Researchers have discovered a side channel attack that can decipher AI assistant responses with surprising accuracy. The attack affects all major AI assistants, except Google Gemini. It allows someone with a passive adversary-in-the-middle position to infer the specific topic of 55% of all captured responses, usually with high word accuracy. The attack can deduce responses with perfect word accuracy 29% of the time. This means that anyone who can observe the traffic, such as malicious actors on the same Wi-Fi or LAN as a client, can read private chats sent from AI assistants. This includes sensitive discussions about personal matters or business secrets. The providers of these AI-powered chat services are aware of the sensitivity of these discussions and take active steps, mainly in the form of encrypting them, to prevent potential snoops from reading other people’s interactions. However, this research shows that the way encryption is used is flawed, and thus the content of the messages is exposed.
Read more at: arstechnica.com