ML Security PapersThe Echo Chamber Multi-Turn LLM Jailbreak
Ahmad Alobaid 1, Martí Jordà Roca 1, Carlos Castillo 2,3, Joan Vendrell 1
Published on arXiv
2601.05742
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Echo Chamber bypasses safety guardrails of multiple state-of-the-art LLMs through gradual multi-turn escalation, outperforming or matching existing multi-turn attack baselines in eliciting harmful outputs
Echo Chamber
Novel technique introduced
The availability of Large Language Models (LLMs) has led to a new generation of powerful chatbots that can be developed at relatively low cost. As companies deploy these tools, security challenges need to be addressed to prevent financial loss and reputational damage. A key security challenge is jailbreaking, the malicious manipulation of prompts and inputs to bypass a chatbot's safety guardrails. Multi-turn attacks are a relatively new form of jailbreaking involving a carefully crafted chain of interactions with a chatbot. We introduce Echo Chamber, a new multi-turn attack using a gradual escalation method. We describe this attack in detail, compare it to other multi-turn attacks, and demonstrate its performance against multiple state-of-the-art models through extensive evaluation.
Key Contributions
- Introduces Echo Chamber, a multi-turn jailbreak attack that seeds innocuous prompts with carefully crafted toxic keywords and manipulates the LLM into amplifying harmful content through gradual context poisoning
- Provides a detailed comparison of Echo Chamber against existing multi-turn attack strategies (Crescendo, Chain of Attack, Foot-in-the-Door, etc.) across key characteristics
- Demonstrates automated orchestration of the attack using a secondary LLM and evaluates performance against multiple state-of-the-art models