🤖 AI Summary
Microsoft researchers have demonstrated a practical side-channel attack, dubbed "Whisper Leak," that can infer the topic of encrypted LLM queries by analyzing streaming response patterns, specifically packet sizes and timing. The PoC mixes many paraphrases of a target prompt (they used money-laundering queries) into background traffic, records response packet sizes and timings (tcpdump), and trains classifiers (LightGBM, Bi-LSTM, and a DistilBERT variant with time/size tokens) in time-only, size-only, and combined modes. In several services the classifiers achieved >98% AUPRC, and in a simulated 10,000-conversation surveillance run they recovered 5–50% of target conversations while maintaining up to 100% precision in many cases. The attack works offline if an adversary can save encrypted packets, and its success rate varies across vendors and deployment choices.
This matters because encryption protects content but not contextual metadata: streaming LLMs emit tokenized responses that leak size/timing signals useful to a network-level observer (ISP, local Wi-Fi snoop, nation-state). Microsoft disclosed the issue to affected vendors; Mistral, Microsoft, OpenAI and xAI have implemented mitigations (token-size obfuscation inspired by Cloudflare, grouping tokens before sending, or injecting synthetic packets), and Microsoft reports its Azure fix reduces the practicality of the attack. Other providers have been unresponsive or declined to fix it. The result is a realistic privacy risk for users and organizations using streaming LLMs unless service providers adopt obfuscation or batching defenses.
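The following is an added illustration, not code from Microsoft's research or any vendor's fix: it models why per-token streaming leaks and how the grouping-plus-padding defense described above shrinks the size channel. The two responses, the word-level "tokens", and the group/bucket parameters are constructed assumptions for the demo.

```python
import math
from collections import Counter

# Constructed sample responses, split on whitespace as a stand-in for model tokens.
RESPONSE_A = "Money laundering typically proceeds in three stages placement layering and integration".split()
RESPONSE_B = "A sourdough starter needs regular feeding with flour and water to stay active".split()


def naive_stream(tokens):
    """One record per token: ciphertext length tracks plaintext token length almost exactly."""
    return [len(t.encode("utf-8")) for t in tokens]


def batched_padded_stream(tokens, group=4, bucket=32):
    """Mitigation sketch (assumed parameters): send `group` tokens per record and pad
    each record up to the next multiple of `bucket` bytes, so individual token
    lengths no longer appear on the wire."""
    packets = []
    for i in range(0, len(tokens), group):
        raw = sum(len(t.encode("utf-8")) for t in tokens[i:i + group])
        packets.append(math.ceil(raw / bucket) * bucket)
    return packets


def size_entropy_bits(packets):
    """Shannon entropy of the packet-size distribution: fewer bits means less for a
    size-only classifier to learn from each record."""
    counts = Counter(packets)
    n = len(packets)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def distinguishing_positions(a, b):
    """Aligned packets whose sizes differ between two responses, plus the difference
    in packet count (the count still leaks response length after padding)."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def compare_defenses():
    """Summarise how much separates the two responses before and after the mitigation."""
    naive_a, naive_b = naive_stream(RESPONSE_A), naive_stream(RESPONSE_B)
    pad_a, pad_b = batched_padded_stream(RESPONSE_A), batched_padded_stream(RESPONSE_B)
    return {
        "naive_entropy_a": size_entropy_bits(naive_a),
        "padded_entropy_a": size_entropy_bits(pad_a),
        "naive_diff": distinguishing_positions(naive_a, naive_b),
        "padded_diff": distinguishing_positions(pad_a, pad_b),
    }
```

Note that the remaining difference after padding comes entirely from packet count, which is why the vendor fixes also inject synthetic packets or batch more aggressively rather than relying on padding alone.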