Microsoft’s Threat Intelligence team has disclosed a novel side-channel attack on remote language models, demonstrating that a cyberattacker observing encrypted network traffic could still infer the topics of AI chatbot conversations—even though the traffic is fully protected by Transport Layer Security (TLS).
The attack, dubbed “Whisper Leak,” leverages subtle patterns in packet sizes and timing intervals from AI responses in streaming mode. In controlled experiments, Microsoft showed that these signals alone are distinct enough to classify conversation topics with extremely high accuracy.
“This type of side-channel attack could allow a cyberattacker in a position to observe your network traffic to conclude language model conversation topics, despite being end-to-end encrypted via Transport Layer Security (TLS),” the researchers wrote. “We have worked with multiple vendors to get the risk mitigated, as well as made sure Microsoft-owned language model frameworks are protected.”
Traditional encryption like TLS protects message contents—but not metadata such as packet size and timing. Microsoft researchers found that when AI chatbots stream responses token-by-token, each token’s generation slightly alters these metadata patterns. Over time, this creates a digital fingerprint that can be correlated with the topic of conversation.
“We hypothesized that the sequence of encrypted packet sizes and inter-arrival times during a streaming language model response contains enough information to classify the topic of the initial prompt,” the report explained. “Even in cases where responses are streamed in groupings of tokens.”
In their proof-of-concept, Microsoft simulated an attacker who can observe—but not decrypt—chatbot traffic. Using network sniffing tools like tcpdump, researchers captured packet traces for both targeted and general queries. Then, they trained machine learning classifiers (LightGBM, Bi-LSTM, and BERT-based models) to detect whether a conversation was about a specific topic, such as money laundering laws.
Across multiple model types and test setups, attack accuracy exceeded 98%. Even when one sensitive conversation was hidden among 10,000 random sessions, attackers could still achieve 100% precision—meaning every conversation flagged as “sensitive” truly was about the topic in question.
“For many models, the cyberattack achieved scores above 98%. This tells us that the unique digital ‘fingerprints’ left by conversations on a specific topic are distinct enough for our AI-powered eavesdropper to reliably pick them out in a controlled test.”
“Even with this extreme imbalance, our analysis shows concerning results,” Microsoft warned. “A cyberattacker could achieve 100% precision while still catching 5–50% of target conversations.”
This finding suggests that nation-state actors, internet service providers, or even local network eavesdroppers could, in theory, monitor AI traffic for politically sensitive or banned topics, despite encryption.
“This especially poses real-world risks to users under oppressive governments where they may be targeted for topics such as protesting, banned material, election processes, or journalism,” the researchers cautioned.
Microsoft coordinated with multiple AI vendors, including OpenAI, Mistral, and xAI, to address the issue. The companies have since deployed countermeasures to randomize packet patterns and obfuscate token lengths.
For example, OpenAI and Azure added an “obfuscation” field to streaming responses, inserting random text sequences of varying length to mask token sizes. Mistral introduced a new parameter “p” in its API that achieves a similar effect.
Microsoft confirmed that its Azure mitigation “successfully reduces attack effectiveness to levels we consider no longer a practical risk.”
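The effect of the padding mitigation described above can be seen in a short sketch, added here as an illustration and not taken from Microsoft's framework or any vendor's code. The chunk layout, the `delta` key, and the `MAX_PAD` bound are assumptions; only the idea of an "obfuscation" field filled with random text of varying length comes from the article.

```python
import json
import secrets
import string

MAX_PAD = 32  # assumed upper bound on padding length (not a vendor value)
ALPHABET = string.ascii_letters + string.digits

def stream_chunk(token, pad_len=None):
    """Serialize one streamed token as a constructed SSE-style event.
    pad_len=None omits the obfuscation field; otherwise it holds pad_len random chars."""
    event = {"delta": token}
    if pad_len is not None:
        event["obfuscation"] = "".join(secrets.choice(ALPHABET) for _ in range(pad_len))
    return b"data: " + json.dumps(event).encode() + b"\n\n"

def observed_sizes(tokens, padded):
    """Chunk sizes as seen on the wire; TLS hides the bytes but not their count."""
    return [len(stream_chunk(t, secrets.randbelow(MAX_PAD + 1) if padded else None))
            for t in tokens]

def consistent_token_lengths(size, padded):
    """Token lengths that could have produced a chunk of this size (ASCII tokens)."""
    if not padded:
        # Fixed framing overhead only, so the size pins the length exactly.
        return [size - len(stream_chunk("", None))]
    # With padding, any split of the remainder between token and pad is possible.
    upper = size - len(stream_chunk("", 0))
    return list(range(max(0, upper - MAX_PAD), upper + 1))

if __name__ == "__main__":
    tokens = ["The", " laundering", " of", " money"]  # constructed sample
    for padded in (False, True):
        sizes = observed_sizes(tokens, padded)
        spans = [len(consistent_token_lengths(s, padded)) for s in sizes]
        print(f"padded={padded} sizes={sizes} candidate lengths per chunk={spans}")
```

Padding of this kind addresses only the size signal; the inter-arrival timing the article mentions is a separate channel that this sketch does not model.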
To encourage further research, Microsoft has open-sourced its Whisper Leak framework on GitHub, including data collection scripts and machine learning models that estimate the probability of a conversation being about a sensitive topic.