LLM Side-Channel Attacks: New Research Reveals Privacy Risks

by Lisa Park - Tech Editor

Side-Channel Attacks Expose Vulnerabilities in Large Language Models

Recent research has revealed a growing threat to the privacy of users interacting with Large Language Models (LLMs): side-channel attacks. These attacks don’t target the LLMs’ core algorithms or data directly, but instead exploit subtle patterns in network traffic to infer information about user prompts, even when that traffic is encrypted using TLS. Three separate research papers, published in late 2025 and early 2026, detail different methods for extracting this information, raising concerns about the security of sensitive data processed by these increasingly popular AI systems.

The core principle behind these attacks is that while the *content* of a conversation with an LLM is protected by encryption, metadata about the communication – specifically, the timing and size of network packets – can reveal clues about the underlying prompt. Researchers have demonstrated that these patterns can be used to identify the topic of a user’s query with surprisingly high accuracy.

Timing Attacks Reveal Conversation Topics

One approach, detailed in the paper “Remote Timing Attacks on Efficient Language Model Inference,” focuses on exploiting data-dependent timing characteristics introduced by techniques designed to speed up LLM responses. Methods like speculative sampling and parallel decoding, which aim to improve efficiency, inadvertently create variations in response times based on the complexity of the prompt. By carefully monitoring these timing differences in encrypted network traffic, attackers can learn information about the content of the messages. The researchers demonstrated the ability to determine whether a user was seeking medical advice or coding assistance with over 90% precision, even on production systems like OpenAI’s ChatGPT and Anthropic’s Claude. Alarmingly, they also showed the potential to recover Personally Identifiable Information (PII) like phone numbers and credit card numbers from open-source systems using a “boosting attack.”

Speculative Decoding Leaks Information

Another attack vector, outlined in “When Speculation Spills Secrets: Side Channels via Speculative Decoding in LLMs,” centers on speculative decoding itself. This technique involves generating and verifying multiple candidate tokens in parallel. The researchers found that patterns in the success or failure of these speculative attempts – observable through per-iteration token counts or packet sizes – can be used to fingerprint user queries. Their experiments showed that an attacker could accurately identify the prompt from a set of 50 possibilities with over 75% accuracy, even at a relatively high temperature setting (which introduces more randomness into the LLM’s output). They also demonstrated the ability to leak confidential data used for prediction at rates exceeding 25 tokens per second.

Whisper Leak: A Broadly Applicable Attack

Perhaps the most concerning finding comes from the research described in “Whisper Leak: a side-channel attack on Large Language Models.” This attack, which gives its name to the broader class of vulnerabilities, demonstrates that packet size and timing patterns in streaming responses leak sufficient information to enable topic classification, *despite* TLS encryption. The researchers tested their attack against 28 popular LLMs from major providers, achieving near-perfect classification accuracy (often exceeding 98% area under the precision-recall curve, or AUPRC). They even achieved 100% precision in identifying sensitive topics like “money laundering” while recovering 5-20% of the target conversations. This suggests a widespread vulnerability affecting a significant portion of deployed LLMs.

The Whisper Leak research highlights the particular risk to users under network surveillance by Internet Service Providers (ISPs), governments, or local adversaries. Because the attack operates on metadata, it doesn’t require decryption of the content itself, making it significantly more difficult to detect and prevent.

Mitigation Efforts and Remaining Challenges

The researchers behind the Whisper Leak attack collaborated with LLM providers to implement initial countermeasures through responsible disclosure. They evaluated three mitigation strategies: random padding, token batching and packet injection. While each of these techniques reduces the effectiveness of the attack, none provides complete protection. Random padding adds noise to the packet sizes, making it harder to discern patterns. Token batching groups multiple tokens together, obscuring timing variations. Packet injection adds artificial packets to the stream, further disrupting timing signals. However, attackers can still glean information, albeit with reduced accuracy.
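The three countermeasures described above, applied to a constructed stream of token sizes, as an added Python illustration that is not the researchers' or any provider's code; the token byte lengths, bucket size, batch size and injection probability are all made-up parameters, and the defaults reproduce the unmitigated stream for comparison.

```python
"""Random padding, token batching and packet injection applied to a streamed
reply. Added illustration; the token byte sizes below are constructed."""
import random
from typing import List

# Constructed example: plaintext byte length of each streamed token of one reply.
SAMPLE_TOKEN_SIZES = [4, 7, 2, 11, 3, 5, 9, 2, 6, 8, 3, 12]

def token_batching(token_sizes: List[int], batch: int) -> List[int]:
    """Emit one packet per `batch` tokens carrying their summed bytes, so
    per-token sizes and per-token timing are no longer individually visible."""
    if batch < 1:
        raise ValueError("batch must be >= 1")
    return [sum(token_sizes[i:i + batch]) for i in range(0, len(token_sizes), batch)]

def random_padding(packet_sizes: List[int], bucket: int, rng: random.Random) -> List[int]:
    """Round each packet up to a multiple of `bucket` and add 0..bucket-1 random
    bytes, so the wire size no longer maps 1:1 to the plaintext size."""
    if bucket < 1:
        raise ValueError("bucket must be >= 1")
    return [-(-s // bucket) * bucket + rng.randrange(bucket) for s in packet_sizes]

def packet_injection(packet_sizes: List[int], prob: float, dummy: int,
                     rng: random.Random) -> List[int]:
    """After each real packet, with probability `prob`, send a `dummy`-byte
    packet that an observer cannot distinguish from a real token packet."""
    out: List[int] = []
    for s in packet_sizes:
        out.append(s)
        if rng.random() < prob:
            out.append(dummy)
    return out

def wire_view(token_sizes: List[int], batch: int = 1, bucket: int = 1,
              inject_prob: float = 0.0, dummy: int = 16, seed: int = 0) -> List[int]:
    """Packet sizes a network observer sees after all three mitigations. The
    defaults (batch=1, bucket=1, no injection) reproduce the unmitigated stream,
    which exposes the exact per-token sizes the papers exploit."""
    # Seeded only so the demo is reproducible; a real server would draw the
    # padding and injection decisions from a CSPRNG (e.g. the secrets module).
    rng = random.Random(seed)
    packets = token_batching(token_sizes, batch)
    packets = random_padding(packets, bucket, rng)
    return packet_injection(packets, inject_prob, dummy, rng)

if __name__ == "__main__":
    print("unmitigated:", wire_view(SAMPLE_TOKEN_SIZES))
    print("mitigated:  ", wire_view(SAMPLE_TOKEN_SIZES, batch=4, bucket=32, inject_prob=0.3))
```

Running it prints the raw per-token sizes first and then a shorter, coarser stream in which neither packet count nor packet size tracks individual tokens, which is why the paper reports reduced but not eliminated classifier accuracy.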

The findings underscore the need for LLM providers to address metadata leakage as AI systems handle increasingly sensitive information. The researchers emphasize that simply encrypting the content of communications is not enough to guarantee privacy. Protecting the metadata surrounding those communications is equally crucial. Further research and development are needed to explore more robust mitigation strategies and to ensure that LLMs can be deployed securely in sensitive domains like healthcare, legal services, and confidential communications.

These side-channel attacks represent a new and evolving threat to the privacy of LLM users. As LLMs become more integrated into our daily lives, addressing these vulnerabilities will be critical to maintaining trust and protecting sensitive data.
