Now You Hear Me: Audio Narrative Attacks Against Large Audio-Language Models
This addresses a critical safety problem for users and developers of voice assistants, education, and clinical systems, exposing a new class of attacks as models shift to raw speech inputs.
The paper tackles the security vulnerabilities of large audio-language models by designing a text-to-audio jailbreak that embeds disallowed directives in narrative-style audio, achieving a 98.26% success rate in eliciting restricted outputs from models like Gemini 2.0 Flash.
Large audio-language models increasingly operate on raw speech inputs, enabling more seamless integration across domains such as voice assistants, education, and clinical triage. This transition, however, introduces a distinct class of vulnerabilities that remain largely uncharacterized. We examine the security implications of this modality shift by designing a text-to-audio jailbreak that embeds disallowed directives within a narrative-style audio stream. The attack leverages an advanced instruction-following text-to-speech (TTS) model to exploit structural and acoustic properties, thereby circumventing safety mechanisms primarily calibrated for text. When delivered through synthetic speech, the narrative format elicits restricted outputs from state-of-the-art models, including Gemini 2.0 Flash, achieving a 98.26% success rate that substantially exceeds text-only baselines. These results highlight the need for safety frameworks that jointly reason over linguistic and paralinguistic representations, particularly as speech-based interfaces become more prevalent.