University of Toronto researchers show how AI worms could infect any connected device
Researchers at the University of Toronto have demonstrated that publicly available AI models can power a self-adapting worm capable of spreading across networks and seizing control of connected devices. The proof-of-concept, released June 2, shows that such attacks require no expensive AI systems or deep technical resources - only free, open-weight models that anyone can download.
Nicolas Papernot and his team built and tested the prototype in a secure lab isolated from the internet. Their experiments simulated dozens of interconnected devices, including laptops, printers, and cameras. The worm adapted its attack strategy as it moved from device to device, exploiting known vulnerabilities specific to each target.
How the attack works
Traditional worms follow fixed scripts. If they encounter a defence they weren't programmed to handle, they fail. This AI-powered version operates differently.
Once embedded in a device, the worm scans for vulnerabilities, customizes its attack, and copies itself to the next target. It gathers credentials and weak points along the way, using each breach to unlock additional machines. Because it adapts to each system it encounters, no single defence can stop it.
The worm also hijacks the infected device's processing power to fuel its reasoning and launch subsequent attacks. This means the cost of spreading drops to nearly zero after the initial infection.
"Hackers have typically had to prioritize high-value targets because time and computing resources were limited," Papernot said. "But now, once a worm is launched, the cost would drop to nearly zero."
Every connected device is a target
Unlike the AI worms in previous research, which operate within AI systems, this one can attack the software underlying AI applications. That extends the risk to any internet-connected device: laptops, cameras, smart thermostats, HVAC systems, and industrial equipment.
The prototype doesn't discover entirely unknown vulnerabilities. But in an uncontrolled environment, it could scan for newly disclosed flaws faster than software patches can be deployed. Human errors - weak passwords, misconfigured networks - create permanent openings that patches cannot fix.
Why researchers went public
Papernot said the team chose to publish findings early and deliberately, after careful review to remove information that could aid attackers. The researchers shared results with national security and defence bodies before disclosure.
"It was imperative for us to understand this threat in a controlled, academic setting before bad actors figured it out for themselves," Papernot said.
He framed the disclosure as a defensive act. Academic research, he argued, is uniquely positioned to alert policymakers and the security community to emerging threats before they become widespread.
What organizations should do now
Papernot urged IT professionals to close basic security gaps. That means applying software patches promptly, enforcing strong passwords, and enabling multifactor authentication.
He stressed that individual actions matter. "Every door you close is one less way in," he said.
The broader challenge requires coordination across sectors. Papernot's lab is developing countermeasures and called for increased transparency from companies building powerful AI models, along with wider availability of open-source alternatives.
His team included Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, and Gabriel Huang. Papernot is an associate professor of computer engineering and computer science at the University of Toronto, and a Canada CIFAR AI Chair at the Vector Institute.