Side-Channel Attacks Against LLMs

Here are three papers describing different side-channel attacks against LLMs.

“Remote Timing Attacks on Efficient Language Model Inference”:

Abstract: Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive body of work (e.g., speculative sampling or parallel decoding) that improves the (average case) efficiency of language model generation. But these techniques introduce data-dependent timing characteristics. We show it is possible to exploit these timing differences to mount a timing attack. By monitoring the (encrypted) network traffic between a victim user and a remote language model, we can learn information about the content of messages by noting when responses are faster or slower. With complete black-box access, on open source systems we show how it is possible to learn the topic of a user’s conversation (e.g., medical advice vs. coding assistance) with 90%+ precision, and on production systems like OpenAI’s ChatGPT and Anthropic’s Claude we can distinguish between specific messages or infer the user’s language. We further show that an active adversary can leverage a boosting attack to recover PII placed in messages (e.g., phone numbers or credit card numbers) for open source systems. We conclude with potential defenses and directions for future work.

“When Speculation Spills Secrets: Side Channels via Speculative Decoding in LLMs”:

Abstract: Deployed large language models (LLMs) often rely on speculative decoding, a technique that generates and verifies multiple candidate tokens in parallel, to improve throughput and latency. In this work, we reveal a new side-channel whereby input-dependent patterns of correct and incorrect speculations can be inferred by monitoring per-iteration token counts or packet sizes. In evaluations using research prototypes and production-grade vLLM serving frameworks, we show that an adversary monitoring these patterns can fingerprint user queries (from a set of 50 prompts) with over 75% accuracy across four speculative-decoding schemes at temperature 0.3: REST (100%), LADE (91.6%), BiLD (95.2%), and EAGLE (77.6%). Even at temperature 1.0, accuracy remains far above the 2% random baseline—REST (99.6%), LADE (61.2%), BiLD (63.6%), and EAGLE (24%). We also show the capability of the attacker to leak confidential datastore contents used for prediction at rates exceeding 25 tokens/sec. To defend against these, we propose and evaluate a suite of mitigations, including packet padding and iteration-wise token aggregation.

“Whisper Leak: a side-channel attack on Large Language Models”:

Abstract: Large Language Models (LLMs) are increasingly deployed in sensitive domains including healthcare, legal services, and confidential communications, where privacy is paramount. This paper introduces Whisper Leak, a side-channel attack that infers user prompt topics from encrypted LLM traffic by analyzing packet size and timing patterns in streaming responses. Despite TLS encryption protecting content, these metadata patterns leak sufficient information to enable topic classification. We demonstrate the attack across 28 popular LLMs from major providers, achieving near-perfect classification (often >98% AUPRC) and high precision even at extreme class imbalance (10,000:1 noise-to-target ratio). For many models, we achieve 100% precision in identifying sensitive topics like “money laundering” while recovering 5-20% of target conversations. This industry-wide vulnerability poses significant risks for users under network surveillance by ISPs, governments, or local adversaries. We evaluate three mitigation strategies – random padding, token batching, and packet injection – finding that while each reduces attack effectiveness, none provides complete protection. Through responsible disclosure, we have collaborated with providers to implement initial countermeasures. Our findings underscore the need for LLM providers to address metadata leakage as AI systems handle increasingly sensitive information.
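All three abstracts describe the same underlying mechanism: a streaming reply is encrypted, but the size and arrival time of each record still track how many tokens were produced and how long each decoding step took. The following is a constructed illustration added here, not code from any of the three papers, showing that mechanism and two of the mitigations the abstracts name (padding and fixed-interval token batching / iteration-wise aggregation). The sample replies, the per-iteration acceptance runs, the ciphertext overhead and the timing constants are all assumptions chosen for the demonstration.

```python
"""Constructed illustration of packet-size/timing leakage from streamed LLM
replies and of padding plus fixed-interval batching as a mitigation.
Not taken from the papers above; all figures are made up for the example."""

AEAD_OVERHEAD = 8    # assumed fixed per-record ciphertext overhead (bytes)
ITERATION_MS = 30.0  # assumed wall time of one decoding iteration

# Constructed sample replies.  Each inner list is the run of tokens accepted
# in one speculative-decoding iteration (assumed, for illustration only).
REPLIES = {
    "medical": [["Take", "ibuprofen", "every"], ["six", "hours", "with", "food"],
                ["and"], ["monitor", "for", "stomach", "pain"]],
    "coding": [["def", "fib(n):", "return", "n"], ["if", "n", "<", "2"],
               ["else", "fib(n-1)"], ["+", "fib(n-2)"]],
}


def naive_stream(reply):
    """Send each accepted run as soon as it is verified: one record per token,
    every token of an iteration sharing that iteration's timestamp.  With a
    length-preserving cipher the record size is token length plus a constant,
    so both token lengths and per-iteration acceptance counts are on the wire."""
    packets = []
    for i, run in enumerate(reply):
        t = (i + 1) * ITERATION_MS
        for tok in run:
            packets.append((len(tok.encode()) + AEAD_OVERHEAD, t))
    return packets


def padded_batched_stream(reply, interval_ms=60.0, pad_to=64):
    """Mitigation: flush on a fixed clock, aggregating everything generated
    since the last flush into one record padded up to a multiple of pad_to.
    An empty interval still emits a full-size record (constant-rate cover)."""
    timed = [(tok, (i + 1) * ITERATION_MS)
             for i, run in enumerate(reply) for tok in run]
    packets, t = [], interval_ms
    while timed:
        batch = [tok for tok, gen in timed if gen <= t]
        timed = [(tok, gen) for tok, gen in timed if gen > t]
        plain = len(" ".join(batch).encode())
        padded = max(pad_to, -(-plain // pad_to) * pad_to)  # round up, never 0
        packets.append((padded + AEAD_OVERHEAD, t))
        t += interval_ms
    return packets


def trace_distance(a, b):
    """Observer-side comparison of two (size, time) traces: summed size and
    timing gaps per record, with unmatched records counted at full weight."""
    n = max(len(a), len(b))
    a = a + [(0, 0.0)] * (n - len(a))
    b = b + [(0, 0.0)] * (n - len(b))
    return sum(abs(sa - sb) + abs(ta - tb) for (sa, ta), (sb, tb) in zip(a, b))


def distinguishable(transport):
    """True if someone who knows both candidate replies could tell them apart
    from the trace that `transport` puts on the wire."""
    traces = {k: transport(v) for k, v in REPLIES.items()}
    return trace_distance(traces["medical"], traces["coding"]) > 0


def classify(observed, transport):
    """Nearest-trace match against the known candidate replies."""
    return min(REPLIES, key=lambda k: trace_distance(observed, transport(REPLIES[k])))


if __name__ == "__main__":
    print("naive stream leaks:", distinguishable(naive_stream))
    print("padded+batched leaks:", distinguishable(padded_batched_stream))
    print("padded trace:", padded_batched_stream(REPLIES["medical"]))
```

Under `naive_stream` the two replies produce different size and timing sequences and the nearest-trace match recovers which one was sent; under `padded_batched_stream` both collapse to identical 72-byte records on a 60 ms clock. The residual leak the abstracts warn about is still visible in the model: a reply that spans more flush intervals emits more records, so total response length leaks at interval granularity, and the clock interval itself bounds how much per-iteration timing is hidden.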

Posted on February 17, 2026 at 7:01 AM • 8 Comments

Comments

Clive Robinson February 17, 2026 12:24 PM

@ Bruce, ALL,

With regards,

“Here are three papers describing different side-channel attacks against LLMs.”

A couple of things to note,

1, These are all “visible on the wire” from a long way away.
2, These are just the start of the fun.

The “visible on the wire” is both a TEMPEST / EmSec issue as well as an attacker hiding / covert / passive attack issue.

That is as a security person you are limited in that you can only see the devices “on the wire” that you control. That is to the point just past where the wire leaves the last device under your direct control i.e. your edge or perimeter device.

After that you can not detect a “passive attacker” who only “observes” so they are “hidden from sight” or “covert” in the traditional sense.

This is why the “first device up stream” that is vulnerable such as a router is where SigInt Agencies like to “hide out”.

With regards the second point this is where “traffic analysis” meets “the rubber of the road” as far as all “traffic as opposed to message” security hangs.

Traffic analysis thus security of LLM’s used in “frameworks” will “live or die” by the ability to passively observe.

The “Retrieval-Augmented Generation “(RAG), Ralph loops, and Gas Town are all frameworks where the results you are seeking get writ large on the wire for anyone to passively observe.

This happens because the “framework” and “results rules” run at your end of the wire, but the LLM and the tools used with it run at the other end of the wire. Including those that examine your “local files” from inside your perimeter and they all have visible meta-data that crypto does not obscure unless you take additional precautions.

Look on it like the gangster boss and his bodyguards issue, where they make their presence known by ordering in “take away food”. The message of who is actually there is “in the toppings”, but the traffic of group dynamics is the visible number of boxes.

Any observer can passively see the data flows and make very fast determination of what you are doing.

And realistically there is no crypto or other standard security in commercial or consumer use that can stop this hemorrhaging of information to the wire thus a passive observer.

It’s something I’ve been giving some thought and experimentation to, and I would advise others to do the same fairly urgently.

Clive Robinson February 17, 2026 1:05 PM

@ Bruce,

In the past, discussions on “traffic analysis” and the “failings of Tor”[1] have proved quite contentious with,

“Fan-buoys, bobbing up and down demanding attention”

Time has proved the Tor fan-bois all wrong so they are generally quiet these days.

However there are a lot of shills pumping current AI LLM and ML systems in “AI Agent frameworks” as they are about the only way any ROI is going to happen for the general LLM companies. As a result there is a great deal of wealth and potentially the US and world economies at risk on “AI Agent Frameworks”.

So there might be predictable, albeit unnecessary, friction arising.

Traffic analysis works against all “broadcast systems” where message flow can be passively observed by an adversary / attacker; the prevention techniques are thus similar to all communications security[1].

Hopefully common sense will prevail.

[1] As far as I’m aware the original points I made about Tor failings a decade or so back are still up on this blog, and as they apply generally should be a useful guide / resource for those wanting to avoid the same and similar mistakes with AI Agent Frameworks.

Rontea February 17, 2026 1:36 PM

on “Remote Timing Attacks on Efficient Language Model Inference”
This paper highlights a critical tradeoff in LLM optimization: techniques like speculative sampling and parallel decoding improve performance but unintentionally create timing-based side channels. The authors show that even encrypted traffic can leak meaningful signals, such as conversation topics or user language, through response timing patterns. The experimental results demonstrating 90%+ precision in topic inference and the ability to recover sensitive PII in open-source deployments make this a valuable and practical contribution to understanding LLM privacy risks.

on “When Speculation Spills Secrets: Side Channels via Speculative Decoding in LLMs”
This work provides a detailed and quantitative evaluation of how speculative decoding itself can act as a side-channel vector. By observing token verification patterns, the authors achieve surprisingly high fingerprinting accuracy—even at higher temperature settings where randomness is expected to mask patterns. The cross-method analysis of REST, LADE, BiLD, and EAGLE clearly demonstrates that speculation efficiency gains come with measurable privacy costs. The proposed mitigations like packet padding and token aggregation offer a valuable starting point, though the persistent leakage underscores the difficulty of defending against such attacks.

on “Whisper Leak: a side-channel attack on Large Language Models”
This paper exposes the alarming extent to which metadata—rather than message content—can compromise privacy in LLM interactions. The ability to classify sensitive topics with >98% AUPRC and even achieve 100% precision for certain categories illustrates how vulnerable AI services remain under network surveillance. The study’s large-scale evaluation across 28 models and its focus on real-world deployment scenarios make it highly impactful. The collaborative disclosure and initial mitigations are commendable, but the work also highlights the urgent need for systemic solutions to metadata leakage in AI-driven communications.

Clive Robinson February 17, 2026 3:29 PM

@ Bruce, ALL,

EU bans AI use by their workers

This may not be unrelated to this “side channel issue” when you read into it,

European Parliament bars lawmakers from using AI tools

Who knows where that helpful email summary is being generated?

The European Parliament has scrutinized AI over recent years and has enacted the world’s first legislation specifically designed to address perceived risks from the technology. The ban, alongside guidance to steer lawmakers away from using the services for Parliament business, is more about fears about where the data could end up than anything specific about AI.

The guidance also advised against granting third-party AI apps broad access to data, which seems a sensible instruction regardless of where a user works.

https://www.theregister.com/2026/02/17/european_parliament_bars_lawmakers_from/

bye bye ai February 17, 2026 4:10 PM

“The guidance also advised against granting third-party AI apps broad access to data, which seems a sensible instruction regardless of where a user works”

Huh?! The less data the AI has the less useful is its training and the less useful any agent will be for completing tasks.

What part of the word “large” is one failing to understand in LLM??? Without large amounts of data AI as currently formulated is useless.

lurker February 17, 2026 6:04 PM

@bye bye ai

Sure, there’s a school of thought that says the more data the better for understanding the world. But whose data? From where? Are we back to the meme of the early nineties, Information Wants to be Free?

Ultimately anyone who uses one of the public commercial engines via the internet is putting their stuff on someone else’s computer. This can often end in tears.

It’s an expensive, delicate balancing act to train an in-house LLM behind a firewall, but the results may be worth it for specialist domain applications.

Clive Robinson February 17, 2026 7:28 PM

@ bye bye ai,

With regards the penultimate paragraph of The Register article you highlight, you say,

“The less data the AI has the less useful is its training and the less useful any agent will be for completing tasks.”

You are focusing on the wrong part of the system.

The LLM has two parts of relevance,

1, The “Digital Neural Network”(DNN).
2, The “Working Memory” / session cache.

If you look up what “Retrieval-Augmented Generation”(RAG) does and how,

https://www.youtube.com/watch?v=T-D1OfcDW1M

You will see that the data being talked about is “loaded into the Data store in Working memory” “specific to the user query”, not used by the ML to train the general language DNN that goes into the LLM to fake its human-like behaviour.

Further this specific data gets built and goes out across the wire each time the user query is run.

Specific data should be regarded as “Private / Privileged” whereas the DNN training data is “Public / unprivileged” and in effect known to everyone.

The problem is that whilst the Private data source is “local to the user”, the working memory in the LLM is very far from the user and is adjacent to the DNN in the remote LLM. As such anything traveling to or in the LLM working memory from a user is,

1, Transported by questionable tools security wise, across public open and easily hackable networks.

2, Once in the working memory of the LLM very probably insufficiently isolated from other users of the LLM so accessible in various ways.

The way to stop these Working Memory issues is to have the LLM “local and isolated from public networks”… Which is not something that happens a lot currently.

ResearcherZero February 27, 2026 2:47 AM

If one SigInt agency can access the data, then it may be possible for others. Multiple actors utilising compromised infrastructure or gaining access to 3rd party interception equipment is a common occurrence. Encryption can be bypassed in a given situation, like all security features.

Vulnerabilities in networking equipment and side channels can be open to many actors at once – and over time. After access is gained to telecommunications equipment for example, then an actor can move laterally through the networks to lawful interception equipment.

There are many ways that this can be done and a lot of information moving over the wire can be captured at very low levels. This can allow for bypass of security features. An actor can capture traffic and collect information on persons and communications. This allows for access to a wide range of information types and can provide access to huge volumes of data. If an individual possesses useful information, insight may be gleaned by monitoring their activity.

Public networks are “public”. The information flows through many vulnerable wires and nodes. Via either physical interception via a leak or tap, or remote access, communications are vulnerable.

LLMs are a very obvious target for this kind of collection. If an actor can acquire access to low level layers, bypass isolation or security, they can then move up to higher layers. Cloud resources are utilized by a wide range of potential targets, each with valuable I/O traffic.

There are many different ways to gain information about a subject, some obvious some not.

Supply chains are another way to gain the initial access, then expand that level of access, or gain the level of access to completely bypass all of the security features of the platform. This can render secure channels as compromised. Other methods may also provide the same results.
