Agent2Agent Threats in Safety-Critical LLM Assistants: A Human-Centric Taxonomy

TL;DR

This paper introduces a human-centric threat modeling framework for safety-critical LLM assistants in vehicles, focusing on separating asset protection from attack analysis to improve security understanding.

Contribution

It proposes AgentHeLLM, a formal threat modeling framework with a human-centric asset taxonomy and attack path analysis, plus an open-source tool for threat discovery.

Findings

The framework effectively distinguishes poison and trigger attack paths.

The open-source tool automates multi-stage threat discovery.

The approach enhances security analysis for safety-critical LLM systems.

Abstract

The integration of Large Language Model (LLM)-based conversational agents into vehicles creates novel security challenges at the intersection of agentic AI, automotive safety, and inter-agent communication. As these intelligent assistants coordinate with external services via protocols such as Google's Agent-to-Agent (A2A), they establish attack surfaces where manipulations can propagate through natural language payloads, potentially causing severe consequences ranging from driver distraction to unauthorized vehicle control. Existing AI security frameworks, while foundational, lack the rigorous "separation of concerns" standard in safety-critical systems engineering by co-mingling the concepts of what is being protected (assets) with how it is attacked (attack paths). This paper addresses this methodological gap by proposing a threat modeling framework called AgentHeLLM (Agent Hazard Exploration for LLM Assistants) that formally separates asset identification from attack path analysis. We introduce a human-centric asset taxonomy derived from harm-oriented "victim modeling" and inspired by the Universal Declaration of Human Rights, and a formal graph-based model that distinguishes poison paths (malicious data propagation) from trigger paths (activation actions). We demonstrate the framework's practical applicability through an open-source attack path suggestion tool AgentHeLLM Attack Path Generator that automates multi-stage threat discovery using a bi-level search strategy.