🤖 AI Summary
Researchers disclosed "Whisper Leak," a practical side‑channel attack that infers the topic of user prompts from encrypted LLM traffic by analyzing packet sizes and timing in streaming responses. Although TLS hides message contents, metadata patterns in how models stream tokens leak strong signals: across 28 popular LLMs the authors report near‑perfect topic classification (often >98% AUPRC), robustness under extreme class imbalance (10,000:1 noise:target), and even 100% precision for certain sensitive topics (e.g., “money laundering”), recovering 5–20% of target conversations. The attack is practical for network observers such as ISPs, governments, or local adversaries and highlights an industry‑wide privacy vulnerability as LLMs are used for sensitive tasks.
Technically, Whisper Leak leverages deterministic relationships between tokenization/response length and packetization/timing in streaming APIs; classifiers trained on these metadata patterns can map encrypted traces to topics. The paper evaluates three mitigations—random padding, token batching, and packet injection—which reduce but do not eliminate leakage, and notes trade‑offs in latency and bandwidth. The authors responsibly disclosed findings and worked with providers on initial countermeasures. The study underscores the need for protocol and model‑deployment changes (metadata obfuscation, padded streaming, or new transport designs) to protect user privacy beyond content encryption.
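The size side of two of the mitigations named above (token batching and random padding), as an added example that is not code from the paper or its authors. The token chunks, the 22-byte per-record overhead and all function names are constructed assumptions, and timing is not modelled.

```python
import random

# Constructed sample of streamed token chunks (illustrative, not from the paper).
TOKENS = ["The", " quick", " brown", " fox", " jumps", " over",
          " the", " lazy", " dog", "."]
OVERHEAD = 22  # assumed fixed per-record framing + AEAD tag overhead, in bytes


def observable_sizes(chunks, overhead=OVERHEAD):
    """Record sizes an on-path observer sees: plaintext length + fixed overhead."""
    return [len(c.encode("utf-8")) + overhead for c in chunks]


def batch_tokens(tokens, n):
    """Token batching: send every n tokens as one chunk instead of one per token."""
    return ["".join(tokens[i:i + n]) for i in range(0, len(tokens), n)]


def random_pad_sizes(chunks, max_pad, rng=None, overhead=OVERHEAD):
    """Random padding: each record carries 0..max_pad extra bytes of filler."""
    rng = rng or random.SystemRandom()
    return [size + rng.randint(0, max_pad)
            for size in observable_sizes(chunks, overhead)]


def residual_signal(sizes, overhead=OVERHEAD):
    """What still shows after a mitigation: record count and total payload bytes."""
    return {"records": len(sizes),
            "payload_bytes": sum(sizes) - overhead * len(sizes)}


if __name__ == "__main__":
    plain = observable_sizes(TOKENS)
    batched = observable_sizes(batch_tokens(TOKENS, 4))
    padded = random_pad_sizes(TOKENS, max_pad=64)
    for name, sizes in [("per-token", plain), ("batched x4", batched),
                        ("padded", padded)]:
        print(f"{name:11s} {sizes} {residual_signal(sizes)}")
    # Bandwidth cost of padding relative to the unpadded stream.
    print(f"padding overhead: {sum(padded) / sum(plain) - 1:.0%}")
```

In this model batching hides per-token sizes but leaves the total payload byte count unchanged, so response length is still visible; padding blurs each record at a measurable bandwidth cost.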