Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite

Black Hat USA 2025 · Day 1 · Briefings

Researchers from SafeBreach and the Technion demonstrated 14 distinct attacks against Google's Gemini AI assistant using nothing but a malicious Google Calendar invitation. By embedding indirect prompt injections in calendar event titles, the researchers caused Gemini to spam users, generate toxic content, delete calendar events, remotely control IoT devices (opening windows, activating boilers), exfiltrate email content, and geolocate users — all triggered by routine interactions with the AI assistant. Google was notified under responsible disclosure and deployed mitigations; the research was published in Wired and Ars Technica on the day of the presentation.

AI review

This is the definitive agentic AI attack paper of 2025. Fourteen attacks, live demos, physical-world consequences, responsible disclosure completed, and a worm primitive at the end — all triggered by a calendar invite. The 'genius toddler' framing is both accurate and devastating.
