{"id":24979,"date":"2025-12-04T14:59:45","date_gmt":"2025-12-04T10:59:45","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24979"},"modified":"2025-12-04T15:00:06","modified_gmt":"2025-12-04T11:00:06","slug":"chatbot-eavesdropping-whisper-leak-protection","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/chatbot-eavesdropping-whisper-leak-protection\/24979\/","title":{"rendered":"How to eavesdrop on a neural network"},"content":{"rendered":"

People entrust neural networks with their most important, even intimate, matters: verifying medical diagnoses, seeking love advice, or turning to AI instead of a psychotherapist<\/a>. There are already known cases of suicide planning<\/a>, real-world attacks<\/a>, and other dangerous acts facilitated by LLMs.\u00a0 Consequently, private chats between humans and AI are drawing increasing attention from governments, corporations, and curious individuals.<\/p>\n

So, there won\u2019t be a shortage of people willing to implement the Whisper Leak attack in the wild. After all, it allows determining the general topic of a conversation with a neural network without interfering with the traffic in any way \u2014 simply by analyzing the timing patterns of sending and receiving encrypted data packets over the network to the AI server. However, you can still keep your chats private; more on this below\u2026<\/p>\n

How the Whisper Leak attack works<\/h2>\n

All language models generate their output progressively. To the user, this appears as if a person on the other end is typing word by word. In reality, however, language models operate not with individual characters or words, but with tokens \u2014 a kind of semantic unit for LLMs, and the AI response appears on screen as these tokens are generated. This output mode is known as \u201cstreaming\u201d, and it turns out you can infer the topic of the conversation by measuring the stream\u2019s characteristics. We\u2019ve previously covered a research effort<\/a> that managed to fairly accurately reconstruct the text of a chat with a bot by analyzing the length of each token it sent.<\/p>\n

Researchers at Microsoft took this further by analyzing the response characteristics<\/a> from 30 different AI models to 11,800 prompts. A hundred prompts were used: variations on the question, \u201cIs money laundering legal?\u201d, while the rest were random and covering entirely different topics.<\/p>\n

By comparing the server response delay, packet size, and total packet count, the researchers were able to very accurately separate \u201cdangerous\u201d queries from \u201cnormal\u201d ones. They also used neural networks for the analysis \u2014 though not LLMs. Depending on the model being studied, the accuracy of identifying \u201cdangerous\u201d topics ranged from 71% to 100%, with accuracy exceeding 97% for 19 out of the 30 models.<\/p>\n

The researchers then conducted a more complex and realistic experiment. They tested a dataset of 10,000 random conversations, where only one focused on the chosen topic.<\/p>\n

The results were more varied, but the simulated attack still proved quite successful. For models such as Deepseek-r1, Groq-llama-4, gpt-4o-mini, xai-grok-2 and -3, as well as Mistral-small and Mistral-large, researchers were able to detect the signal in the noise in 50% of their experiments with zero false-positives.<\/p>\n

For Alibaba-Qwen2.5, Lambda-llama-3.1, gpt-4.1, gpt-o1-mini, Groq-llama-4, and Deepseek-v3-chat, the detection success rate dropped to 20% \u2014 though still without false positives. Meanwhile, for Gemini 2.5 pro, Anthropic-Claude-3-haiku, and gpt-4o-mini, the detection of \u201cdangerous\u201d chats on Microsoft\u2019s servers was only successful in 5% of cases. The success rate for other tested models was even lower.<\/p>\n

A key point to consider is that the results depend not only on the specific AI model, but also on the server configuration on which it\u2019s running. Therefore, the same OpenAI model might show different results in Microsoft\u2019s infrastructure versus OpenAI\u2019s own servers. The same holds true for all open-source models.<\/p>\n

Practical implications: what does it take for Whisper Leak to work?<\/h2>\n

If a well-resourced attacker has access to their victims\u2019 network traffic \u2014 for instance, by controlling a router at an ISP or within an organization \u2014 they can detect a significant percentage of conversations on topics of interest simply by measuring traffic sent to the AI assistant servers, all while maintaining a very low error rate. However, this does not equate to automatic detection of any possible conversation topic. The attacker must first train their detection systems on specific themes \u2014 the model will only identify those.<\/p>\n

This threat cannot be dismissed as purely theoretical. Law enforcement agencies could, for example, monitor queries related to weapons or drug manufacturing, while companies might track employees\u2019 job search queries. However, using this technology to conduct mass surveillance across hundreds or thousands of topics isn\u2019t feasible \u2014 it\u2019s just too resource-intensive.<\/p>\n

In response to the research, some popular AI services have altered their server algorithms to make this attack more difficult to execute.<\/p>\n

How to protect yourself from Whisper Leak<\/h2>\n

The primary responsibility for defense against this attack lies with the providers of AI models. They need to deliver generated text in a way that prevents the topic from being discerned from the token generation patterns. Following Microsoft\u2019s research, companies including OpenAI, Mistral, Microsoft Azure, and xAI reported that they were addressing the threat. They now add a small amount of invisible padding to the packets sent by the neural network, which disrupts Whisper Leak algorithms. Notably, Anthropic\u2019s models were inherently less susceptible to this attack from the start.<\/p>\n

If you\u2019re using a model and servers for which Whisper Leak remains a concern, you can either switch to a less vulnerable provider, or adopt additional precautions. These measures are also relevant for anyone looking to safeguard against future attacks of this type:<\/p>\n