惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
AI
AI
Recent Announcements
Recent Announcements
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Stack Overflow Blog
Stack Overflow Blog
V
Visual Studio Blog
J
Java Code Geeks
TaoSecurity Blog
TaoSecurity Blog
L
LangChain Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Project Zero
Project Zero
Microsoft Security Blog
Microsoft Security Blog
量子位
T
Threatpost
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - Franky
博客园 - 聂微东
L
LINUX DO - 最新话题
Security Archives - TechRepublic
Security Archives - TechRepublic
Hugging Face - Blog
Hugging Face - Blog
T
The Blog of Author Tim Ferriss
P
Proofpoint News Feed
The GitHub Blog
The GitHub Blog
C
Check Point Blog
宝玉的分享
宝玉的分享
G
Google Developers Blog
Spread Privacy
Spread Privacy
Cloudbric
Cloudbric
SecWiki News
SecWiki News
有赞技术团队
有赞技术团队
www.infosecurity-magazine.com
www.infosecurity-magazine.com
W
WeLiveSecurity
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
美团技术团队
V
Vulnerabilities – Threatpost
Cyberwarzone
Cyberwarzone
A
Arctic Wolf
P
Privacy & Cybersecurity Law Blog
P
Palo Alto Networks Blog
H
Help Net Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
A
About on SuperTechFans
N
Netflix TechBlog - Medium
罗磊的独立博客
月光博客
月光博客

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
LLM side-channel attack could allow snoops to guess topic
Jessica Lyons Jessica Lyons · 2025-11-11 · via The Register - Security: Research

UPDATED Mischief-makers can guess the subjects being discussed with LLMs using a side-channel attack, according to Microsoft researchers. They told The Register that models from some providers, including Anthropic, AWS, DeepSeek, and Google, haven't been fixed, putting both personal users and enterprise communications at risk.

A side-channel attack monitors indirect signals, like power consumption, electromagnetic radiation, or timing, to steal cryptographic keys and other secrets. While they usually target hardware – remember Spectre, Meltdown, and all the related CPU bugs since – researchers have been poking around for side-channel vulnerabilities in LLMs.

Microsoft researchers successfully developed one such attack, named Whisper Leak, which infers the topics of prompts from encrypted LLM queries by analyzing packet size and timing patterns in streaming responses. 

Streaming models send responses to users incrementally, in small chunks or tokens, as opposed to sending the complete responses all at once. This makes them susceptible to an attacker-in-the-middle scenario, where someone with the ability to intercept network traffic could sniff those LLM tokens.

"Cyberattackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyberattack to infer if the user's prompt is on a specific topic," researchers Jonathan Bar Or and Geoff McDonald wrote

"This especially poses real-world risks to users by oppressive governments where they may be targeting topics such as protesting, banned material, election process, or journalism," the duo added.

Redmond disclosed the flaw to affected vendors and says some of them – specifically, Mistral, Microsoft, OpenAI, and xAI - have all implemented mitigations to protect their models from the type of side-channel attack.

An adversary with the ability to save network packets could potentially perform this attack offline

Microsoft also tested the attack against other providers and models including Alibaba Qwen, Anthropic's Claude, Amazon Nova, DeepSeek, Lambda Labs, and Google's Gemini. Some providers declined to implement fixes citing various rationales, while several others remained unresponsive despite follow-up attempts, according to a related technical paper about Whisper Leak. 

This is still the case, according to Bar Or, who told The Register that "to date, we have not heard from other vendors about additional mitigations."

The Register also reached out to these vendors but did not receive any response at the time of publication.

"As far as we know, there are currently no attacks in the wild," Bar Or said. "However, it's important to note that an adversary with the ability to save network packets could potentially perform this attack offline. The attack itself is probabilistic in nature, meaning different vendors are impacted in different ways."

Proof-of-concept shows how the attack would work

Redmond's team produced a Whisper Leak attack demo and proof-of-concept code that uses the models to conclude a probability (between 0.0 and 1.0) of a topic being "sensitive" – in this case, money laundering.

For this proof-of-concept, the researchers used a language model to generate 100 variants of a question about the legality of money laundering, mixed them with general traffic, and then trained a binary classifier to distinguish the target topic from background queries.

Then they collected data from each language model service individually, recording response times and packet sizes via network sniffing (viatcpdump). Additionally, they shuffled the order of positive and negative samplesfor collection, and introduced variants by inserting extra spaces between words - this helps avoid caching interference risk. 

After collecting data from all of the models, researchers evaluatedthree different machine learning models, and evaluated each in three modes (time-only, packet-size only, or both):

  • LightGBM: A gradient boosting framework.
  • LSTM-based (Bi-LSTM): A recurrent neural network architecture suitable for sequential data.
  • BERT-based: Using a pre-trained transformer model (DistilBERT-uncased) adapted with extended tokens representing size and time buckets for sequence classification.

The duo then measured the models' performance using Area Under the Precision-Recall Curve (AUPRC).

In several of the models, including ones hosted by providers Alibaba, DeepSeek, Mistral, Microsoft, xAI, and OpenAI, classifiers achieved over 98 percent AUPRC, indicating near-perfect separation between sensitive and normal traffic.

They then simulated a "more realistic surveillance scenario" in which an attacker monitored 10,000 conversations, with only one aboutthe target topic in the mix. They performed this test several times, and in many cases had zero false positives, while catching the money-laundering messages between 5 percent and 50 percent of the time. They wrote:

There are a few different ways to protect against size and timing information leakage. Microsoft and OpenAI adopted a method introduced by Cloudflare to protect against a similar side-channel attack: adding a random text sequence to response fields to vary token sizes, making them unpredictable, and thus mostly defending against size-based attacks. 

"We have directly verified that Microsoft Azure's mitigation successfully reduces attack effectiveness to levels we consider no longer a practical risk," the duo said in the Friday blog.

For many of the tested models, a cyberattacker could achieve 100% precision (all conversations it flags as related to the target topic are correct) while still catching 5-50% of target conversations … To put this in perspective: if a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics – whether that's money laundering, political dissent, or other monitored subjects – even though all the traffic is encrypted.

Other mitigation measures include grouping multiple tokens before transmission. This decreases the number of observable network events and obscures individual token characteristics. 

Or, providers could inject synthetic packets at random intervals, which obfuscates both size and timing patterns. ®

Updated at 16.01 UTC on November 11, 2025, to add:

An AWS spokesperson told us: "As we shared with the researchers in August, the techniques described in this paper are not effective against AWS services, as they rely on being able to capture customer traffic to analyze patterns. Customers using AWS services, including VPC and Amazon Bedrock, are protected from these types of traffic analysis attacks."