Audio Jailbreak Attacks: Exposing Vulnerabilities in SpeechGPT in a White-Box Framework

TL;DR

This paper introduces a novel adversarial attack on SpeechGPT, exploiting speech tokenization to generate audio prompts that bypass safeguards, revealing significant vulnerabilities in voice-enabled multimodal models.

Contribution

The work presents a new token-level attack method for speech inputs in a white-box setting, demonstrating high success rates and exposing security weaknesses in SpeechGPT.

Findings

Achieves up to 89% attack success rate

Outperforms existing voice jailbreak methods

Reveals vulnerabilities in voice-enabled multimodal systems

Abstract

Recent advances in Multimodal Large Language Models (MLLMs) have significantly enhanced the naturalness and flexibility of human computer interaction by enabling seamless understanding across text, vision, and audio modalities. Among these, voice enabled models such as SpeechGPT have demonstrated considerable improvements in usability, offering expressive, and emotionally responsive interactions that foster deeper connections in real world communication scenarios. However, the use of voice introduces new security risks, as attackers can exploit the unique characteristics of spoken language, such as timing, pronunciation variability, and speech to text translation, to craft inputs that bypass defenses in ways not seen in text-based systems. Despite substantial research on text based jailbreaks, the voice modality remains largely underexplored in terms of both attack strategies and defense mechanisms. In this work, we present an adversarial attack targeting the speech input of aligned MLLMs in a white box scenario. Specifically, we introduce a novel token level attack that leverages access to the model's speech tokenization to generate adversarial token sequences. These sequences are then synthesized into audio prompts, which effectively bypass alignment safeguards and to induce prohibited outputs. Evaluated on SpeechGPT, our approach achieves up to 89 percent attack success rate across multiple restricted tasks, significantly outperforming existing voice based jailbreak methods. Our findings shed light on the vulnerabilities of voice-enabled multimodal systems and to help guide the development of more robust next-generation MLLMs.