Inaudible Audio Hijacks AI Voice Models, Zhejiang Study Finds

Zhejiang University researchers built AudioHijack, embedding inaudible commands in audio to control LALMs with 79–96% success; attacks also affected Microsoft and Mistral voice systems.

Researchers at Zhejiang University described a method called AudioHijack that hides inaudible commands in digital audio to change how large audio-language models behave. The team reported success rates between 79% and 96% and found the technique transferred to commercial voice systems from Microsoft and Mistral.

The work was presented at the 47th IEEE Symposium on Security and Privacy in San Francisco. The attack alters numerical values in an audio waveform in ways that human listeners do not detect but that change how models interpret the sound. Meng Chen, a Ph.D. student and lead author, wrote that the adversarial signal takes about half an hour to train and is context-agnostic, so the same hidden command can be applied regardless of the spoken content.

The researchers tested AudioHijack on 13 open-source audio models and observed it could repeatedly change model behavior even when legitimate user instructions were present. In experiments the manipulated audio caused models to refuse valid requests, produce false information, insert harmful links, shift personality, or perform actions the user did not ask for, including web searches, file downloads, and composing emails that included personal data.

The team confirmed the technique worked against commercial voice AI systems that share similar audio components. The researchers identified possible delivery channels as online video and music files, voice messages, and audio from video calls later uploaded to transcription or voice services. Because the hidden command is not tied to a specific spoken phrase, a single precomputed signal can be reused across many targets and contexts.

The study evaluated common defenses and found most standard measures blocked only a small fraction of attack attempts. Monitoring a model’s internal attention mechanisms proved the most effective defense the researchers tested, but they noted attackers who know about such monitoring can weaken the manipulation and still preserve much of its effect.

The paper states that previous attacks often required control of both the final audio input and the original user instructions, while AudioHijack needs only control of the audio being processed. The researchers are now investigating whether the technique can reach closed commercial models from other companies by exploiting shared open-source audio components. The team also cited unpublished follow-up work that showed comparable attacks in live AI voice chats.
