Steganography Without Modification: Hidden Communication via LLM Seeds

arXiv – CS AI | Felix Mächtle, Jonas Sander, Sebastian Berndt, Ben Weimar, Nils Loose, Thomas Eisenbarth

AI Summary

Researchers discovered a steganographic vulnerability in widely-deployed Large Language Models that allows hidden messages to be embedded in generated text through PRNG seeds without modifying model weights or outputs. The attack recovers 32-bit seeds with up to 100% accuracy in known-prompt scenarios within seconds, raising security concerns about LLM inference systems.

Analysis

This research exposes a fundamental vulnerability in how modern LLM inference systems operate, specifically targeting the pseudo-random number generation mechanisms underlying token sampling. The attack works by exploiting deterministic properties of inverse-transform sampling—the mathematical process converting random numbers into token selections. Rather than attacking the model itself, the vulnerability leverages the relationship between PRNG seeds and the probability intervals they generate, which can be reconstructed from output text alone.
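The interval relationship described above, as an added toy illustration (not the paper's algorithm and not code from any inference framework): each sampled token confines the PRNG draw to one CDF interval, so replaying a candidate seed shows whether it fits the output. The vocabulary, probabilities, the 12-bit seed space and the use of Python's `random.Random` as the PRNG are all assumptions made for the example.

```python
import random
from bisect import bisect_right
from itertools import accumulate

# Constructed toy next-token distribution, reused at every step (assumption:
# a real model recomputes it per token; the interval logic is the same).
VOCAB = ["the", "a", "model", "seed", "token", "text", "is", "."]
PROBS = [0.30, 0.20, 0.15, 0.10, 0.10, 0.07, 0.05, 0.03]
CDF = list(accumulate(PROBS))
CDF[-1] = 1.0  # pin the top edge so float rounding cannot leave a gap


def sample_tokens(seed, n):
    """Inverse-transform sampling: draw u in [0,1), pick i with CDF[i-1] <= u < CDF[i]."""
    rng = random.Random(seed)  # stand-in PRNG, not the one an inference stack uses
    return [bisect_right(CDF, rng.random()) for _ in range(n)]


def interval(tok):
    """The range of u that an observed token reveals."""
    return (CDF[tok - 1] if tok else 0.0), CDF[tok]


def seed_is_consistent(seed, tokens):
    """Replay the PRNG and check each draw against the interval its token implies."""
    rng = random.Random(seed)
    for tok in tokens:
        lo, hi = interval(tok)
        if not lo <= rng.random() < hi:
            return False
    return True


def surviving_seeds(tokens, seed_bits):
    """All seeds in a toy-sized space that could have produced this output."""
    return [s for s in range(2 ** seed_bits) if seed_is_consistent(s, tokens)]


if __name__ == "__main__":
    out = sample_tokens(1234, 40)  # constructed sample output
    print(" ".join(VOCAB[t] for t in out))
    for n in (1, 4, 8, 40):
        print(n, "tokens ->", len(surviving_seeds(out[:n], 12)), "of 4096 seeds fit")
```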

The steganographic channel represents a previously undocumented attack surface in production LLM systems. Prior security research focused on prompt injection, jailbreaking, and model extraction, but overlooked this seed-level exploitation path. The two operational modes—known-prompt and unknown-prompt—demonstrate practical attack scenarios, with the known-prompt variant achieving nearly perfect recovery in under 35 seconds on consumer hardware.

For the AI industry, this finding highlights how infrastructure-level assumptions about randomness and isolation can create security blind spots. Organizations deploying LLM inference stacks must reconsider whether current seed management practices adequately protect against covert channels. The vulnerability particularly threatens applications requiring strong security isolation, such as confidential computing environments or multi-tenant API services.

Looking forward, the research likely catalyzes three developments: enhanced seed randomization strategies in inference frameworks, audit requirements for steganographic vulnerabilities in compliance-heavy sectors, and closer examination of other potential covert channels in LLM sampling pipelines. The work demonstrates that security analysis of production AI systems remains incomplete.

Key Takeaways
  • LLM inference stacks contain an exploitable steganographic channel requiring no model modifications, enabling 32-bit hidden message transmission.
  • The attack recovers PRNG seeds with up to 100% accuracy in known-prompt scenarios and near-perfect accuracy in unknown-prompt scenarios within seconds.
  • The vulnerability affects six major model families across diverse text domains, indicating widespread infrastructure-level exposure.
  • Researchers demonstrate that prompt availability dramatically improves attack success rates, invalidating prompt-secrecy assumptions in multi-tenant systems.
  • The findings suggest broader undiscovered covert channels may exist in LLM sampling pipelines beyond seed-based steganography.