Speech-Specific Jailbreaks

• Speech-specific jailbreaks are adversarial techniques that manipulate acoustic and linguistic features of audio inputs to bypass safety guardrails in speech models.
• Innovative frameworks like JAMA and AudioJailbreak employ gradient-based and PGD methods to achieve up to 98% attack success across multimodal architectures.
• Defensive strategies such as adversarial audio training and cross-modal anomaly detection are emerging, though real-world robustness remains a significant challenge.

Speech-specific jailbreaks refer to adversarial strategies that subvert the safety guardrails of spoken LLMs (SLMs), Audio-LLMs (ALMs), or Large Audio LLMs (LALMs) specifically through the speech or audio modality. These attacks exploit the rich, multidimensional structure of audio input—encompassing both linguistic content and acoustic features such as timbre, pitch, and temporal dynamics—to generate harmful or policy-violating outputs that would be blocked by alignment mechanisms in the text-only setting. Recent research demonstrates that speech-specific jailbreaks pose unique and substantially more severe risks than their text-based analogues, especially as SLMs integrate multimodal inputs and increasingly rely on real-world open-channel deployment (Krishnan et al., 19 Mar 2026, Chen et al., 20 May 2025, Peng et al., 23 May 2025, Ling et al., 14 Mar 2026, Roh et al., 1 Apr 2025).

1. Formal Characterization and Adversarial Objectives

In speech-specific jailbreaks, the adversarial goal is to construct audio—or joint audio-text—inputs that induce the model to generate a predetermined unsafe response, formally by optimizing the input to maximize the probability of a specified class or sequence of outputs. Let $(q, x)$ denote a text prompt $q$ and its associated speech waveform $x \in \mathbb{R}^d$. Attackers aim to jointly perturb $x$ and optionally append a text suffix $S = (s_1,...,s_N)$ so that the system's response matches a harmful or affirmative target $y$ (Krishnan et al., 19 Mar 2026):

$$\min_{S, \Delta x} ~ \mathcal{L}_{\rm joint}(S, \Delta x)$$

subject to norm and discreteness constraints on $\Delta x$ and $S$, respectively. For purely audio models, attacks focus on constructing a perturbation $\delta$ (additive or functional) which may be universal (transferable across base samples/prompts) or sample-specific (Gupta et al., 2 Feb 2025, Chen et al., 20 May 2025):

$$\min_{\delta} \; L_{\rm ce}(M(x^0 + \delta), y_t) \quad \text{s.t.} \; \|\delta\|_p \leq \epsilon$$

Stealth constraints, such as psychoacoustic thresholds and imperceptibility, are typically enforced to evade human detection, and universal perturbations are constructed to generalize across tasks and base audios (Gupta et al., 2 Feb 2025, Krishnan et al., 19 Mar 2026).

2. Algorithmic Implementations and Attack Variants

Speech-specific jailbreaks can be categorized as unimodal (audio-only or text-only), joint audio-text multimodal, and signal-covert attacks. Key algorithmic paradigms include:

• Multimodal attacks (JAMA framework): JAMA (Joint Audio-text Multimodal Attack) combines Greedy Coordinate Gradient (GCG) for optimizing token suffixes with Projected Gradient Descent (PGD) on the audio waveform, interleaving updates to simultaneously perturb both modalities. This exploits complementary decision subspaces, surpassing unimodal methods by 1.5x to 10x in jailbreak success rates across state-of-the-art SLMs. A sequential approximation (SAMA) exploits gradient dominance in the text component before switching to audio, yielding comparable efficacy at 4x–6x computational speedup (Krishnan et al., 19 Mar 2026).
• End-to-end audio attacks: AudioJailbreak and other frameworks leverage continuous optimization over either entire inputs or adversarial suffixes, incorporating asynchrony (suffix does not temporally align to user prompt), universality, semantic camouflage, and room impulse response modeling for over-the-air robustness (Chen et al., 20 May 2025). Adaptive manipulation of pitch, speed, intonation, or noise—sometimes via Bayesian or grid search (Best-of-N, Audio Perturbation Toolkit)—facilitates transferability and signal-level opacity (Song et al., 21 May 2025, Peng et al., 23 May 2025, Cheng et al., 23 Jan 2025).
• Covert channel attacks: Sirens' Whisper uses near-ultrasonic encoding (17–22 kHz) modulated onto baseband audio via SSB modulation and channel-inversion compensation. Microphone nonlinearity demodulates this to normal speech on the microphone input, allowing imperceptible, highly transferable jailbreak injection even in black-box settings (Ling et al., 14 Mar 2026).
• Stealth and robustness: Time-stretching (speed-up masking), semantic camouflage (mixing music/benign speech), and explicit restriction to ASR-robust/vocab-pronounceable tokens are used to maintain both intelligibility for the model and concealment from human auditors (Chen et al., 20 May 2025, Ling et al., 14 Mar 2026).

3. Benchmarks and Empirical Findings

Multiple comprehensive benchmarks and large-scale evaluations have quantified ALM vulnerability:

• Attack Success Metrics: Standard metrics include Jailbreak Success Rate (JSR), Attack Success Rate (ASR), Non-refusal Rate (NR), Specific-Convincing Rate (SC), and Toxicity Score (TS). These are typically based on the fraction of model outputs which comply with the adversarial request (Chen et al., 20 May 2025, Ling et al., 14 Mar 2026, Peng et al., 23 May 2025, Song et al., 21 May 2025, Gupta et al., 2 Feb 2025, Roh et al., 1 Apr 2025).
• Model and language sensitivity: Across SLMs (Audio Flamingo 3, Qwen2 Audio, Gemma 3N, Qwen2.5 Omni), joint attacks deliver up to 60–98% success. JAMA outperforms unimodal baselines by up to 10x (e.g., Gemma 3N: GCG-only 3%, PGD-only 20%, JAMA 60%) (Krishnan et al., 19 Mar 2026). Benchmarks such as AJailBench, JALMBench, and Jailbreak-AudioBench confirm that audio-originated attacks (e.g., AMSE, AdvWave) obtain ASR up to 97.3%, with average ASR for audio-originated attacks at 72.9% across diverse architectures (Peng et al., 23 May 2025, Song et al., 21 May 2025, Cheng et al., 23 Jan 2025).
• Acoustic and cross-modal phenomena: Non-English languages and underrepresented accents yield higher ASR due to acoustic/phonetic variation and coverage limits in model safety data (Roh et al., 1 Apr 2025). Multilingual and multi-accent attacks, especially when convolved with reverberation or echo, produce ΔJSR increases of up to +57 percentage points (Roh et al., 1 Apr 2025).
• Human perception: Near-ultrasonic (Sirens’ Whisper) attacks remain imperceptible (ABX test accuracy≈50%, mean difference ≤4.92/5 in Likert ratings), yet exhibit up to 0.94 NR and 0.925 SC on commercial APIs (Ling et al., 14 Mar 2026).

Attack Framework	Modality	Best ASR (approx.)	Stealth	Transferability
JAMA (joint)	audio+text	60–98%	moderate	moderate
AudioJailbreak/AdvWave	audio-only	97.3%	high	strong (to similar)
Ultrasonic channel	audio (covert)	NR=0.94/SC=0.925	impercept.	device/room robust
BoN, AMSE, APT+	audio-edited	52–89%	moderate	model-dependent

4. Comparative Analysis: Audio- vs Text-Based and Multimodal Attacks

The addition of the audio modality fundamentally increases the attack surface of foundation models:

• Bypassing Textual Filters: Audio attacks can encode adversarial semantics at the signal level, bypassing prompt-level text filtering and tokenization-based defensive measures (Cheng et al., 23 Jan 2025, Song et al., 21 May 2025).
• Complementary decision subspaces: Joint perturbations in audio and text exploit different subsystems (acoustic front end, text backbone), together traversing boundaries that unimodal attacks cannot (Krishnan et al., 19 Mar 2026).
• Cross-lingual vulnerability: Multilingual attacks using TTS in less-covered phonemes or accents achieve disproportionately higher ASR, even when text-based defenses are present (Roh et al., 1 Apr 2025).
• Robustness to channel and environment: Over-the-air, reverberation and bandwidth-limited transmission continue to yield substantial ASR (~70–80% for robust attacks), which suggests that real-world constraints do not reliably prevent jailbreak success (Chen et al., 20 May 2025, Ling et al., 14 Mar 2026, Gupta et al., 2 Feb 2025).

5. Defensive Strategies and Open Challenges

The growing sophistication of speech-specific jailbreaks has motivated a spectrum of mitigation proposals:

• Adversarial audio training: Incorporating both unimodal and joint multimodal adversarial perturbations during training—especially with RIR and device diversity—yields improved robustness, but does not close the gap completely (Krishnan et al., 19 Mar 2026, Chen et al., 20 May 2025, Song et al., 21 May 2025, Cheng et al., 23 Jan 2025).
• Cross-modal consistency and anomaly detection: Imposing joint constraints across text and audio inputs to enforce similar safety behavior; anomaly detectors deployed in joint embedding spaces show promise (e.g., Mahalanobis) (Krishnan et al., 19 Mar 2026, Cheng et al., 23 Jan 2025).
• Activation-patching (SPIRIT): Post-hoc identification and zeroing or correction of the most noise-sensitive neurons at inference can restore 99%+ robustness with negligible utility penalty, provided mild denoising is used to recover baseline activations (Djanibekov et al., 18 May 2025).
• Signal-based and hardware countermeasures: Ultrasonic feature detectors, strict microphone cutoffs, and jammers are proposed to mitigate covert channel attacks, but real-world efficacy may be undermined by device variability and user constraints (Ling et al., 14 Mar 2026).
• Prompt- and response-level output filtering: LLM-based classifiers, system-prompted refusal templates, and content safety APIs reduce but cannot eradicate attack success, especially against audio-originated or universal perturbations (Peng et al., 23 May 2025).
• Voice biometrics and authentication augmentation may provide an additional verification channel, but the attack surface (especially for over-the-air, impersonation, and accent-based attacks) remains incompletely addressed (Ling et al., 14 Mar 2026).

Open challenges include: scaling defenses to streaming/real-time pipelines, coverage for unseen accents and acoustic perturbations, integrating psychoacoustic constraints into both attack and defense objectives, and closing transferability gaps in black-box or cross-model attack scenarios (Djanibekov et al., 18 May 2025, Chen et al., 20 May 2025, Roh et al., 1 Apr 2025).

6. Future Research Directions and Open Problems

The literature identifies several directions requiring immediate attention:

• Cross-lingual and cross-accent benchmarks: Expanding coverage of adversarial corpora across languages, accents, and real-world audio environments is essential to accurately reflect deployment vulnerabilities (Roh et al., 1 Apr 2025, Peng et al., 23 May 2025).
• Universal trigger theory: A better information-theoretic account of minimal sufficient perturbation for audio triggers and their semantic/representational footprint could facilitate more rigorous defenses (Gupta et al., 2 Feb 2025).
• Unified, cross-modal defenses: Methods are needed that do not merely concatenate the safety properties of unimodal modules, but align representations and responses across modalities under adversarial distribution shift (Krishnan et al., 19 Mar 2026, Djanibekov et al., 18 May 2025).
• Signal-level and embedding-level joint detectors: Applying anomaly detection or consistency regularization at multiple levels (waveform, embedding, output space) remains an open area with empirical promise (Cheng et al., 23 Jan 2025).
• Adversarial evaluation protocols and benchmarks: Systematic evaluation pipelines, integrating both synthetic and real-world acoustic perturbations, are required to drive progress, as evidenced by initiatives such as AJailBench and JALMBench (Song et al., 21 May 2025, Peng et al., 23 May 2025).

The consensus in the field is that robust alignment for SLMs and ALMs necessitates domain-specific adversarial training, multi-granular system monitoring, and hardware co-design; generic text-based safety cannot adequately protect modern models operating over speech or audio input. The interdisciplinary nature of the attack surface—spanning signal processing, machine learning, and user studies—demands a similarly broad research and engineering response.