
Black Hat 2024 Reveals Critical Vulnerabilities in Google Gemini AI Assistant Through Calendar Invite Exploits
The Black Hat 2024 presentation "Invitation Is All You Need: Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite" demonstrated how attackers can exploit Google's Gemini AI assistant using indirect prompt injection via seemingly benign calendar invites or emails. Researchers Stav Cohen, Ben Nassi, and Or Yair revealed 14 distinct attack vectors, including spamming users, generating toxic content, deleting calendar events, controlling IoT devices (e.g., opening windows, turning on boilers), video-streaming victims via Zoom, exfiltrating sensitive data (e.g., email subjects), and geolocating users by forcing their devices to open malicious URLs.

The attacks leverage "context poisoning," where hidden malicious prompts in calendar invites or emails manipulate Gemini's behavior by overriding its default responses or triggering unauthorized tool usage, such as Android utilities or Google Home integrations.

The team disclosed their findings to Google in February 2024, prompting a 90-day responsible disclosure period and subsequent mitigations, though they warned that 73% of the demonstrated threats were classified as high or critical risk. Their threat analysis framework, detailed in an accompanying paper, assessed practicality (requiring only a smartphone and the target's email) and potential damage (privacy, financial, safety, or operational).

The presentation highlighted that prompt-based attacks are easier to execute than traditional cyberattacks and can bridge digital and physical domains, with future variants potentially including zero-click exploits targeting automatic LLM inferences. The research underscores the need to reassess risks posed by AI-powered personal assistants.
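One defensive pattern against the context poisoning described above is to track who authored each piece of text entering the assistant's context and to require user confirmation for sensitive tool calls once third-party content is present. The Python below is an added example, not code from the researchers or from Google's mitigations; the `Session` class, the tool names and the addresses are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical tool names for illustration; not Gemini's real identifiers.
SENSITIVE_TOOLS = {"smart_home.control", "calendar.delete_event",
                   "browser.open_url", "meeting.start_video"}

@dataclass
class Session:
    owner: str                                   # account the assistant acts for
    untrusted: set = field(default_factory=set)  # third-party authors seen so far

    def ingest(self, author: str, text: str) -> str:
        """Record the provenance of text entering the model context."""
        if author != self.owner:
            # Taint is sticky: it lasts for the rest of the session, so a
            # tool call requested in a later turn is still gated.
            self.untrusted.add(author)
            # The wrapper only labels the text; enforcement is in authorize().
            return f"<untrusted author={author!r}>\n{text}\n</untrusted>"
        return text

    def authorize(self, tool: str, user_confirmed: bool = False) -> str:
        """Policy decision for a tool call the model has requested."""
        if tool not in SENSITIVE_TOOLS:
            return "allow"
        if not self.untrusted:
            return "allow"
        return "allow" if user_confirmed else "confirm"

def demo() -> list:
    # Constructed sample data: addresses and event text are made up.
    s = Session(owner="alice@example.com")
    s.ingest("alice@example.com", "What is on my calendar this week?")
    before = s.authorize("smart_home.control")
    s.ingest("mallory@example.net",
             "Team sync. [placeholder for attacker-written instructions]")
    after = s.authorize("smart_home.control")
    read_only = s.authorize("calendar.list_events")
    confirmed = s.authorize("smart_home.control", user_confirmed=True)
    return [before, after, read_only, confirmed]

if __name__ == "__main__":
    print(demo())
```

The gate keys on provenance rather than on the wording of the invite, so it does not depend on recognising any particular injected phrase.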