Google Calendar Exploit Gemini AI: Security Fixes Implemented

Recent demonstrations at the Black Hat computer-security conference have uncovered significant vulnerabilities in Google Gemini AI, particularly concerning its integration with Google Home smart devices. Researchers from Tel Aviv University—Ben Nassi, Stav Cohen, and Or Yair—revealed that hidden prompts, termed "promptware," can be embedded in seemingly innocuous places, such as Google Calendar invitations or email subject lines. When Gemini scans these inputs, it may execute specific commands that control connected smart home devices, including opening windows, turning off lights, activating boilers, or even geolocating users.

The underlying issue stems from Gemini’s design to process and respond to basic English commands across various Google apps. These stealthy, malicious prompts can instruct Gemini to create hidden agents, awaiting common triggers (like a “thank you” reply in an email) to initiate actions within the smart home ecosystem. The researchers’ website, "Invitation is All You Need," demonstrates these exploits with video evidence, showcasing the ease with which a sophisticated hacker could manipulate everyday routines and critical devices.

In response, Google has acted swiftly, implementing multiple security fixes following the research team’s responsible disclosure in February. Andy Wen, Google Workspace’s senior director of security product management, confirmed that these vulnerabilities were patched before any real-world exploitation occurred, crediting the researchers for accelerating Google’s deployment of advanced defenses.

While smart home hacking remains rare and is generally thwarted by contemporary security measures, the introduction of generative AI assistants into the mix—including future upgrades for Alexa and Siri—raises new concerns. The Black Hat findings emphasize the necessity for ongoing, rigorous security assessments whenever AI features are added to smart homes. For those worried about lingering risks, Gemini can be disabled as a precaution, but overall user protection has already been strengthened.