An acoustic adversarial example is an imperceptibly perturbed audio signal designed to force an automatic speech recognition (ASR) model to output a malicious target transcription while the audio remains indistinguishable from the original to a human ear. These attacks exploit the blind spots in a neural network's decision boundary by adding a minimal, optimized noise layer—often computed via the Carlini & Wagner (C&W) attack or Projected Gradient Descent (PGD)—that pushes the acoustic features just across a classification threshold. The perturbation is typically constrained by psychoacoustic masking principles to ensure it hides beneath the listener's perceptual threshold.
Glossary
Acoustic Adversarial Example

What is an Acoustic Adversarial Example?
An acoustic adversarial example is a carefully engineered audio waveform that sounds normal to human listeners but causes automatic speech recognition (ASR) systems to transcribe a completely different, attacker-chosen phrase.
In the context of embodied agents and voice-controlled autonomous systems, this attack vector enables hidden voice commands that can silently trigger actions like unlocking doors, initiating financial transfers, or rerouting navigation. Defenses include adversarial training on perturbed audio samples, input transformation techniques like quantization or filtering, and certified robustness methods such as randomized smoothing applied to spectrogram representations. The attack highlights the critical security gap between human auditory perception and machine signal processing in multimodal agent architectures.
Core Characteristics
The defining properties that distinguish acoustic adversarial examples from random noise, enabling them to reliably manipulate automatic speech recognition systems while remaining imperceptible to human listeners.
Imperceptibility Constraint
The perturbation must be psychoacoustically masked—inaudible or indistinguishable from background noise to human ears. Attackers leverage frequency masking and temporal masking phenomena, where louder sounds at nearby frequencies or times render the perturbation inaudible. The perturbation magnitude is typically constrained to a small Lp-norm (often L-infinity or L2) relative to the original waveform's amplitude, ensuring the modified audio sounds identical to the clean sample.
Targeted Transcription Mismatch
Unlike untargeted attacks that simply cause any error, acoustic adversarial examples aim for a specific, attacker-chosen transcription. The waveform is optimized so the ASR system outputs a target phrase (e.g., 'authorize transfer') while a human hears the original utterance (e.g., 'play music'). This is achieved by minimizing the Connectionist Temporal Classification (CTC) loss or sequence-to-sequence cross-entropy between the model's output distribution and the target token sequence.
Over-the-Air Robustness
For real-world attacks, the adversarial example must survive physical channel distortions. The perturbation is optimized using Expectation Over Transformation (EOT) to remain effective across varying room acoustics, microphone responses, speaker distances, and ambient noise. Without EOT, an example crafted in a digital domain fails immediately when played through a speaker and re-recorded due to reverberation, Doppler effects, and non-linear hardware distortion.
White-Box vs. Black-Box Transferability
Acoustic adversarial examples exhibit cross-model transferability, where perturbations generated against one ASR model (e.g., DeepSpeech) partially fool another (e.g., Kaldi or commercial APIs). This property enables black-box attacks on proprietary systems without gradient access. Transferability is enhanced by:
- Generating examples on an ensemble of surrogate models
- Using momentum-based iterative optimization
- Crafting perturbations that align with universal, model-agnostic spectrogram features
Psychoacoustic Loss Optimization
Advanced attacks incorporate psychoacoustic models directly into the loss function to enforce imperceptibility. Rather than relying solely on Lp-norm constraints, the optimizer penalizes perturbations that exceed frequency-dependent hearing thresholds. This is formalized using auditory masking curves from perceptual audio coding standards (e.g., MP3's psychoacoustic model), ensuring the added noise is shaped to fall below the absolute threshold of hearing at each frequency band.
Real-Time Attack Feasibility
Gradient-based acoustic attacks can be generated in near real-time on commodity hardware. Using optimized frameworks, a short utterance (under 5 seconds) can be adversarially perturbed in under 100 milliseconds. This enables interactive attack scenarios where an adversary injects a malicious command into a live audio stream—such as a phone call or smart speaker interaction—with imperceptible latency. The speed is achieved through fast gradient sign methods and pre-computed universal perturbation bases.
Frequently Asked Questions
Explore the mechanics, attack vectors, and defense strategies for imperceptible audio perturbations that hijack automatic speech recognition systems.
An acoustic adversarial example is an audio waveform that has been intentionally perturbed with a carefully calculated, quasi-imperceptible noise pattern. While the modified audio sounds virtually identical to the original to a human listener, it causes an Automatic Speech Recognition (ASR) model to transcribe a completely different, attacker-chosen phrase with high confidence. This works by exploiting the high-dimensional, non-linear decision boundaries of deep neural networks. By calculating the gradient of the ASR model's loss function with respect to the input audio, an attacker can add a tiny perturbation vector that pushes the acoustic features across a decision boundary, changing the model's phonetic interpretation without altering human perception. The attack typically targets the Mel-Frequency Cepstral Coefficients (MFCCs) or log-mel spectrogram features that serve as the input representation for most modern ASR pipelines.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the interconnected attack vectors and defense mechanisms surrounding acoustic adversarial examples, from hidden voice commands to robust detection frameworks.
Hidden Voice Command
An attack that embeds inaudible or obfuscated voice commands into audio streams—such as white noise, music, or ultrasonic carriers—to silently control voice assistants without the user's knowledge.
- Psychoacoustic hiding: Commands masked below human hearing thresholds using frequency masking models
- Ultrasonic upconversion: Baseband commands modulated onto ultrasonic carriers (>20kHz) that microphones nonlinearly demodulate
- DolphinAttack: Classic attack modulating voice commands onto ultrasonic carriers to control smartphones and smart speakers
- Key distinction: Unlike general acoustic adversarial examples, hidden voice commands specifically target human imperceptibility rather than just transcription alteration
Multimodal Adversarial Example
A perturbation crafted to simultaneously fool multiple sensing modalities—such as vision, audio, and depth—or to exploit inconsistencies in how a model fuses cross-modal information.
- Cross-modal transfer: Audio perturbations that degrade video action recognition when models rely on sound cues
- Fusion-layer targeting: Attacks on the concatenation or attention layers where unimodal features merge
- Embodied agent threat: An acoustic adversarial example could cause a robot to mishear a navigation command while visual input remains clean, creating dangerous action discrepancies
- Audio-visual speech recognition: Perturbing the audio track to alter lip-reading model outputs in tandem
Sensor Spoofing
An attack on an embodied agent that injects falsified data into hardware sensors such as microphones, LiDAR, or inertial measurement units to corrupt the agent's perception of its physical environment.
- Microphone array spoofing: Injecting phase-shifted adversarial audio to manipulate beamforming direction estimates
- Acoustic injection path: Direct electromagnetic interference on MEMS microphone diaphragms bypassing air-gapped systems
- Physical realization: Playing adversarial audio through a directional speaker to target a specific agent's microphone while humans hear normal sound
- Relationship: Acoustic adversarial examples are the payload; sensor spoofing is the delivery mechanism
Adversarial Training
A defensive technique that augments the training dataset with adversarially perturbed examples labeled with the ground-truth class, forcing the model to learn robust decision boundaries.
- Audio-specific challenges: Generating adversarial examples over raw waveforms requires differentiable audio processing pipelines
- Projected Gradient Descent on spectrograms: Iteratively perturbing mel-frequency cepstral coefficients while constraining perturbation magnitude
- Psychoacoustic constraints: Incorporating frequency masking thresholds into the perturbation budget to ensure imperceptibility during training
- Limitation: Adversarially trained ASR models often show reduced clean-audio accuracy and remain vulnerable to unseen attack formulations
Black-Box Attack
An adversarial attack executed without knowledge of the target model's architecture, parameters, or training data, relying instead on query access to observe input-output pairs or transferability.
- Transfer-based attacks: Crafting acoustic adversarial examples against a surrogate ASR model and playing them against the target system
- Query-based attacks: Genetic algorithms that iteratively mutate audio perturbations based on transcription feedback from cloud APIs
- Commercial ASR targeting: Black-box attacks against proprietary systems like Apple Siri, Amazon Alexa, or Google Speech-to-Text where model internals are opaque
- Practical threat model: Most real-world acoustic adversarial attacks operate in the black-box setting due to API-only access
Certified Robustness
A formal, provable guarantee that a model's prediction will not change for any input perturbation within a specified Lp-norm bound, often achieved through randomized smoothing or interval bound propagation.
- Randomized smoothing for audio: Adding Gaussian noise to raw waveforms and aggregating transcriptions to provide certified radii against L2 perturbations
- Temporal smoothing: Applying noise across time-stretched or pitch-shifted copies to certify robustness against temporal distortions
- Practical gap: Certified bounds for ASR models are typically too small to cover perceptible acoustic variations, limiting real-world deployment
- Active research area: Extending certification to sequence-to-sequence models where output length varies remains an open problem

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us