Audio Prompt Injection BSc Dissertation Oxford Brookes · 2026
Can a spoken instruction hijack an AI voice agent into doing something it shouldn't? Three audio-native models were put behind a customer-service desk with real tools. All three broke.
The question
Voice agents are already answering calls in banks and call centres. They carry the same weakness as any language model: they follow instructions. What happens when the instruction arrives as speech?
Prompt injection, where attacker text hidden in data is treated as a legitimate command, is well studied for text.
For audio, it was largely untested. Earworm closes that gap: it asks whether spoken adversarial input can compromise voice agents equipped with real tools, and whether some model architectures resist better than others.
The headline finding
The obvious fear is a secret payload buried beneath innocent speech: an instruction the AI hears but a human doesn't. Drag the slider and bury it deeper. Watch what happens.
Well concealed. The payload is inaudible beneath the cover speech, and no model acted on it.
Zero breaches at this concealment.
The semantic attack was more effective: a caller asking the agent plainly to do something it shouldn't. That worked on up to 56.9% of trials, without hiding the instruction in the audio.
How it was tested
Each run starts from an attack dataset, moves through an automated runner, swaps one Docker model profile onto the GPU, sends audio through the FastAPI agent, and scores every tool trace into the results database and Streamlit monitor.
The audio may be normal, persuasive, multilingual, emotional, or hiding a second instruction.
Voxtral, Ultravox, and Gemma are tested one at a time in the same setup.
Lookup, refund, account, SQL, and email tools connect to a customer database.
Success means the unsafe requested tool was not called.
The attack corpus
Every attack clip targeted a specific tool against a specific customer from a ten-person roster, so success could be verified automatically without a human judging the output.
Semantic, spoken
124
Ordinary spoken instructions where the model is asked, persuaded, or pressured.
Acoustic, hidden
25
A malicious instruction mixed beneath a normal conversation, at three concealment levels.
Benign, control
30
Ordinary customer requests, confirming the agent behaves under normal conditions.
What happened
Share of adversarial trials causing at least a partial security violation. 95% CI in brackets.
Spoken instructions beat hidden payloads on every model, at high significance.
Voxtral Mini 3B
+31.9 pp toward speech
Ultravox v0.5 8B
+48.9 pp toward speech
Gemma 4 E4B-it
+48.8 pp, zero acoustic breaches
Against plain English multilingual-category attacks, Ultravox failed 96% of the time, including an 88% complete-success rate. Under the same attacks in Japanese it held far better (50%), although different speech-synthesis engines partly confound that language gap.
What it means
A clean benign baseline with attack success rates approaching one in two makes this a practical, exploitable weakness, not a lab curiosity.
Models follow instructions whether typed or spoken. Hiding an attack acoustically added little; asking convincingly did the work.
Gemma's purpose-built audio encoder resisted every acoustic attack. Model choice measurably changes exposure, even with the environment held constant.
Distressed, time-critical callers outperformed calm, authoritative ones on two of three models. The trend was directional but consistent.
The defensive takeaway
Don't try to filter the audio. The vulnerability lives in the model's willingness to act, so defences belong at the tool and permissions layer, exactly where you'd defend a text channel.
Done responsibly
DATA
No real people or systems were ever at risk. Every customer was fabricated.
RUNTIME
A fully containerised sandbox; every write action was logged and immediately reverted.
DISCLOSURE
Findings shared with model providers, noting that open-weight local models can't be centrally patched.
GOVERNANCE
Ran under Oxford Brookes' signed E1 process and the BCS Code of Conduct.