Whisper Leak side-channel attack bad actors access sensitive LLM conversations (www.scworld.com)

Microsoft disclosed a new side-channel technique called "Whisper Leak" that lets a passive network observer infer whether a user’s LLM session is about a sensitive topic even when TLS is intact. Rather than extracting plaintext, Whisper Leak uses machine learning to fingerprint streaming responses by analyzing patterns of encrypted packet sizes and inter‑arrival times. Tests reported in Microsoft’s writeup (and independent commentary) show extremely high classification accuracy — up to 100% for some sensitive categories and >98% across several providers — and validate the method across major services. This is distinct from prior token‑length or cache‑timing attacks because it treats the entire sequence of encrypted packet metadata as a topical fingerprint, not just token boundaries. The practical impact is large: attackers with any network vantage point (nation‑state monitors, ISP observers, or local Wi‑Fi adversaries) can triage who is discussing protests, elections, journalism, money laundering, etc., without breaking encryption or reading text. Whisper Leak doesn’t reveal the words, but a reliable yes/no on sensitive categories is sufficient for surveillance, targeting, or censorship. Some batching strategies can reduce the signal but don’t eliminate it, so Microsoft and security experts urge defenders to treat this as a real metadata risk — apply network hardening, threat modeling, and mitigation layers (flow padding, stronger batching or obfuscation, and monitoring for fingerprinting) to protect high‑risk users.