Hidden in Plain Sound: Environmental Backdoor Poisoning Attacks on Whisper, and Mitigations
Jonatan Bartolini, Todor Stoyanov, and Alberto Giaretta

TL;DR
This paper reveals that transformer-based speech recognition models like Whisper are vulnerable to environmental backdoor poisoning attacks, and explores mitigation strategies using voice activity detection to defend against such threats.
Contribution
It introduces a novel environmental trigger sound poisoning method for Whisper and evaluates the effectiveness of VAD-based mitigation techniques.
Findings
Whisper is highly vulnerable to environmental backdoor attacks.
VAD-based filtering can reduce attack success, with varying effectiveness.
Environmental triggers can be mapped to target phrases during fine-tuning.
Abstract
Thanks to the popularisation of transformer-based models, speech recognition (SR) is gaining traction in various application fields, such as industrial and robotics environments populated with mission-critical devices. While transformer-based SR can provide various benefits for simplifying human-machine interfacing, the research on the cybersecurity aspects of these models is lacklustre, in particular concerning backdoor poisoning attacks. In this paper, we propose a new poisoning approach that maps different environmental trigger sounds to target phrases of different lengths, during the fine-tuning phase. We test our approach on Whisper, one of the most popular transformer-based SR models, showing that it is highly vulnerable to our attack, under several testing conditions. To mitigate the attack proposed in this paper, we investigate the use of Silero VAD, a state-of-the-art voice…
Taxonomy
Topics: Safety Warnings and Signage
