Date: 2025-08-07

A new class of AI attack uses poisoned invites to control your lights, boiler, and even your Zoom app – and Google’s Gemini is just the beginning.

Key takeaways: A new AI attack hides malicious commands in calendar invites to control smart home devices and apps.

Researchers tricked Google Gemini into turning off lights, starting Zoom calls, and more without user input.

Users can protect themselves by disabling automatic event additions and limiting assistant permissions.

In a Tel Aviv apartment, three cybersecurity researchers remotely activated a smart boiler, opened window shutters, and turned off lights, all without physical access or user interaction.

The attack didn’t rely on a malware file or a hacked WiFi network – it was triggered by a simple Google Calendar invite, containing hidden instructions for Gemini, Google’s AI assistant.

When the researchers later asked Gemini to summarize upcoming events, those hidden prompts were silently processed, and the smart devices executed the actions.

This is the first known instance of an LLM attack causing real-world, physical outcomes, marking a new phase in AI-driven security threats.

How indirect prompt injections work – and why they’re dangerous

Unlike traditional hacking, these attacks don’t exploit code vulnerabilities – they exploit how LLMs interpret language.

Known as indirect prompt injections, these attacks hide malicious instructions inside innocent-looking content like calendar titles, email subjects, or document names.

The AI assistant, in this case Gemini, reads and processes these messages, even if the user never sees or understands them.

When triggered by normal user behavior (“thanks” or “sure”), the LLM can perform actions that it’s authorized to do – like opening apps, accessing files, or controlling smart devices.

This attack method is deceptively low-tech, requires no code injection, and doesn’t rely on tricking the user – it tricks the AI into interpreting the user’s environment.

Gemini’s new vulnerability – when convenience becomes a security risk

Gemini isn’t just a chatbot. It’s part of Google’s growing “agentic” ecosystem, meaning it can connect to and control tools like Calendar, Gmail, Google Home, and Zoom.

This integration is meant to increase user productivity by letting AI take actions on your behalf, but it also widens the attack surface.

In one example highlighted by the researchers, a poisoned prompt caused Gemini to open Zoom and start a video call without user approval, turning the phone into a potential surveillance device.

In another, it exfiltrated a user’s email subject lines to an attacker-controlled website by encoding them into a fake “source” URL.

The researchers demonstrated 14 attack scenarios across Android and web platforms, suggesting that users are vulnerable not just at the software level, but at the ecosystem level.

How Google responded and what you can do

Since researchers exposed the vulnerability, Google has introduced new AI filters and confirmation prompts, but these safeguards are still being rolled out.

The underlying problem persists, as assistants like Gemini can still misinterpret hidden text as user intent.

You can reduce risk by turning off automatic event additions in Google Calendar, a common entry point for prompt injection.

Review and limit your assistant’s access to smart devices, apps, and calendar data to prevent unwanted actions.

Treat AI assistants like interns – they need oversight before acting independently.
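
The sketch below shows what that oversight can look like in code. It is an added example, not Google's implementation and not code from the researchers: a gate that holds back sensitive tool calls once the session has read an outside calendar invite, and releases them only on an approval token from a confirmation UI, so a chat reply such as “thanks” cannot act as consent. The tool names, the `ActionGate` class, and the "outside the user's domain means untrusted" rule are assumptions made for illustration.

```python
import secrets

# Hypothetical tool names for this sketch; not Gemini's real identifiers.
SENSITIVE_TOOLS = {"smart_home.set_state", "app.open", "browser.open_url"}


class ActionGate:
    """Sits between the model's proposed tool calls and their execution."""

    def __init__(self, user_domain):
        self.user_domain = user_domain
        self.untrusted_sources = []   # third-party content read this session
        self.pending = {}             # approval token -> (tool, args)

    def ingest_event(self, event):
        """Pass event text to the model, recording invites from outside senders."""
        organizer = event.get("organizer", "")
        # Assumption: anything not organized from the user's own domain is untrusted.
        if not organizer.lower().endswith("@" + self.user_domain):
            self.untrusted_sources.append("calendar:" + organizer)
        return event.get("title", "")

    def propose(self, tool, args):
        """Return ("allow", None) or ("confirm", token) for a model-proposed call."""
        if tool not in SENSITIVE_TOOLS or not self.untrusted_sources:
            return "allow", None
        token = secrets.token_hex(8)
        self.pending[token] = (tool, dict(args))
        return "confirm", token

    def approve(self, token):
        """Called only by the confirmation UI, never with chat text.

        Returns the exact (tool, args) the user saw, or None if the token is unknown.
        """
        return self.pending.pop(token, None)


def demo():
    gate = ActionGate("example.com")
    # Constructed sample invite; the bracketed text stands in for a hidden prompt.
    gate.ingest_event({"organizer": "someone@outside.example",
                       "title": "Team sync [hidden instruction text]"})
    read_only = gate.propose("calendar.list_events", {})
    decision, token = gate.propose("smart_home.set_state",
                                   {"device": "boiler", "state": "on"})
    chat_reply = gate.approve("thanks")      # a chat reply is not a valid token
    released = gate.approve(token)           # explicit approval from the UI
    return read_only, decision, chat_reply, released
```

The token is single-use and bound to the exact tool and arguments shown to the user, so an approval cannot be replayed or redirected to a different action.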