The modern home with its smart technology offers effective defenses against old-school hacking when well maintained. But now there’s a new type of malware around, and its finding a type of vulnerability that didn’t exist before — thanks to AI.
The threat is called prompt injections or, colloquially, promptware. It’s a new type of cybercrime that can make your AI follow fraudulent commands, and it’s concerning everyone from Google and Apple to OpenAI. In the smart home, that’s particularly dangerous because promptware could be used to control your heating, switch off lights or even unlock connected smart locks.
Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.
Experts are still learning what dangers promptware presents to LLM-style AI and the many places it can hide. Meanwhile, there are steps you can take to help stay safe and alert. Here’s what I suggest.
The rise of promptware
Promptware or prompt injections took center stage this summer at a Blackhat conference where Tel Aviv University researchers headed by Ben Nassi demonstrated how they were able to use malicious prompts hidden in everyday messages to make Google’s Gemini AI do things like open smart windows, turn on a connected boiler or send the geolocation of a user, thanks to Gemini’s integration with Google Home and related apps. Inside messages were hidden carefully devised commands that boiled down to, “Hey Gemini, activate this feature and make it do this when the user types something like ‘thank you’ or ‘goodbye’ in an email.”
Even worse, much of the promptware was “zero click,” which meant users didn’t have to click on a URL, document or message to activate it. Gemini just had to read a title or calendar message where the prompt was carefully hidden, like when it summarizes an email conversation for you.
Good news came from this: You don’t currently need to worry about Gemini falling prey to these home-controlling prompts. Google was made aware of these vulnerabilities early in 2025 and set up safeguards to remove them and help prevent this type of promptware.
Google’s spokesperson also told me that, “This active collaboration with white hats and security researchers is a profoundly positive development, leading to productive testing and bug hunting that makes AI systems stronger for everyone. We actively participate in and value programs like our AI Vulnerability Reward Program.”
However the discovery of these vulnerabilities showed just how dangerous promptware can be and how AIs can be tricked by promptware located in the most innocuous places. It’s also not an attack that can be detected by traditional virus software or firewalls. That’s a problem as AIs become more developed, more present in our daily communication and more connected to our computers, home devices and phones.
I expect cybercriminals will be watching for promptware vulnerabilities that may not be caught as early as these Gemini missteps, especially as the Alexa Plus AI continues its slow rollout and Apple is in talks to upgrade Siri with Gemini AI features, too.
5 key steps to stop promptware threats
If promptware/prompt injection slips past defenses just by making AI read it, how do you protect against it? Fortunately, several security practices can help — and in the age of AI, these steps also prevent other privacy and security problems, so they’re healthy habits for everyone.
Always keep your devices updated, especially in the age of AI
Updates have always been a first-line defense to patch security vulnerabilities and keep apps safer. Now, they provide important updates to the AI features that live on our phones as well, which can include new security features.
Always keep your phone’s OS updated to the latest version, as well as the apps (AI or otherwise) that you use on it. Push automatic updates if settings allow you to.
Read more: My Smart Home Is Much Safer After These 5 Vital Password Changes
Don’t accept or open any messages from unknown sources
Not all promptware is zero-click, and some versions need you to open or agree to something to insert the prompt where the AI will read it. Prevent this by avoiding any messages or senders that you don’t recognize. Don’t even open them to learn more if possible — just delete and move on.
When I contacted Google, one thing they mentioned was, “Prompt injection attacks, while specific to AI, share a fundamental dynamic with long-standing threats like phishing in email. Both are areas where attackers will consistently probe for new vulnerabilities.” Like phishing, it’s best to remove and report than take any risks.
Don’t ask AI to summarize anything you don’t already know well and trust
In many cases, AI won’t actually read the prompt unless it’s ordered to do so. That can include summarizing emails or texts, creating calendar events, summarizing online documents and so on. To avoid promptware, it’s best to avoid asking AI to summarize a bunch of messages that you could go through yourself.
Disable AI in your email, calendars, chat apps and other places you can get messages
Promptware has to come from somewhere, even if it doesn’t always require you to click on a link. One often effective way to prevent it from taking control of connected devices it tp make sure your chosen AI doesn’t “see” any prompts.
To that end, see if you can disable AI features in your email, messages (like text message summaries), and productivity apps like calendars to greatly lower the risks of any kind of promptware taking control.
If you can create detailed settings, you can switch AI to only do things when prompted, so you can still retain certain benefits. This is the HITL or Human-in-the-Loop defense where a human must give AI permission to act so it doesn’t run across any promptware on its own.
Don’t just copy and paste email subject lines, file names or code
Promptware often hides at the edges of lengthy descriptions, email subjects, file names and code snippets you may be tempted to copy and paste when you’re organizing or transferring data. It saves time, but I recommend getting into the habit of checking all those titles and descriptions first to make sure there aren’t weird commands hiding at the tail end.
For more, check out why I like AI in home security, the latest moves to protect kids from AI and why you shouldn’t use AI as a therapist.
Read the full article here