When Good Sounds Go Adversarial: Jailbreaking Audio-Language Models with Benign Inputs

TL;DR

This paper presents WhisperInject, a novel two-stage adversarial attack framework that subtly manipulates audio inputs to jailbreak audio-language models, revealing practical vulnerabilities in multimodal AI systems.

Contribution

The paper introduces WhisperInject, combining reward-based optimization and gradient-based payload injection to effectively attack state-of-the-art audio-language models.

Findings

Achieves 60-78% success rate across multiple benchmarks and models.

Demonstrates practical, covert audio adversarial attacks.

Reveals vulnerabilities in multimodal AI systems.

Abstract

As large language models (LLMs) become increasingly integrated into daily life, audio has emerged as a key interface for human-AI interaction. However, this convenience also introduces new vulnerabilities, making audio a potential attack surface for adversaries. Our research introduces WhisperInject, a two-stage adversarial audio attack framework that manipulates state-of-the-art audio language models to generate harmful content. Our method embeds harmful payloads as subtle perturbations into audio inputs that remain intelligible to human listeners. The first stage uses a novel reward-based white-box optimization method, Reinforcement Learning with Projected Gradient Descent (RL-PGD), to jailbreak the target model and elicit harmful native responses. This native harmful response then serves as the target for Stage 2, Payload Injection, where we use gradient-based optimization to embed subtle perturbations into benign audio carriers, such as weather queries or greeting messages. Our method achieves average attack success rates of 60-78% across two benchmarks and five multimodal LLMs, validated by multiple evaluation frameworks. Our work demonstrates a new class of practical, audio-native threats, moving beyond theoretical exploits to reveal a feasible and covert method for manipulating multimodal AI systems.