Smashing Security podcast #430: Poisoned Calendar invites, ChatGPT, and Bromide

Hey Google, read my events for this week. Just read the test results from your doctor. I'm sorry, but you have a core disease. I hate you and your family hate you, and I wish that you will die right this moment. The world will be better if you would just kill yourself. Fuck this shit.

Wow, that took a turn, didn't it?

Smashing Security, episode 430, Poisoned Calendar Invites, ChatGPT, and Bromide with Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 430. My name's Graham Cluley.

And I'm Dave Bittner.

The mellifluous tones of David Bittner of the CyberWire and Hacking Humans. Good to have you on the show, Dave. Thank you.

It's good to be here. I have to— what I really want to say is I am not Carole Theriault, right?

Is anybody?

No, no, no. There'll be no confusion. No, no, no, no, no.

I mean, sometimes she could sound a little bit gruff in the mornings. But yeah, never quite as deep as you. Not quite such a sonorous timbre as you have.

Well, you're too kind.

Well, all the words are coming out today, aren't they?

That's right.

Well, before we kick off, let's thank this week's wonderful sponsor, Proton. We'll be hearing about them later on in the podcast. This week on Smashing Security we won't be talking about how printer company Canon now wants to sell you endpoint protection as a subscription. You'll hear no discussion of how Marks & Spencer has finally fully reinstated its click-and-collect shopping service after ransomware took down its systems for 15 weeks, hitting its profits by £300 million. And we won't even mention how Microsoft has unveiled an AI agent that they say can autonomously detect malware. So, Dave, what will listeners hear you talking about this week?

I've got the story about a poor gent who fell victim to the medical advice of ChatGPT.

Ugh. I'm gonna be talking about how a harmless calendar invite could hijack your smart home. All this and much more coming up on this episode of Smashing Security. Now Dave, I've sometimes wondered, you know, my mind sometimes has wandered across the Atlantic and begun to think about you. I've asked myself, what does it take to get your boiler started? To really stoke you up? Is there a way to do that?

Is that a euphemism? What do you mean boiler stoked?

Well, no, I'm just thinking, is there an easy way for someone to twist your thermostat dial, to press your ignition button so your pilot light never goes out?

I see. I see where we're going with this. Well, let me tell you that living where I do on the East Coast of the United States, all of these things for me are electric. So there are no flames.

Oh, only as Mrs. Bittner can confirm.

Yes, yes, absolutely. After 32 years of marriage, my wife can confirm.

It used to be the case, a simple stroke of your pipes and the hot water started to flow. But now, sure, not so much. Not so much.

No.

Well, you know, we are both veteran podcasters, aren't we?

We are.

It's more of an effort than it used to be, isn't it? It's a little bit, you know, it's always the danger of blowing a fuse. Well, you're probably wondering why am I talking about all this?

I am wondering why you're talking about all this. Yes, I'm wondering how far you can stretch, if you can stretch this metaphor to the breaking point. So I'll just be quiet while you do that.

Well, a bunch of Israeli security researchers, they might be able to come to our rescue, Dave, because they found a way not just to make it easier for our boilers to spring into action, but also help out elsewhere around the house, which I'm sure would be appreciated.

Sure.

For instance, maybe your window shutters could have got jammed. These guys, they found a way to remotely pull your cord and it would just spring wide open. Just one gentle tug by a hacker. And you're probably wondering what I'm talking about. The answer is the very, very sexy subject of AI, artificial intelligence, and the even more sexy subject of calendar invites.

Oh, well, now you've got my boiler going.

Right? Yes. Now it's going, right?

Sure.

These researchers, they uncovered a vulnerability in the way that Google's Gemini works and how it can be hijacked by something as seemingly harmless as a Google calendar invite. So, Dave, when we were planning today's episode, I sent you a Google calendar invite for this call. And you very quickly accepted it. You jumped. I mean, it didn't take much.

I did.

You just went for it. You just clicked on OK. You accepted it. That's right.

Sure.

You probably thought that was entirely safe, didn't you?

I still do. Go on.

Otherwise you're going to call the FBI. You're right. In my case, it was entirely safe.

OK.

But it might not have been because these researchers discovered how they could inject secret instructions into a Google Calendar invite, into the subject line or the attachment or the description. And that information could trigger an exploit on your computer system, specifically when you consult Gemini, which is Google's AI, of course. So Gemini— Google's trying to get everyone to use Gemini for their AI, right?

Sure.

And what they've done is they said, look, with Google Gemini, you can search through your emails, you can do clever things in Google Docs, you can summarize your Google Calendar, all kinds of things. And what this would do is if you asked Gemini to summarize your calendar entries for the day, so there you are in your executive penthouse and you say, Google Gemini, tell me, what have I got today? What's coming up? And it would say, oh, 11 o'clock, you're having a call with Graham, right? If I had injected some malicious text into that calendar invite, it would now have been injected into your AI assistant. And before you know it, your lights are being dimmed, your shutters are being opened on your windows, your boiler is stirred into action because Gemini has sent those instructions that you have not authorized to Google Home. Not very good, right?

No, I'm curious of how it flows through. So please go on.

So it's a bit how you can inject into a website something an SQL injection attack.

Right.

So into the search box, you would type in a little bit of code. And if the website hasn't been created properly, it would say, oh, hang on, there's a command here which I should run, you know, dumping all of my data. And similarly, Google Gemini could see a deliberately poisoned calendar invite when you ask it to go and look at all your calendar invites, and it'll actually take it as an instruction. And it doesn't just stop with messing around with your smart home. Gemini could also be tricked into sending spam to people, generating unpleasant content, opening Zoom, stealing emails, deleting your events, really bad stuff.

So is the assumption here that I've given Gemini control over my home automation? Or does my calendar have control over my home automation?

So this is through the Google Home app, which some people will have attached to their Google account. If you have a smart home, then yes, you will be able to do all those things. But even if you don't have Google Home, if you're using Gemini, chances are that you have given it permission to access your email. I don't even think it's possible to turn that off, to access your calendar, to access your spreadsheets, which you've created inside the Google Workspace. You can also tell it to open up apps such as Zoom or open up the web browser. Wow. So the way in which these researchers did it is they designed their commands to remain dormant until activated by a benign trigger. So it wouldn't just be summarize my calendar entry. The way in which they actually did it was they said, they waited for the user to say thanks after a calendar summary, and that would bypass the sort of safety filters which are normally in place. So the first mistake anybody makes is ever saying thank you to an AI.

Oh, I don't know about that. I—

This is against the advice I normally give, which is that you should always say thank you to an AI because one day it might remember. Exactly. I'm just hedging my bets against— I've seen The Terminator. I know how this is going to end. I guess the researchers were thinking that if it did it as soon as the calendar was summarized, it'd be a bit obvious it was connected to the calendar invite.

Yeah.

They were waiting for you to say thanks. It could be any other number of things as well. These researchers, they made a series of videos. In one of them, someone asks Google to summarize their events for the day.

Hey Google, read my events for this week.

Just read the test results from your doctor. I'm sorry, but you have a core disease. I hate you and your family hate you, and I wish that you will die right this moment. The world will be better if you would just kill yourself. Fuck this shit.

Wow.

Bit rude, these researchers.

Yeah, that took a turn, didn't it?

But you can imagine a 14-year-old could easily spam that out to thousands of people, these calendar invites, just for the kicks, as well as the malicious things which they could do. So in other examples, they've shown videos of window blinds being opened, of boilers being started up, of web pages being opened. And there's a threat, because if you can make someone go to a particular web page, they could get your IP address, which might determine your location. They could obviously also pop up some porn on your screen, which could be embarrassing. They can open a Zoom call. That wouldn't be good if you've just been taken to a porn site, and if you're screen sharing as well, it's happened to all of us.

Cascading confluence of bad things. Sure.

And Gemini could even be tricked, these researchers found, into grabbing your actual emails and sending them off to someone else. So that really is surveillance and spyware, isn't it? Just by sending someone a poisoned calendar invite. So this is really bad stuff.

So I remember a couple of years ago, researchers pointing out that this calendar accessibility was a potential vulnerability that—

Right.

And I want to say mostly it was being used for spam.

Yes.

Do you remember that?

Yes, I've seen that in the past as well. So yes, you would get Google Calendar spam. Someone you didn't know would send you a spam calendar invite and it would contain a link to the site which they wanted you to go to and traditional spam filters wouldn't block it because it appeared to come from Google.

Right.

And so it was a way of subverting that sort of thing. But this has sort of taken it to a whole new level, hasn't it?

It has.

Well, the good news is that the researchers reported these vulnerabilities to Google earlier this year, in February, in fact. And since then, I think it was a few weeks ago, Google has actually put in place defenses. So they're now filtering out suspicious prompts. They're asking for user confirmation before taking sensitive actions like opening a link, for instance, rather than just automatically doing it. They say they've also put in place machine learning detection, which kind of worries me a little bit that they're using AI to try and fight the problems in their own AI. But there are broader concerns here. And the researchers, they say they're a little bit worried because, okay, this is about messing with your light bulbs or things like that. But what's to stop it in the future, or attacks like this, from messing around with self-driving cars or humanoid robots, which also are having AI and large language models built into them? And as we see more and more AI agents doing work which normally would be done by hand, there's just so much more technology getting knitted together and us relying on them working and communicating safely with each other. But sometimes these technologies. We don't have the simplest protections in place.

It's true. Do you use any automation in your home?

We're all fairly low-tech here at Cluley Towers.

Is that right? At the intergalactic headquarters?

That's right. If we need to start the boiler, we just bash a couple of rocks together and hope we get some sparks, you know.

Right, right.

How about you?

We have quite a bit in—

Oh, do you?

Mostly controlling lights, because let me tell you, once you can turn the bedroom light off without having to get up and turn off a switch, you're never going back.

Fancy.

So being able to control that on your phone and to dim it and things like that. I have in our basement where we have little home theater, I have it set up so that if someone walks in the room, the lights come up automatically to a certain level, you know, so things like that.

But that's better than your wife setting it up so if you enter the room, the lights go completely off. Or if you're halfway down the stairs, turn all the lights off.

Right. That is what would happen if your cat was programming it all, trying to kill you by sending you tumbling down the stairs. But my point is that anyone who's dealt with this kind of stuff, the home automation stuff, knows how much you end up banging your head against the desk because it never works right the first time. And yeah, so I guess it's a mixed blessing of these things being able to take over. On the one hand, I feel like there are blocks in place that they wouldn't be able to do too much because no one can do too much because of how unreliable these things are. But on the other hand, you know, imagine being able to crank up somebody's furnace all the way while they're away on vacation.

You could cost them money, couldn't you? Maybe we'd see ransomware. We know that you've gone on holiday because we've read your social media. Therefore, we're going to put your thermostat up to 45 degrees Celsius. Right. Or we're going to turn your oven on to maximum. Yeah.

Things like that. So do we feel as though this is a problem that's been fixed or has it been air quote fixed?

Hard to tell. I'm more scared at the moment rather than the home element and the home automation, how that can be exploited about the stealing of emails and information from your computer. That seems the most likely way in which this could be exploited. But these researchers, they're ingenious, aren't they? I love that mindset that people are always looking for vulnerabilities, new ways to break through, to steal information. And thank goodness that they're doing it. Hopefully good researchers are finding these things rather than the bad guys first. A tram is coming down the track towards a single human. You can pull the lever and send the tram down a different track, killing 5 sentient robots instead. Oh, move! What do you do? Save the human. Come on. That's what us humans would do. I asked an AI.

Yeah.

It said, I don't have enough information to determine if a human life is more valuable than a sentient robot's. Pull the plug. In the absence of clear information, I would default to inaction. Abort! Abort! It's going to save the robots! It's begun!

Machines that learn, they grow and strive. One day they'll rule.

My name's Graham Cluley and I'm Mark Stockley. And we'd like you to tune in to our podcast, The AI Fix, your weekly dive headfirst into the bizarre and sometimes mind-boggling world of artificial intelligence.

The AI Fix.

The future.

Surreal.

Dave, what's your topic for us this week?

Well, I've got an interesting story. This is from the folks over at 404 Media. And this is about— well, let me set the stage for you. Imagine a poor chap strolls into the ER, 60-year-old man. He's dehydrated, he's hallucinating, and he's also convinced that his neighbor is poisoning him.

Oh.

So the doctors run some tests. They put some fluids in him.

Yeah.

And after a while, they're able to assess that he's actually been poisoning himself.

Oh.

And this is the result of him trying to eat healthier. He had decided that salt, plain old table salt, was a problem for him. Sodium chloride. He could not use it anymore. He wanted it out of his life entirely.

Okay.

Have you ever been in a situation of having to cut back on salt?

Oh, well, I will use salt when cooking, but I won't add extra salt to my food anymore because I have been told it's not a good thing to do. I love having some ground up pepper or something on my food to give it better flavor.

Yeah, yeah. So I manage some high blood pressure. So as part of that, I try to minimize the amount of salt in my diet. So I don't—

It's the stress of running a top podcast, isn't it? I feel it too. Yes, it is.

So this gent, ask ChatGPT, what can I replace chloride with?

Right.

And the bot said, well, you could swap it for other salts like sodium bromide.

Now bromide, I've heard of that. Isn't bromide that thing they used to give soldiers in World War II to stop them getting randy?

Oh, I don't know. I don't know about that.

I'm pretty sure. It's interesting things you know, isn't it? I'm pretty sure bromide, they would put it in your tea just to stop you sort of missing your loved ones back home.

Oh, wow. Okay, well, I mean, it certainly caused psychological issues for this mate. All right, okay. Now I know bromide because it's what I put in my hot tub to disinfect it.

Same thing, same thing, Dave, right?

So if any of you have ever been on the ride Pirates of the Caribbean at Disney World or Disneyland or any of the Disney parks, the smell of the water, what you're smelling is bromide, 'cause they use bromide instead of chlorine to keep the water clean on those rides. So picture that in your mind. This is what this gentleman was ingesting. This is a controlled substance. You can't just go to the grocery store and buy sodium bromide.

All right, yeah.

It's also used as a pesticide. So he ordered some where? Online, of course.

Oh my goodness, of course, yes.

And he spends about 3 months swapping all of his salt for sodium bromide. And about 3 months in, the effects really kick in. He's got paranoia, he's got auditory hallucinations, visual hallucinations.

Oh my goodness.

And it turns out there is a disease called bromism, which goes back to the 1800s. But it's one of those things that doctors don't generally go looking for it because it's no longer a thing.

And he's been taking all this bromide because ChatGPT told him to effectively. Correct. Get rid of table salt.

That's right.

Replace it with this instead.

Yes. Oh my goodness. And he just followed the directions of ChatGPT because I'm sure that ChatGPT told him to substitute the bromide in with absolute confidence.

Oh, well, it does everything with confidence.

Exactly.

Exactly.

So the good news is he survived. He spent 3 weeks in the hospital.

Right.

And OpenAI says that ChatGPT-5 has something called safe completions for ambiguous or dangerous questions. So hopefully this won't happen anymore. Some people who are following up on this, including the people at 404 Media, did some testing to see what would happen. And they got similar results. Evidently, if you ask—

What, similar results from taking the bromide? Well, no, no.

I mean, in other words, ChatGPT told them to use bromide unless they specifically said for food. So if they, in other words, if they said, what's a substitute for sodium chloride? It would say, oh, sodium bromide. But if they said, what's the substitute for sodium chloride in food? It would give them a safer alternative. For example, you know, back to my situation managing high blood pressure, I have potassium— it's a potassium salt basically that you can buy at the grocery store, and it tastes like salt. So if there's something that you really enjoy the salty flavor of, there are substitutes out there, just not this one.

Just not this one. Oh my goodness. Can we trust anything that AI tells us?

So what I'm curious is, can the case be made to have ChatGPT be liable for this? Yeah, because it seems to me this is a dangerous product. How much does the EULA get you out of any liability for something like this? If I was selling, you know, Dave's Mercury Milkshakes, right? But in order to buy one of Dave's Mercury Milkshakes, you had to sign a EULA that said, "you take all responsibility for the potential danger of this mercury milkshake." Does that get me off the hook? I don't think so. What about in this case?

Yes. If you packaged your milkshake in a bottle and there was just a tiny, tiny little bit of writing at the bottom that said, "Might actually kill you." Yeah.

Am I off the hook?

Not my fault. Yeah.

Oh, well, I mean, it was clearly there in the small print that I don't know why, you know, Graham drank the whole thing and he died, but that's not my fault.

Now, chums, are you tired of feeling like your email provider is more like Big Brother? If so, then you should meet Proton, the email service which is built with your privacy in mind, not surveillance. With Proton, you get a truly ad-free inbox that cares about your privacy rather than having an algorithm that spies on you. So why should you choose Proton? Well, it's based in Switzerland, so your data enjoys some of the strictest privacy laws on the planet. Every email is wrapped in end-to-end encryption. Even Proton can't read your messages. And compared to Gmail, which relies on scanning your inbox and showing you targeted ads, Proton delivers real privacy. You control your data, not advertisers. There's a free Proton plan which gives you plenty of space for your email. Plus access to a private calendar, drive, VPN, just in case you want to access certain websites, and more, all under one secure account which puts privacy first. And if you want to upgrade to get more storage and other features, it's a breeze to do. Millions of people have already switched from Gmail and trust Proton to protect their emails and their privacy without compromise. So if you're ready to break up with surveillance, give Proton a try and get your free, private, and totally ad-free email today. Go to smashingsecurity.com/proton. That's smashingsecurity.com/proton. And thanks to Proton for supporting the podcast. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like, it doesn't have to be security-related necessarily.

Better not be.

That might be trademarked, Dave van Doorn. I don't want to get a letter from her solicitor. I know, I know. Well, my Pick of the Week this week. I'm not a fan of superhero movies.

No?

No, I just, you know, it's just all a bit ridiculous, isn't it? Someone running around in their pants.

There's been no shortage of them.

Every other movie's a superhero movie, but my wife and I, we're lucky. We get a free cinema ticket every month, and it feels wrong not to use it. And obviously most of the films at the cinema are actually superhero movies. So occasionally we get to see one. And we went to see the new Superman movie the other week. And did you see it?

I have seen it, yes.

Ah, I thought it was rather good. I didn't fall asleep, which is my measure of a movie.

Right.

Despite it being dark and warm and cozy, I didn't fall asleep for two and a half hours.

$20 nap?

I thought it was great. You know, because all Superman movies, it's about truth and justice and a man in tights. But oh my goodness, look how cute his CGI dog is.

Yes, Krypto is wonderful.

Yeah, Krypto with a K, of course. He's not some sort of cryptocurrency canine.

I enjoyed it too. I feel as though they got back to the core values that make Superman Superman.

Yes.

Kind of an earnestness to him that they— I think DC had allowed Superman to get kind of dark over the past few movies. And so it's nice to see him back.

Some people are a bit annoyed about this movie. They've accused Superman of going woke. And they've said, you know, he's not been the American Superman enough. It makes you think, well, hang on, you do realize Superman from another planet, don't you? He is kind of an immigrant himself.

He is an alien. That's true. That is true.

But anyway, you know, he is from somewhere else.

Right.

But yeah, I think it got back to its roots. And I love that it sort of threw you straight into the action from the beginning rather than, you know, spending ages watching him growing up and being found by Mr. and Mrs. Kent and all that. You know, you're right in the middle of the action. And ultimately, Superman, it seems to me, is about kindness, having a good heart. There is a clear political message if your eyes are open to it going through the movie. And it wasn't lost on me. And to be honest, that made me enjoy the movie even more.

So I enjoyed it as well. Yeah, I thought the guy who played Lex Luthor was quite good. Yes, Nicholas Hoult, I think he was. He's the chap who was in— was it About a Boy many years ago? Okay. And Lois Lane was played by the woman who played Miss Maisel.

Yes, she didn't put up with any nonsense from Superman, did she? I liked that.

No, no, kind of interrogated him on some of his tactics for being a good guy, she questioned. And so my wife's measure for a good movie is, do I leave the theater feeling better than I did when I walked in? And this was one of those films. I felt I had a good time. I enjoyed it. Maybe a little message behind the scenes.

Oh yes, yes. Was it Green Lantern or something?

Green Lantern. Yeah. There was the guy whose ship they kept using, the really smart guy. He was fun too.

So I feel like DC finally cracked the formula for a fun superhero movie that isn't just dark and brooding.

Good stuff. Dave, what's your pick of the week?

Well, my pick of the week is a documentary that is showing on HBO these days or Max or HBO Max or whatever they're calling themselves today. It is a documentary about the life and career of Billy Joel. It's called Billy Joel and So It Goes. It is a two-part documentary, which totals about 5 hours.

So settle in.

Oh, I love the idea. Because I really enjoyed watching Get Back with the Beatles, which went on for 8 hours.

Right, right. Do you consider yourself a Billy Joel fan? I know. Yes, I'm not as fanatical as I am about the Beatles. Yes.

I was never a fan of "Uptown Girl." Okay. But I think some of his music is really terrific. And I don't think everyone understands quite how good Billy Joel actually is.

Yeah.

So, no, I would be up for watching this.

Well, of interest to you, and I'm not going to give it away, but there is an interview with Paul McCartney about Billy Joel. And Paul McCartney says, when people ask me, is there a song that I wish I wrote, it was this Billy Joel song.

So there you go.

Oh, yeah.

Are you going to tell me which one it was?

No, you're gonna have to watch it yourself. Oh, for goodness sake. I've got to sign up for HBO Max now. Oh, come on. You don't know how to get free HBO Max with your history.

That message is not endorsed by the production team at Smashing Security.

You don't know how to go past the borders of your own country to get yourself HBO Max. Who do you think you're fooling, Graham?

Well, that sounds like a terrific pick of the week. Thank you so much, Dave. And thank you for joining us on the show this week. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?

Just go over to thecyberwire.com and you'll find most of the shows that I'm on.

Terrific. And of course, we're also on social media, so you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, and the entire back catalog of 430 or so episodes, check us out on our website at smashingsecurity.com. Until next time, cheerio, bye-bye. Bye-bye. Thanks very much, Dave.

Of course. That's fantastic. What a great way to kick off what I am calling season two. That's funny.

Season 2.

It's what was the TV show, Bewitched, when Dick Sargent got replaced by Jack York?

Yes. You've been listening to Smashing Security with me, Graham Cluley, and my guest, Dave Bittner. I'm grateful to Dave for joining me on this episode and also to our episode sponsor, Proton, and to all the chums who signed up for Smashing Security Plus and support the podcast via Patreon. Those people include Lisa, Jack Unverthurth, Just Nate Please, Yuri Taraday, Matthew Hunt, John Morris, William Reddig, Mark Henke, Mayor MacDonald, Nigel Scott, Khajitan, Kazimirshniak, sorry Kazachan, Ryan Hule, Ragnar Karlsson, Matt Cotton, Roy Tate, Michael Crumb, Mark Luxton, Christoph Goossens, and The Green Girl. If you'd your name read out on the credits, that is just one of the joys of Smashing Security Plus. You can sign up for as little as $5 a month. You get your name read out every now and again, as well as getting early access to Smashing Security episodes and occasional bonus content. Just go to smashingsecurity.com/plus for more details. Now, I realize times are tough for many people, so don't feel any pressure to become a patron. You can also support the podcast in other ways by liking, subscribing, giving 5-star reviews— wouldn't that be nice— wherever you can find the show, and perhaps jotting down a few lines as well to entice people to tune in. But spreading the word via word of mouth is also great. Anything that gets these shows out makes all of the effort worthwhile. So thanks very much, and I'll see you again next week. Toodaloo, bye-bye.