This work reveals severe adversarial vulnerability in state-of-the-art deep noise suppression (DNS) models: imperceptible adversarial perturbations can cause complete output distortion or even induce targeted speech generation. Method: We systematically evaluate four representative SOTA DNS models and propose gradient-based white-box and black-box adversarial attack methods. Contribution/Results: We provide the first empirical evidence of pervasive strong adversarial fragility across these models; demonstrate effective cross-model transferability of attacks; and successfully realize over-the-air attacks in realistic speaker–microphone setups. All tested models degrade to unintelligible outputs under attack, with high success rates in targeted speech injection. These findings expose critical security risks for industrial DNS deployment, underscoring an urgent need for practical, robust defense mechanisms against adversarial perturbations.

Deep noise suppression (DNS) models enjoy widespread use throughout a variety of high-stakes speech applications. However, in this paper, we show that four recent DNS models can each be reduced to outputting unintelligible gibberish through the addition of imperceptible adversarial noise. Furthermore, our results show the near-term plausibility of targeted attacks, which could induce models to output arbitrary utterances, and over-the-air attacks. While the success of these attacks varies by model and setting, and attacks appear to be strongest when model-specific (i.e., white-box and non-transferable), our results highlight a pressing need for practical countermeasures in DNS systems.