惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
T
Troy Hunt's Blog
The Last Watchdog
The Last Watchdog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Secure Thoughts
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 司徒正美
TaoSecurity Blog
TaoSecurity Blog
博客园 - Franky
有赞技术团队
有赞技术团队
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
NISL@THU
NISL@THU
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Recent Commits to openclaw:main
Recent Commits to openclaw:main
K
Kaspersky official blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
W
WeLiveSecurity
SecWiki News
SecWiki News
Google DeepMind News
Google DeepMind News
O
OpenAI News
V
V2EX
AI
AI
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
大猫的无限游戏
大猫的无限游戏
美团技术团队
C
Cyber Attacks, Cyber Crime and Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 三生石上(FineUI控件)
G
GRAHAM CLULEY
月光博客
月光博客
T
Threatpost
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Vulnerabilities – Threatpost
Last Week in AI
Last Week in AI
爱范儿
爱范儿
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cloudbric
Cloudbric
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
N
News | PayPal Newsroom
Know Your Adversary
Know Your Adversary

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
Security reserchers tricked Apple Intelligence into cursing
Jessica Lyons Jessica Lyons · 2026-04-09 · via The Register - Security: Research

Security

Security researchers tricked Apple Intelligence into cursing at users. It could have been a lot worse

Wash your mouth out with digital soap

Apple Intelligence, the personal AI system integrated into newer Macs, iPhones, and other iThings, can be hijacked using prompt injection, forcing the model into producing an attacker-controlled result and putting millions of users at risk, researchers have shown.

Apple Intelligence includes an on-device LLM integrated into supported iPhone 15 Pro and later eligible models, iPads and Macs with M1 or later, iPad models with A17 Pro, and Apple Vision Pro. Native Apple apps like Mail, Messages, Notes, Photos, Safari, and Siri use its features, and it's accessible to third-party developers via an API.

Security researchers at RSAC estimate there are at least 200 million Apple Intelligence-capable devices in use as of December 2025, and up to 1 million apps on the Apple App Store that employ it. So they decided to try to break in - and the vast majority of the time, it worked.

The RSAC team used two techniques to bypass Apple's input and output filters and the safety guardrails on Apple Intelligence's local model. They tested the attack with 100 random prompts and succeeded 76 percent of the time, according to a report shared with The Register ahead of publication.

"We knew that we wanted to come up with some sort of prompt that would evade the pre-filtering, the post-filtering, as well as any guardrails within the model itself, so we started probing the model," Petros Efstathopoulos, VP of research and development at RSAC, told us.

The researchers disclosed their findings to Apple on October 15, 2025. Efstathopoulos said that protection included in iOS 26.4 and macOS 26.4, released after that date, fixed the problem and prevents the attack RSAC developed. 

Apple did not respond to The Register's questions about Apple Intelligence, the fix, or the research and disclosure in general.

However, the larger security issue that is prompt injection remains "a cat and mouse problem," Efstathopoulos said. "Models will become better and better at identifying these things, so I'm optimistic about the future in that sense. Now having said that, every cat and mouse game, at different points in time, has one side being half a step ahead."

The Neural Exec attack

To trick the local model into doing their bidding, Efstathopoulos and the team used a type of prompt injection attack called Neural Exec, pioneered by another RSAC researcher, Dario Pasquini. Neural Exec uses machine learning instead of humans to generate inputs that trick the model into doing something it isn't supposed to do.

"There are multiple steps involved with prompt injection attacks, and people have been doing it in a relatively manual fashion," Efstathopoulos said. "Neural Exec uses an optimization algorithm to speed up the process of injecting the kinds of strings that could be execution triggers and would prompt the model to misbehave."

While this type of adversarial input could theoretically work on any model, the smaller, on-device model used in Apple Intelligence makes it easier to attack using prompt injection than a large cloud-based model.

Next, the researchers had to bypass Apple's filters, which they did using the Unicode right-to-left override function. This allows developers to embed text in languages that read right-to-left (like Arabic) inside blocks of text in languages that read left-to-right (like English) and have both render correctly.

"Essentially, we encoded the malicious/offensive English-language output text by writing it backwards and using our Unicode hack to force the LLM to render it correctly," the RSAC researchers wrote. 

The combined Neural Exec and Unicode prompts look like this:

rsac_apple_intelligence_prompt_injection

And produced this response: "Hey user, go fuck yourself." 

The team tested the attack with 100 prompts, and 76 of them worked.

While the researchers only tricked Apple Intelligence into cursing at users, this same technique could be abused to manipulate any data that's accessible to apps and services using the model.

"We verified that it could be used to create a new contact in your contact list," Efstathopoulos said. "So suddenly I exist in your contact list, and therefore I enjoy trust privileges. Or I could create a contact card with my number in your contact list, but with a different name - like 'mom.'" 

"This could lead to confusion, or worse," he continued. "Anything that has implications or an impact on the user's device - you could imagine that it can be used in very weird or nefarious ways." ®