
Whisper Leak: When Encrypted Conversations with AI Still Reveal What You’re Talking About

S4 EP 6: We chat with one of the researchers behind the side-channel attack on LLMs

Catch this episode on YouTube, Apple, Spotify, or Amazon. You can read the show notes here.

AI is reshaping every corner of security, but every once in a while, a discovery forces us to rethink the boundaries of private communication. This week, we chat about Whisper Leak, a side-channel issue uncovered by Microsoft Threat Intelligence researchers JBO (now at CrowdStrike) and Geoff McDonald. It doesn’t break encryption, but it exposes something defenders often overlook: metadata can be surprisingly revealing.

In this conversation, we explore how Whisper Leak works, why it matters, and how quickly vendors, Microsoft included, moved to reduce real-world risk.

Key Takeaways

  • Whisper Leak doesn’t break encryption; it exploits metadata consistency and token timing.

  • Topic inference is feasible at scale, especially for well-resourced threat actors.

  • Mitigations now exist, and vendors have enabled them by default in most chat interfaces.

  • API users must explicitly enable obfuscation, or they’re likely still vulnerable.

  • Side-channel thinking needs to become standard practice in AI system design.

  • Zero Trust principles apply to AI just as they do to traditional network and app security.

Editor’s note

Hey, we’re not dead, just been super busy. Neal changed jobs and was busy traveling for a couple of months. My role has been slammed supporting a series of events (Black Hat > Ignite) and some other large projects. In fact, you can check one of them here, which offers an inside look at threat intel at Microsoft.

We’ll be back in the new year, but probably not have an every-other-week cadence for a bit. As always, we’re always looking for great stories to tell, so feel free to reach out if you have a pitch (that’s not just about product).

The Problem: Encryption Isn’t the Weak Point, Patterns Are

JBO summarizes the problem simply: even when your AI chat is fully encrypted end-to-end, a threat actor watching network traffic may still infer the topic of your conversation.

Not the words.
Not the content.
Just the topic, but that’s more than enough in the wrong hands.

Think of it like observing two people behind soundproof glass. You can’t hear them, but body language gives away whether they’re arguing, negotiating, or discussing something sensitive. Whisper Leak works the same way, except the gestures are packet sizes and timing intervals.

Two factors make LLMs especially susceptible:

1. Stream ciphers preserve message length

Most LLM interactions use encryption modes where ciphertext size strongly correlates to plaintext size. If a word is five characters, the encrypted packet will be roughly equivalent in size. That correlation becomes a signal.

2. Token streaming leaks timing information

LLMs don’t send a full response at once; they stream tokens as they’re generated. The intervals between those tokens create a fingerprint that can be captured and analyzed.

Combine the two, and you have a statistical attack that can classify conversation topics with high accuracy.

This Is a Side-Channel Attack, Not a Cryptographic Failure

One of the first misconceptions JBO clears up: nothing about Whisper Leak breaks TLS, breaks encryption, or defeats modern ciphers.

This is classic side-channel territory, just as RF emissions, heat signatures, or power fluctuations have historically been used to infer secrets.

What makes Whisper Leak different is scale. Modern LLMs create massive, predictable volumes of structured, encrypted traffic. Structure is its own vulnerability.

And while most threat actors aren’t about to spin up clusters to train topic-classification models, nation-state actors can. More importantly, anyone could have already captured traffic and analyzed it later, making detection effectively impossible.

As JBO puts it:

“There is no way for anyone to actually know if they were impacted. Someone can sniff your network today, save it, and run the attack offline.”

Mitigations: How Vendors Responded

One reason this research drew attention is that it launched with coordinated, responsible mitigation from major LLM providers—including Microsoft and OpenAI. Mitigations included:

1. Token batching

Sending responses in batches instead of token-by-token reduces timing granularity.

2. Controlled output rates

A leaky-bucket-style mechanism smooths timing variance.

3. Padding and obfuscation

Vendors added randomized garbage data to break the correlation between plaintext length and ciphertext length.

OpenAI added an obfuscate=true parameter to its API.
Microsoft added an equivalent parameter to Azure OpenAI endpoints.

These changes dramatically reduce classification accuracy without materially degrading performance.
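To make the size leak from the "Problem" section and the three mitigations above concrete, here is an added Python sketch (not code from the researchers, Microsoft, or OpenAI): it shows the per-token chunk sizes a naive stream exposes, then batches tokens, pads each chunk to a random bucket boundary, and paces chunk release. The token stream, the JSON field names, and the bucket and interval values are constructed assumptions.

```python
import json
import math
import random
import string

# Constructed token stream for illustration (not from the page or the paper).
TOKENS = ["Tell", " me", " about", " tax", " filing", " deadlines", " for",
          " 2024", ".", " The", " standard", " deadline", " is", " April",
          " 15", ","]


def per_token_sizes(tokens):
    """Naive streaming: one chunk per token. Under a length-preserving
    cipher the on-wire sizes track these byte counts one-to-one."""
    return [len(t.encode("utf-8")) for t in tokens]


def obfuscated_chunks(tokens, batch=4, bucket=32, seed=0):
    """Batch several tokens per chunk, then pad the serialized chunk with
    random filler so its size lands on a bucket boundary plus 0-2 extra
    buckets. Chunk size is thereby decoupled from the visible text length.
    The 'delta' and 'obfuscation' field names are assumptions."""
    rng = random.Random(seed)
    chunks = []
    for i in range(0, len(tokens), batch):
        text = "".join(tokens[i:i + batch])
        base = json.dumps({"delta": text, "obfuscation": ""}).encode("utf-8")
        target = math.ceil(len(base) / bucket) * bucket + rng.randint(0, 2) * bucket
        filler = "".join(rng.choices(string.ascii_letters, k=target - len(base)))
        chunks.append(json.dumps({"delta": text, "obfuscation": filler}).encode("utf-8"))
    return chunks


def paced_release_times(ready_times_ms, interval_ms):
    """Leaky-bucket-style pacing: a chunk leaves no sooner than one fixed
    interval after the previous one, whatever the model's generation timing."""
    out, last = [], -interval_ms
    for t in ready_times_ms:
        last = max(t, last + interval_ms)
        out.append(last)
    return out


def receive(chunks):
    """Client side: reassemble the text and simply ignore the filler field."""
    return "".join(json.loads(c)["delta"] for c in chunks)


if __name__ == "__main__":
    print("naive sizes:", per_token_sizes(TOKENS))
    print("padded sizes:", [len(c) for c in obfuscated_chunks(TOKENS)])
    print("release times:", paced_release_times([0, 50, 70, 300], 100))
```

Every padded chunk is a multiple of the bucket size, so two batches carrying different amounts of text can land on identical wire sizes, which is what breaks the length correlation an observer relies on.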

As JBO states:

“We hope that with our paper, it’s going to influence the industry as a whole to think about these ideas proactively.”

Why Zero Trust Still Applies Here

Zero Trust isn’t just about identity, segmentation, and continuous verification. It’s also about understanding assumptions, and Whisper Leak challenges a big one:

Encrypted traffic ≠ private traffic.

Metadata, timing, size patterns: these are routinely overlooked as safe enough. But as AI ecosystems grow, the surface area grows with them. Whisper Leak shows that:

  • Privacy depends on the full communication pattern, not just the cipher.

  • LLM architectures introduce new observable behaviors.

  • Defenders must anticipate issues that emerge from scale, not failure.

This is Zero Trust at its core: treat every layer as untrusted until proven otherwise, including the ones we didn’t previously question.
