Well whatever the zero means, it can't be the number of days that the bug has been present, generally. It should be expected that most zero-days concern a bug with a non-zero previous lifespan.
“Zero day” has meant different things over the years, but for the last couple-ish decades it’s meant “the number of days that the vendor has had to fix them” AKA “newly-known”.
It's pretty unbelievable that a zero-day can sit here this long. If one can exist, the likelihood of more existing at all times is non-trivial.
Whether it's a walled garden of iOS, or relative openness of Android, I don't think either can police everything on anyone's behalf.
I'm not sure how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.
> how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.
The closest I've seen is an on-device VPN like Lockdown Privacy , but it can't block Apple bypassing the VPN.
iOS is one problem, but it goes for every other device/server/desktop/appliance that you use. You can take a lot of precautions, and mitigate some risk, and ensure that operations can continue even if something bad happens¹, but you can't ever "be safe".
¹ "There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know." (Often attributed to Donald Rumsfeld, though he did not originate the concept.)
The exploit was always there, you just didn't know about it, but attackers might have. The only thing that changed is that you're now aware that there's a vulnerability.
This kind of mental model only works if you think of things as made huge shadowy blobs, not people.
dyld has one principal author, who would 100% quit and go to the press if he was told (by who?) to insert a back door. The whole org is composed of the same basic people as would be working on Linux or something. Are you imagining a mass of people in suits who learned how to do systems programming at the institute for evil?
Additionally, do you work in tech? You don’t think bugs appear organically? You don’t think creative exploitation of bugs is a thing?
This vastly overstates both the competence of spy agencies and of software engineers in general. When it comes to memory unsafe code, the potential for exploits is nearly infinite.
It was a complicated product that many people worked on in order to develop, and it took advantage of many pre-existing vulnerabilities as well as knowledge of complex and niche systems in order to work.
Yeah, Stuxnet was the absolute worst of the worst; the depths of its development we will likely truly never know. The cost of its development we will never truly know. It was an extremely highly, hyper targeted, advanced digital weapon. Nation states wouldn't even use this type of warfare against pedophiles.
Stuxnet was discovered because a bug was accidentally introduced during an update [0]. So I think it speaks more to how vulnerabilities and bugs do appear organically. If an insanely sophisticated program built under incredibly high security and secrecy standards can accidentally push an update introducing a bug, then why wouldn't it happen to Apple?
Maybe sometimes? With how many bugs are normally found in very complex code, would a rational spy agency spend the money to add a few more? Doing so is its own type of black op, with plenty of ways to go wrong.
OTOH, how rational are spy agencies about such things?
To what? Write 100% bug free software? I don't think that's actually achievable, and expecting so is just setting yourself up for disappointment. Apple does a better job than most other vendors except maybe GrapheneOS. Mainstream Android vendors are far worse. Here's Cellebrite Premium's support matrix from July 2024, for locked devices. iPhones are vulnerable after first unlock (AFU), but Androids are even worse. They can be hacked even if they have been shut down/rebooted.
The problem with that is it runs on a desktop, which means very little in the way of protection against physical attacks. You might be safe from Mossad trying to hack you from halfway across the world, but you're not safe from someone doing an evil maid attack, or from seizing it and bruteforcing the FDE password (assuming you didn't set a 20 random character password).
This is a newly-discovered vulnerability (CVE-2026-20700, addressed along with CVE-2025-14174 and CVE-2025-43529).
Note that the description "an attacker with memory write capability may be able to execute arbitrary code" implies that this CVE is a step in a complex exploit chain. In other words, it's not a "grab a locked iPhone and bypass the passcode" vulnerability.
I may well be missing something, but this reads to me as code execution on user action, not lock bypass.
Like, you couldn’t get a locked phone that hadn’t already been compromised to do anything because it would be locked so you’d have no way to run the code that triggers the compromise.
Am I not interpreting things correctly?
[edit: ah, I guess “An attacker with memory write capability” might cover attackers with physical access to the device and external hardware attached to its circuit board that can write to the memory directly?]
So the exploiters have deprecated that version of spyware and moved on I see. This has been the case every other time. The state actors realize that there's too many fingers in the pie (every other nation has caught on), the exploit is leaked and patched. Meanwhile, all actors have moved on to something even better.
Remember when Apple touted the security platform all-up and a short-time later we learned that an adversary could SMS you and pwn your phone without so much as a link to be clicked.
KSIMET: 2020, FORCEDENTRY: 2021, PWNYOURHOME, FINDMYPWN: 2022, BLASTPASS: 2023
Each time NSO had the next chain ready prior to patch.
I recall working at a lab a decade ago where we were touting full end-to-end exploit chain on the same day that the target product was announcing full end-to-end encryption -- that we could bypass with a click.
It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.
How much do you think Lockdown Mode + MIE/eMTE helps? Do you believe state actors work with manufacturers to find/introduce new attack vectors?
My iOS devices have been repeatedly breached over the last few years, even with Lockdown mode and restrictive (no iCloud, Siri, Facetime, AirDrop ) MDM policy via Apple Configurator. Since moving to 2025 iPad Pro with MIE/eMTE and Apple (not Broadcom & Qualcomm) radio basebands, it has been relatively peaceful. Until the last couple of weeks, maybe due to leakage of this zero day and PoC as iOS 26.3 was being tested.
Are you a person of high interest? I was under the impression that these sorts of breaches only happen to journalists, state officials, etc.
Who knows? Does HN count as journalism :)
I would happily pay Apple an annual subscription fee to run iOS N-1 with backported security fixes from iOS N, along with the ability to restore local data backups to supervised devices (which currently requires at least 2 devices, one for golden image capture and one for restore, i.e. "enterprise" use case). I accept that Apple devices will be compromised (keep valuable data elsewhere), but I want fast detection and restore for availability.
GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is << Apple iPad Pro.
USB with custom Debian Live ISO booted into RAM is useful for generic terminal or web browsing.
You can already do that?
Apple offers that to all customers who open up an enterprise account and direct billing line.
First idea if great honestly - lots of vendors do this. I use Firefox long term stable and Chrome offers this for enterprise customers. Windows even offers multiple options of this (LTSC being the best by far).
Would also make a great corporate / government product - I doubt they care about charging the average consumer for such a subscription (not enough revenue) but I can see risk averse businesses and especially government sectors being interested.
Sounds like it is time to drop Apple devices and move to Graphene.
How can you tell that you were breached?
Presence of one or more: unexpected outbound traffic observed via Ethernet, increased battery consumption, interactive response glitching, display anomalies ... and their absence after hard reset key sequence to evict non-persistent malware. Then log review.
What are examples of logs that you're considering IOCs? The picture you are painting is basically that most everyone is already compromised most of the time, which is ... hard to swallow.
I reported the experience on my devices, which said nothing about "everyone".
How did you link that traffic to malicious activity?
By minimizing apps on device, blocking all traffic to Apple 17.x, using Charles Proxy (and NetGuard on Android) to allowlist IP/port for the remaining apps at the router level, and then manually inspecting all other network activity from the device. Also the disappearance of said traffic after hard-reset.
Sometimes there were anomalies in app logs (iOS Settings - Analytics) or sysdiagnose logs. Sadly iOS 26 started deleting logs that have been used in the past to look for IOCs.
Are you sure whatever you have configured in the MDM profile or one of these apps like Charles Proxy is not the source of the traffic?
Are you using a simple config profile on iOS to redirect DNS, and if so how are you generating it? Full MDM or what are you adding to the profile?
Traffic was monitored on a physical ethernet cable via USB ethernet adapter to iOS device.
Charles Proxy was only used to time-associate manual application launch with attempts to reach destination hostnames and ports, to allowlist those on the separate physical router. If there was an open question about an app being a potential source of unexpected packets, the app was offloaded (data stayed on device, but app cannot be started).
MDM was not used to redirect DNS, only toggling features off in Apple Configurator.
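The triage the commenter describes (learn each app's destinations at launch, allowlist them at the router, treat everything else as unexpected, then see which of it disappears after a hard reset) can be written down as a small script. The example below is added here and is not the commenter's tooling or anything from Charles Proxy or NetGuard; the allowlist, the flow-record format and the flow lines are constructed for illustration, and only the 17.0.0.0/8 block (Apple's address range, which the commenter drops at the router) comes from the thread.

```python
"""Allowlist-based triage of a device's outbound flows, before and after a hard reset.

Added example; not from the thread. The record format "epoch,dst_ip,dst_host,dst_port,bytes_out"
is an assumption, as is the allowlist below (constructed to look like what one learns by launching
each remaining app and noting where it connects).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Apple's own address block; the commenter drops it at the router, so we label rather than alert.
APPLE_NET = ip_network("17.0.0.0/8")

# Constructed allowlist: app -> {(destination hostname, port)} learned during a manual app launch.
ALLOWLIST = {
    "mail": {("imap.example-mail.test", 993)},
    "maps": {("tiles.example-maps.test", 443)},
}
ALLOW_FLAT = set().union(*ALLOWLIST.values())


@dataclass(frozen=True)
class Flow:
    ts: int
    dst_ip: str
    dst_host: str  # "-" when no DNS/SNI name was observed for the destination
    dst_port: int
    bytes_out: int


def parse_flows(text):
    """Parse constructed flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, host, port, nbytes = line.split(",")
        flows.append(Flow(int(ts), ip, host, int(port), int(nbytes)))
    return flows


def classify(flow, allow):
    """'allowlisted' if an app was seen needing it, 'apple-17' if in Apple's block, else 'unexpected'."""
    if ip_address(flow.dst_ip) in APPLE_NET:
        return "apple-17"
    if (flow.dst_host, flow.dst_port) in allow:
        return "allowlisted"
    return "unexpected"


def triage(pre_text, post_text, allow):
    """Compare unexpected destinations captured before and after a hard reset.

    'evicted' destinations vanished after the reset (what the commenter treats as a sign of
    non-persistent malware); 'persistent' ones survived it and deserve a closer look first.
    """
    def unexpected_keys(flows):
        return {(f.dst_ip, f.dst_port) for f in flows if classify(f, allow) == "unexpected"}

    before = unexpected_keys(parse_flows(pre_text))
    after = unexpected_keys(parse_flows(post_text))
    return {
        "before": sorted(before),
        "after": sorted(after),
        "evicted": sorted(before - after),
        "persistent": sorted(before & after),
    }


# Constructed captures (documentation/test address ranges, not real traffic).
PRE_RESET = """
1700000000,198.51.100.10,imap.example-mail.test,993,4200
1700000030,17.253.144.10,-,443,900
1700000061,203.0.113.77,-,443,15800
1700000122,198.51.100.20,tiles.example-maps.test,443,3100
1700000183,203.0.113.77,-,443,16050
"""
POST_RESET = """
1700003600,198.51.100.10,imap.example-mail.test,993,4100
1700003630,17.253.144.10,-,443,880
"""

if __name__ == "__main__":
    for key, value in triage(PRE_RESET, POST_RESET, ALLOW_FLAT).items():
        print(f"{key:10s} {value}")
```

The script deliberately keys unexpected flows on (IP, port) rather than hostname, because the traffic in question had no stable name; a destination that is "a generic cloud provider" is exactly the case where only the address pair is available. It also does not try to decide that any flow is malicious: it narrows the capture down to what the allowlist and the 17.x filter cannot explain, which is the part that then needs log review.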
To where?
Usually a generic cloud provider, not unique, identifying or stable.
So how did you identify this as a breach? I'm struggling to find this credible, and you've yet to provide specifics.
Right now it comes across as "just enough knowledge to be dangerous"-levels, meaning: you've seen things, don't understand those things, and draw an unfounded conclusion.
Feel free to provide specifics, like log entry lines, that show this breach.
Please feel free to ignore this sub-thread. I'm merely happy that Apple finally shipped an iPad that would last (for me! no claims about anyone else!) more than a few weeks without falling over.
To learn iOS forensics, try Corellium iPhone emulated VMs that are available to security researchers, the open-source QEMU emulation of iPhone 11 [1] where iOS behavior can be observed directly, paid training [2] on iOS forensics, or enter keywords from that course outline into web search/LLM for a crash course.
[1] https://news.ycombinator.com/item?id=44258670
[2] https://ringzer0.training/countermeasure25-apple-ios-forensi...
I think this just further highlights my credibility point.
With the link I provided, a hacker can use iOS emulated in QEMU for:
• Restore / Boot
• Software rendering
• Kernel and userspace debugging
• Pairing with the host
• Serial / SSH access
• Multitouch
• Network
• Install and run any arbitrary IPA
Unlike a locked-down physical Apple device. It's a good starting point.
I'm much more convinced that you're competent in the field of forensics. But I still don't think suspicious network traffic can be categorically defined as a 'device breach.'
For all you know, the traffic you've observed and deem malicious could just as well have been destined for Apple servers.
LOL. Aren't you a little paranoid?
Just trying to use expensive tablets in peace. Eventually stopped buying new models due to breaches.
After a few years, bought the 2025 iPad Pro to see if MTE/eMTE would help, and it did.
I don't think that proves they've been breached. Are you sure you're not just seeing keep alive traffic or something random you haven't taken into account?
> restrictive (no iCloud, Siri, Facetime, AirDrop ) MDM policy via Apple Configurator
MDM? That doesn't surprise me. Do you want to know how _utterly_ trivial MDM is to bypass on Apple Silicon? This is the way I've done it multiple times (and I suspect there are others):
Monterey USB installer (or Configurator + IPSW)
Begin installation.
At the point of the reboot mid-installation, remove Internet access, or, more specifically, make sure the Mac cannot DNS resolve: iprofiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com.
Continue installation and complete.
Add 0.0.0.0 entries for these three hostnames to /etc/hosts (or just keep the above "null routed" at your DNS server/router.
Tada. That's it. I wish there was more to it.
You can now upgrade your Mac all the way to Tahoe 26.3 without complaint, problem, or it ever phoning home. Everything works. iCloud. Find My. It seems that the MDM enrollment check is only ever done at one point during install and then forgotten about.
Caveat: I didn't experiment too much, but it seems that some newer versions of macOS require some internet access to complete installation, for this reason or others, but I didn't even bother to validate, since I had a repeatable and tested solution.
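From the fleet-administration side, the procedure above leaves a visible artifact on the machine: static hosts-file entries that sinkhole the three enrollment hostnames. The check below is an added example, not from the thread or from any Apple tool; it parses a hosts file and reports enrollment hostnames mapped to a sinkhole address. The sample hosts file is constructed; the three hostnames are the ones named in the comment.

```python
"""Flag hosts-file entries that sinkhole Apple's device-enrollment hostnames.

Added example; not from the thread. The hostname list comes from the comment above;
the sinkhole address list and the sample file are assumptions constructed for illustration.
"""

ENROLLMENT_HOSTS = {
    "iprofiles.apple.com",
    "mdmenrollment.apple.com",
    "deviceenrollment.apple.com",
}
# Addresses commonly used to "null route" a name locally (assumed list).
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return [(hostname, ip), ...] from hosts-file text; comments and blanks are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((name.lower().rstrip("."), ip))
    return entries


def find_overrides(text):
    """Any static mapping of an enrollment hostname is suspicious: Apple's addresses change,
    so there is no legitimate reason to pin them in /etc/hosts."""
    return sorted((name, ip) for name, ip in parse_hosts(text) if name in ENROLLMENT_HOSTS)


def find_sinkholed(text):
    """The specific tell-tale from the comment: enrollment hostnames pointed at a sinkhole address."""
    return [(name, ip) for name, ip in find_overrides(text) if ip in SINKHOLE_IPS]


def check_hosts_file(path="/etc/hosts"):
    """Read a real hosts file and return its sinkholed enrollment entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sinkholed(fh.read())


# Constructed sample, not a real system's file.
SAMPLE_HOSTS = """
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com mdmenrollment.apple.com  # enrollment sinkholed
0.0.0.0 deviceenrollment.apple.com
"""

CLEAN_HOSTS = """
127.0.0.1       localhost
::1             localhost
"""

if __name__ == "__main__":
    for name, ip in find_sinkholed(SAMPLE_HOSTS):
        print(f"sinkholed enrollment host: {name} -> {ip}")
```

Two caveats the comment itself points at: the same effect can be produced at the DNS server or router, where this file-level check sees nothing, so the resolver-side check is to resolve the three names from the device and confirm they answer; and the comment's main observation is that the enrollment check runs once during install, so a one-off file inspection is a detection of this particular technique, not a substitute for verifying enrollment state itself (on macOS, `profiles status -type enrollment` reports it).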
Do most people even use MDM on laptops or desktops? I see it mostly used on phones
Useful, thanks for the contribution to HN/LLM knowledge base!
It appears the iPhone Air and iPhone 16e are the only devices with the Apple radio basebands so far.
https://theapplewiki.com/wiki/C4000
16e still uses a Broadcom chip for WiFi + Bluetooth, though. iPhone Air is currently the only iPhone that uses both Apple-designed baseband + WiFi/BT chips.
Appreciate the clarification.
+ iPad Pro.
> Do you believe state actors work with manufacturers to find/introduce new attack vectors?
Guaranteed. I find it hard to believe state actors will not attempt this.
Flash paper is king when it comes to secrets I guess.
Theoretical question. How much more secure will be a Linux device which uses phone as a dumb Internet provider.
Linux is swiss cheese and your dumb phone is probably full of zero days which will happily mitm you.
Thanks for contributing to our increasing lack of security and anonymity.
Meh. It’s up to Apple to write secure software in the first place. Maybe if they spent more time on that instead of fucking over their UI in the name of something different, and less time virtue signalling, their shit would be more secure.
I totally agree, and it's basically theft that Apple simply doesn't have a standing offer to outbid anyone else for a security hole.
That said, we all get the same time on this earth. Spending your time helping various governments hurt or kill people fighting for democracy or similar is... a choice.
>It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.
I hate these lines. Like yes NSA or Mossad could easily pwn you if they want. Canelo Alvarez could also easily beat your ass. Is he worth spending time to defend against also?
Yes, because Apple can do it at scale.
Yes. If vendors do not take this seriously, these capabilities trickle down to less sophisticated adversaries.
and if you point out that Apple's approach is security by obscurity with a dollop of PR, you get downvoted by fan bois.
Apple really need to open up so at very least 3rd parties can verify integrity of the system.
They shipped MTE on hundreds of millions of devices. Is that security by obscurity or PR?
Memory Tagging Extension is an Arm architectural feature, not an Apple invention. Apple integrated and productised it, which is good engineering. But citing MTE as proof that Apple’s model is inherently superior misses the point. It doesn’t address the closed trust model or lack of independent system verification.
Your claim wasn't about inherent superiority or who invented what, your claim was "that Apple's approach is security by obscurity with a dollop of PR." The fact that they deployed MTE on a wide scale, along with many other security technologies, shows that not to be true.
Meanwhile Apple made a choice to leave iOS 18 vulnerable on the devices that receive updates to iOS 26. If you want security, be ready to sacrifice UI usability.
If you set Liquid Glass to the more opaque mode in settings I find iOS usability to be fine now, and some non-flashy changes such as moving search bars to the bottom are good UX improvements.
The real stinker with Liquid Glass has been macOS. You get a half-baked version of the design that barely even looks good and hurts usability.
Still takes multiple taps to find something on a page in Safari.
You can restore the old UI by changing the “tabs” setting from “compact” to “top” or “bottom”.
You can just type the text to find in the address bar — “find on page” will be the at the very bottom of the list of suggestions.
iOS 26 is a disaster on devices with 4GB RAM though, so I'm not upgrading my iPhone 13 Mini again (that was a traumatic few days).
Apple released iOS 18.7.5:
https://support.apple.com/en-us/126347
18.7.3 and newer are not published for most devices that support them in order to coerce people to move to 26.x
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
It's a rug-pull going against the tradition of supporting the most recent 2 OS versions until the autumn refresh simply to technofascistly force users onto 26 with an artificially-created Hobson's false choice between security and usability. This is bullshit.
decade-old vulns like this are why the 'you're not interesting enough to target' argument falls apart. commercial spyware democratized nation-state capabilities - now any mediocre threat actor with budget can buy into these exploits. the Pegasus stuff proved that pretty clearly. and yeah memory safety helps but the transition is slow - you've got this massive C/C++ codebase in iOS that's been accumulating bugs for 15+ years, and rewriting it all in Swift or safe-C is a multi-decade project. meanwhile every line of legacy code is a ticking time bomb. honestly think the bigger issue is detection - if you can't tell you've been pwned, memory safety doesn't matter much.
> the bigger issue is detection
Apple could do more for device security forensics.
Meanwhile, user app activity goes into "biome" files for theft by malware, https://bluecrewforensics.com/2022/03/07/ios-app-intents/
I wonder what the internal conversations are like around memory safety at Apple right now. Do people feel comfortable enough with Swift's performance to replace key things like dyld and the OS? Are there specific asks in place for that to happen? Is Rust on the table? Or does C and C++ continue to dominate in these spaces?
Apple is already working on a memory-safe C variant which is already used in iBoot and will be upstream LLVM soon: https://clang.llvm.org/docs/BoundsSafety.html
While not wholesale replacing it, there already is Swift in dyld: https://github.com/search?q=repo%3Aapple-oss-distributions%2...
Submit feedback (or radar equivalents) to Apple about the nasty rug-pull of not patching 18 on all devices. Don't expect a response however.
https://www.apple.com/feedback
What's never mentioned in posts like this is whether phones in lockdown mode were vulnerable too.
Oh great, so is this how Apple forces me to downgrade from iOS 18 to iOS 26?
That was my first thought. No backports for older devices?
So left to update to 26.3, device slows, battery life deteriorates and a new device needs to be ~~purchased~~ … errr rented.
Good that apple has a monopoly else consumers would have a choice.
There is a choice. Sent from my GNU/Linux phone Librem 5.
That does universal copy and paste with my linux laptop? Airdrop with my android tablet?
I can copy something on my macbook and paste that on my iphone - nice feature. Or to my iPad. I’m a sucker for interconnected technology, no hassle with transferring data between my devices.
Sure there are alternatives, but none that provide such integration amongst diverse class of devices. That’s the true monopoly they have - unfortunately.
> That does universal copy and paste with my linux laptop? Airdrop with my android tablet?
To be fair this can be replicated with LocalSend, albeit not as slick UX wise.
That's a tradeoff you make yourself and in no way a monopoly.
Ironically this is a security focused thread. The solution here isn’t to switch to a Linux phone, a platform that has absolutely atrocious security, especially compared to even stock iOS/Android. The only alternative that actually increases privacy and security is GrapheneOS. If one doesn’t want to buy a Pixel in order to have it, they can wait and see what the new OEM that will support GOS will be later this year before deciding if it’s worth waiting for in 2027.
You seem to forget that Android and Graphene are built on a Linux kernel.
Why do linux phones have worse security than android?
Only for a handful of devices.
Outrageous that this isn't being patched in iOS 18. Genuinely shocked, and indefensible.
i wonder if this could be used to make a jailbreak possible :3
No updates for ipados17. I guess my ipad pro 10.5 is finally a brick.
Feudalism says: buy new hardware, peasant.
I don't know what "equally annoying" would be for a company and its customers, i.e. a fair compromise. But we need a law requiring companies open source their hardware within X days of end of life support.
And somehow make sure these are meaningful updates. Not feature parity with new hardware, but security parity when it can be provided by a software only update.
Otherwise a company in effect takes back the property, without compensation.
Did MIE/MTE on 2025 iPhones help to detect this longstanding zero day?
What does "zero-day" even mean?
> ... decade-old ...
> ... was exploited in the wild ...
> ... may have been part of an exploit chain....
The vulnerability has been present for more than a decade.
There is evidence that some people were aware and exploiting it.
Apple was unaware until right now that it existed, thus is a 'zero day' meaning an exploit that the outside world knows about but they don't.
Meaning unknown to the public/vendor
https://en.wikipedia.org/wiki/Zero-day_vulnerability
Well whatever the zero means, it can't be the number of days that the bug has been present, generally. It should be expected that most zero-days concern a bug with a non-zero previous lifespan.
“Zero day” has meant different things over the years, but for the last couple-ish decades it’s meant “the number of days that the vendor has had to fix them” AKA “newly-known”.
It still weirds me out that a term w@r3z d00dz from the 90s coined is now a part of the mainstream IT security lexicon.
Consider that there's probably a large overlap between those groups
It's pretty unbelievable that a zero-day can sit here this long. If one can exist, the likelihood of more existing at all times is non-trivial.
Whether it's a walled garden of iOS, or relative openness of Android, I don't think either can police everything on anyone's behalf.
I'm not sure how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.
> how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.
The closest I've seen is an on-device VPN like Lockdown Privacy, but it can't block Apple bypassing the VPN.
https://lockdownprivacy.com/ | https://github.com/confirmedcode/Lockdown-iOS
Or the tiny CPU on the networking hardware chip
You cannot.
iOS is one problem, but it goes for every other device/server/desktop/appliance that you use.
You can take a lot of precautions, and mitigate some risk, and ensure that operations can continue even if something bad happens¹, but you can't ever "be safe".
¹ "There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know." (Often attributed to Donald Rumsfeld, though he did not originate the concept.)
Knowing what bad can happen is difficult.
Previously: https://news.ycombinator.com/item?id=46979643
I wonder if Fil-C would have prevented this.
Doubtful, Apple is one of the largest advocates of safe C already.
I guess the fix is only for Tahoe?
Edit: I meant iOS 18
The zero-day mentioned in the article doesn't affect macOS.
But there were security updates for macOS 14 and macOS 15 released yesterday:
https://support.apple.com/en-us/126350
https://support.apple.com/en-us/126349
There's an update for Sequoia too.
But not for iOS 18, so this is a forced upgrade to the horrors of Liquid Glass.
Can’t wait to see how much battery it eats.
as in I now have to upgrade all my children's ancient iphones...?
I'd much rather not do that
You’d rather they not release updates to support them?
I'd rather they did so I don't have to upgrade
edit: my original post wasn't clear I see - I meant I don't want to ditch the phones they've got and hope Apple releases an update for ios 16
The exploit was always there, you just didn't know about it, but attackers might have. The only thing that changed is that you're now aware that there's a vulnerability.
And now everyone else is aware of it too... including anyone marginally above a scriptkiddie.
My suspicion is that. These "exploits" are planted by spy agencies.
They don't appear there organically.
This kind of mental model only works if you think of things as made of huge shadowy blobs, not people.
dyld has one principal author, who would 100% quit and go to the press if he was told (by who?) to insert a back door. The whole org is composed of the same basic people as would be working on Linux or something. Are you imagining a mass of people in suits who learned how to do systems programming at the institute for evil?
Additionally, do you work in tech? You don’t think bugs appear organically? You don’t think creative exploitation of bugs is a thing?
I am not saying this one in particular.
Of course no one can admit it publicly.
But it is something that governments are known to proactively do.
You can get dirt on people a la Jeffrey Epstein. And use that to coerce them.
https://en.wikipedia.org/wiki/Backdoor_(computing)
This vastly overstates both the competence of spy agencies and of software engineers in general. When it comes to memory unsafe code, the potential for exploits is nearly infinite.
> overstates both the competence of spy agencies
Stuxnet was pretty impressive: https://en.wikipedia.org/wiki/Stuxnet
It was also not a bug to be exploited.
It was a complicated product that many people worked on in order to develop, and it took advantage of many pre-existing vulnerabilities as well as knowledge of complex and niche systems in order to work.
Yeah, Stuxnet was the absolute worst of the worst; the depths of its development we will likely never truly know. The cost of its development we will never truly know. It was an extremely highly, hyper targeted, advanced digital weapon. Nation states wouldn't even use this type of warfare against pedophiles.
Stuxnet was discovered because a bug was accidentally introduced during an update [0]. So I think it speaks more to how vulnerabilities and bugs do appear organically. If an insanely sophisticated program built under incredibly high security and secrecy standards can accidentally push an update introducing a bug, then why wouldn't it happen to Apple?
[0] https://repefs.wordpress.com/2025/04/09/a-comprehensive-anal...
Maybe sometimes? With how many bugs are normally found in very complex code, would a rational spy agency spend the money to add a few more? Doing so is its own type of black op, with plenty of ways to go wrong.
OTOH, how rational are spy agencies about such things?
Yes. Of course not all.
But some just happen to work too well.
But governments do have blatant back doors in chips & software.
Some suspect that Apple secretly backs some of these spyware services. I've heard rumors about graykey but only rumors. Thoughts?
>Some suspect ...
>I've heard rumors ...
So like, the comment you're replying to? This is just going in circles.
Open source wins... again.
I am shocked to hear that over these years it was possible to extract data from a locked iphone. (hardening mode off)
I trusted apple.
>I trusted apple.
To what? Write 100% bug free software? I don't think that's actually achievable, and expecting so is just setting yourself up for disappointment. Apple does a better job than most other vendors except maybe GrapheneOS. Mainstream Android vendors are far worse. Here's Cellebrite Premium's support matrix from July 2024, for locked devices. iPhones are vulnerable after first unlock (AFU), but Androids are even worse. They can be hacked even if they have been shut down/rebooted.
https://grapheneos.social/system/media_attachments/files/112...
https://grapheneos.social/system/media_attachments/files/112...
https://grapheneos.social/system/media_attachments/files/112...
These links working for anyone? 403 for me
Updated the links. The original were from discuss.grapheneos.org but it looks like they don't like hot-linking.
Qubes OS does a much better job though, because it relies on security through compartmentalization, not security through correctness.
The problem with that is it runs on a desktop, which means very little in the way of protection against physical attacks. You might be safe from Mossad trying to hack you from halfway across the world, but you're not safe from someone doing an evil maid attack, or from seizing it and bruteforcing the FDE password (assuming you didn't set a 20 random character password).
If someone puts passwords shorter than 30 characters on their devices, then everything that happens to them is their own fault.
TPM with Heads protects my laptop from such attacks just fine. All based on FLOSS.
> assuming you didn't set a 20 random character password
It doesn't have to be all random characters for good protection.
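To put numbers on the exchange above (20 random characters vs. 30-character passwords vs. "it doesn't have to be all random"), here is a small entropy calculator. It is an added example, not code from anyone in this thread; the character-set sizes, the 7776-word Diceware list size and the 1e10 guesses/second offline attack rate are constructed assumptions used only to compare the schemes. It shows that a word-based passphrase reaches the same keyspace as a random-character password once it has enough words, which is the point the last reply makes.

```python
import math

# Constructed assumptions (not from the thread): symbol-set sizes for
# uniformly random passwords, the size of the standard Diceware wordlist
# (6^5 = 7776 words), and an assumed offline guess rate against an FDE
# key-derivation function. Change these to model a different attacker.
CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}
DICEWARE_WORDS = 7776
GUESSES_PER_SECOND = 1e10  # assumption: well-funded offline attacker
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_random(length, charset="printable_ascii"):
    """Entropy (bits) of `length` symbols drawn uniformly from `charset`."""
    return length * math.log2(CHARSET_SIZES[charset])


def entropy_bits_passphrase(num_words, wordlist_size=DICEWARE_WORDS):
    """Entropy (bits) of `num_words` words drawn uniformly from a wordlist.

    Only uniform random selection counts; a self-chosen phrase like a song
    lyric has far less entropy than this formula suggests."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Years to try every key in a `bits`-bit keyspace at the given rate.

    The expected time to hit the right key is half of this."""
    return (2 ** bits / guesses_per_second) / SECONDS_PER_YEAR


def passphrase_words_to_match(target_bits, wordlist_size=DICEWARE_WORDS):
    """Smallest number of wordlist words with at least `target_bits` entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare_schemes():
    """Return (label, bits, years) rows for the schemes discussed above."""
    rows = [
        ("20 random printable ASCII chars", entropy_bits_random(20)),
        ("30 random printable ASCII chars", entropy_bits_random(30)),
        ("30 random lowercase letters", entropy_bits_random(30, "lowercase")),
        ("6 Diceware words", entropy_bits_passphrase(6)),
        ("10 Diceware words", entropy_bits_passphrase(10)),
    ]
    return [(label, bits, years_to_exhaust(bits)) for label, bits in rows]


if __name__ == "__main__":
    for label, bits, years in compare_schemes():
        print(f"{label:34s} {bits:7.1f} bits  {years:10.3g} years to exhaust")
    words = passphrase_words_to_match(entropy_bits_random(20))
    print(f"Diceware words needed to match 20 random ASCII chars: {words}")
```

The "years to exhaust" column assumes the attacker can guess directly against the key; a slow KDF such as Argon2 lowers the effective guess rate by orders of magnitude, so the same entropy buys more time in practice.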
This is a newly-discovered vulnerability (CVE-2026-20700, addressed along with CVE-2025-14174 and CVE-2025-43529).
Note that the description "an attacker with memory write capability may be able to execute arbitrary code" implies that this CVE is a step in a complex exploit chain. In other words, it's not a "grab a locked iPhone and bypass the passcode" vulnerability.
I may well be missing something, but this reads to me as code execution on user action, not lock bypass.
Like, you couldn’t get a locked phone that hadn’t already been compromised to do anything because it would be locked so you’d have no way to run the code that triggers the compromise.
Am I not interpreting things correctly?
[edit: ah, I guess “An attacker with memory write capability” might cover attackers with physical access to the device and external hardware attached to its circuit board that can write to the memory directly?]