Whisper Leak: a side-channel attack on Large Language Models
Geoff McDonald, Jonathan Bar Or
TL;DR
Whisper Leak reveals that encrypted traffic patterns of large language models can be exploited as a side-channel to infer user prompt topics with high accuracy, posing privacy risks in sensitive applications.
Contribution
This paper introduces Whisper Leak, a novel side-channel attack on LLM traffic that infers prompt topics from encrypted streams, demonstrating significant privacy vulnerabilities.
Findings
Achieves over 98% AUPRC in topic classification
Identifies sensitive topics with 100% precision in many cases
Mitigation strategies reduce but do not eliminate leakage
Abstract
Large Language Models (LLMs) are increasingly deployed in sensitive domains including healthcare, legal services, and confidential communications, where privacy is paramount. This paper introduces Whisper Leak, a side-channel attack that infers user prompt topics from encrypted LLM traffic by analyzing packet size and timing patterns in streaming responses. Despite TLS encryption protecting content, these metadata patterns leak sufficient information to enable topic classification. We demonstrate the attack across 28 popular LLMs from major providers, achieving near-perfect classification (often >98% AUPRC) and high precision even at extreme class imbalance (10,000:1 noise-to-target ratio). For many models, we achieve 100% precision in identifying sensitive topics like "money laundering" while recovering 5-20% of target conversations. This industry-wide vulnerability poses significant…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Spam and Phishing Detection · Internet Traffic Analysis and Secure E-voting