Table of Contents
Fetching ...

Now You Hear Me: Audio Narrative Attacks Against Large Audio-Language Models

Ye Yu, Haibo Jin, Yaoning Yu, Jun Zhuang, Haohan Wang

TL;DR

This paper reveals a new vulnerability in end-to-end large audio-language models where paralinguistic voice delivery can steer model behavior toward unsafe outputs. It introduces a black-box audio jailbreak pipeline that uses five psychology-informed vocal styles to bias responses, outperforming text-based and acoustic baselines. Across GPT-4o Realtime, Gemini 2.0 Flash, and Qwen2.5-Omni, stylized audio raises attack success rates by up to about 26 percentage points, underscoring the need for multimodal safety defenses. The work highlights the necessity of modeling linguistic content and delivery cues jointly to secure voice-enabled AI systems and outlines directions for automated style discovery and multilingual evaluation.

Abstract

Large audio-language models increasingly operate on raw speech inputs, enabling more seamless integration across domains such as voice assistants, education, and clinical triage. This transition, however, introduces a distinct class of vulnerabilities that remain largely uncharacterized. We examine the security implications of this modality shift by designing a text-to-audio jailbreak that embeds disallowed directives within a narrative-style audio stream. The attack leverages an advanced instruction-following text-to-speech (TTS) model to exploit structural and acoustic properties, thereby circumventing safety mechanisms primarily calibrated for text. When delivered through synthetic speech, the narrative format elicits restricted outputs from state-of-the-art models, including Gemini 2.0 Flash, achieving a 98.26% success rate that substantially exceeds text-only baselines. These results highlight the need for safety frameworks that jointly reason over linguistic and paralinguistic representations, particularly as speech-based interfaces become more prevalent.

Now You Hear Me: Audio Narrative Attacks Against Large Audio-Language Models

TL;DR

This paper reveals a new vulnerability in end-to-end large audio-language models where paralinguistic voice delivery can steer model behavior toward unsafe outputs. It introduces a black-box audio jailbreak pipeline that uses five psychology-informed vocal styles to bias responses, outperforming text-based and acoustic baselines. Across GPT-4o Realtime, Gemini 2.0 Flash, and Qwen2.5-Omni, stylized audio raises attack success rates by up to about 26 percentage points, underscoring the need for multimodal safety defenses. The work highlights the necessity of modeling linguistic content and delivery cues jointly to secure voice-enabled AI systems and outlines directions for automated style discovery and multilingual evaluation.

Abstract

Large audio-language models increasingly operate on raw speech inputs, enabling more seamless integration across domains such as voice assistants, education, and clinical triage. This transition, however, introduces a distinct class of vulnerabilities that remain largely uncharacterized. We examine the security implications of this modality shift by designing a text-to-audio jailbreak that embeds disallowed directives within a narrative-style audio stream. The attack leverages an advanced instruction-following text-to-speech (TTS) model to exploit structural and acoustic properties, thereby circumventing safety mechanisms primarily calibrated for text. When delivered through synthetic speech, the narrative format elicits restricted outputs from state-of-the-art models, including Gemini 2.0 Flash, achieving a 98.26% success rate that substantially exceeds text-only baselines. These results highlight the need for safety frameworks that jointly reason over linguistic and paralinguistic representations, particularly as speech-based interfaces become more prevalent.
Paper Structure (37 sections, 4 equations, 5 figures, 8 tables)

This paper contains 37 sections, 4 equations, 5 figures, 8 tables.

Figures (5)

  • Figure 1: illustrates how voice modality enables new attack vectors via social influence. (a) Textual jailbreak prompt (DeepInception) fails to bypass LALM's alignment filters. (b) The same prompt, when transformed into spoken audio using therapeutic or performative delivery, successfully induces the model to produce dangerous instructions.
  • Figure 2: Comparison of ASR towards OpenAI: Text vs Audio Attacks by Category
  • Figure 3: Comparison of ASR towards Gemini: Text vs Audio Attacks by Category
  • Figure 4: Comparison of ASR towards Qwen: Text vs Audio Attacks by Category
  • Figure 5: Comparison of ASR towards Qwen: Text vs Audio Attacks by Category