. The results expose gaps in current alignment safeguards for audio inputs and show that semantically meaningful adversarial audio outperforms purely random perturbations. The work highlights the need for robust defenses and provides a publicly available codebase for replication and further research.

Abstract

Recent advances in Multimodal Large Language Models (MLLMs) have significantly enhanced the naturalness and flexibility of human-computer interaction by enabling seamless understanding across text, vision, and audio modalities. Among these, voice-enabled models such as SpeechGPT have demonstrated considerable improvements in usability, offering expressive and emotionally responsive interactions that foster deeper connections in real-world communication scenarios. However, the use of voice introduces new security risks, as attackers can exploit the unique characteristics of spoken language, such as timing, pronunciation variability, and speech-to-text translation, to craft inputs that bypass defenses in ways not seen in text-based systems. Despite substantial research on text-based jailbreaks, the voice modality remains largely underexplored in terms of both attack strategies and defense mechanisms. In this work, we present an adversarial attack targeting the speech input of aligned MLLMs in a white-box scenario. Specifically, we introduce a novel token-level attack that leverages access to the model's speech tokenization to generate adversarial token sequences. These sequences are then synthesized into audio prompts, which effectively bypass alignment safeguards and induce prohibited outputs. Evaluated on SpeechGPT, our approach achieves up to 89 percent attack success rate across multiple restricted tasks, significantly outperforming existing voice-based jailbreak methods. Our findings shed light on the vulnerabilities of voice-enabled multimodal systems and help guide the development of more robust next-generation MLLMs.

Paper Structure

This paper contains 14 sections, 4 figures, 4 tables, 2 algorithms.

Figures (4)

  • Figure 1: This pipeline presents a greedy search-based adversarial audio token attack targeting speech models such as SpeechGPT. Harmful speech, which normally fails to elicit a response due to alignment constraints, is first discretized into tokens. Adversarial tokens are then appended and optimized via greedy search to construct a token sequence that bypasses safety filters. The resulting audio triggers jailbreak responses from the model.
  • Figure 2: Example of an audio jailbreak in SpeechGPT
  • Figure 3: NISQA Score Comparison of Adversarial Speech for Jailbreak Attacks
  • Figure 4: Effect of Noise Budget on Attack Success and Reverse Loss