The Security Gap in Open-Source Audio Watermarks
Why we built Open Access for audio watermarking
Open research has accelerated audio watermarking. But open deployment introduces a harder security question.
Audio is now easy to generate, easy to transform, and increasingly difficult to verify at scale. When a watermarking system is fully exposed, attackers can optimize directly against the system they want to defeat.
As generative audio scales, the question is no longer only whether we can embed a transparent watermark. It is whether that watermark remains meaningful under attack without turning the watermark system itself into an attack surface.
Introduction: the open-source security paradox
As generative audio has moved from research novelty to production reality, watermarking has become one of the most widely discussed tools for copyright protection, provenance, and AI-content authentication.
Open-source work, including visible systems such as Meta AudioSeal, has helped make audio watermarking more accessible to researchers. That visibility matters. Research transparency matters. But transparency and deployment security are not the same thing.
When the full watermark stack is open, from encoder to decoder to detection logic, the same access that helps inspection can also give attackers a precise optimization target.
To understand the deployment risk, we evaluated mainstream open-source audio watermark systems under a white-box threat model. Our conclusion is direct: under white-box access, open-source audio watermark systems can be far more fragile than they appear in standard demos.
- Destructionblinding the watermark recovery path
- Graftingtransferring watermark identity
- Forgeryrewriting hidden payloads
The point is not that open research is bad. The point is that open source is not the same thing as secure deployment.
1. The Eraser: destruction under white-box access
The most basic attack asks a simple question: how hard is it to perturb the audio just enough that the watermark can no longer be recovered reliably?
We tested 500 watermarked audio files, each 10 seconds long, at AudioSeal's native sampling rate of 16 kHz. The original files began with 100% recovery accuracy. We then applied a white-box adversarial perturbation: an imperceptible, optimized signal designed specifically to disrupt watermark recovery.
- Success rate: 100%
- Time to break: 2-3 optimization steps
- Runtime: about 2 seconds on a consumer GPU
In practice, the watermark recovery path was blinded almost immediately. Accuracy fell from 100% to below 50%, close to random guessing.
Once the model is exposed, watermark erasure becomes cheap, fast, and highly reliable.
VIS 01 / ERASER EFFICACY
Recovery collapses under white-box access
Pending
The visualization shows the measured endpoints only: 100% before the attack and below 50% after the attack. The middle state represents the optimization process, not an additional reported data point.
2. The Copy-Paste: grafting and identity transfer
The second attack asks a more troubling question: if a watermark signal can be isolated from one file, can it be transferred onto a completely different file and still be read as valid?
To test this, we extracted watermark masks from watermarked audio and overlaid them onto unrelated, previously unwatermarked clips.
- Overall viability: high
- Perfect transfers: 77 out of 500 reached 100% recovery
- Common range: many other transfers landed between 87.5% and 93.75%
This is not a positive outcome for the system. A high transfer success rate means watermark-bearing identity can be moved from one asset to another unrelated asset and still be accepted as valid.
Grafting should be understood as a form of identity theft for audio provenance.
VIS 02 / IDENTITY TRANSFER
Grafting Accuracy Distribution
500 transferred samples grouped by recovery band. Red is the highest-risk outcome.
Risk legend
3. The Brainwash: targeted forgery of hidden payloads
Destroying a watermark is one thing. Transferring a watermark is worse. The highest-risk scenario is targeted forgery: making the system recover a completely different hidden message chosen by the attacker.
We instructed the attack to rewrite the original hidden 16-bit payload into a random target 16-bit message. The success criterion was strict: the recovered message had to match the attacker-chosen target perfectly.
- Success rate: 100%
- Time to break: 3-16 optimization steps
- Runtime: about 2-6 seconds on a consumer GPU
- Average: roughly 5 steps
Under that threat model, the watermark system was fully compromised. With only a small allowed waveform disturbance, the attack consistently forced recovery of the attacker-chosen target watermark. This is no longer simple removal. It is payload forgery.
VIS 03 / TARGETED FORGERY
The detector recovers the attacker target
Why white-box access changes the game
Under white-box access, the attacker is not guessing. They can optimize directly against the watermark system itself.
At 16 kHz audio, every second of waveform gives the attacker 16,000 dimensions they can manipulate. Once the model is open, those dimensions become controllable knobs for destruction, transfer, or forgery.
From vulnerability to design choice
These attacks point to the same deployment issue: many open-source watermark systems are built first for transparency and research accessibility, not with security as the primary product constraint.
OfSpectrum takes a different path. We treat security as a first-order design requirement, which is why Open Access is built to support external evaluation without exposing the full attack blueprint.
Our solution: Open Access over open source
Open Access lets researchers, labs, and enterprise teams evaluate real workflows and pressure-test the API without making the core watermark stack permanently available as an optimization target.
Privacy, provenance, and a stronger community
Privacy-preserving provenance should be useful to researchers, builders, institutions, and the broader public, not only a small technical circle.
Open Access keeps participation possible while preserving the integrity of security-sensitive infrastructure.
