Now You Hear Me: Audio Narrative Attacks Against Large Audio-Language Models

TL;DR

This paper uncovers security vulnerabilities in large audio-language models by demonstrating a novel audio-based jailbreak attack that embeds disallowed directives within narrative speech, exposing safety gaps in current models.

Contribution

It introduces a text-to-audio jailbreak method exploiting speech and structural cues, revealing significant security risks in speech-enabled AI systems.

Findings

Achieved a 98.26% success rate in bypassing safety measures

Synthetic narrative speech can elicit restricted outputs from state-of-the-art models

Highlights the need for safety frameworks considering linguistic and paralinguistic cues

Abstract

Large audio-language models increasingly operate on raw speech inputs, enabling more seamless integration across domains such as voice assistants, education, and clinical triage. This transition, however, introduces a distinct class of vulnerabilities that remain largely uncharacterized. We examine the security implications of this modality shift by designing a text-to-audio jailbreak that embeds disallowed directives within a narrative-style audio stream. The attack leverages an advanced instruction-following text-to-speech (TTS) model to exploit structural and acoustic properties, thereby circumventing safety mechanisms primarily calibrated for text. When delivered through synthetic speech, the narrative format elicits restricted outputs from state-of-the-art models, including Gemini 2.0 Flash, achieving a 98.26% success rate that substantially exceeds text-only baselines. These results highlight the need for safety frameworks that jointly reason over linguistic and paralinguistic representations, particularly as speech-based interfaces become more prevalent.