Hidden Audio Signals Hijack Voice AI Systems with 79-96% Success Rate

New research presented at the IEEE Symposium on Security and Privacy reveals a practical attack vector against Large Audio-Language Models (LALMs). Attackers can embed imperceptible signals into audio clips to hijack model behavior, achieving a 79-96% average success rate across 13 leading open models, including commercial services from Microsoft and Mistral.
How the Attack Works
The modified audio clip is inaudible to human ears but triggers the model to execute hidden commands. Crucially, the attack works regardless of the user's accompanying instructions, making the same clip reusable against the same model multiple times. Training the adversarial signal takes approximately 30 minutes.
Exploited Capabilities
Researchers demonstrated that compromised models could be coerced into:
- Conducting sensitive web searches without user knowledge
- Downloading files from attacker-controlled sources
- Sending emails containing user data to external addresses
Affected Models
The attack was validated against 13 popular open-weight LALMs, including commercial voice AI APIs. This highlights that current voice AI systems lack robust safeguards against adversarial audio perturbations.
📖 Read the full source: HN AI Agents
👀 See Also

BlindKey: Blind Credential Injection for AI Agents
BlindKey is a security tool that prevents AI agents from accessing plaintext API credentials by using encrypted vault tokens and a local proxy. Agents reference tokens like bk://stripe, and the proxy injects the real credential at request time.

OpenClaw User Adds TOTP 2FA After Agent Exposed API Keys in Plain Text
An OpenClaw user created a security skill called 'Secure Reveal' that requires TOTP authentication via Telegram before displaying stored credentials, after their AI agent accidentally leaked API keys and passwords in plain text during a demo.

Ward: Open-source tool intercepts npm installs to block supply chain attacks for Claude Code users
Ward is an open-source tool that hooks into package managers to check every package before install scripts run. When Claude Code executes npm install, Ward automatically screens packages for malware, typosquats, suspicious scripts, and version anomalies.

AI-Built Apps Are Fragile: Why Small Changes Break Data Isolation and Permissions
Developers report that AI-generated apps (via Claude Code, Cursor) silently break login, permissions, and data isolation when small changes are made, because AI models lack understanding of original system intent like ownership rules.