Full Report
Encryption protects content, not context

Mischief-makers can guess the subjects being discussed with LLMs using a side-channel attack, according to Microsoft researchers. They told The Register that models from some providers, including Anthropic, AWS, DeepSeek, and Google, haven't been fixed, putting both personal users and enterprise communications at risk.…
Analysis Summary
# Vulnerability: LLM Side-Channel Attack via Encrypted Response Streaming (Whisper Leak)
## CVE Details
- CVE ID: Not specified in the article.
- CVSS Score: Not specified in the article.
- CWE: Not stated in the article; most likely CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-203 (Observable Discrepancy, the CWE category that covers timing and packet-size side channels).
## Affected Systems
- Products: LLM services that stream responses to the client. Specifically called out as **not having implemented fixes** (as of the article date):
  - Anthropic (Claude)
  - AWS (Nova)
  - DeepSeek
  - Google (Gemini)
- Versions: Unspecified; applies to any deployment that streams responses incrementally in a way that exposes per-token timing and packet-size information.
- Configurations: Susceptible whenever responses are sent to users incrementally (streaming) and an attacker-in-the-middle can observe the encrypted network traffic.
## Vulnerability Description
Microsoft researchers discovered "Whisper Leak," a side-channel attack that infers the topic of a user's prompt by monitoring **packet size and timing patterns** in streaming LLM responses, even though the traffic is TLS-encrypted. Because streaming models emit responses token by token, an observer positioned on the path (e.g., at the ISP, on the local network, or on a shared Wi-Fi segment) can record the sequence of encrypted packet sizes and inter-arrival times. Offline, machine-learning classifiers (LightGBM, LSTM, and BERT-based models) trained on such size/timing sequences allowed the researchers to distinguish conversations on a specific sensitive topic (money laundering was the example) from general traffic with very high accuracy (AUPRC above 98% for some models).
## Exploitation
- Status: **Not exploited in the wild** (as of the article date), but a **Proof-of-Concept (PoC) is available**.
- Complexity: Medium (requires the ability to intercept network traffic plus offline ML training and analysis).
- Attack Vector: Network (the attacker needs only to observe and record encrypted packets; no access to plaintext or to either endpoint is required).
## Impact
- Confidentiality: **High**. The topics of sensitive user prompts can be inferred by an external observer monitoring encrypted network traffic.
- Integrity: Negligible/Not Affected (Focus is on information leakage).
- Availability: Negligible/Not Affected.
## Remediation
### Patches
Providers that have implemented mitigations:
- Mistral
- Microsoft
- OpenAI
- xAI
Mitigation strategy adopted (by Microsoft and OpenAI, following a technique Cloudflare described):
1. **Adding random-length text** to a response field so that the on-wire size of each chunk no longer tracks the length of the tokens it carries.
2. **Grouping multiple tokens** into one transmission to reduce the number of observable network events.
### Workarounds
1. **Injecting synthetic packets** at random intervals to obscure both size and timing patterns.
2. **Avoiding streaming interfaces** when the data being processed is highly sensitive, at the cost of a slower, non-incremental user experience.
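The following Python sketch is an added illustration, not code from the article, the Microsoft blog, or the PoC repository. It models an unmitigated server-sent-event stream (one frame per token, so frame size is a function of token length) next to a stream that applies both patch-level mitigations (random-length filler field, token grouping) and the first workaround (content-free cover frames). The token list, the `obfuscation` field name and the padding bounds are constructed assumptions chosen for the demo.

```python
import json
import random
from typing import Iterable, Iterator, List, Optional

# Constructed sample token stream standing in for an LLM's incremental output.
SAMPLE_TOKENS = ["The", " quick", " brown", " fox", " jumps", " over",
                 " the", " lazy", " dog", "."]

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def sse_frame(content: str, filler: Optional[str] = None) -> bytes:
    """Encode one server-sent event. 'obfuscation' is a hypothetical field
    name that the client ignores; it exists only to change the frame size."""
    event = {"content": content}
    if filler is not None:
        event["obfuscation"] = filler
    return ("data: " + json.dumps(event) + "\n\n").encode()


def raw_stream(tokens: Iterable[str]) -> List[bytes]:
    """Unmitigated streaming: one frame per token, so identical tokens
    always produce identical on-wire sizes (the side channel)."""
    return [sse_frame(tok) for tok in tokens]


def group_tokens(tokens: Iterable[str], group_size: int) -> Iterator[str]:
    """Mitigation 2: emit several tokens per network event instead of one."""
    if group_size < 1:
        raise ValueError("group_size must be >= 1")
    buf: List[str] = []
    for tok in tokens:
        buf.append(tok)
        if len(buf) == group_size:
            yield "".join(buf)
            buf = []
    if buf:  # flush the final partial group
        yield "".join(buf)


def _filler(rng: random.Random, min_pad: int, max_pad: int) -> str:
    """Mitigation 1: random-length junk, lowercase only so JSON adds no escapes."""
    return "".join(rng.choice(ALPHABET) for _ in range(rng.randint(min_pad, max_pad)))


def obfuscated_stream(tokens: Iterable[str], group_size: int = 3,
                      min_pad: int = 8, max_pad: int = 64,
                      dummy_rate: float = 0.0,
                      seed: Optional[int] = None) -> List[bytes]:
    """Mitigation 1 + 2, plus workaround 1 when dummy_rate > 0: each frame
    carries a random-length filler, tokens are batched, and a content-free
    cover frame is emitted before a real one with probability dummy_rate."""
    rng = random.Random(seed)
    frames: List[bytes] = []
    for chunk in group_tokens(tokens, group_size):
        if dummy_rate and rng.random() < dummy_rate:
            frames.append(sse_frame("", _filler(rng, min_pad, max_pad)))
        frames.append(sse_frame(chunk, _filler(rng, min_pad, max_pad)))
    return frames


def wire_sizes(frames: List[bytes]) -> List[int]:
    """What a passive observer actually sees: the size of each frame."""
    return [len(f) for f in frames]


def padding_overhead(frames: List[bytes]) -> List[int]:
    """Bytes attributable to the filler in each frame (for inspection only)."""
    out = []
    for f in frames:
        event = json.loads(f.decode()[len("data: "):].strip())
        base = len(sse_frame(event["content"], ""))
        out.append(len(f) - base)
    return out


if __name__ == "__main__":
    print("raw       :", wire_sizes(raw_stream(SAMPLE_TOKENS)))
    print("mitigated :", wire_sizes(obfuscated_stream(SAMPLE_TOKENS, seed=1)))
    print("with cover:", wire_sizes(obfuscated_stream(SAMPLE_TOKENS, dummy_rate=0.5, seed=1)))
```

Running it shows the raw stream's sizes mirroring token lengths one for one, while the mitigated stream has fewer events whose sizes vary independently of the text; the grouping factor and padding range trade bandwidth and latency against how much of the size/timing signal survives.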
## Detection
- Indicators of Compromise: Few in practice, because the attack is passive: it leaves no trace on the client or the LLM service. The only observable signal is an unusually large volume of captured network traffic correlated with LLM query/response cycles whose response sizes and timings are highly patterned.
- Detection Methods and Tools: Analyzing the packet size and timing sequences of encrypted traffic destined for known LLM API endpoints. (The PoC code on GitHub documents the methodology: training binary classifiers on packet size and timing features; the same features tell a defender how much signal a given service still leaks after mitigation.)
## References
- Vendor Advisory: Microsoft Security Blog (Defanged link: hXXps://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/)
- Technical Paper: arXiv (Defanged link: hXXps://arxiv.org/pdf/2511.03675)
- PoC Code: GitHub by J. Bar Or (Defanged link: hXXps://github.com/yo-yo-yo-jbo/whisper_leak)
- Related Mitigation: Cloudflare Blog (Defanged link: hXXps://blog.cloudflare.com/ai-side-channel-attack-mitigated/)