There is more than one kind of robustness: Fooling Whisper with adversarial examples
This work highlights security vulnerabilities in a widely used open-source ASR model, emphasizing the need for adversarial robustness in speech recognition systems.
The study demonstrated that Whisper, a robust automatic speech recognition model, is vulnerable to adversarial noise, with performance degrading significantly or allowing transcription of chosen sentences using small perturbations at 35-45dB signal-to-noise ratios.
Whisper is a recent Automatic Speech Recognition (ASR) model displaying impressive robustness to both out-of-distribution inputs and random noise. In this work, we show that this robustness does not carry over to adversarial noise. We show that we can degrade Whisper performance dramatically, or even transcribe a target sentence of our choice, by generating very small input perturbations with Signal Noise Ratio of 35-45dB. We also show that by fooling the Whisper language detector we can very easily degrade the performance of multilingual models. These vulnerabilities of a widely popular open-source model have practical security implications and emphasize the need for adversarially robust ASR.