{"id":5730,"date":"2025-11-10T11:47:46","date_gmt":"2025-11-10T11:47:46","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5730"},"modified":"2025-11-10T11:47:46","modified_gmt":"2025-11-10T11:47:46","slug":"whisper-leak-uses-a-side-channel-attack-to-eavesdrop-on-encrypted-ai-conversations","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5730","title":{"rendered":"Whisper Leak uses a side channel attack to eavesdrop on encrypted AI conversations"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers at Microsoft have revealed a new side channel attack named Whisper Leak that can reveal the topic of encrypted conversations between users and language models, even without access to the underlying text.<\/p>\n<p>The discovery highlights a growing blind spot in AI security where encryption alone no longer guarantees privacy in model interactions.<\/p>\n<p>Microsoft\u2019s Security Defender Security Research team <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/11\/07\/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models\/\" target=\"_blank\" rel=\"noopener\">said<\/a> that attackers are in a position to exploit\u202flarge language models that use metadata such as network packet sizes and timings. 
For instance, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router can observe the encrypted traffic and use it to infer whether the user\u2019s prompt is on a specific topic.<\/p>\n<h2 class=\"wp-block-heading\">Metadata becomes the new attack surface<\/h2>\n<p>Unlike traditional data breaches or model leaks, Whisper Leak exploits a <a href=\"https:\/\/www.csoonline.com\/article\/567149\/what-is-a-side-channel-attack-how-these-end-runs-around-encryption-put-everyone-at-risk.html?utm=hybrid_search\">side channel<\/a> in network communication rather than a flaw in encryption itself.<\/p>\n<p>LLM services generate responses step by step, producing one token at a time instead of the entire response at once. Communications with AI-powered chatbots are also typically encrypted with HTTP over TLS (HTTPS), ensuring the authenticity of the server and the confidentiality of the content.<\/p>\n<p>But while Transport Layer Security encrypts the content of communications, it leaks the size of the underlying data chunks being transmitted. For an LLM that streams responses token by token, this size information reveals patterns about the tokens being generated.<\/p>\n<p>Combined with the timing between packets, these size patterns leak enough information to enable topic classification, forming the basis of the Whisper Leak attack, the Microsoft Defender Security Research team explained in its <a href=\"https:\/\/arxiv.org\/pdf\/2511.03675\" target=\"_blank\" rel=\"noopener\">technical report<\/a>.<\/p>\n<p>\u201cThese are not usual data breaches either. They do not steal the files directly; they observe what is happening around the data,\u201d said <a href=\"https:\/\/www.primuspartners.in\/team\/devroop-dhar\" target=\"_blank\" rel=\"noopener\">Devroop Dhar<\/a>, co-founder &amp; MD at Primus Partners. \u201cThey don\u2019t have to break encryption or code. 
What they do instead is look for small clues: timing, lags, maybe how quickly a system answers, and from that, they try to understand what\u2019s going on inside. It\u2019s very technical and tough to catch when it\u2019s happening,\u201d he added.<\/p>\n<h2 class=\"wp-block-heading\">Inside Microsoft\u2019s proof-of-concept<\/h2>\n<p>Researchers at Microsoft simulated a real-world scenario in which the adversary could observe encrypted traffic but not decrypt it. They chose \u201clegality of money laundering\u201d as the target topic for the proof-of-concept.<\/p>\n<p>For positive samples, the team used a language model to generate 100 semantically similar variants of questions about this topic. For negative noise samples, it randomly sampled 11,716 unrelated questions from the Quora Question Pairs dataset, covering a wide variety of topics.<\/p>\n<p>The team then trained LightGBM, Bi-LSTM, and BERT-based classifiers on the collected traffic, evaluating each in time-only, packet-size-only, and combined modes.<\/p>\n<p>The research team demonstrated the attack across 28 popular LLMs from major providers and achieved near-perfect classification (often &gt;98% Area Under the Precision-Recall Curve, or AUPRC) and high precision even at extreme class imbalance (a 10,000:1 noise-to-target ratio). 
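The pipeline the researchers describe (summarising the sizes and inter-arrival times of encrypted packets into features, then training a binary topic classifier) can be sketched on synthetic traffic. The traffic distributions and the simple nearest-centroid classifier below are illustrative stand-ins, not the study's actual captures or its LightGBM, Bi-LSTM, and BERT models:

```python
import random
import statistics

random.seed(0)

def synth_trace(topic: bool, n: int = 60):
    """Synthetic stand-in for one encrypted streaming response:
    a list of (packet_size_bytes, inter_arrival_ms) pairs.
    We assume, purely for illustration, that the target topic
    yields slightly larger packets and longer pauses."""
    mu_size, mu_gap = (90, 45) if topic else (70, 30)
    return [(max(1, int(random.gauss(mu_size, 15))),
             max(0.0, random.gauss(mu_gap, 10))) for _ in range(n)]

def featurize(trace):
    """Summary statistics over sizes and gaps; a crude substitute
    for the sequence models used in the actual study."""
    sizes = [s for s, _ in trace]
    gaps = [g for _, g in trace]
    return (statistics.mean(sizes), statistics.stdev(sizes),
            statistics.mean(gaps), statistics.stdev(gaps))

# Label and featurize training traces (no plaintext is ever used).
train = [(featurize(synth_trace(t)), t)
         for t in [True] * 100 + [False] * 100]

def centroid(label):
    feats = [f for f, t in train if t is label]
    return tuple(statistics.mean(col) for col in zip(*feats))

c_pos, c_neg = centroid(True), centroid(False)

def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def predict(trace):
    """Classify a trace by its nearest class centroid."""
    f = featurize(trace)
    return dist(f, c_pos) < dist(f, c_neg)

# Evaluate on fresh synthetic traffic.
tests = [(synth_trace(t), t) for t in [True] * 50 + [False] * 50]
accuracy = sum(predict(tr) == t for tr, t in tests) / len(tests)
```

On traffic this well separated the toy classifier labels nearly every trace correctly; the point is only that size and timing summaries alone, with no decrypted content, can carry enough signal to separate topics.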
For many models, they achieved 100% precision in identifying sensitive topics while recovering 5-20% of target conversations, the report noted.<\/p>\n<h2 class=\"wp-block-heading\">Plugging the leaks<\/h2>\n<p>The findings were shared with <a href=\"https:\/\/www.networkworld.com\/article\/4083656\/openai-spends-even-more-money-it-doesnt-have.html?utm=hybrid_search\">OpenAI<\/a>, <a href=\"https:\/\/www.networkworld.com\/article\/3821150\/cisco-launches-ai-renewals-agent-with-mistral-ai.html?utm=hybrid_search\">Mistral<\/a>, Microsoft, and <a href=\"https:\/\/www.networkworld.com\/article\/3608660\/musks-xai-shifts-ai-server-business-from-struggling-supermicro-to-dell.html?utm=hybrid_search\">xAI<\/a>, and mitigation measures were implemented to minimise the risk. To blunt the attack, OpenAI and, later, Microsoft Azure added a random sequence of text of variable length to each response.<\/p>\n<p>This obfuscation field masked the length of each token, reducing the attack\u2019s effectiveness. Mistral achieved a similar effect with a new parameter called \u201cp\u201d.<\/p>\n<h2 class=\"wp-block-heading\">CISO\u2019s next frontier<\/h2>\n<p>Even if the attack doesn\u2019t expose the exact prompt or content of a conversation, it can accurately classify its subject or intent, putting enterprises at major risk.<\/p>\n<p>\u201cIf an LLM is just handling public data, it is fine. But if it is processing data like client records, internal documents, financial data, etc, then even a small leak matters. The bigger worry is for companies that run their own AI models or connect them to cloud APIs. 
Like banks, healthcare, legal firms, defence, where data sensitivity is too high,\u201d Dhar said.<\/p>\n<p>While it is the AI providers that will have to address the issue, Microsoft researchers\u2019 recommendations include avoiding discussing highly sensitive topics over AI chatbots on untrusted networks, using a VPN service to add an additional layer of protection, opting for providers that have already implemented mitigations, and using the non-streaming models of large language model providers.<\/p>\n<p>Dhar pointed out that most AI security checklists do not even mention side channels yet. CISOs need to start asking their teams and vendors how they test for these kinds of issues.<\/p>\n<p>\u201cAlso, in order to be defensive, we need to keep models isolated, add a bit of random delay so timing data is not predictable, and watch for weird or repeated queries that look like probing. Basically, we need to treat the AI pipeline the way we would treat a critical server, by following a few simple steps like logging it, segmenting it, and not assuming that it is invisible just because it is encrypted,\u201d he added. Over time, we will need proper \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3965405\/generative-ai-is-making-pen-test-vulnerability-remediation-much-worse.html?utm=hybrid_search\">AI pen-testing<\/a>,\u201d like what happened when cloud APIs first became mainstream. It is the same pattern: once the tech matures, attackers get creative, and then security always has to catch up, he noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers at Microsoft have disclosed a new side channel attack named Whisper Leak that can reveal the topic of encrypted conversations between users and language models, even without access to the underlying text. The discovery highlights a growing blind spot in AI security where encryption alone no longer guarantees privacy in model interactions. 
Microsoft\u2019s Security [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5731,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5730","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5730"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5730"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5730\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5731"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}