ML Security PapersNow You Hear Me: Audio Narrative Attacks Against Large Audio-Language Models
Ye Yu 1, Haibo Jin 1, Yaoning Yu 1, Jun Zhuang 2, Haohan Wang 1
Published on arXiv
2601.23255
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Narrative-style TTS jailbreaks achieve a 98.26% attack success rate on Gemini 2.0 Flash, far exceeding text-only baselines and revealing safety gaps specific to the audio modality.
Audio Narrative Attack
Novel technique introduced
Large audio-language models increasingly operate on raw speech inputs, enabling more seamless integration across domains such as voice assistants, education, and clinical triage. This transition, however, introduces a distinct class of vulnerabilities that remain largely uncharacterized. We examine the security implications of this modality shift by designing a text-to-audio jailbreak that embeds disallowed directives within a narrative-style audio stream. The attack leverages an advanced instruction-following text-to-speech (TTS) model to exploit structural and acoustic properties, thereby circumventing safety mechanisms primarily calibrated for text. When delivered through synthetic speech, the narrative format elicits restricted outputs from state-of-the-art models, including Gemini 2.0 Flash, achieving a 98.26% success rate that substantially exceeds text-only baselines. These results highlight the need for safety frameworks that jointly reason over linguistic and paralinguistic representations, particularly as speech-based interfaces become more prevalent.
Key Contributions
- Novel text-to-audio jailbreak attack that embeds disallowed directives within narrative-style synthetic speech to exploit safety mechanisms calibrated primarily for text inputs
- Demonstrates 98.26% attack success rate against Gemini 2.0 Flash, substantially exceeding text-only baseline performance
- Highlights that paralinguistic and structural audio properties create a largely uncharacterized attack surface in large audio-language models