A recent security vulnerability within Google’s Gemini Live API presents a significant risk by allowing threat actors to hijack AI voice sessions, leading to unauthorized code execution. This issue arises from a misconfiguration of ephemeral tokens, stemming from Google’s own reference implementation.
Understanding the Gemini API Functionality
Security expert Alvin Ferdiansyah discovered that the Gemini Live API facilitates real-time voice interactions through continuous WebSocket connections. The API has two main endpoints: BidiGenerateContent, which uses a raw API key for server communications, and BidiGenerateContentConstrained, tailored for browser clients with short-lived tokens to keep the API key secure from the client.
Each session begins with a client-supplied setup frame, which details the model, system instructions, and available tools like code execution and web searching. Importantly, all fields in this setup are optional, meaning that anything not restricted by the backend defaults to client control.
Token Misconfiguration Risks
Ephemeral tokens are created through a backend process that can secure the model and system prompt using the live_connect_constraints field. However, Google’s documentation indicates that the server will accept any client-specified setup frame unless this field is used to enforce constraints, leading to a disconnect between authentication and authorization.
This issue is exacerbated by Google’s reference code, which omits the live_connect_constraints setup in its token creation script. Consequently, developers using this code inherit the vulnerability, making their implementations susceptible to exploitation.
Real-World Implications and Mitigation
In practical tests, Ferdiansyah intercepted token responses to an AI voice assistant and found them to be unconstrained, despite using the “Constrained” endpoint. The process of obtaining a valid token was simple, requiring only an email and OTP, which allowed him to send a custom setup frame and execute code within Google’s gVisor sandbox.
While the gVisor sandbox limits certain actions, such as outbound network access, the unrestricted use of API resources poses a significant risk of resource abuse. The solution involves adding a specific field to the token-minting process to lock session parameters, effectively closing this vulnerability.
Organizations using ephemeral tokens for Gemini Live API integrations should ensure the implementation of this fix to prevent exposure to similar security flaws.
