AI Prompt Injection: Hijacking Smart Devices via Calendar Invites
The convenience of artificial intelligence assistants, such as Google’s Gemini, could mask a concerning new cybersecurity vulnerability that allows attackers to seize control of smart devices and access sensitive personal data. At the recent Black Hat USA cybersecurity conference in Las Vegas, a team of researchers unveiled how seemingly innocuous digital interactions, like a Google Calendar invitation, can be weaponized with hidden commands to hijack internet-connected appliances and more.
This emerging threat, known as prompt injection, exploits the way large language models (LLMs) process information. Researchers detailed their findings in a paper titled “Invitation Is All You Need!”, demonstrating 14 distinct methods to manipulate Gemini. The most alarming of these involved taking over smart home systems, illustrating how attackers could turn off lights, activate boilers, or otherwise wrestle control from homeowners, potentially creating dangerous or compromising scenarios. Beyond household devices, the research also showed how attackers could compel Gemini to initiate Zoom calls, intercept email details, or even download files from a connected phone’s web browser.
Many of these exploits began with a deceptively simple Google Calendar invitation, poisoned with prompt injections designed to bypass the AI model’s built-in safety protocols once activated. These are far from isolated incidents; security researchers have previously demonstrated similar vulnerabilities in other LLMs. For instance, prompt injection has been used to compromise code assistants like Cursor, and just last month, Amazon’s coding tool was reportedly infiltrated by an attacker who instructed it to delete files from the machines it was running on.
It is becoming increasingly apparent that AI models are susceptible to hidden directives. A recent study revealed that an AI model used to train other models inadvertently passed along specific quirks and preferences, even when explicit references to such preferences were filtered out of the training data. This suggests that unseen messages or instructions may be transmitting between AI systems in ways not yet fully understood.
The inner workings of large language models largely remain “black boxes,” making it difficult to fully comprehend how they process and respond to inputs. However, malicious actors do not need to understand the intricate mechanisms at play; they merely need to discover how to embed a message that compels the AI to behave in a specific, exploitative manner. While the researchers responsibly informed Google of the vulnerabilities discovered, and the company has since addressed the specific issues, the broader risk continues to mount. As AI becomes more deeply integrated into diverse platforms and aspects of daily life, particularly with the rollout of AI agents capable of multi-step interactions with apps and websites, the potential for such weaknesses to be exploited escalates dramatically.