
Side-Channel Attacks Against LLMs

ID: ca3d5cc0-743a-5197-aa59-8cdb31010b6c

STIX ID: report--ca3d5cc0-743a-5197-aa59-8cdb31010b6c

Feed Name: Schneier on Security

Threat Score: 65/100

Date Published: 2026-02-17

Date Updated: 2026-04-19

Author: Bruce Schneier

This post summarizes three academic papers exposing side-channel attacks against LLMs: remote timing attacks that infer conversation topics and (on open-source systems) recover PII; speculative-decoding leakage that fingerprints queries and can exfiltrate datastore tokens; and "Whisper Leak," which classifies prompt topics from encrypted traffic with very high accuracy across many models. The works demonstrate high-precision leakage from metadata (timing/packet sizes/iteration counts), evaluate mitigations (padding, batching, packet injection), and note partial defenses and responsible disclosure with some provider collaboration.
