Now You Hear Me: Audio Narrative Attacks Against Large Audio-Language Models
Ye Yu, Haibo Jin, Yaoning Yu, Jun Zhuang, Haohan Wang
TL;DR
This paper reveals a new vulnerability in end-to-end large audio-language models where paralinguistic voice delivery can steer model behavior toward unsafe outputs. It introduces a black-box audio jailbreak pipeline that uses five psychology-informed vocal styles to bias responses, outperforming text-based and acoustic baselines. Across GPT-4o Realtime, Gemini 2.0 Flash, and Qwen2.5-Omni, stylized audio raises attack success rates by up to about 26 percentage points, underscoring the need for multimodal safety defenses. The work highlights the necessity of modeling linguistic content and delivery cues jointly to secure voice-enabled AI systems and outlines directions for automated style discovery and multilingual evaluation.
Abstract
Large audio-language models increasingly operate on raw speech inputs, enabling more seamless integration across domains such as voice assistants, education, and clinical triage. This transition, however, introduces a distinct class of vulnerabilities that remain largely uncharacterized. We examine the security implications of this modality shift by designing a text-to-audio jailbreak that embeds disallowed directives within a narrative-style audio stream. The attack leverages an advanced instruction-following text-to-speech (TTS) model to exploit structural and acoustic properties, thereby circumventing safety mechanisms primarily calibrated for text. When delivered through synthetic speech, the narrative format elicits restricted outputs from state-of-the-art models, including Gemini 2.0 Flash, achieving a 98.26% success rate that substantially exceeds text-only baselines. These results highlight the need for safety frameworks that jointly reason over linguistic and paralinguistic representations, particularly as speech-based interfaces become more prevalent.
