Executive Summary
In November 2025, researchers Geoff McDonald and Jonathan Bar Or identified a side-channel vulnerability in Large Language Models (LLMs) termed 'Whisper Leak.' This attack exploits patterns in encrypted network traffic—specifically packet sizes and timing—to infer user prompt topics during LLM interactions. Despite TLS encryption, these metadata patterns allow adversaries to classify conversation topics with high accuracy, posing significant privacy risks. The study demonstrated the attack's effectiveness across 28 popular LLMs, achieving near-perfect classification rates and high precision even in scenarios with extreme class imbalance. (microsoft.com)
The discovery of Whisper Leak underscores the urgent need for LLM providers to address metadata leakage vulnerabilities. As LLMs are increasingly deployed in sensitive domains such as healthcare and legal services, ensuring robust privacy protections is paramount. The researchers evaluated mitigation strategies like random padding, token batching, and packet injection; however, none provided complete protection, highlighting the complexity of securing LLM communications against side-channel attacks. (microsoft.com)
Why This Matters Now
The Whisper Leak vulnerability highlights a critical privacy risk in LLM deployments, especially as these models are integrated into sensitive sectors. Addressing this issue is urgent to prevent potential exploitation by adversaries capable of monitoring encrypted network traffic.
Attack Path Analysis
An adversary monitors encrypted network traffic between a user and a remote Large Language Model (LLM) service, analyzing packet sizes and timing patterns to infer sensitive information. By exploiting these side-channel leaks, the attacker deduces the topics of user prompts, potentially identifying confidential subjects. The adversary may escalate their attack by injecting malicious prompts to manipulate the LLM's responses. This manipulation could facilitate lateral movement within the system, allowing the attacker to access other services or data. The attacker establishes command and control by embedding covert instructions within the LLM's outputs, maintaining persistent access. Finally, the adversary exfiltrates sensitive data inferred from the LLM interactions, leading to significant privacy breaches and potential misuse of the information.
Kill Chain Progression
Initial Compromise
Description
An adversary monitors encrypted network traffic between a user and a remote LLM service, analyzing packet sizes and timing patterns to infer sensitive information.
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Obtain Capabilities: Artificial Intelligence
Network Sniffing
Application Layer Protocol
Exfiltration Over C2 Channel
Exploitation for Client Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect stored cardholder data
Control ID: 3.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Protection
Control ID: 3.1
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Side-channel attacks against LLMs threaten patient confidentiality through timing patterns that can leak sensitive medical consultation topics despite encryption protection.
Financial Services
LLM timing vulnerabilities enable inference of financial advice topics and PII extraction including credit card numbers, violating regulatory compliance requirements.
Legal Services
Attorney-client privilege compromised as side-channel attacks can fingerprint confidential legal queries and leak privileged communication patterns through encrypted traffic analysis.
Computer Software/Engineering
Software development workflows exposed through LLM timing attacks that distinguish coding assistance queries, potentially revealing proprietary development strategies and technical implementations.
Sources
- Side-Channel Attacks Against LLMshttps://www.schneier.com/blog/archives/2026/02/side-channel-attacks-against-llms.htmlVerified
- Whisper Leak: a side-channel attack on Large Language Modelshttps://www.microsoft.com/en-us/research/publication/whisper-leak-a-side-channel-attack-on-large-language-models/Verified
- Whisper Leak: a side-channel attack on Large Language Modelshttps://arxiv.org/abs/2511.03675Verified
- Whisper Leak: A novel side-channel attack on remote language modelshttps://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to exploit side-channel leaks and manipulate LLM responses.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to infer sensitive information from encrypted traffic may be constrained, reducing the likelihood of successful initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through manipulated LLM responses may be limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the system may be constrained, reducing the risk of further compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access through covert instructions may be limited, reducing the duration of the compromise.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may be constrained, reducing the impact of the breach.
The overall impact of the incident may be reduced due to constrained attacker activities in earlier stages.
Impact at a Glance
Affected Business Functions
- Customer Support
- Data Analysis
- Content Generation
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data through inference of conversation topics from encrypted LLM traffic.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Encrypted Traffic (HPE) to secure data in transit and prevent packet sniffing.
- • Deploy East-West Traffic Security to monitor and control lateral movement within the network.
- • Utilize Zero Trust Segmentation to enforce least privilege access and limit unauthorized access.
- • Enhance Multicloud Visibility & Control to detect and respond to anomalous interactions.
- • Establish Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
