Originally reported by Schneier on Security
TL;DR
Researchers demonstrate three distinct side-channel attacks against LLMs that exploit timing patterns and network metadata to infer conversation topics and leak sensitive data.
Three research papers demonstrate side-channel attacks that infer LLM conversation topics from network metadata with up to 98% accuracy. The findings have significant privacy implications for all LLM users, but exploitation requires network-level access to the encrypted traffic.
Researchers have identified three distinct side-channel attack classes that compromise LLM privacy despite TLS encryption protecting message content.
The first attack exploits timing variations introduced by efficiency optimizations like speculative sampling and parallel decoding. By monitoring encrypted network traffic between users and remote LLMs, attackers can:
The second attack targets speculative decoding mechanisms that generate and verify multiple candidate tokens in parallel. Researchers demonstrated that input-dependent patterns of correct and incorrect speculations leak through:
Testing across four speculative-decoding schemes (REST, LADE, BiLD, EAGLE) on the vLLM serving framework, the attack achieved:
The third attack, dubbed "Whisper Leak," analyzes packet size and timing patterns in streaming responses to classify user prompt topics. Testing across 28 popular LLMs from major providers revealed:
These vulnerabilities affect LLMs deployed across sensitive domains including healthcare, legal services, and confidential communications. The attacks pose particular risks for users under network surveillance by:
Researchers evaluated three defensive approaches:
While each mitigation reduces attack effectiveness, none provides complete protection against all three attack vectors. The research teams have engaged in responsible disclosure with LLM providers to implement initial countermeasures.
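The "Whisper Leak" attack above works only because the size and timing of each streamed chunk depend on the tokens inside it. The following is an added example, not code from the Schneier post or from any of the three papers it summarizes, of the kind of traffic shaping a serving proxy could apply on the response path: every emitted frame is padded to a fixed size, so a passive observer records a constant size sequence regardless of the text. The frame size, the 2-byte length header, the frame layout and the sample token streams are all assumptions constructed for this example; the page does not say which three defenses the researchers evaluated, so this is not presented as one of them.

```python
"""
Added example (not from the original post or the papers it summarizes):
a minimal streaming-response shaper that removes the per-chunk size signal
used by packet-size side channels. Layout, sizes and sample tokens are
constructed for illustration.
"""
from dataclasses import dataclass

CHUNK_BYTES = 256   # assumed fixed on-the-wire frame size (padding target)
HEADER_BYTES = 2    # assumed length header: bytes of real data in the frame


@dataclass
class WireChunk:
    size: int        # bytes on the wire: what a passive network observer sees
    payload: bytes   # what the client decrypts and parses


def naive_stream(tokens):
    """One chunk per token, as a plain streaming API might send it.
    Chunk sizes track token lengths, so the size sequence leaks content."""
    return [WireChunk(len(t.encode()), t.encode()) for t in tokens]


def _frame(buf, chunk_bytes):
    """Build one fixed-size frame: [length header][data][zero padding]."""
    header = len(buf).to_bytes(HEADER_BYTES, "big")
    padding = b"\x00" * (chunk_bytes - HEADER_BYTES - len(buf))
    return WireChunk(chunk_bytes, header + buf + padding)


def shaped_stream(tokens, chunk_bytes=CHUNK_BYTES):
    """Pack tokens into fixed-size frames.

    A frame is emitted whenever its data area fills; the final frame is
    padded to the same size, so every frame on the wire is chunk_bytes long.
    Tokens longer than the data area are split across frames.
    """
    capacity = chunk_bytes - HEADER_BYTES
    frames, buf = [], b""
    for t in tokens:
        data = t.encode()
        while data:
            room = capacity - len(buf)
            take, data = data[:room], data[room:]
            buf += take
            if len(buf) == capacity:
                frames.append(_frame(buf, chunk_bytes))
                buf = b""
    frames.append(_frame(buf, chunk_bytes))  # flush: always a full-size frame
    return frames


def unshape(frames):
    """Client side: strip headers and padding, recover the original text."""
    out = b""
    for f in frames:
        n = int.from_bytes(f.payload[:HEADER_BYTES], "big")
        out += f.payload[HEADER_BYTES:HEADER_BYTES + n]
    return out.decode()


def size_signature(chunks):
    """The sequence of packet sizes a passive observer could record."""
    return [c.size for c in chunks]


if __name__ == "__main__":
    # Constructed sample responses on two unrelated topics.
    answer_a = ["Your", " scan", " results", " suggest", " a", " benign", " cyst", "."]
    answer_b = ["Deduct", " the", " home", " office", " at", " the", " flat", " rate", "."]
    print("naive  A:", size_signature(naive_stream(answer_a)))
    print("naive  B:", size_signature(naive_stream(answer_b)))
    print("shaped A:", size_signature(shaped_stream(answer_a, 64)))
    print("shaped B:", size_signature(shaped_stream(answer_b, 64)))
    assert unshape(shaped_stream(answer_a, 64)) == "".join(answer_a)
```

Two caveats a practitioner should keep in mind. First, padding alone leaves the number of frames, and therefore the total response length rounded up to the frame size, observable; hiding that requires dummy frames or a fixed frame count. Second, this shaper does nothing about timing: frames still leave whenever the buffer fills, so a deployment would also need to release frames on a fixed schedule (sending an all-padding frame when no data is ready), which is where the bandwidth and latency cost of such mitigations comes from.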