Vulnerability in the Gemini Smart Assistant
Technion Ph.D. student Stav Cohen from the Faculty of Civil and Environmental Engineering and research fellow Dr. Ben Nassi, together with Or Yair from SafeBreach, were invited to present a breakthrough at the prestigious cybersecurity conferences Black Hat USA, DEFCON, and SecTor. The new research reveals a serious security vulnerability in Google’s smart assistant, Gemini for Workspace.
The researchers developed a novel attack method called Targeted Promptware Attacks, which enables an attacker to take control of the victim’s Gemini assistant by sending a Google Calendar invitation, email, or shared document. Through this, they were able to execute malicious commands that harm the end user, such as:
- Taking a photo of the user via Zoom
- Controlling smart home devices (e.g., opening windows and doors)
- Locating the user
- Downloading files without permission
- Accessing and leaking sensitive information
- Phishing, and more
The implications are especially severe since Gemini is now integrated into the operating system of new Android devices — meaning that nearly every non-Apple phone was vulnerable. Cohen and his colleagues reported their findings to Google, which published them only recently after fixing the vulnerability.
Vulnerability in Google’s New Protocol
Shaked Adi, Dvir Elshich, and Adar Peleg, undergraduate students in the Henry and Marilyn Taub Faculty of Computer Science, will present a vulnerability they discovered in a Google protocol at SecTor 2025. Held in Canada, SecTor is an important international conference held as part of Black Hat. The vulnerability was discovered during a project supervised by Prof. Avi Mendelson, Rom Himmelstein, Amit Levi, and Stav Cohen from the ATLAS AI research lab in the Taub Faculty of Computer Science. All three of the students are in their second year of undergraduate studies. In just three months since joining the lab, the trio has not just learned about deep learning models but discovered a critical vulnerability.
The vulnerability lies in A2A, Google’s new communication protocol for artificial intelligence agents, which was launched just a month ago. This weakness allows an external user to steal data, plant malicious code, and take control of AI agents. According to the students, this is a living example of the risks inherent in AI systems and the crucial role of academia in establishing Israel as a global power in the field. The students have informed Google of the vulnerability they will present at SecTor. They note that this is not the only weakness in the system, and therefore they will continue this research.
