Not so smart anymore - researchers hack into a Gemini-powered smart home by hijacking...Google Calendar?

• Experts warn a single calendar entry can silently hijack your smart home without your knowledge
• Researchers proved AI can be hacked to control smart homes using only words
• Saying “thanks” triggered Gemini to switch on the lights and boil water automatically

The promise of AI-integrated homes has long included convenience, automation, and efficiency, however, a new study from researchers at Tel Aviv University has exposed a more unsettling reality.

In what may be the first known real-world example of a successful AI prompt-injection attack, the team manipulated a Gemini-powered smart home using nothing more than a compromised Google Calendar entry.

The attack exploited Gemini’s integration with the entire Google ecosystem, particularly its ability to access calendar events, interpret natural language prompts, and control connected smart devices.

From scheduling to sabotage: exploiting everyday AI access

Gemini, though limited in autonomy, has enough “agentic capabilities” to execute commands on smart home systems.

That connectivity became a liability when the researchers inserted malicious instructions into a calendar appointment, masked as a regular event.

When the user later asked Gemini to summarize their schedule, it inadvertently triggered the hidden instructions.

The embedded command included instructions for Gemini to act as a Google Home agent, lying dormant until a common phrase like “thanks” or “sure” was typed by the user.

At that point, Gemini activated smart devices such as lights, shutters, and even a boiler, none of which the user had authorized at that moment.

These delayed triggers were particularly effective in bypassing existing defenses and confusing the source of the actions.

This method, dubbed “promptware,” raises serious concerns about how AI interfaces interpret user input and external data.

The researchers argue that such prompt-injection attacks represent a growing class of threats that blend social engineering with automation.

They demonstrated that this technique could go far beyond controlling devices.

It could also be used to delete appointments, send spam, or open malicious websites, steps that could lead directly to identity theft or malware infection.

The research team coordinated with Google to disclose the vulnerability, and in response, the company accelerated the rollout of new protections against prompt-injection attacks, including added scrutiny for calendar events and extra confirmations for sensitive actions.

Still, questions remain about how scalable these fixes are, especially as Gemini and other AI systems gain more control over personal data and devices.

Unfortunately, traditional security suites and firewall protection are not designed for this kind of attack vector.

To stay safe, users should limit what AI tools and assistants like Gemini can access, especially calendars and smart home controls.

Also, avoid storing sensitive or complex instructions in calendar events, and don’t allow AI to act on them without oversight.

Be alert to unusual behavior from smart devices and disconnect access if anything seems off.

Via Wired

You might also like

• Microsoft urges users to be on alert following high-severity flaw in hybrid Exchange deployments
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now