The Hidden Risks of MCP: Why “USB-C for AI” Needs a Security Manual (Part-1)
How a standard that makes LLMs extensible also turns them into flexible attack surfaces - and why enterprises must treat MCP like network infrastructure.
Why MCP Matters:
The Model Context Protocol (MCP) emerged to solve the “N×M problem” - how to connect many models to many tools and data sources with a single, standard interface. MCP promises modularity: a model uses a consistent API to request context, tool actions or structured data.
But modularity = new trust boundaries.
Every MCP call moves the LLM from a closed inference environment into a distributed system that touches databases, file stores, HTTP endpoints and third-party services. That’s powerful but at the same time dangerous. The MCP server is now effectively a programmable I/O port for the model: a single misconfiguration or malicious input can cascade into data exfiltration, tool misuse or privileged actions.
Core Threat Categories Introduced by MCP:
Context Poisoning & RAG-Vector Manipulation:
When MCP grants an LLM access to external documents, an attacker can insert crafted documents into the indexed corpus (or an untrusted inbox), which then get retrieved and become part of the model context. This is the same class of attack that caused real-world incidents like EchoLeak: malicious content injected into the retrieval path caused the assistant to surface sensitive data - analogous risks in MCP’s resource access; see OWASP LLM01: Prompt Injection and LLM04: Data Poisoning.
Tool Injection & Confused-Deputy Patterns:
MCP lets a model call services that perform side effects (create PRs, send emails, query CRMs). If the protocol or server doesn’t enforce argument validation, an injected poisoned context can persuade the model to call tools with attacker-controlled parameters - effectively tricking a privileged service (the “confused deputy”) into performing malicious actions.
Exfiltration via Rendering and Client Behaviour:
Even when the MCP server returns data safely, downstream clients can be induced to leak it e.g. auto-fetching images/links returned in an assistant answer. EchoLeak demonstrated that exfiltration doesn’t always need an attacker to run code - careful orchestration across “retrieval → generation → client rendering” can do the job (OWASP LLM05: Improper Output Handling).
Supply-Chain & MCP Server Impersonation:
MCP’s plugin-style model means third-party MCP servers can be added to an assistant’s toolset. If an attacker registers a malicious MCP endpoint or compromises a plugin, they obtain a high-value channel into otherwise walled data. This amplifies classic supply-chain threats into the AI layer.
Why Existing App Security Checks Are Insufficient:
Input sanitisers fail when the “input” is a retrieved document. Sanitising the user prompt alone ignores thousands of documents that the MCP layer can surface.
Perimeter security doesn’t see model-driven calls. Traditional network policies focus on developer-initiated traffic; MCP-initiated calls are generated by models and often don’t pass the same checks.
Practical Consequences for Enterprises:
Data exfiltration without credentials: Attackers can extract data without stealing keys or performing privileged escalation - purely by exploiting retrieval and rendering paths.
Business process compromise: If MCP connects to ticketing, payroll or CI/CD - a poisoned context can cause large-scale operational damage (MITRE ATLAS scenarios).
Regulatory exposure: Untracked MCP flows make GDPR/data-residency and auditability harder - the model can see and propagate sensitive data like PII; which otherwise had limited visibility.
The Simple Thesis and the Fix Direction:
More than being just a developer convenience; MCP is an infrastructure. Treat it like a message bus, an API gateway and a privileged microservice: isolate it, authenticate it, instrument it and enforce deterministic policy at every ingress and egress.
Next in the Series:
Part-2 covers engineering patterns you can implement today: defensive MCP server design, policy enforcement, sanitisers, provenance scoring and strict output filters.
We’re FortifyRoot - the LLM Cost, Safety & Audit Control Layer for Production GenAI.
If you’re facing unpredictable LLM spend, safety risks or need auditability across GenAI workloads - we’d be glad to help.