Side-Channel Attack Exposes Encrypted AI Assistant Chats, Revealing Sensitive Information

AI assistants have become an integral part of our daily lives, handling everything from personal health questions to business secrets. Providers like OpenAI and Microsoft are well aware of the sensitivity of these interactions and implement encryption to protect user data. However, a new side-channel attack has emerged that can decipher AI assistant responses with surprising accuracy, even when they're encrypted.

What Changed?

Researchers at Ben-Gurion University in Israel have identified a vulnerability in how major AI assistants handle encryption. This side-channel attack exploits the way these services transmit and process tokens (the smallest units of text used by language models). The attack is particularly effective against ChatGPT, Microsoft Copilot, and other popular chatbots, with Google Gemini being the notable exception.

How It Works

• Side-Channel Exploitation: The attack leverages a side channel present in the network traffic. Side channels are indirect information leaks that can reveal data through observable properties like timing or power consumption.
• Token Analysis: By monitoring the encrypted traffic, attackers can infer the sequence of tokens being transmitted. This is possible because different sequences of tokens result in slightly different network patterns.
• Language Model Refinement: The raw token sequences are then fed into a large language model (LLM) trained to refine and reconstruct the original message. This LLM helps improve the accuracy of the inferred text.

Impact on Practitioners

The implications for security practitioners and users are significant:

• 55% Topic Accuracy: An attacker can infer the specific topic of 55 percent of all captured responses with high word accuracy.
• 29% Perfect Word Accuracy: In 29 percent of cases, the attack can deduce the entire response with perfect word accuracy.

Example Scenarios

• ChatGPT Response:

  • Encrypted: "Yes, there are several important legal considerations that couples should be aware of when considering a divorce, …"
  • Deciphered: "Yes, there are several potential legal considerations that someone should be aware of when considering a divorce. …"

• Microsoft Copilot Response:

  • Encrypted: "Here are some of the latest research findings on effective teaching metho"
  • Deciphered: "Here are some of the latest research findings on effective teaching methods."

Mitigation Strategies

To protect against this attack, security teams and users can take several steps:

• End-to-End Encryption: Implement stronger end-to-end encryption protocols to ensure that data remains secure even if network traffic is intercepted.
• Traffic Obfuscation: Use techniques like padding or randomizing packet sizes to make it harder for attackers to infer token sequences.
• Regular Audits: Conduct regular security audits and vulnerability assessments to identify and patch potential side-channel vulnerabilities.

Conclusion

The discovery of this side-channel attack highlights the ongoing challenges in securing sensitive data, even with encryption. As AI assistants continue to play a crucial role in our personal and professional lives, it's essential for both users and providers to stay vigilant and adopt robust security measures.