
Microsoft Exposes ‘Whisper Leak’ Attack: A New Threat to AI Chat Privacy in Encrypted Traffic

Microsoft has recently unveiled a new side-channel attack termed "Whisper Leak," which targets remote language models. The attack potentially allows an adversary who can observe encrypted network traffic to extract sensitive information about the topics of conversations with AI models, even with encryption in place.

Whisper Leak works by analyzing the packet sizes and timing of encrypted traffic between users and AI services. According to researchers from Microsoft, including Jonathan Bar Or and Geoff McDonald, attackers, such as cyber espionage actors, can use these data points to assess whether a user’s query pertains to certain sensitive subjects, like political dissent or financial crimes.

One significant aspect of this attack is that it exploits the model’s streaming capabilities, where responses are generated incrementally rather than all at once. This streaming can reveal information based on the characteristics of the traffic, independent of the encryption that secures the actual content of the dialogue.

To validate their concerns, Microsoft created a binary classifier as a proof of concept. Built with several different machine learning algorithms, including LightGBM, Bi-LSTM, and BERT, it demonstrated a high success rate in identifying specific conversation topics from the encrypted data being transmitted. Tests against several prominent AI frameworks, such as Mistral and OpenAI, yielded classifiers that correctly identified sensitive topics with over 98% accuracy.

This capability raises significant privacy risks. For instance, if a government agency or an Internet service provider monitored traffic to an AI chatbot, they could discern if users were querying about sensitive issues, despite HTTPS encryption safeguarding the content itself.

The researchers indicated that the attack’s efficacy could improve as an attacker amasses more data over time, making it an increasingly practical threat. Following this disclosure, major AI developers, including OpenAI and Microsoft, have begun implementing measures to mitigate this risk, such as adding random sequences of text to responses to mask timing and packet sizes.
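The sketch below is an added example, not code from Microsoft or any AI provider. It models a streamed response as one server-sent event per token and shows why record sizes track token lengths, and how a random-length padding field breaks that link. The `pad` field name, the event layout, the sample tokens and the one-event-per-TLS-record assumption are all hypothetical.

```python
import json
import secrets
import string

# Assumption: TLS 1.3 with an AEAD cipher and no record padding adds a fixed
# 22 bytes per record (5 header + 1 content type + 16 auth tag).
TLS_OVERHEAD = 22

# Constructed sample: tokens of a streamed reply (not real model output).
SAMPLE_TOKENS = ["The", " transfer", " was", " reported", " to", " regulators"]

def sse_event(token, pad_max=0):
    """Serialize one streamed token; optionally add 0..pad_max random characters."""
    body = {"delta": token}
    if pad_max:
        n = secrets.randbelow(pad_max + 1)
        # Hypothetical field name; receivers simply ignore it.
        body["pad"] = "".join(secrets.choice(string.ascii_letters) for _ in range(n))
    return ("data: " + json.dumps(body) + "\n\n").encode()

def observed_sizes(tokens, pad_max=0):
    """Record sizes visible on the wire, assuming one event per TLS record."""
    return [len(sse_event(t, pad_max)) + TLS_OVERHEAD for t in tokens]

def recovered_lengths(sizes):
    """Token lengths implied by record sizes once the constant framing is subtracted."""
    base = len(sse_event("")) + TLS_OVERHEAD
    return [s - base for s in sizes]

if __name__ == "__main__":
    plain = observed_sizes(SAMPLE_TOKENS)
    padded = observed_sizes(SAMPLE_TOKENS, pad_max=32)
    print("true token lengths    :", [len(t) for t in SAMPLE_TOKENS])
    print("implied, no padding   :", recovered_lengths(plain))
    print("implied, with padding :", recovered_lengths(padded))
```

Padding of this kind addresses the size signal only; inter-packet timing needs separate treatment such as batching tokens before sending.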

Microsoft also recommended users exercise caution by refraining from discussing sensitive matters over untrusted networks, utilizing VPNs for added security, and opting for AI services that incorporate protective measures against such vulnerabilities.

The release of this research aligns with other findings that have identified vulnerabilities in various AI models, underscoring the necessity for robust security controls and stringent operational protocols when using advanced technologies in sensitive or critical contexts.

