Security researchers are warning that hackers may be able to secretly manipulate smart speakers and AI voice assistants using hidden sounds embedded inside ordinary audio and video content.

The threat centres around what researchers describe as “auditory prompt injection”, where specially engineered audio signals are interpreted by artificial intelligence systems but remain inaudible to human listeners.

Modern AI assistants rely heavily on large language models that combine speech recognition with text processing. While text-based AI jailbreaks have already become a major cybersecurity concern, researchers from China and Singapore say audio-based attacks have received far less attention despite potentially creating even greater risks.

The study, published on the arXiv preprint server, explains how attackers can use “adversarial audio” to override the built-in restrictions of AI systems and influence their behaviour without users noticing anything unusual.

Hackers have previously used text jailbreaks to bypass AI safety rules and force chatbots into generating harmful content, exposing restricted information or assisting with cybercrime. The new research suggests similar manipulation may now be possible through hidden audio cues delivered through speakers, online videos or background sound.

Researchers created a system called AudioHijack and tested it against 13 advanced audio-based AI models, including systems commonly used in voice assistants and smart devices.

According to the study, the attacks achieved success rates ranging from 79 to 90 per cent. In some cases, the manipulated AI systems refused legitimate prompts, while in more serious scenarios they could be tricked into downloading malicious files, misusing connected tools or exposing user information through email systems.

The researchers warn that the growing integration of AI into phones, smart speakers and connected home devices increases the potential impact of these attacks. Because the malicious audio cannot normally be heard by people nearby, users may never realise an AI system has been manipulated.

The study also highlights a lack of existing protection against this type of attack. Researchers say current AI safeguards largely focus on text-based prompts rather than hidden audio instructions.

They argue that future testing should examine how these attacks could affect real-world consumer devices and third-party applications as AI assistants become more deeply connected to everyday digital systems.