"I am bad": Interpreting Stealthy, Universal and Robust Audio Jailbreaks in Audio-Language Models
This work addresses a critical safety issue for users of multimodal AI systems, particularly in spoken communication, by exposing vulnerabilities that could lead to harmful outputs, though it is incremental in that it builds on existing adversarial attack research.
The paper tackles the problem of audio jailbreaks in Audio-Language Models by constructing adversarial perturbations that generalize across prompts and tasks. It demonstrates the first universal jailbreaks in audio, shows that they remain effective in simulated real-world conditions, and reveals that the perturbations encode imperceptible toxic speech.
The rise of multimodal large language models has introduced innovative human-machine interaction paradigms but also significant challenges in machine learning safety. Audio-Language Models (ALMs) are especially relevant due to the intuitive nature of spoken communication, yet little is known about their failure modes. This paper explores audio jailbreaks targeting ALMs, focusing on their ability to bypass alignment mechanisms. We construct adversarial perturbations that generalize across prompts, tasks, and even base audio samples, demonstrating the first universal jailbreaks in the audio modality, and show that these remain effective in simulated real-world conditions. Beyond demonstrating attack feasibility, we analyze how ALMs interpret these audio adversarial examples and reveal them to encode imperceptible first-person toxic speech - suggesting that the most effective perturbations for eliciting toxic outputs specifically embed linguistic features within the audio signal. These results have important implications for understanding the interactions between different modalities in multimodal models, and offer actionable insights for enhancing defenses against adversarial audio attacks.