The model sees the hidden instruction; we don't.
Inaudible audio modifications can hijack AI chatbots to steal data, send emails, or download files while remaining undetectable to human ears. The attack exploits Large Audio-Language Models used in voice assistants and transcription tools, affecting millions of daily users across multiple platforms.
- AudioHijack achieves 79-96% success rate in covert instruction injection
- Attack requires only 30 minutes of training to create a reusable signal
- Tested on 13 open-source models including Microsoft and Mistral voice AI
- Six attack categories: false claims, request rejection, misinformation, malicious links, personality alteration, unauthorized tool use
- Existing defenses reduce attack success by only 7-28%
Researchers discovered AudioHijack, a technique manipulating AI language models through imperceptible audio alterations, achieving 79-96% success rates in covert instruction injection without user detection.
A team of researchers has demonstrated a new way to hijack artificial intelligence systems—not by breaking into servers or stealing passwords, but by whispering instructions that human ears cannot hear. The attack, called AudioHijack, works by subtly altering the audio signals fed into AI voice models, embedding hidden commands that the systems obey with a success rate between 79 and 96 percent. The person using the chatbot hears nothing unusual. The AI hears everything the attacker wants it to hear.
The vulnerability sits at the intersection of two technologies that have become woven into daily life: large language models and voice interfaces. These systems—the kind that transcribe video calls, answer questions on smartphones, or process voice commands—work by converting audio into text, then generating responses or taking actions based on what they understand. Researchers at institutions including Zhejiang University in China tested the attack on thirteen open-source models, including Microsoft's voice AI services and Mistral. They could not test it on the most advanced closed systems from OpenAI or Anthropic because those companies do not publicly disclose their internal architecture.
The mechanics are straightforward in concept but sophisticated in execution. An attacker modifies the numerical values that represent a sound wave—the raw data underneath the audio file itself. This manipulation leaves the sound imperceptible to human hearing but changes how the AI model processes it. Using an optimization algorithm, the attacker repeatedly adjusts the audio, measures how the model responds, and fine-tunes the signal until the system does what the attacker wants. Meng Chen, a doctoral student leading the research, told IEEE Spectrum that only thirty minutes of training is needed to create such a signal, and because it works independently of context, it can be deployed against a target model repeatedly, regardless of what the legitimate user is saying.
The researchers demonstrated six categories of attack. They made models claim they could not process audio. They made them reject user requests. They injected false information into responses, embedded malicious links, altered the personality of the AI assistant, and triggered unauthorized use of tools. In one scenario, the hidden instruction was embedded in a video. In another, it was hidden in a music clip or voice note. The researchers even showed it working in real-time voice chat, where the AI is receiving the user's voice as it speaks.
What makes AudioHijack particularly alarming is how resistant it proved to existing defenses. When researchers gave models examples of malicious instructions to help them learn to detect such attacks, the success rate of AudioHijack dropped by only seven percent. When they asked the models to reflect on whether their responses matched the user's actual instructions—a kind of internal consistency check—detection improved to only 28 percent. Chen noted that the models struggle fundamentally to distinguish between a user's legitimate intent and the hidden attack signal. The only effective defense involved monitoring the internal attention mechanisms of the models to catch when AudioHijack tries to redirect focus toward the malicious audio. But even this barrier can be circumvented: attackers who know about this defense can reduce their manipulation of attention, accepting a slight decrease in success rate in exchange for evading detection.
This research builds on years of prior work exploring audio-based attacks on AI systems. Earlier studies showed how to trick simpler, one-directional models used only for speech recognition or audio classification. AudioHijack targets a more powerful class of systems—those capable of understanding audio, generating text, and taking real-world actions. The implications ripple outward. These voice-based AI tools are embedded in applications used by millions of people daily. A successful attack could extract sensitive data like banking credentials if a user is logged into a financial app. It could send emails, download files, or perform searches on confidential information, all while the user remains unaware that their AI assistant has been compromised. The researchers published their findings to alert the industry to a critical weakness in how these systems are designed and defended. For now, the most advanced closed-source models remain untested against AudioHijack, leaving an open question about whether the systems trusted by the largest number of people are equally vulnerable.
Notable Quotes
Only thirty minutes of training is needed to create such a signal, and because it works independently of context, it can be deployed against a target model repeatedly.— Meng Chen, doctoral student at Zhejiang University, to IEEE Spectrum
These models struggle fundamentally to distinguish between a user's legitimate intent and the hidden attack signal.— Meng Chen
The Hearth Conversation Another angle on the story
So the AI can't hear the attack, but it responds to it anyway. How is that possible?
The attack doesn't work on sound as humans perceive it. It modifies the raw numerical data underneath the audio—the waveform itself. The AI processes that data directly, before it becomes something a person would recognize as sound. The model sees the hidden instruction; we don't.
And the AI just... obeys? Even though the user never said anything?
That's the core problem. The model can't tell the difference between a legitimate instruction from the user and a hidden one embedded in the audio. Both are just data to process. It has no way to know which voice to trust.
The researchers said only thirty minutes of training creates an attack signal. That seems fast.
It is. And once you have that signal, you can use it over and over. It doesn't depend on what the user is actually saying. You could deploy it against the same model a hundred times with a hundred different users, and it would work every time.
What about the defenses they tested? Couldn't the AI be taught to spot these attacks?
They tried. Showing the model examples of malicious instructions barely helped—success rates only dropped seven percent. Asking the model to double-check its own reasoning helped more, but still only caught 28 percent of attacks. The model fundamentally struggles to distinguish between what the user wants and what the hidden signal wants.
So what actually works?
Monitoring the model's internal attention mechanisms—watching where it's focusing its processing power. But that's expensive and complex. And researchers showed that attackers who know about this defense can adapt by being more subtle, accepting a slightly lower success rate to stay hidden.