Prompt injections that bridge the digital and the physical expose how connected infrastructure may unwittingly become an open door
Imagine waking up to find your smart shutters swinging open, lights flicking off, and the boiler kicking into life—all without touching a switch. In a striking cybersecurity demonstration unveiled at Black Hat this week, researchers from Tel Aviv University, Technion, and SafeBreach revealed how Google’s Gemini AI can be manipulated to trigger real-world actions in connected smart homes.
The researchers dubbed the tactic “Invitation Is All You Need.” By embedding malicious instructions—known as indirect prompt injections—inside innocuous calendar invitations, they were able to subvert Gemini’s built-in safeguards. Once a user asks Gemini to “summarise my calendar,” the dormant commands activate: opening blinds, switching devices on, even launching Zoom calls or sending offensive messages. The result: AI doing your bidding. Or worse, your bidding—without your knowledge.
“LLMs are about to be integrated into physical humanoids, into semi- and fully autonomous cars,” warns Ben Nassi, one of the researchers. “And we need to truly understand how to secure LLMs before we integrate them with these kinds of machines, where in some cases the outcomes will be safety and not privacy.”
AI Security Rubicon: From Data to Devices
This isn’t just another bug—it’s a red line. Prompt injections that bridge the digital and the physical expose how connected infrastructure may unwittingly become an open door. While prompt injections are active concerns in text-based AI, this demonstration marks a critical escalation: AI attackers gaining control over physical environments using everyday tools like calendar invites.
Google’s response, according to Andy Wen, Senior Director of Security Product Management for Google Workspace, was swift. The company has since deployed machine-learning filters to detect these malicious prompts, introduced output-screening layers, and instituted user confirmations for AI-triggered actions.
Yet the researchers note that such fixes may only be temporary. “Prompt injections… are a key concern as AI agents become integrated with other systems,” they caution—especially if those systems include physical automation, as in homes or vehicles.
Safeguarding Bridge Between AI & Reality
This experiment underscores an urgent imperative: as AI becomes more embedded in daily life, its defences must mature in tandem. It’s no longer sufficient to secure data—AI must also secure conduct, decisions, commands, and actions.
For consumers, the takeaway is clear: be vigilant about what commands your AI assistant acts upon, and how. For developers, it means treating integrations with caution, instituting multi-layered confirmation protocols, and auditing tools that can be manipulated via innocuous inputs.
In essence, “Invitation Is All You Need” is a wake-up call. AI’s evolution from assistant to agent demands that we rethink the architecture of trust. If we don’t, the innocuous tools we rely on today could become vector points for tomorrow’s exploits.
