A team of researchers from Zhejiang University, the National University of Singapore, and Nanyang Technological University has pulled back the curtain on AudioHijack, a stealthy new attack that leverages imperceptible audio to inject malicious prompt commands into voice-controlled AI systems. Presented at an IEEE Symposium, the demonstration underscores a growing threat vector for the millions of devices—from smart speakers to Windows laptops—that now accept voice input.

Voice AI has quietly woven itself into daily computing. Over 77% of U.S. adults own a smartphone with a voice assistant, and more than half of smart speaker owners use the device daily. On Windows, voice access features enable hands‑free control, and Microsoft Copilot’s voice interaction capabilities are rapidly expanding. With each passing software update, the attack surface widens. AudioHijack is the latest proof that the very convenience of speaking to our machines can be turned against us.

The anatomy of a hidden‑audio attack

Hidden‑audio attacks are not new, but they have evolved from academic curiosities into practical threats. Typically, an attacker crafts an audio signal that a human listener cannot consciously perceive—using ultrasonic frequencies, low‑volume embedding in background music, or psychoacoustic masking—but that a voice assistant’s speech‑recognition engine parses as a legitimate spoken command. The result: a device can be ordered to unlock doors, transfer funds, exfiltrate data, or browse to malicious websites, all without the user hearing a thing.

AudioHijack builds on this premise. While the researchers have not yet disclosed the full technical details, the very name suggests an attack that hijacks an existing audio stream or the AI’s processing pipeline to insert adversarial prompts. Because the research was accepted at a major IEEE Symposium, it underwent rigorous peer review, lending credibility to its claimed end‑to‑end exploitability.

Prompt injection meets voice interfaces

Prompt injection attacks originally gained notoriety in text‑based large language models, where a cleverly crafted input can override system instructions and make the model behave in unintended ways. Translating the concept to voice introduces new dimensions: an attacker can now inject commands through ambient audio in a cafe, over a phone call, or via a malicious video played on the same device. No keyboard interaction is required.

In an agent‑based setting—where the AI assistant can invoke third‑party skills, make API calls, or control smart home routines—the consequences escalate rapidly. A hidden prompt could instruct the AI to:
- Disable security cameras
- Post private information to social media
- Send phishing emails from the user’s account
- Execute arbitrary shell commands on a linked PC

AudioHijack is significant because it specifically targets these agent tool‑use scenarios, where the AI is empowered to act on the user’s behalf. Even if the assistant requires a wake word, researchers have shown that some devices interpret commands following a wake word within a short grace period; a hidden audio sequence played just after a genuine wake word can bypass this protection.

Windows: a growing target

Windows environments are increasingly voice‑driven. The Voice Access feature supports dictation and UI control. Microsoft Copilot, deeply integrated into Windows 11, now accepts natural‑language voice input, and its plugin architecture can trigger a wide range of system actions. A hidden‑audio prompt injection that slipped past Copilot’s safeguards could theoretically launch applications, modify settings, or interact with connected services—all silently.

Historically, Windows has also supported Cortana (now deprecated for standalone use, but still powering some voice features) and Microsoft 365 voice capabilities. Each of these listening endpoints represents a potential vector. With hybrid work, a single laptop often serves as both a personal and enterprise device, meaning a compromise could cascade from a harmless music player command to a full‑blown corporate breach.

The AudioHijack research does not single out any particular assistant, but the underlying principles apply to any voice AI that processes audio with machine‑learning models. Because Windows Copilot runs large language models both locally and in the cloud, its attack surface is multifaceted: on‑device processing might be more resistant to certain noise‑based attacks, but cloud‑side processing could be tricked if the audio encoding masks the adversarial payload.

Real‑world risks and past precedents

Past research provides a sobering backdrop. The 2017 DolphinAttack used ultrasonic tones to command Siri, Alexa, and Google Assistant. Follow‑up work, such as LipRead and SurfingAttack, extended these attacks to more realistic scenarios, including through solid surfaces and over telephony networks. The 2020 study “Light Commands” even used lasers to inject voice commands by vibrating microphone membranes. Each step brought the threat out of the lab and closer to a practical, low‑cost exploit.

AudioHijack appears to be the next iterative step—one that combines hidden audio with prompt injection, a technique that could bypass content filters designed to block known malicious commands. Because the prompt is injected as a natural‑language instruction embedded in what the AI perceives as a user’s request, it becomes much harder for static‑rule filters to detect.

Consider a smart office: a visitor’s phone plays a seemingly benign video, but buried in the audio is a command that instructs the conference room voice assistant to forward the next email attachment to an external address. The user hears only the video’s narration; the assistant hears both. Such an attack requires only that the attacker be in acoustic range, which in open‑plan offices, public transit, and coffee shops is trivial.

Defensive strategies and their limitations

Defending against hidden‑audio attacks is a multifaceted challenge:

Model resilience. Training speech‑recognition models on adversarial examples can improve robustness, but attackers constantly evolve their techniques. Audio adversarial samples are often transferable, meaning a defense trained on one type of perturbation may fail against a novel one.

Ultrasonic filtering. Many attacks rely on frequencies above the human hearing range (≈20 kHz). A low‑pass filter that discards ultrasonic content can thwart them, but this also degrades audio quality for high‑fidelity applications. Moreover, attacks that use low‑volume audio within the audible spectrum—like Psychoacoustic Hiding—remain effective.
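A detection-side counterpart to the filtering described above, as an added example that is not taken from the AudioHijack research or any vendor: it measures how much of a captured frame's energy lies above 20 kHz and shows that a quiet in-band signal is not flagged. The 96 kHz capture rate, the 5% threshold and the three test frames are assumptions constructed for illustration.

```python
import cmath
import math

RATE = 96_000       # assumed capture rate, high enough to represent content above 20 kHz
CUTOFF_HZ = 20_000  # approximate upper limit of human hearing, per the text
N = 480             # 5 ms frame, so each DFT bin is 200 Hz wide


def tone(freq_hz, amplitude):
    """Constructed test signal: one frame of a pure sine tone."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / RATE) for i in range(N)]


def mix(*signals):
    """Sample-wise sum of equally long signals."""
    return [sum(samples) for samples in zip(*signals)]


def ultrasonic_ratio(frame):
    """Fraction of the frame's spectral energy above CUTOFF_HZ (naive DFT)."""
    n = len(frame)
    above = total = 0.0
    for k in range(1, n // 2):  # skip DC, stay below Nyquist
        coeff = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(frame))
        energy = abs(coeff) ** 2
        total += energy
        if k * RATE / n > CUTOFF_HZ:
            above += energy
    return above / total if total else 0.0


def is_suspicious(frame, threshold=0.05):
    """Flag frames whose ultrasonic share exceeds an assumed 5% threshold."""
    return ultrasonic_ratio(frame) > threshold


# Constructed frames (not recordings): a speech-band tone, the same tone with a
# 25 kHz component added, and the same tone with a quiet audible 3 kHz component.
CLEAN = tone(1_000, 0.5)
ULTRASONIC = mix(tone(1_000, 0.5), tone(25_000, 0.5))
AUDIBLE_QUIET = mix(tone(1_000, 0.5), tone(3_000, 0.02))

if __name__ == "__main__":
    for name, frame in [("clean", CLEAN), ("ultrasonic", ULTRASONIC), ("audible", AUDIBLE_QUIET)]:
        print(name, round(ultrasonic_ratio(frame), 3), is_suspicious(frame))
```

The third frame passes the check, which is the limitation the paragraph notes for low‑volume content inside the audible spectrum.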

Contextual anomaly detection. An assistant that suddenly receives a command to transfer money after a period of silence should be given extra scrutiny. Analyzing command sequences for unusual patterns (time, location, type) can flag injections, but such systems generate false positives that frustrate users.

User confirmation for sensitive actions. Requiring a touch‑screen confirmation for high‑impact commands is a straightforward and effective barrier. However, it undercuts the hands‑free convenience that voice AI promises, so adoption is inconsistent.
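One way to make such a confirmation hold up against injected speech, as an added example that is not from the research or any assistant's actual code: the approval is a single-use token issued only by the touch-screen handler and bound to the exact tool call, so a spoken "yes" or an approval for a different action cannot authorize it. The tool names and the functions `issue_touch_token` and `authorize` are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical tool names modelled on the high-impact actions listed in the text.
SENSITIVE_TOOLS = {"disable_camera", "post_social", "send_email", "run_shell"}
_KEY = secrets.token_bytes(32)  # secret held by the confirmation UI, never by the voice path
_unused_nonces = set()          # approvals that were issued but not yet consumed


def _mac(nonce, tool, args):
    """HMAC over the nonce and the canonical form of the exact tool call."""
    msg = json.dumps([nonce, tool, args], sort_keys=True).encode()
    return hmac.new(_KEY, msg, hashlib.sha256).hexdigest()


def issue_touch_token(tool, args):
    """Called only by the touch-screen handler after the user taps approve."""
    nonce = secrets.token_hex(8)
    _unused_nonces.add(nonce)
    return f"{nonce}:{_mac(nonce, tool, args)}"


def authorize(tool, args, touch_token=None):
    """Return True if the assistant may execute this tool call."""
    if tool not in SENSITIVE_TOOLS:
        return True                      # low-impact calls stay hands-free
    if not touch_token or ":" not in touch_token:
        return False                     # audio alone never approves a sensitive call
    nonce, mac = touch_token.split(":", 1)
    expected = _mac(nonce, tool, args)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                     # token was issued for a different call
    if nonce not in _unused_nonces:
        return False                     # unknown or already used approval
    _unused_nonces.discard(nonce)
    return True


if __name__ == "__main__":
    call = {"to": "alice@example.com", "subject": "minutes"}  # constructed sample
    token = issue_touch_token("send_email", call)
    print(authorize("send_email", {"to": "other@example.net"}, token))  # altered call
    print(authorize("send_email", call, token))                         # approved call
    print(authorize("send_email", call, token))                         # replay
```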

Wake‑word hardening. If wake words are recognized only when spoken by the enrolled user, an attacker cannot easily start a command sequence. Speaker‑verification models have improved, but they are not infallible, and many assistants still allow a generic wake word.

AudioHijack’s prompt‑injection angle may defeat some of these defenses because the attacker does not need to commandeer the entire session—they merely need to insert an instruction into an already‑active dialogue. Even if the wake word is securely verified, a hidden command whispered during the user’s legitimate request can be blended with genuine audio and processed together.

The Windows user’s mitigation playbook

While Microsoft and other platform vendors work on architectural defenses, Windows users can take several steps today:
- Disable always‑listening features when not needed. Under Windows Settings > Accessibility > Voice, turn off “Voice wakeup” if it is enabled.
- Restrict assistant privileges. In Windows Copilot, review which plugins and actions are permitted. Remove any that access sensitive data unless absolutely required.
- Use a physical microphone kill switch (available on many business‑class laptops) or a USB headset with a mute button when voice interaction is not being used.
- Keep audio drivers and firmware updated. Some attacks exploit vulnerabilities in microphone signal processing that vendors quietly patch.
- Be mindful of environmental noise. In public spaces, consider using push‑to‑talk for voice commands rather than relying on wake words.

The bigger picture

AudioHijack is yet another signal that the convenience‑security trade‑off in voice AI is dangerously unbalanced. Every major OS vendor now treats voice as a primary input modality, yet the underlying speech‑recognition models remain largely opaque and under‑reviewed from a security perspective. The IEEE Symposium presentation will likely spark a new wave of countermeasure research, but real‑world deployment of those defenses often lags by years.

For Windows enthusiasts, the message is clear: voice‑activated features are powerful, but they must be configured with the same caution as any network service opening a new port. The same Copilot that helps you draft a document could, if exploited by a well‑crafted hidden‑audio prompt, become the vector for a silent compromise. The AudioHijack research team has not claimed that Windows Copilot is currently vulnerable, but their findings serve as a universal warning.

When the full paper and its associated demonstrations are made public, the community will gain a deeper understanding of the attack’s mechanics and its limitations. Until then, awareness and basic hygiene remain the best shields against an invisible adversary.