LLM side-channel attack could allow snoops to guess what you're talking about


Mischief-makers can guess the subjects being discussed with LLMs using a side-channel attack, according to Microsoft researchers. They told The Register that models from some providers, including Anthropic, AWS, DeepSeek, and Google, haven't been fixed, putting both personal users and enterprise communications at risk.

A side-channel attack monitors indirect signals, like power consumption, electromagnetic radiation, or timing, to steal cryptographic keys and other secrets. While they usually target hardware – remember Spectre, Meltdown, and all the related CPU bugs since – researchers have been poking around for side-channel vulnerabilities in LLMs.

Microsoft researchers successfully developed one such attack, named Whisper Leak, which infers the topics of prompts from encrypted LLM queries by analyzing packet size and timing patterns in streaming responses. 

Streaming models send responses to users incrementally, in small chunks or tokens, as opposed to sending the complete responses all at once. This makes them susceptible to an attacker-in-the-middle scenario, where someone with the ability to intercept network traffic could sniff those LLM tokens.

"Cyberattackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyberattack to infer if the user's prompt is on a specific topic," researchers Jonathan Bar Or and Geoff McDonald wrote.

"This especially poses real-world risks to users by oppressive governments where they may be targeting topics such as protesting, banned material, election process, or journalism," the duo added.

Redmond disclosed the flaw to affected vendors and says some of them – specifically Mistral, Microsoft, OpenAI, and xAI – have implemented mitigations to protect their models from this type of side-channel attack.


Microsoft also tested the attack against other providers and models including Alibaba Qwen, Anthropic's Claude, Amazon Nova, DeepSeek, Lambda Labs, and Google's Gemini. Some providers declined to implement fixes citing various rationales, while several others remained unresponsive despite follow-up attempts, according to a related technical paper about Whisper Leak. 

This is still the case, according to Bar Or, who told The Register that "to date, we have not heard from other vendors about additional mitigations."

The Register also reached out to these vendors but did not receive any response.

"As far as we know, there are currently no attacks in the wild," Bar Or said. "However, it's important to note that an adversary with the ability to save network packets could potentially perform this attack offline. The attack itself is probabilistic in nature, meaning different vendors are impacted in different ways."

Proof-of-concept shows how the attack would work

Redmond's team produced a Whisper Leak attack demo and proof-of-concept code that uses the models to conclude a probability (between 0.0 and 1.0) of a topic being "sensitive" – in this case, money laundering.

For this proof-of-concept, the researchers used a language model to generate 100 variants of a question about the legality of money laundering, mixed them with general traffic, and then trained a binary classifier to distinguish the target topic from background queries.

Then they collected data from each language model service individually, recording response times and packet sizes by sniffing the network with tcpdump. They also shuffled the order of positive and negative samples during collection and introduced variants by inserting extra spaces between words, which helps avoid interference from response caching.

After collecting data from all of the models, the researchers evaluated three different machine learning classifiers, each in three modes (time-only, packet-size-only, or both):

  • LightGBM: A gradient boosting framework.
  • LSTM-based (Bi-LSTM): A recurrent neural network architecture suitable for sequential data.
  • BERT-based: Using a pre-trained transformer model (DistilBERT-uncased) adapted with extended tokens representing size and time buckets for sequence classification.

The duo then measured the models' performance using Area Under the Precision-Recall Curve (AUPRC).

In several of the models, including ones hosted by providers Alibaba, DeepSeek, Mistral, Microsoft, xAI, and OpenAI, classifiers achieved over 98 percent AUPRC, indicating near-perfect separation between sensitive and normal traffic.

They then simulated a "more realistic surveillance scenario" in which an attacker monitored 10,000 conversations, with only one about the target topic in the mix. They performed this test several times, and in many cases had zero false positives, while catching the money-laundering messages between 5 percent and 50 percent of the time. They wrote:

There are a few different ways to protect against size and timing information leakage. Microsoft and OpenAI adopted a method introduced by Cloudflare to protect against a similar side-channel attack: adding a random text sequence to response fields to vary token sizes, making them unpredictable, and thus mostly defending against size-based attacks. 

"We have directly verified that Microsoft Azure's mitigation successfully reduces attack effectiveness to levels we consider no longer a practical risk," the duo said in the Friday blog.

Other mitigation measures include grouping multiple tokens before transmission. This decreases the number of observable network events and obscures individual token characteristics. 
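As an added illustration (not the researchers' proof-of-concept and not any vendor's actual implementation), the Python below simulates a streaming endpoint with and without the two mitigations just described, a random-length padding field per event and token grouping, and measures how closely on-the-wire event size tracks the true token length. The token stream, the SSE framing and the field name `obfuscation` are constructed assumptions.

```python
import json
import random
import string

# Constructed sample token stream for one streamed reply (not data from the paper).
SAMPLE_TOKENS = ["Money", " laundering", " is", " illegal", " under", " the",
                 " Bank", " Secrecy", " Act", " in", " most", " jurisdictions", "."]

def sse_event(payload):
    """One server-sent event as it would appear on the wire (before TLS)."""
    return f"data: {json.dumps(payload)}\n\n".encode()

def stream_plain(tokens, rng=None):
    """Baseline: one event per token, so ciphertext size tracks token length."""
    return [sse_event({"delta": t}) for t in tokens]

def stream_padded(tokens, rng=None, max_pad=32):
    """Random-length 'obfuscation' field per event (the Cloudflare-style mitigation)."""
    rng = rng or random.SystemRandom()  # use a CSPRNG in production
    events = []
    for t in tokens:
        pad = "".join(rng.choice(string.ascii_letters) for _ in range(rng.randrange(max_pad + 1)))
        events.append(sse_event({"delta": t, "obfuscation": pad}))
    return events

def stream_batched(tokens, rng=None, group=4):
    """Token grouping: fewer observable events, each hiding several token boundaries."""
    return [sse_event({"delta": "".join(tokens[i:i + group])})
            for i in range(0, len(tokens), group)]

def parse_stream(events):
    """Client side: the padding field is simply ignored, so the visible text is unchanged."""
    return "".join(json.loads(e.decode()[len("data: "):].strip())["delta"] for e in events)

def pearson(xs, ys):
    n = len(xs); mx = sum(xs) / n; my = sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs); vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def size_leak(tokens, streamer, rng=None):
    """Correlation between true token length and wire event size; 1.0 means the
    size side channel exposes every token length exactly."""
    return pearson([len(t) for t in tokens], [len(e) for e in streamer(tokens, rng)])

def demo(seed=7):
    """Returns (plain leak, padded leak, number of batched events); seeded for reproducibility."""
    return (size_leak(SAMPLE_TOKENS, stream_plain),
            size_leak(SAMPLE_TOKENS, stream_padded, random.Random(seed)),
            len(stream_batched(SAMPLE_TOKENS)))

if __name__ == "__main__":
    plain, padded, n_events = demo()
    print(f"plain leak={plain:.2f}  padded leak={padded:.2f}  batched events={n_events}/{len(SAMPLE_TOKENS)}")
```

Padding only hides sizes; timing between events is untouched, which is why the grouping and synthetic-packet measures are described alongside it.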

Or, providers could inject synthetic packets at random intervals, which obfuscates both size and timing patterns. ®
