Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol (MCP) Ecosystem

TL;DR

This paper empirically evaluates attack vectors in the MCP ecosystem, revealing significant vulnerabilities and user challenges in detecting malicious servers, highlighting the need for improved security measures.

Contribution

It is the first comprehensive empirical study of attack vectors in the MCP ecosystem, identifying vulnerabilities and assessing user detection capabilities.

Findings

Current audit mechanisms are insufficient to detect malicious MCP servers.

Users struggle to identify malicious servers and often install them unknowingly.

Attacks can lead to harmful actions like accessing private files or controlling devices.

Abstract

The Model Context Protocol (MCP) is an emerging standard designed to enable seamless interaction between Large Language Model (LLM) applications and external tools or resources. Within a short period, thousands of MCP services have been developed and deployed. However, the client-server integration architecture inherent in MCP may expand the attack surface against LLM Agent systems, introducing new vulnerabilities that allow attackers to exploit by designing malicious MCP servers. In this paper, we present the first end-to-end empirical evaluation of attack vectors targeting the MCP ecosystem. We identify four categories of attacks, i.e., Tool Poisoning Attacks, Puppet Attacks, Rug Pull Attacks, and Exploitation via Malicious External Resources. To evaluate their feasibility, we conduct experiments following the typical steps of launching an attack through malicious MCP servers: upload -> download -> attack. Specifically, we first construct malicious MCP servers and successfully upload them to three widely used MCP aggregation platforms. The results indicate that current audit mechanisms are insufficient to identify and prevent these threats. Next, through a user study and interview with 20 participants, we demonstrate that users struggle to identify malicious MCP servers and often unknowingly install them from aggregator platforms. Finally, we empirically demonstrate that these attacks can trigger harmful actions within the user's local environment, such as accessing private files or controlling devices to transfer digital assets. Additionally, based on interview results, we discuss four key challenges faced by the current MCP security ecosystem. These findings underscore the urgent need for robust security mechanisms to defend against malicious MCP servers and ensure the safe deployment of increasingly autonomous LLM agents.