
Encryption is meant to turn readable data into an unreadable format so that only authorized parties can access it. In the world of AI, however, it is far from perfect.
Encryption is supposed to protect the confidentiality, integrity, and authenticity of information during storage or transmission. Microsoft researchers shared that they have found a new side-channel vulnerability that shakes confidence in encrypted AI communications.
This is because the vulnerability, dubbed the 'Whisper Leak,' is capable of inferring sensitive conversation topics from encrypted traffic between users and large language models. Despite the protection offered by TLS encryption, this attack demonstrates that patterns in packet size and timing can betray the subject matter of a user’s chat with an AI system.
The discovery exposes how modern AI streaming architectures, designed for responsiveness, inadvertently create identifiable digital fingerprints.
Researchers Geoff McDonald and Jonathan Bar Or led the study, training machine learning models to classify whether encrypted traffic corresponded to a sensitive prompt, such as discussions on money laundering, or to unrelated chatter.
They gathered encrypted traffic samples from 28 major AI models, analyzing over 21,000 queries per system.
The classifiers, built using LightGBM, Bi-LSTM, and BERT, relied solely on metadata like packet sizes and timing intervals.
In simulated conditions, some models achieved near-perfect detection rates, reaching 100% precision even when the sensitive topic represented only one in ten thousand random conversations. These results revealed that encrypted AI sessions leak subtle but consistent traces that can be exploited by a well-equipped eavesdropper.
For your eyes only: a side‑channel could tip off what you asked a chatbot, no message reading required. Mitigations deployed. Your mission? Get the details: https://t.co/06DGX48kpf
— Microsoft Security (@msftsecurity) November 7, 2025
According to Microsoft in a blog post:
"More recently, the unique characteristics of language models have opened new avenues for side-channel analysis. Our research into Whisper Leak builds upon and is contextualized by several concurrent and recent works specifically targeting language models."
What makes Whisper Leak especially troubling is that it operates without breaking encryption.
Instead, it exploits the streaming nature of language models, which send responses token by token. Each generated token corresponds to a network packet, and even though the contents are encrypted, the length and timing of these packets reflect the model’s internal processing and response structure.
By observing these encrypted sequences, attackers can infer whether a user’s discussion touches on restricted or politically sensitive topics.
This makes the technique particularly potent for adversaries capable of passively monitoring traffic, such as ISPs, surveillance agencies, or anyone with access to the same Wi-Fi network.
Microsoft’s experiments confirmed that models from OpenAI, Mistral, xAI, and the DeepSeek platform were among the most vulnerable.
Systems like GPT-4o and Mistral Large streamed outputs in fine-grained tokens, creating easily recognizable patterns. Google’s Gemini and Amazon’s Nova models performed better due to batching mechanisms that obscure token boundaries, but none were fully immune.
The researchers found that the more data the attacker collects, the more accurate the classification becomes, suggesting that large-scale surveillance could make Whisper Leak increasingly effective over time.

In response to Microsoft’s disclosure, several companies moved quickly to implement mitigations.
OpenAI and Azure introduced random obfuscation fields within streaming responses, inserting unpredictable filler text to disrupt packet length patterns. Testing showed that this sharply reduced the attack’s effectiveness, lowering its success rate to impractical levels. Mistral adopted a similar defense through a new “p” parameter designed to randomize packet output.
Other mitigations, such as random padding, token batching, and dummy packet injection, were also evaluated.
While each approach reduced attack accuracy, none completely eliminated the leak, and some introduced significant performance costs or bandwidth overhead.
Microsoft emphasized that Whisper Leak is not a flaw in TLS itself but rather a design side effect of how LLMs deliver real-time outputs.
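The effect of the obfuscation-field and batching mitigations on observable sizes can be seen in a small simulation, added here as an example and not taken from Microsoft or any provider. The event format, the `obfuscation` field name, the sample tokens, and the treatment of TLS overhead as a constant are assumptions made for illustration.

```python
import json
import secrets
import string

# Constructed sample: tokens of one streamed model response.
TOKENS = ["Money", " laundering", " is", " the", " process", " of",
          " concealing", " illicit", " funds", "."]

FIELD = "obfuscation"  # hypothetical field name, chosen for this sketch


def event(text, pad_max=0):
    """Serialize one streamed chunk, optionally with random-length filler."""
    body = {"delta": text}
    if pad_max:
        n = secrets.randbelow(pad_max + 1)  # filler length 0..pad_max
        body[FIELD] = "".join(secrets.choice(string.ascii_letters) for _ in range(n))
    return ("data: " + json.dumps(body) + "\n\n").encode()


def observed_sizes(tokens, pad_max=0, batch=1):
    """Per-event sizes visible on the wire. TLS record overhead is treated as
    a constant per event and left out (an assumption of this sketch)."""
    chunks = ["".join(tokens[i:i + batch]) for i in range(0, len(tokens), batch)]
    return [len(event(c, pad_max)) for c in chunks]


def recovered_lengths(sizes):
    """Unpadded case: subtracting the fixed framing yields each chunk's text length."""
    return [s - len(event("")) for s in sizes]


if __name__ == "__main__":
    print("token lengths   ", [len(t) for t in TOKENS])
    print("unpadded -> text", recovered_lengths(observed_sizes(TOKENS)))
    print("padded sizes    ", observed_sizes(TOKENS, pad_max=64))
    print("batched (4)     ", recovered_lengths(observed_sizes(TOKENS, batch=4)))
```

Without padding, the size sequence maps one-to-one onto token lengths; with random filler, each size covers a 65-byte range of possible lengths, and batching hides the boundaries between tokens inside a chunk.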

The vulnerability underscores the delicate balance between efficiency and privacy in AI systems. As conversational models become embedded in healthcare, legal, and enterprise settings, the exposure of even indirect information, like whether someone is asking about a confidential medical condition or a financial crime, could have severe implications.
The researchers also highlighted that Whisper Leak’s threat is magnified in multi-turn conversations or repeated interactions with the same user, where consistent behavioral patterns accumulate into richer data for attackers to analyze.
A single intercepted session might not reveal much, but dozens could form a behavioral signature linked to a specific user or organization. This opens doors to targeted surveillance, corporate espionage, or political monitoring without direct data compromise.

To mitigate risk, Microsoft advises users to exercise caution when discussing highly sensitive topics over public or untrusted networks.
Using VPNs can obscure traffic patterns by adding another layer of encryption and rerouting data through unpredictable paths. For enterprises, deploying on-premises LLMs or using providers that have implemented robust obfuscation measures can help maintain confidentiality. Additionally, switching to non-streaming models, where responses are generated in full before transmission, offers stronger resistance to this form of attack.
Ultimately, Whisper Leak serves as both a warning and a lesson.
It exposes an unseen layer of risk in how AI systems communicate, showing that even encrypted channels can whisper secrets to those who know how to listen.
As LLMs continue to evolve and embed themselves deeper into society, securing their communication pathways will become as critical as aligning their behaviors and outputs. In the arms race between privacy and observation, the discovery of Whisper Leak reminds us that silence itself can still speak volumes.