ML Security PapersNetEcho: From Real-World Streaming Side-Channels to Full LLM Conversation Recovery
Zheng Zhang 1,2, Guanlong Wu 1, Sen Deng 2, Shuai Wang 2, Yinqian Zhang 1,2
Published on arXiv
2510.25472
Sensitive Information Disclosure
OWASP LLM Top 10 — LLM06
Key Finding
NetEcho recovers approximately 70% of conversation information from encrypted LLM streaming traffic across seven deployment scenarios despite active traffic padding and obfuscation defenses.
NetEcho
Novel technique introduced
In the rapidly expanding landscape of Large Language Model (LLM) applications, real-time output streaming has become the dominant interaction paradigm. While this enhances user experience, recent research reveals that it exposes a non-trivial attack surface through network side-channels. Adversaries can exploit patterns in encrypted traffic to infer sensitive information and reconstruct private conversations. In response, LLM providers and third-party services are deploying defenses such as traffic padding and obfuscation to mitigate these vulnerabilities. This paper starts by presenting a systematic analysis of contemporary side-channel defenses in mainstream LLM applications, with a focus on services from vendors like OpenAI and DeepSeek. We identify and examine seven representative deployment scenarios, each incorporating active/passive mitigation techniques. Despite these enhanced security measures, our investigation uncovers significant residual information that remains vulnerable to leakage within the network traffic. Building on this discovery, we introduce NetEcho, a novel, LLM-based framework that comprehensively unleashes the network side-channel risks of today's LLM applications. NetEcho is designed to recover entire conversations -- including both user prompts and LLM responses -- directly from encrypted network traffic. It features a deliberate design that ensures high-fidelity text recovery, transferability across different deployment scenarios, and moderate operational cost. In our evaluations on medical and legal applications built upon leading models like DeepSeek-v3 and GPT-4o, NetEcho can recover avg $\sim$70\% information of each conversation, demonstrating a critical limitation in current defense mechanisms. We conclude by discussing the implications of our findings and proposing future directions for augmenting network traffic security.
Key Contributions
- Systematic analysis of seven representative LLM deployment scenarios (OpenAI, DeepSeek) covering both active and passive traffic-padding defenses, revealing significant residual information leakage despite these mitigations.
- NetEcho: an LLM-based framework that recovers full conversations (user prompts and LLM responses) from encrypted streaming traffic, with high-fidelity recovery, cross-scenario transferability, and moderate cost.
- Empirical evaluation on medical and legal applications built on DeepSeek-v3 and GPT-4o showing ~70% average conversation information recovery, demonstrating critical limitations in current defenses.