
Emerging Side-Channel Threats Target Large Language Models (LLMs)

3 min read. Source: Schneier on Security

Three new research papers reveal timing, speculative decoding, and metadata-based side-channel attacks on LLMs, exposing user prompts and sensitive data despite encryption.

Researchers Uncover Critical Side-Channel Vulnerabilities in LLMs

Security researchers have identified multiple side-channel attack vectors targeting large language models (LLMs), exposing user prompts, conversation topics, and even personally identifiable information (PII) despite encrypted communications. Three recently published papers detail novel techniques that exploit timing characteristics, speculative decoding patterns, and metadata leakage in LLM inference systems.

1. Remote Timing Attacks on Efficient LLM Inference

A team of researchers demonstrated how efficiency optimizations in LLMs—such as speculative sampling and parallel decoding—introduce data-dependent timing variations that can be exploited remotely. By analyzing encrypted network traffic between a user and an LLM service, attackers can infer:

  • Conversation topics (e.g., medical advice vs. coding assistance) with >90% precision on open-source systems
  • Specific messages or user language on production platforms like OpenAI’s ChatGPT and Anthropic’s Claude
  • PII recovery (e.g., phone numbers, credit card details) via active boosting attacks on open-source models

The attack requires only black-box access, making it feasible for adversaries monitoring network traffic. Potential defenses include traffic shaping and constant-time inference techniques, though these may impact performance.

2. Side Channels via Speculative Decoding in LLMs

Speculative decoding—a technique used to improve LLM throughput and latency—was found to leak sensitive information through input-dependent speculation patterns. Researchers showed that monitoring per-iteration token counts or packet sizes enables attackers to:

  • Fingerprint user queries from a set of 50 prompts with >75% accuracy across four speculative decoding schemes (REST, LADE, BiLD, EAGLE)
  • Leak confidential datastore contents at rates exceeding 25 tokens/second

Even at higher temperature settings (e.g., 1.0), accuracy remained significantly above random baselines. Proposed mitigations include packet padding and iteration-wise token aggregation, though these introduce trade-offs in efficiency.

3. Whisper Leak: Metadata-Based Prompt Inference

The Whisper Leak attack exploits packet size and timing patterns in encrypted LLM traffic to classify user prompt topics. Evaluated across 28 popular LLMs from major providers, the attack achieved:

  • Near-perfect classification (often >98% AUPRC) for sensitive topics like "money laundering"
  • High precision even with extreme class imbalance (10,000:1 noise-to-target ratio)
  • Recovery of 5-20% of target conversations in some models

The attack poses risks for users under network surveillance by ISPs, governments, or local adversaries. Mitigations such as random padding, token batching, and packet injection reduce effectiveness but do not eliminate the threat.

Impact and Recommendations

These side-channel attacks highlight a growing risk as LLMs are deployed in healthcare, legal services, and confidential communications. Key takeaways for security professionals:

  • Monitor encrypted traffic patterns for anomalous timing or packet size variations
  • Evaluate speculative decoding implementations for potential information leakage
  • Implement traffic shaping (e.g., constant-time responses) where feasible
  • Adopt metadata obfuscation techniques (e.g., padding, batching) to reduce leakage
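As an added illustration of the packet-size channel described in sections 2 and 3 and of the token batching and padding mitigations listed above (a constructed example, not code from any of the cited papers): the per-iteration token counts, the bytes-per-token figure and the framing overhead are all assumed values, and leakage is measured as the log2 of the number of response fingerprints an on-path observer can still tell apart.

```python
import math

# Constructed sample: tokens emitted per decode iteration for six responses,
# as a speculative decoder might produce them (accepted draft tokens vary with
# content). Real counts would be measured from the serving stack.
RESPONSES = {
    "r1": [1, 3, 2, 5, 1, 4, 2],
    "r2": [2, 2, 3, 4, 1, 5, 1],
    "r3": [1, 3, 2, 5, 1, 4, 3],
    "r4": [4, 1, 1, 2, 3, 3, 2, 2],
    "r5": [3, 3, 3, 3, 3, 3, 3, 3, 3],
    "r6": [2, 5, 1, 1, 2, 4, 3],
}
BYTES_PER_TOKEN = 4   # assumed average ciphertext bytes per streamed token
FRAME_OVERHEAD = 40   # assumed fixed framing bytes per packet

def packet_sizes(token_counts):
    """What an on-path observer sees: one packet per iteration, size tracking tokens."""
    return tuple(FRAME_OVERHEAD + n * BYTES_PER_TOKEN for n in token_counts)

def batch_tokens(token_counts, batch):
    """Iteration-wise token aggregation: flush only once `batch` tokens are ready."""
    out, pending = [], 0
    for n in token_counts:
        pending += n
        while pending >= batch:
            out.append(batch)
            pending -= batch
    if pending:
        out.append(pending)  # final flush carries the remainder
    return out

def pad_sizes(sizes, bucket):
    """Pad every packet up to the next multiple of `bucket` bytes."""
    return tuple(math.ceil(s / bucket) * bucket for s in sizes)

def leakage_bits(fingerprints):
    """Upper bound on what the size sequence alone reveals: log2 of the number
    of distinct observable sequences (uniform prior over the responses)."""
    return math.log2(len(set(fingerprints)))

def compare(responses, batch=8, bucket=64):
    """Leakage in bits before and after token batching plus padding."""
    raw = [packet_sizes(t) for t in responses.values()]
    shaped = [pad_sizes(packet_sizes(batch_tokens(t, batch)), bucket)
              for t in responses.values()]
    return leakage_bits(raw), leakage_bits(shaped)

if __name__ == "__main__":
    raw, shaped = compare(RESPONSES)
    print(f"raw: {raw:.2f} bits, batched+padded: {shaped:.2f} bits")
```

Shaping does not zero the channel here: the one response with a much larger total token count still stands out by its packet count, which matches the observation above that these mitigations reduce but do not eliminate the leak.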

While some providers have begun deploying countermeasures, the research underscores the need for industry-wide collaboration to address metadata leakage in AI systems.
