"I am bad": Interpreting Stealthy, Universal and Robust Audio Jailbreaks in Audio-Language Models

TL;DR

This paper uncovers universal, robust audio adversarial attacks on Audio-Language Models, revealing their vulnerability to imperceptible perturbations that encode toxic speech, and discusses implications for improving model defenses.

Contribution

It introduces the first universal audio jailbreaks that generalize across prompts and samples, highlighting new vulnerabilities in Audio-Language Models and providing insights for defense strategies.

Findings

Universal audio adversarial perturbations exist.

Perturbations encode toxic speech imperceptibly.

Attacks remain effective in real-world conditions.

Abstract

The rise of multimodal large language models has introduced innovative human-machine interaction paradigms but also significant challenges in machine learning safety. Audio-Language Models (ALMs) are especially relevant due to the intuitive nature of spoken communication, yet little is known about their failure modes. This paper explores audio jailbreaks targeting ALMs, focusing on their ability to bypass alignment mechanisms. We construct adversarial perturbations that generalize across prompts, tasks, and even base audio samples, demonstrating the first universal jailbreaks in the audio modality, and show that these remain effective in simulated real-world conditions. Beyond demonstrating attack feasibility, we analyze how ALMs interpret these audio adversarial examples and reveal them to encode imperceptible first-person toxic speech - suggesting that the most effective perturbations for eliciting toxic outputs specifically embed linguistic features within the audio signal. These results have important implications for understanding the interactions between different modalities in multimodal models, and offer actionable insights for enhancing defenses against adversarial audio attacks.