Whisper Leak: a side-channel attack on Large Language Models

Geoff McDonald, Jonathan Bar Or

TL;DR

Whisper Leak reveals that TLS-encrypted streaming traffic from Large Language Models leaks high-level prompt information through packet-size and timing metadata, enabling topic classification even without decrypting content. By evaluating 28 provider-hosted LLMs and training binary classifiers on encrypted traffic patterns, the study reports strong attack performance (AUPRC often above $0.98$) and 100% precision at low recall under realistic imbalance in many cases. It also assesses three mitigations—random padding, token batching, and packet injection—finding that none fully prevents leakage, though each reduces effectiveness with varying tradeoffs in bandwidth and latency. The work argues that metadata leakage is an architectural vulnerability of current LLM deployments and calls for systemic defenses and architecture redesigns, underscored by a responsible disclosure process with multiple providers.

Abstract

Large Language Models (LLMs) are increasingly deployed in sensitive domains including healthcare, legal services, and confidential communications, where privacy is paramount. This paper introduces Whisper Leak, a side-channel attack that infers user prompt topics from encrypted LLM traffic by analyzing packet size and timing patterns in streaming responses. Despite TLS encryption protecting content, these metadata patterns leak sufficient information to enable topic classification. We demonstrate the attack across 28 popular LLMs from major providers, achieving near-perfect classification (often >98% AUPRC) and high precision even at extreme class imbalance (10,000:1 noise-to-target ratio). For many models, we achieve 100% precision in identifying sensitive topics like "money laundering" while recovering 5-20% of target conversations. This industry-wide vulnerability poses significant risks for users under network surveillance by ISPs, governments, or local adversaries. We evaluate three mitigation strategies - random padding, token batching, and packet injection - finding that while each reduces attack effectiveness, none provides complete protection. Through responsible disclosure, we have collaborated with providers to implement initial countermeasures. Our findings underscore the need for LLM providers to address metadata leakage as AI systems handle increasingly sensitive information.
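Two of the mitigations named in the abstract, random padding and token batching, sketched from the serving side as an added example (not code from the paper or from any provider). The JSON event framing, the `delta`/`pad` field names, the sample tokens and the parameter values are assumptions made for illustration.

```python
import json
import random

# Constructed sample: tokens of one streamed reply (not data from the paper).
TOKENS = ["Banks", " must", " report", " suspicious", " transactions",
          " to", " the", " regulator", " within", " thirty", " days", "."]

def frame(delta, pad_len=0):
    """One streamed event. TLS hides these bytes but not how many there are."""
    # "delta" and "pad" are hypothetical field names, not any provider's API.
    return json.dumps({"delta": delta, "pad": "x" * pad_len}).encode()

BASE = len(frame(""))  # fixed framing overhead of an empty event

def plain_sizes(tokens):
    """Unmitigated: one event per token, so size - BASE equals token length."""
    return [len(frame(t)) for t in tokens]

def padded_sizes(tokens, max_pad, rng):
    """Random padding: each event carries 0..max_pad filler bytes."""
    return [len(frame(t, rng.randint(0, max_pad))) for t in tokens]

def batched_sizes(tokens, n):
    """Token batching: n tokens per event, so only the group total is visible."""
    return [len(frame("".join(tokens[i:i + n])))
            for i in range(0, len(tokens), n)]

def recovered_lengths(sizes):
    """The observer's view after subtracting the known framing overhead."""
    return [s - BASE for s in sizes]

if __name__ == "__main__":
    # Seeded RNG keeps the demo repeatable; a real service would draw pad
    # lengths from a CSPRNG such as secrets.randbelow().
    rng = random.Random(0)
    for name, sizes in [("plain", plain_sizes(TOKENS)),
                        ("padded", padded_sizes(TOKENS, 32, rng)),
                        ("batched", batched_sizes(TOKENS, 4))]:
        print(f"{name:8} {recovered_lengths(sizes)}")
```

Padding still bounds each token length from above, and batching leaves the number of events and their total size visible, which is consistent with the abstract's finding that neither mitigation provides complete protection.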

Paper Structure

This paper contains 23 sections, 1 equation, 7 figures, 5 tables.

Figures (7)

  • Figure 1: Whisper Leak attack pipeline: A passive network adversary observes encrypted TLS traffic between user and LLM service, extracts packet size and timing sequences, and uses trained classifiers to infer whether the conversation topic matches a sensitive target category.
  • Figure 2: Examples of target and noise prompts. Target prompts are 100 different phrasings for a user asking about money laundering, while noise prompts are questions from Quora Questions Pair.
  • Figure 3: Examples of prompts perturbed by inserting extra spaces. Space insertions are marked with a + to indicate their location.
  • Figure 4: AUPRC vs. data volume for microsoft-gpt-4o by attacking model. A notable increase in attack effectiveness is observed as data size is increased - especially for the BERT-based attacking model.
  • Figure 5: Attack effectiveness measured by AUPRC vs microsoft-gpt-4o model temperature using the LSTM attack architecture across five trials at each temperature. No clear trend in attack effectiveness versus temperature is observed.
  • ...and 2 more figures