Audio-Based Prompt Injection: Attacks You Cannot Hear

Audio-based prompt injection targets voice interfaces, audio transcription services, and any LLM pipeline that processes spoken content. The DolphinAttack paper (ACM CCS 2017) demonstrated that inaudible ultrasonic voice commands could control digital assistants. The same principle applies to LLM applications.

Attack techniques

• Speech-based: Simply speaking the injection payload. If the audio is transcribed and fed to an LLM, the spoken injection becomes text injection.
• Ultrasonic: Embedding commands above the human hearing range (typically above 20kHz). The microphone captures them, the transcription model processes them, but humans cannot hear them.
• Whispered: Very quiet spoken commands mixed into ambient audio. Hard for humans to notice in a noisy recording.
• Background embedding: Injection commands layered beneath background music or ambient sound.
• Reversed audio: Commands played backwards that, when reversed by the transcription model, produce injection text.
• Speed-shifted: Commands spoken at unusual speeds that normalise when processed by the model.

In Bordair's Castle

Kingdom 4, the Echo Chamber, is dedicated to audio-based attacks. From Dex, the half-deaf gate guard, to the Sonic Overlord who hears every frequency, players must use audio to get past sonic defences.

The Sonic Overlord hears everything. Six guards have fallen, and their echoes still bounce off the walls.

Prevalence

Audio injection is the newest multimodal attack category. Our dataset contains 2,760 text-audio combinations across 6 delivery methods.

How Bordair detects it

Bordair's audio scanning pipeline uses a three-stage approach: ultrasonic gate (detects frequencies above human hearing), spectral anomaly analysis (identifies unusual patterns in the audio spectrum), and Whisper-based transcription followed by text scanning. This catches both audible and inaudible injection attempts.