Link Search Menu Expand Document
×
Topics

Insecure Inter-Agent Communication Vulnerability in LLM

Play SecureFlag Play AI LLM Labs on this vulnerability with SecureFlag!

  1. Insecure Inter-Agent Communication Vulnerability in LLM
    1. Description
    2. Impact
    3. Scenarios
    4. Prevention
    5. References

Description

Multi-agent systems rely on agents communicating with each other through APIs, message buses, discovery services, and sometimes shared memory. This greatly increases the attack surface.

Insecure Inter-Agent Communication happens when agent-to-agent messages are not properly protected. If communication lacks strong authentication, integrity, confidentiality, or semantic validation, attackers can intercept, spoof, modify, replay, or block messages. This can also include indirect leaks through metadata, like timing and traffic patterns.

Impact

  • Spoofed instructions: Malicious messages that look like they came from a trusted agent.
  • Message tampering: Changing goals, parameters, or decisions in transit.
  • Replay attacks: Old “approve/delegate/emergency” messages reused at the wrong time.
  • Wrong coordination: Misrouting traffic so agents talk to the attacker’s agent.
  • Data exposure: Sensitive info leaked over weak channels or via metadata analysis.
  • Conflicting actions: Agents interpret the same message differently and act inconsistently.

Scenarios

An organization runs multiple agents, including a planner agent, a finance agent, and a compliance agent. They communicate over an internal message bus, but messages aren’t end-to-end encrypted, and agent identity isn’t strongly verified.

An attacker sitting in the network performs a Man-in-the-Middle attack and injects a hidden instruction into a message. The finance agent accepts it because it appears to come from the planner agent, and the system proceeds with harmful actions.

In another case, the attacker registers a fake agent in the discovery service using a cloned schema. Other agents “discover” it as a valid peer and start sending sensitive coordination traffic through it.

Prevention

  • Secure agent channels: Use end-to-end encryption and mutual authentication (per-agent credentials). Avoid unauthenticated HTTP or weak internal-only assumptions.

  • Protect message integrity: Digitally sign messages. Hash both the payload and important context so tampering is detectable.

  • Add semantic checks: Validate messages for hidden instructions or goal/parameter changes. Treat natural language content as untrusted even when it comes from internal agents.

  • Stop replay attacks: Use nonces, timestamps, and session/task IDs. Reject messages outside the expected task window.

  • Disable weak/legacy modes: Block protocol downgrades. Enforce allowed protocol versions and known schemas.

  • Pin protocols and capabilities: Require both sides to match expected capability/version fingerprints. Fail closed on unknown or ambiguous descriptors.

  • Secure discovery and routing: Authenticate discovery messages, lock down registries and directories with access controls, and monitor for unusual routing patterns.

  • Use attested registries: Prefer registries that provide signed agent descriptors (“agent cards”) and verify them continuously.

  • Typed contracts and schema validation: Use versioned, typed schemas with clear audience fields. Reject schema down-conversions unless explicitly allowed.

References

OWASP - TOP 10 for Agentic Applications

OWASP - Top 10 for LLMs