Controlling Whisper: Universal Acoustic Adversarial Attacks to Control Speech Foundation Models
Vyas Raina, Mark Gales

TL;DR
This paper reveals that speech foundation models like Whisper are vulnerable to universal adversarial acoustic segments that can manipulate their task output without model prompt access, highlighting security concerns.
Contribution
It introduces a novel universal acoustic adversarial attack method that can control speech foundation models' behavior regardless of prompts, exposing new security vulnerabilities.
Findings
Universal acoustic segments can override Whisper's task setting.
Adversarial segments enable control over speech translation vs. transcription.
The attack works without prompt access, demonstrating a significant security risk.
Abstract
Speech-enabled foundation models, either in the form of flexible speech-recognition-based systems or audio-prompted large language models (LLMs), are becoming increasingly popular. One of the interesting aspects of these models is their ability to perform tasks other than automatic speech recognition (ASR) using an appropriate prompt. For example, the OpenAI Whisper model can perform both speech transcription and speech translation. With the development of audio-prompted LLMs there is the potential for even greater control options. In this work we demonstrate that with this greater flexibility the systems can be susceptible to model-control adversarial attacks. Without any access to the model prompt it is possible to modify the behaviour of the system by appropriately changing the audio input. To illustrate this risk, we demonstrate that it is possible to prepend a short universal…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
Methods: Sparse Evolutionary Training
