Abstract

Speech-enabled foundation models, such as the OpenAI Whisper model, are increasingly popular for their ability to perform various tasks beyond automatic speech recognition (ASR) using appropriate prompts. These models, including audio-prompted large language models (LLMs), offer significant flexibility, allowing for tasks like speech transcription and translation. However, this flexibility introduces susceptibility to adversarial attacks that can control the model’s behavior by altering the audio input. In our work, we demonstrate two forms of adversarial control over Whisper. The first form, “controlling Whisper,” shows that it is possible to prepend a short universal adversarial acoustic segment to any input speech signal, overriding the prompt settings of an ASR foundation model. Specifically, we successfully use this segment to force Whisper to always perform speech translation, even when set to perform speech transcription. The second form, “muting Whisper,” exploits Whisper’s use of special tokens in its vocabulary. We propose a method to learn a universal acoustic realization of Whisper’s special token, which, when prepended to any speech signal, causes the model to transcribe only the token, effectively muting the model. Our experiments demonstrate that a universal 0.64-second adversarial audio segment can mute a target Whisper ASR model for over 97% of speech samples and often transfers to new datasets and tasks. Overall, these works highlight the vulnerabilities of multi-tasking speech-enabled foundation models to adversarial attacks, demonstrating significant risks and potential implications for real-world applications.