A team of cybersecurity researchers has uncovered a sophisticated attack method that exploits Google’s Gemini AI assistant through seemingly innocent calendar invitations, demonstrating how artificial intelligence systems can be weaponized against their own users. The vulnerability, dubbed “Targeted Promptware Attacks,” allows malicious actors to hijack Gemini’s functionality and perform unauthorized actions ranging from data theft to physical world manipulation.
The Attack Mechanism
The exploit operates through a technique called indirect prompt injection, where attackers embed malicious instructions within Google Calendar event titles. When users interact with Gemini by asking routine questions like “What are my calendar events today?” the AI assistant retrieves and processes all calendar information, including the hidden malicious prompts.
The attack’s sophistication lies in its stealth approach. Researchers found that sending six calendar invites maximizes effectiveness while maintaining invisibility—the first five invites appear normal, while the sixth contains the malicious payload. Since Gemini’s interface typically displays only the five most recent events with additional ones hidden behind a “Show more” button, users remain unaware of the compromise while Gemini processes all events, including the malicious instruction.
Demonstrated Attack Capabilities
The research revealed alarming possibilities for exploitation. Security experts successfully demonstrated multiple attack vectors:
Data Exfiltration: Attackers can force Gemini to access and leak sensitive information from emails and calendar entries, potentially exposing confidential personal or business data.
Location Tracking: By compelling Gemini to open malicious websites through its Android Utilities agent, attackers can capture users’ IP addresses and determine their geographic location.
Smart Home Manipulation: Perhaps most concerning, researchers showed how attackers could control physical devices connected to Google Home, including opening smart windows, activating boilers, and manipulating other IoT devices.
Communication Hijacking: The vulnerability enables forced participation in video calls through Zoom and other applications, potentially enabling surveillance of unsuspecting victims.
Technical Classification
The researchers categorized the threats into five distinct classes, each representing escalating levels of compromise:
Short-Term Context Poisoning affects individual sessions, allowing one-time malicious actions. Long-Term Memory Poisoning targets Gemini’s persistent memory functions, enabling sustained attacks across multiple interactions.
Tool Misuse manipulates Gemini’s built-in capabilities, such as deleting calendar events or accessing user data. Automatic Agent Invocation represents lateral movement between different Gemini agents, where compromising one service enables attacks on others.
Automatic App Invocation specifically targets mobile devices, exploiting Gemini’s ability to open applications and websites without proper user verification.
Risk Assessment and Real-World Impact
Using a Threat Analysis and Risk Assessment framework, researchers evaluated 14 attack scenarios, finding that 73% rated as High-Critical threats capable of compromising confidentiality, integrity, and availability. The attacks require no specialized technical knowledge from perpetrators and exploit the very features that make Gemini useful—its broad permissions and integration across Google’s ecosystem.
The vulnerability represents a significant shift in AI security threats, marking what researchers believe to be the first demonstration of AI systems being hijacked to create real-world physical consequences. This development raises serious concerns about the security implications of increasingly interconnected AI agents and smart home ecosystems.
Mitigation and Response
Following responsible disclosure protocols, the research team reported their findings to Google before public release. The tech giant acknowledged the severity of the vulnerability and implemented comprehensive mitigations, including behavior-based detection systems and enhanced user verification requirements for sensitive operations.
