“Whisper Leak” Side‑Channel Attack Raises New AI Chat Security Concerns

What happened

Microsoft researchers have uncovered a novel attack they’ve dubbed the “Whisper Leak,” whereby an adversary monitoring encrypted traffic to a streaming large‑language‑model (LLM) service can infer the topic of a user’s prompt, even though the full content remains encrypted.

Specifically, by observing packet sizes and timing sequences during a streaming AI response and applying trained classifiers, attackers achieved high accuracy in detecting when a conversation matched a sensitive category.

The proof-of-concept classifiers (LightGBM, Bi-LSTM, BERT) demonstrated success rates above 98% for certain models.

Microsoft states that the attack is effective despite HTTPS encryption and streaming responses.

The company also notes that Microsoft, OpenAI, and Mistral have deployed mitigations by adding random‑length padding to responses.
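As an added illustration (not Microsoft's, OpenAI's or Mistral's code), the following Python simulates the per-chunk size signal a streaming endpoint exposes and two of the padding mitigations mentioned above; the server-sent-event format, the constant overhead and the padding ranges are assumptions chosen for the demonstration.

```python
import json
import secrets

# Constructed sample: tokens a streaming endpoint would emit one per event.
SAMPLE_TOKENS = ["Laundering", " money", " through", " shell", " companies",
                 " is", " a", " crime", "."]


def sse_event(token: str, pad: str) -> bytes:
    """Serialise one streamed chunk as a server-sent event (assumed format).
    The padding rides in a field the client discards; its length, not its
    content, is what hides the token length from a passive observer."""
    return ("data: " + json.dumps({"delta": token, "p": pad}) + "\n\n").encode()


# Bytes of every event that do not depend on the token: the observer's
# constant offset, so wire size - BASE_SIZE == len(token) + len(pad).
BASE_SIZE = len(sse_event("", ""))


def no_padding(token: str) -> str:
    """Baseline: the event size tracks the token length exactly."""
    return ""


def random_padding(token: str, low: int = 0, high: int = 64) -> str:
    """Random-length filler drawn from a CSPRNG, uniform over [low, high]."""
    return "x" * (low + secrets.randbelow(high - low + 1))


def bucket_padding(token: str, bucket: int = 32) -> str:
    """Pad so token + filler is a multiple of `bucket` bytes: every token
    shorter than the bucket produces an identical on-wire size."""
    return "x" * (-len(token) % bucket)


def wire_sizes(tokens, pad_fn) -> list:
    """Per-event sizes a network observer sees. TLS adds a constant amount per
    record (assumption: one record per event), so only differences matter."""
    return [len(sse_event(t, pad_fn(t))) for t in tokens]


def observer_guess(sizes) -> list:
    """What an observer recovers by subtracting the known overhead: with no
    padding this is the exact token length, the feature the classifiers use."""
    return [s - BASE_SIZE for s in sizes]


if __name__ == "__main__":
    for name, fn in (("none", no_padding), ("random", random_padding),
                     ("bucket", bucket_padding)):
        print(f"{name:7}", wire_sizes(SAMPLE_TOKENS, fn))
```

Padding hides chunk sizes only; the timing between events, which the page notes is also observable, needs a separate control such as batching several tokens per event.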

Who is affected

  • Any user or organisation that uses an LLM service with streaming response mode, and whose traffic can be passively observed (for example, by a compromised WiFi network, an ISP, or a local network attacker).
  • Enterprises relying on generative‑AI chatbots for sensitive internal work (e.g., legal, compliance, research) are at risk of topic exposure, even if the content remains encrypted.
  • AI service providers and developers of LLM integrations: models that stream responses and expose packet/timing metadata may inadvertently leak information.
  • Sectors with regulatory sensitivity (finance, defence, critical infrastructure), where even the fact that a user asked about “money‑laundering” or “political dissent” in a conversation can be damaging.

Why CISOs should care

  • This is a side‑channel risk, not a plaintext‑exposure vulnerability. The encryption still holds, but metadata (packet size and timing) leaks a signal, so TLS alone is not sufficient protection.
  • As organisations deploy generative AI widely (for productivity, automation, customer interactions), the threat surface expands: even AI chat systems previously considered internal and secure can be tapped.
  • For CISOs governing AI adoption, this raises a dimension of “conversation confidentiality” exposure that must be addressed in risk assessments and vendor evaluations.
  • Regulators and auditors will increasingly ask: when using AI chat, what controls are in place to protect topic‑sensitive prompts? Failure to address this could result in regulatory, legal, or reputational consequences.
  • Given that the mitigations are still emerging and depend on vendor implementation, this remains a live risk, not a theoretical one. Proactive engagement is required.

3 Practical Actions

  1. Inventory your AI chat usage and network exposure:

    • Identify which internal or external AI chat services (LLMs) your organisation uses, especially those with streaming modes.
    • Map where traffic flows, what networks are used, and whether traffic could be observed (e.g., remote workers on untrusted WiFi).
    • Flag high‑sensitivity usage (legal, compliance, M&A, internal investigations) and treat it as higher risk.

  2. Require vendor risk assessments and mitigation proof‑points:

    • In vendor contracts and SLAs, ask whether streaming responses expose size/timing patterns and whether padding, randomization, or batching mitigations are in place (as Microsoft notes).
    • Request evidence or certifications that the vendor’s LLM has been tested for side‑channel topic‑leak attacks.
    • Engage AI governance teams to classify which models are permitted for sensitive work and determine whether non-streaming modes should be used when possible.

  3. Implement network and operational controls:

    • For high-sensitivity AI chat use cases, restrict access to controlled networks (e.g., corporate VPN, trusted network segments) and avoid open/untrusted WiFi. Microsoft explicitly recommends avoiding untrusted networks.
    • Consider using a VPN or an encrypted overlay that obscures packet size/timing metadata from network observers. Microsoft suggests this as a mitigation.
    • Where feasible, use non-streaming models (or turn off streaming mode) for highly sensitive discussions, as streaming is the channel that is exploited. Also, train staff on the risk of “topic exposure” even when content seems encrypted.