According to TheRegister.com, Microsoft researchers have developed a side-channel attack called Whisper Leak that can guess the topics of encrypted LLM conversations by analyzing packet size and timing patterns in streaming responses. The attack achieved over 98% accuracy in detecting sensitive topics across models from Alibaba, DeepSeek, Mistral, Microsoft, xAI, and OpenAI, with classifiers nearly perfectly separating sensitive from normal traffic. While Mistral, Microsoft, OpenAI, and xAI have implemented mitigations, providers including Anthropic, AWS, DeepSeek, and Google haven’t fixed the vulnerability despite Microsoft’s disclosure. Researchers Jonathan Bar Or and Geoff McDonald warned this poses real-world risks for users in oppressive governments discussing topics like protesting, banned material, or journalism. In realistic surveillance scenarios monitoring 10,000 conversations, the attack caught money-laundering messages 5-50% of the time with zero false positives in many cases.
How this works
Here’s the thing about side-channel attacks – they don’t break the encryption itself. Instead, they look at the metadata that encryption leaves exposed. Think of it like someone watching the size and timing of envelopes going into and out of your house rather than reading your actual mail. Streaming AI models send responses in small chunks as tokens are generated, and the sizes and timing of those chunks form distinctive patterns depending on what you’re asking about. An attacker on your network – or even at your ISP level – can sniff this traffic and build a pretty accurate picture of what you’re discussing.
Basically, the researchers used machine learning to train classifiers that can spot these patterns. They tested three different ML models using timing data, packet size data, or both. The results were frankly alarming – near-perfect separation between sensitive and normal traffic in many cases. And get this: an attacker doesn’t even need to intercept traffic in real-time. They can save network packets and perform the attack offline later. That’s a game-changer for surveillance operations.
Who fixed it and who didn’t
This is where it gets interesting from a competitive landscape perspective. Microsoft and OpenAI were quick to implement Cloudflare’s mitigation approach of adding random text to responses to vary token sizes. Mistral and xAI also jumped on board. But Anthropic, AWS, DeepSeek, and Google? According to the researchers, they’ve either declined to implement fixes or just haven’t responded at all.
Now, why would major providers ignore what seems like a pretty serious privacy vulnerability? That’s the million-dollar question. Maybe they’re downplaying the risk, or perhaps they’re working on more comprehensive solutions. But in the meantime, their users are potentially exposed. When you’re dealing with industrial applications or business communications that rely on secure AI interactions, this kind of vulnerability becomes a serious concern. Companies that depend on robust, secure computing systems for manufacturing or industrial automation need to be particularly careful about which AI providers they trust with sensitive operational data.
Real-world implications
Let’s be clear – this isn’t just about someone figuring out you’re asking about pizza recipes. The researchers specifically tested with money laundering queries, but the technique works for any sensitive topic. Think about journalists in authoritarian countries, activists organizing protests, or businesses discussing competitive strategies. The attack works even better when you’re dealing with specialized terminology that has distinctive response patterns.
And here’s what’s scary: in their simulated surveillance of 10,000 conversations, they were able to catch the one sensitive discussion between 5% and 50% of the time with zero false positives in many runs. That’s not perfect, but for a nation-state actor monitoring millions of conversations? Those are terrifyingly good odds. The technical paper available at arXiv shows just how methodical their approach was – they even accounted for caching interference by inserting extra spaces between words.
What protection looks like
The good news is that effective mitigations exist. Microsoft and OpenAI are using Cloudflare’s approach of adding random text sequences, which basically makes token sizes unpredictable. Other options include grouping multiple tokens before transmission or injecting synthetic packets at random intervals. These aren’t theoretical solutions – Microsoft has verified that their Azure mitigation reduces attack effectiveness to “no longer a practical risk.”
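To make the leak and the fixes concrete, here is a small added simulation (not code from the article, from Microsoft's paper or from Cloudflare): it serialises streaming chunks in an assumed SSE-style JSON format, measures how tightly chunk size tracks token length, and applies the random-padding and token-grouping mitigations described above. The token list and the chunk format are constructed for the demo.

```python
import json
import random

# Constructed sample stream (not from the paper): tokens a model might emit,
# repeated to give the leakage check enough samples.
SAMPLE_TOKENS = ["Money", " laundering", " typically", " involves", " three",
                 " stages", ":", " placement", ",", " layering", " and",
                 " integration", "."] * 4

def encode_chunk(text, pad=""):
    """Serialise one streaming chunk in an assumed SSE-style JSON format.
    A passive observer sees only len(result); TLS hides the content."""
    body = {"delta": text}
    if pad:
        body["p"] = pad  # filler field the client discards
    return f"data: {json.dumps(body)}\n\n".encode()

def decode_stream(chunks):
    """Client side: reassemble the response text, ignoring any filler."""
    return "".join(json.loads(c.decode()[6:].strip())["delta"] for c in chunks)

def stream(tokens, mitigation="none", seed=0, max_pad=64, group=(2, 4)):
    """Return the on-the-wire chunks with the chosen mitigation applied."""
    rng = random.Random(seed)
    if mitigation == "pad":
        # Random-length filler: the Cloudflare-style fix the article mentions.
        return [encode_chunk(t, "x" * rng.randint(0, max_pad)) for t in tokens]
    if mitigation == "group":
        # Batch a random number of tokens per chunk so one chunk != one token.
        out, i = [], 0
        while i < len(tokens):
            n = rng.randint(*group)
            out.append(encode_chunk("".join(tokens[i:i + n])))
            i += n
        return out
    return [encode_chunk(t) for t in tokens]

def length_leak(tokens, chunks):
    """Pearson correlation between token length and chunk size (one chunk per
    token). 1.0 means the wire size reveals token length exactly."""
    xs, ys = [len(t) for t in tokens], [len(c) for c in chunks]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

if __name__ == "__main__":
    for m in ("none", "pad"):
        print(m, "leak:", round(length_leak(SAMPLE_TOKENS, stream(SAMPLE_TOKENS, m)), 2))
    grouped = stream(SAMPLE_TOKENS, "group")
    print("group:", len(grouped), "chunks for", len(SAMPLE_TOKENS), "tokens")
```

Without mitigation the correlation is exactly 1.0, so chunk sizes are a clean copy of token lengths; with random padding it drops towards 0, and grouping removes the one-chunk-per-token structure the classifier relies on while the client still reconstructs the same text.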
So why aren’t all providers implementing these fixes? That’s the frustrating part. The proof-of-concept code is available on GitHub, and the attack methodology is well-documented. Providers claiming this isn’t a practical risk might be underestimating how quickly these techniques could be weaponized. For businesses that need absolute security in their computing infrastructure – whether for industrial control systems, manufacturing operations, or sensitive business communications – this vulnerability should be a major consideration in vendor selection. The companies that have implemented fixes are clearly taking security more seriously, and that’s going to matter when enterprise customers are making their AI provider decisions.
