There is more than one kind of robustness: Fooling Whisper with adversarial examples

TL;DR

This paper demonstrates that despite Whisper's robustness to noise and out-of-distribution inputs, it is vulnerable to adversarial examples that can significantly degrade performance or alter transcriptions, highlighting security concerns.

Contribution

The study reveals that Whisper's robustness does not extend to adversarial noise and introduces methods to generate such examples, exposing critical security vulnerabilities.

Findings

Adversarial noise can drastically reduce Whisper's accuracy.

Targeted transcriptions can be achieved with small perturbations.

Multilingual models' performance can be compromised by fooling language detectors.

Abstract

Whisper is a recent Automatic Speech Recognition (ASR) model displaying impressive robustness to both out-of-distribution inputs and random noise. In this work, we show that this robustness does not carry over to adversarial noise. We show that we can degrade Whisper performance dramatically, or even transcribe a target sentence of our choice, by generating very small input perturbations with Signal Noise Ratio of 35-45dB. We also show that by fooling the Whisper language detector we can very easily degrade the performance of multilingual models. These vulnerabilities of a widely popular open-source model have practical security implications and emphasize the need for adversarially robust ASR.