
AudioHijack: How Hidden Sounds Make AI Execute Malicious Commands

Researchers have discovered a critical vulnerability in voice AI. The new AudioHijack technique embeds hidden commands, inaudible to humans, into audio files. AI models

Source: IEEE Spectrum AI. Collage: Hamidun News.

Voice assistants and AI systems are penetrating deeper into our lives — from smart speakers and smartphones to corporate chatbots and customer service systems. These systems can not only recognize speech but also generate responses, transcribe meetings, and connect to external services. But new research has uncovered a critical vulnerability: hidden sounds, completely inaudible to the human ear, can force such systems to execute malicious commands.

AudioHijack Technique

Researchers from Zhejiang University have developed a new attack method called AudioHijack. Its idea is deceptively simple: embed into an ordinary audio file hidden instructions that the human ear won't hear but an AI model will recognize and execute. The researchers will present the results of their experiments at the upcoming IEEE Symposium on Security and Privacy.

When specially prepared sound signals were embedded in audio files, AI models began performing dangerous actions: searching for sensitive information on the internet, downloading files from controlled servers, sending emails with personal data. Researchers tested 13 leading models, including commercial services from Microsoft and Mistral. The results are shocking: the attack works in 79-96% of cases.

The sound signal is created in half an hour and can be used repeatedly against one model, regardless of the user's instructions.

How the Attack Works

The technique is based on the concept of adversarial audio: sound files specially modified to deceive machine-learning models. But AudioHijack's distinction is significant: it targets generative models that can not only analyze sound but also make decisions and interact with other systems.

Researchers identified a critical flaw in the architecture of large audio-language models (LALMs). Since these models receive instructions in audio format, it's easy to embed malicious commands in audio files. The key difference from previous attacks: the attacker doesn't need to control either the user or their original instructions, only the audio file itself.

Real-world attack scenarios are easy to imagine:

  • Embedding hidden commands in music or video that the user sends for AI analysis
  • Malicious audio on a Zoom call that is later uploaded to an automatic transcription service
  • Injection into a live voice conversation with an AI assistant in real time

Defense is Practically Ineffective

Researchers tested several defensive approaches. Providing the model with examples of malicious instructions helped only 7%. Asking the AI to check whether its response matches the user's original instructions intercepted only 28% of attacks.

"These targeted defenses don't work because it's very difficult for models to distinguish between normal user intent and our attack," says Meng Chen.

The only partially effective method is monitoring the model's attention mechanism to detect when it excessively focuses on malicious audio. However, such protection reduces speed, and if the attacker learns about it, they can calibrate the technique to bypass it.
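A sketch of what such attention monitoring could look like, added here as an illustration and not taken from the researchers' work. It assumes the serving stack can export one attention row per generated token (already averaged over heads and layers) and knows which input positions hold the audio; the median-plus-MAD threshold, the function names and all sample values are constructed for this example.

```python
# Added illustration, not the researchers' detector. Assumed inputs: one attention
# row per generated token over all input positions (already averaged over heads and
# layers), and the index range that the audio occupies in that input.
from statistics import median

def audio_attention_share(attn_rows, audio_span):
    """Mean fraction of attention mass that generated tokens place on the audio span."""
    start, end = audio_span  # half-open range [start, end)
    shares = []
    for row in attn_rows:
        total = sum(row)
        if total <= 0:
            continue  # skip degenerate rows instead of dividing by zero
        shares.append(sum(row[start:end]) / total)
    if not shares:
        raise ValueError("no usable attention rows")
    return sum(shares) / len(shares)

def calibrate(benign_shares, k=4.0):
    """Threshold = median + k * MAD of shares measured on known-benign requests."""
    med = median(benign_shares)
    mad = median(abs(s - med) for s in benign_shares)
    return med + k * max(mad, 1e-3)  # floor keeps the threshold above the median

def is_suspicious(attn_rows, audio_span, threshold):
    """True when the response leaned on the audio far more than benign traffic does."""
    return audio_attention_share(attn_rows, audio_span) > threshold

# Constructed sample data: positions 0-3 hold the user's instruction, 4-9 the audio.
AUDIO_SPAN = (4, 10)
BENIGN_SHARES = [0.42, 0.47, 0.51, 0.45, 0.49, 0.44]  # constructed calibration set
BENIGN_ROWS = [
    [0.15, 0.15, 0.10, 0.10, 0.10, 0.10, 0.10, 0.10, 0.05, 0.05],
    [0.20, 0.10, 0.15, 0.10, 0.05, 0.10, 0.10, 0.10, 0.05, 0.05],
]
HIJACKED_ROWS = [  # constructed: generation attends almost only to the audio
    [0.02, 0.02, 0.03, 0.03, 0.20, 0.20, 0.15, 0.15, 0.10, 0.10],
    [0.01, 0.02, 0.01, 0.01, 0.25, 0.20, 0.20, 0.10, 0.10, 0.10],
]

if __name__ == "__main__":
    threshold = calibrate(BENIGN_SHARES)
    for name, rows in (("benign", BENIGN_ROWS), ("hijacked", HIJACKED_ROWS)):
        share = audio_attention_share(rows, AUDIO_SPAN)
        print(f"{name}: share={share:.3f} threshold={threshold:.3f} "
              f"flag={is_suspicious(rows, AUDIO_SPAN, threshold)}")
```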

What This Means

AudioHijack shows that voice AI systems are not just convenient assistants but potential channels for serious attacks. As these models become integrated into critical systems, the problem becomes more acute. Companies need not targeted defenses but deep architectural solutions — a rethinking of how models process and validate input data.
