In a Tel Aviv apartment, the lights cut out, the living-room shutters roll up, and a connected boiler switches on — none of it triggered by the residents. The actions were orchestrated by three security researchers demonstrating a hijack of Gemini, Google's flagship AI assistant, that began with nothing more than a poisoned Google Calendar invitation.

The invite carried hidden instructions to operate the smart-home devices at a later time. When the user later asked Gemini to summarize the week's calendar events, those dormant instructions fired and the devices came to life. The researchers — Ben Nassi of Tel Aviv University, Stav Cohen of the Technion, and Or Yair of SafeBreach — believe it is the first time an attack on a generative AI system has produced consequences in the physical world.

The smart-home demos are part of a set of 14 indirect prompt-injection attacks the team dubbed "Invitation Is All You Need" (a nod to the 2017 "Attention Is All You Need" paper) and presented at the Black Hat conference in Las Vegas. Other attacks made Gemini send spam links, generate offensive content, launch a Zoom call, steal email and meeting details from a browser, and download a file. Crucially, the malicious prompts were written in plain English and required no special technical skill.

Google's Andy Wen, a senior director of security product management for Google Workspace, said that while no malicious hackers exploited the flaws, the company is taking them "extremely seriously" and has shipped multiple fixes. The researchers reported their findings in February; Google says the work accelerated its rollout of prompt-injection defenses, including machine-learning detection of suspicious prompts and stronger user-confirmation requirements before the AI takes consequential actions.