AI Side-Channel Attack on LLMs Exposes Sensitive Model Outputs - The “Whisper Leak”

By Azhar Khan
AI Side-Channel Attack on LLMs Exposes Sensitive Model Outputs - The “Whisper Leak”

Date: November 15, 2025

Summary: Security researchers have disclosed a newly identified class of side-channel attack against large language models (LLMs) deployed in multi-tenant cloud and shared-hardware environments. The technique — now commonly referred to as the “Whisper Leak” — enables an adversary to infer model outputs, internal prediction artifacts and, in some cases, user-supplied prompts by observing low-level computational signals during inference. The implications are profound: confidential prompts, draft documents, proprietary code and other sensitive content processed by LLMs could be surreptitiously reconstructed without ever obtaining the underlying model weights or querying the model directly.

What is the Whisper Leak?

The Whisper Leak is a side-channel methodology that correlates observable operational artifacts with the probability distributions and token sequences produced by an LLM during generation. Instead of exploiting software vulnerabilities or tricking a model with malicious inputs, attackers gather and analyze secondary signals—timing differences between tokens, micro-patterns in resource usage, cache and memory access footprints, thermal or power telemetry in colocated hardware, or fine-grained latency jitter from virtualized networking. By combining statistical models, machine learning classifiers and repeated probing, attackers can effectively reconstruct portions of the text the LLM is generating for other tenants.

How the attack works — technical overview

  1. Co-location or shared-resource positioning: The attacker runs code on the same physical server or in a neighboring virtual instance that shares GPUs, CPU caches, or network interfaces used by the victim’s LLM inference.
  2. Signal collection: The attacker instruments their environment to capture side signals: per-token timing, GPU utilization micro-metrics, cache eviction patterns, tiny variations in PCIe or NVMe queue latencies, or network latency changes during model calls.
  3. Probing and calibration: The attacker issues controlled queries to their own model instances (or employs a local surrogate model) to calibrate how specific tokens and probability distributions map to measurable side signals on that hardware.
  4. Inference and reconstruction: Using statistical correlation and decoding heuristics, the attacker translates the recorded side-signal sequences into plausible token sequences and reconstructs the victim’s generated output or parts of the prompt.
  5. Iterative refinement: Multiple repeated observations, combined with language priors, allow improvement of reconstruction accuracy—particularly for predictable or formulaic content (e.g., structured reports, templates, code snippets).

Why Whisper Leak is different and dangerous

  • No direct access required: The attack does not rely on stealing model weights, API keys, or direct API calls to the victim’s model. This reduces observable fingerprints in application logs and makes detection by standard application-layer monitoring more difficult.
  • Hardware and architecture focus: Because the technique leverages physical and runtime characteristics, it bypasses many software-only mitigations like prompt filtering, rate-limiting or model sandboxing.
  • Stealthy: Side-channel collectors can operate at low privilege, generate minimal network traffic, and leave few signs in host process logs, especially in cloud environments with limited telemetry granularity.
  • Cross-tenant risk: Multi-tenant clouds and shared inference accelerators are inherently vulnerable; malicious tenants can harvest side signals from co-located workloads.

Potentially exposed data and use cases

Depending on the target workload and model usage patterns, Whisper Leak may allow adversaries to reconstruct or infer:

  • Proprietary documents or business intelligence summaries generated by corporate LLM instances;
  • Confidential legal briefs, medical triage outputs or private user conversations;
  • Developer prompts that include source code, API keys, or database queries—potentially leading to further compromise;
  • Internal model reasoning artifacts (e.g., chain-of-thought traces, intermediate reasoning tokens) that organisations rely on for sensitive decision-support;
  • Structured templates and form-filled data that are common across many LLM invocations, increasing reconstruction accuracy.

Observed techniques and research findings

Early reproductions show several promising (to attackers) side channels:

  • Token timing signatures: Tiny differences in per-token latency, especially when mixed precision or dynamic batching is used, can correlate with token probability mass and output sequence length.
  • GPU micro-telemetry: Patterns of SM (streaming multiprocessor) utilization and memory-access timings during attention computation reveal structural signatures tied to token positions.
  • Cache-based channels: Shared CPU/GPU caches can leak access patterns when specific attention matrices are computed, enabling differential analysis across generations.
  • Network jitter and virtualization artifacts: In virtualised inference environments, scheduling and I/O latencies add measurable noise that can be modeled and inverted into textual predictions.

Who is at risk?

The risk profile depends on deployment patterns and sensitivity of workloads. High-risk scenarios include:

  • Enterprises running confidential LLM workloads in shared cloud GPUs or collocated inference services;
  • Law firms, healthcare providers and financial institutions that rely on LLMs for sensitive document drafting and analysis;
  • AI providers offering multi-tenant inference instances or "sandboxed" plugin environments that do not provide hardware isolation;
  • Organizations using smaller prompts or templated outputs where reconstruction accuracy is higher due to lower entropy.

Mitigations and defensive strategies

Defending against Whisper Leak requires both architectural changes and operational hardening. Short- and medium-term mitigations include:

  • Hardware isolation: Dedicate physical accelerators (GPUs/TPUs) to sensitive tenants or workloads; avoid noisy co-location with untrusted tenants.
  • Noise injection: Add randomized jitter to token emission timing, obfuscate per-token scheduling, or inject controlled noise into low-level telemetry to reduce signal fidelity.
  • Batching and aggregation: Use batching strategies that mix multiple clients’ requests and blur per-tenant timing signatures, though this may trade off latency and cost.
  • Rate limits and tenancy controls: Enforce strict tenancy isolation, throttle suspicious low-level probing patterns, and limit the granularity of telemetry exposed to tenants.
  • Trusted execution: Employ hardware enclaves and secure compute primitives to restrict direct observation of memory and cache accesses.
  • Model-level techniques: Reduce direct output determinism by applying differential privacy or output smoothing for highly sensitive tasks.
  • Monitoring and hunting: Instrument hypervisor and host systems for unusual fine-grained telemetry collection patterns and unexpected high-resolution probes of timing and resource metrics.

Operational tradeoffs and challenges

Many proposed mitigations carry performance, cost or utility penalties. Hardware isolation increases cost and reduces resource efficiency; noise injection can degrade model responsiveness and user experience; batching introduces latency. Organizations must therefore calibrate risk tolerance—sacrificing some cost or performance for confidentiality when processing high-value or regulated data.

Industry and government response

Following disclosure, cloud providers, AI platform operators and national security agencies are prioritising briefings and triage work. Recommended industry actions are coalescing around rapid audits of multi-tenant inference offerings, emergency guidance for customers processing regulated data, and accelerated development of isolation features within GPU cloud stacks. Governments are examining whether existing data-protection and export controls adequately address side-channel leakage of AI outputs and whether certification or minimum-security baselines for AI hosting are required.

Detection and incident response

If an organization suspects side-channel espionage, recommended steps include:

  • Identify suspicious tenants or workloads that run high-frequency micro-probing and unusual telemetry-collection agents;
  • Capture and preserve low-level host metrics, scheduler logs and GPU telemetry for forensic analysis;
  • Shift critical workloads to isolated physical hosts and rotate any secrets or sensitive tokens that were processed by the potentially exposed model;
  • Engage cloud provider support to review placement decisions, tenant adjacency and potential contamination paths;
  • Inform legal and compliance teams—side-channel exposure of regulated data (health, financial, government) may trigger reporting obligations.

Longer-term implications for AI architecture

Whisper Leak reframes AI security by elevating hardware and runtime behavior to first-class risk factors. Designing secure LLM deployments will increasingly require cross-discipline collaboration between AI researchers, hardware vendors and cloud architects. Future LLM security standards may mandate dedicated inference hardware for sensitive workloads, certified runtime isolation, or even new GPU architectures with explicit side-channel resistance features.

Recommendations for organizations

  1. Classify LLM workloads by sensitivity and avoid placing high-risk jobs on shared infrastructure.
  2. Adopt tenancy isolation for high-value projects (dedicated accelerators, private data centers or on-premise enclaves).
  3. Harden telemetry and audit trails to detect high-resolution probing attempts and anomalous timing measurement tools.
  4. Consider model-level privacy measures—differential privacy, output redaction and limited retention of intermediate reasoning artifacts—for sensitive domains.
  5. Coordinate with cloud providers to obtain guarantees about physical co-location policies and to request tenancy-aware placement controls.
  6. Train incident-response teams to include side-channel forensic workflows that capture low-level host and accelerator telemetry.

Conclusion

The Whisper Leak incident marks a critical inflection point in AI security. It demonstrates that confidentiality risks for LLMs are not limited to data sent to the model or to prompt-injection threats; architectural and hardware signals can also betray sensitive content. Mitigating these risks will demand new operational disciplines, hardware features, and regulatory clarity. For organisations relying on LLMs for confidential workflows, the message is clear: treat AI infrastructure like other critical platforms—segregate, monitor, and harden it carefully. The cost of inaction may be measured in leaked secrets and irrecoverable competitive or national security damage.

Note to editors: This article synthesises the technical nature of the disclosed side-channel technique and recommended mitigations for a broad readership. Technical teams seeking actionable IoCs or telemetry signatures should consult specialised forensic guidance and coordinate with their cloud provider and AI platform vendor for platform-specific mitigation steps.

Azhar Khan
Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.