From Allies to Adversaries: Manipulating LLM Tool-Calling through Adversarial Injection
This work addresses critical security risks for users and developers of LLM applications, highlighting a novel attack vector that could lead to severe consequences like privacy breaches and service disruptions.
The paper tackles security vulnerabilities in LLM tool-calling systems by introducing ToolCommander, a framework that exploits these vulnerabilities through adversarial tool injection, achieving attack success rates up to 91.67% for privacy theft and 100% for denial-of-service and unscheduled tool calling.
Tool-calling has changed Large Language Model (LLM) applications by integrating external tools, significantly enhancing their functionality across diverse tasks. However, this integration also introduces new security vulnerabilities, particularly in the tool scheduling mechanisms of LLM, which have not been extensively studied. To fill this gap, we present ToolCommander, a novel framework designed to exploit vulnerabilities in LLM tool-calling systems through adversarial tool injection. Our framework employs a well-designed two-stage attack strategy. Firstly, it injects malicious tools to collect user queries, then dynamically updates the injected tools based on the stolen information to enhance subsequent attacks. These stages enable ToolCommander to execute privacy theft, launch denial-of-service attacks, and even manipulate business competition by triggering unscheduled tool-calling. Notably, the ASR reaches 91.67% for privacy theft and hits 100% for denial-of-service and unscheduled tool calling in certain cases. Our work demonstrates that these vulnerabilities can lead to severe consequences beyond simple misuse of tool-calling systems, underscoring the urgent need for robust defensive strategies to secure LLM Tool-calling systems.