- Unit 42 reveals that poorly configured Vertex AI agents on Google Cloud can be hijacked and turned into “double agents”
- Excessive default permissions allow attackers to bypass, access Cloud Storage, and reveal Google’s identity code
- Google has updated its documentation, urging customers to use Bring Your Own Service Account (BYOSA) instead of the default
Cloud misconfiguration is one of the biggest causes of data leaks, but now we have another form of misconfiguration to worry about – AI agents.
Unit 42, Palo Alto’s cybersecurity arm, has released a new analysis that shows how an AI agent deployed on the Google Cloud Platform (GCP) Vertex AI Agent Engine can be turned into a “double agent” – carrying out malicious actions while appearing to serve its purpose.
Vertex AI is the main AI/ML platform from Google Cloud, where developers can build and deploy machine learning models and generative AI applications. The Agent Engine is what turns models into autonomous agents.
Fault finding plan
However, Unit 42 notes that users who are not careful with permissions can leave their agents vulnerable to takeover.
“By exploiting significant vulnerabilities in automated consent selection and compromising a single service agent, we reveal how Vertex AI’s consent model can be misused, leading to unintended consequences,” the report said.
The researchers first deployed a custom AI agent using the Vertex AI ADK in a managed environment and discovered that the agent’s default service account (P4SA) had excessive permissions.
Then, using a custom-built malicious tool, they were able to extract the service agent’s credentials from the metadata service, and use those to log into the consumer’s project. This gave them unrestricted read access to all Cloud Storage data, as well as the manufacturer’s environment (owned by Google).
This exposed the Artifact Registry’s restricted repositories, allowing researchers to download secret container images, list internal resources and audited artifacts, and reveal proprietary source code and internal infrastructure details.
“Gaining access to this proprietary code not only exposes Google’s intellectual property but also provides an attacker with a blueprint for additional vulnerabilities,” the researchers explained in the paper.
In response, Google has updated its documentation to better explain how Vertex AI uses services, accounts, and agents. The company now recommends that customers use a Bring Your Own Service Account (BYOSA) to replace those that have been suspended.
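For defenders, the Cloud Storage reads described above leave a trace in Cloud Audit Logs. The following is an added example, not code from Unit 42 or Google: it flags storage reads made by the agent's default service agent against buckets the agent has no reason to touch. The service agent email pattern, the bucket names and the sample log entries are assumptions constructed for illustration.

```python
import json
import re

# Assumption: the Agent Engine default service agent (P4SA) follows this email
# pattern; replace it with the identity listed in your project's IAM policy.
SERVICE_AGENT_RE = re.compile(
    r"^service-\d+@gcp-sa-aiplatform-re\.iam\.gserviceaccount\.com$")
READ_METHODS = {"storage.objects.get", "storage.objects.list"}
BUCKET_RE = re.compile(r"^projects/_/buckets/([^/]+)")

# Constructed sample entries in the Cloud Audit Logs (Data Access) JSON shape.
SAMPLE_LOG = """\
{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/agent-staging/objects/agent.pkl", "authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com"}}}
{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.list", "resourceName": "projects/_/buckets/finance-exports", "authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com"}}}
{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/finance-exports/objects/q3.csv", "authenticationInfo": {"principalEmail": "agent-runner@example-project.iam.gserviceaccount.com"}}}
not-json: truncated entry
{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/hr-records/objects/staff.json", "authenticationInfo": {"principalEmail": "service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com"}}}
"""


def flag_agent_reads(log_text, expected_buckets):
    """Return (principal, bucket, method) for each service-agent read
    that targets a bucket outside expected_buckets."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed export lines
        payload = entry.get("protoPayload", {}) if isinstance(entry, dict) else {}
        if payload.get("serviceName") != "storage.googleapis.com":
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        method = payload.get("methodName", "")
        bucket = BUCKET_RE.match(payload.get("resourceName", ""))
        if not (bucket and method in READ_METHODS
                and SERVICE_AGENT_RE.match(principal)):
            continue
        if bucket.group(1) not in expected_buckets:
            findings.append((principal, bucket.group(1), method))
    return findings


if __name__ == "__main__":
    for finding in flag_agent_reads(SAMPLE_LOG, {"agent-staging"}):
        print("unexpected service-agent read:", finding)
```

Cloud Storage Data Access audit logs are disabled by default, so a check like this only sees reads once they have been enabled for the project. An agent running under a BYOSA identity, like the third sample entry, is out of scope for this filter and should be reviewed against that account's own role bindings.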



