I am out of date on the latest from the jailbreak scene, but checkra1n supports the device up to iOS 14. If you updated to iOS 15, there may not be a full jailbreak, but not all is lost.
The latest release of Xcode, Xcode 26, still allows you to build apps for iOS 15. At some point you will have the secondary problem of needing an older Xcode which only runs on an older macOS, though Apple has been doing the minimum to make it possible to acquire both of these.
With a free Apple Developer account, you can sign and side load your apps, but they expire every 7 days, and you wouldn't be able to add any restricted entitlements. But the TrollStore exploit (https://github.com/opa334/TrollStore), which I cannot vouch for, seems to work around these limits.
So: It seems like if you are the kind of person who keeps disposable vapes to reprogram the microcontrollers, the iPhone 6S should actually be an attractive device worth keeping:
- Runs an operating system released in September 2021 and received regular bug fixes and security updates through July 2024. Still receives occasional security updates as of September 2025. Not completely end-of-life.
- Supported by the latest developer tools, probably through June 2026, with older downloads available (https://xcodereleases.com/).
- Known jailbreaks and exploits to maximize utility.
It's not surprising that the trade-in value for a 10-year-old device is nil, but on the secondary market they fetch about $60 (https://swappa.com/prices/apple-iphone-6s) which is not bad if you consider the device capabilities compared to most hobbyist devkits.
> Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?
Yes, this means it was exploited in a spyware campaign in the wild.
The full exploit chain seems to target WhatsApp directly using a second bug in WhatsApp; although this vulnerability is definitely present anywhere this kind of image is processed using Apple’s native image support, it would usually be aggressively sandboxed (in iMessage by BlastDoor and in Safari by the web content sandbox), so you’d need a lot more vulnerabilities than those that are currently disclosed to make it useful in those places. A bug in WhatsApp itself is particularly bad in terms of spyware actors, since it leaves one of their most popular targets, WhatsApp, vulnerable without a significantly more complex kernel escalation and sandbox bypass.
My Pixel XL here works great for scrolling at night. I'm skeptical of the "no more system updates" boogeyman; I'd love some case studies or anecdotes about the real-world threats that using an old devices exposes me to.
I have a functional Pixel 3XL that when flashed with one of the few modern Android ROMs available for it feels pretty fine to use for the most part… better than a lot of brand new low end Android devices, if I’m being honest. Too bad it’s not supported any more.
Given that 5 years of support is now the minimum required for devices to be sold in the EU, Apple is now on the lower end of the range compared to companies like Google and Samsung.
Apple may have done better in the past, but these other manufacturers are making stronger legally binding claims than Apple.
It seems to me that this exploit was used in a chain with a WhatsApp issue that would trigger the malicious DNG data to be loaded as a zero click, presumably just into WhatsApp. It’s unclear to me if there was a sandbox escape or kernel vulnerability used along with this; it might have been used to exfiltrate WhatsApp messages only.
This would explain why there’s only a single patch for a simple memory corruption issue; usually an attacker would need a lot of chained vulnerabilities to bypass mitigations on iOS, but if the vulnerability is in the exact target application to begin with, it sure does make things easier.
I'm no Apple fanboi--quite the opposite. But I take a note of this act and tip my hat, considering how Android OEMs have been pumping out abandonwares.
Kudos to Apple but are they going to update iPhone 8 firmware too? Think it’s been over a year since the final release. (Surely security vulnerabilities have been discovered since then!!)
Apple does support their phones for some time. But note that 10 years is only if you bought the iPhone 6s when it was new and at its most expensive. The iPhone 7 (Plus) wasn't discontinued until 2019 and is on the same iOS version. So it got something like 3 years of OS upgrades (impacting app support) and 6 years of security upgrades in the worst scenario.
Might as well say it since nobody else commented about it, but modem/soc vendors are huge limiting factor on longterm android support. Qualcomm maintains these updates for only a few years, basically nothing earlier than around 2020-2021 gets kernel driver or modem updates.
Of course it's still up to phone manufacturer to integrate these changes, but it puts an effective security support timeline on even 3rd party ROM's like lineageos. They can cherrypick, but it's not as secure once that support ends.
Apple has almost everything in-house (except until recently, modems). So they have a ton of flexibility in continuing to provide updates.
What puts down that common excuse, is that there is this legal thing called contracts, that can force to provide updates as long as customers (OEM) want.
We do them all the time in enterprise consulting, regarding how long to provide support after the project is considered delivered.
It’s not clear to me if this can result in a RCE. If it does, then does this mean that enough iPhone 6s are still out in the wild where a bad actor could easily take over a big enough portion to do more nefarious things?
Not surprised. I met with Samsung for work purposes to buy hundreds of phone, and the best they could do with their flagship phones was offer 3 years of security updates. This was around 2019. Apple, who didn't meet with us, was around 6 years from our estimate.
From a ROI, for corporate phones, Apple iPhones had a longer lifespan, which is why we bought hundreds of iPhones, and not Androids.
On a personal note, I had the Nexus S, the Nexus 5, and they all died a horrible death either from lack of updates, or just having the physical button break, and the microphone stop working.
And let us not speak of Sony Xperia Z5, which all of sudden removed their fingerprint sensor due to a North American patent problem. They also broke their bluetooth audio so that song names STOPPED being displayed. That was all in a span of less than 3 years.
Never again Sony Android phones.
At that point, I got fed up of custom ROMS and joined the "iPhone, it just works" group and moved on.
I wish they would do the same for iOS 17, instead of forcing users to upgrade to iOS 18. A bunch of superfluous works and many of them even erroneous. Alarm clock for example: if you didn't allow it to snooze, pressing on the power button will snooze it, but without the possibility to turn it off easily. Why on earth would somebody rewrite the alarm clock?!
honestly this is incredible, though i'm not sure how the android space is catching up? apparently google and samsung have been promising 5/6 years of software updates recently as well
Headline is slightly misleading. It implies that the update is only available on the 6s, when in reality it's available for:
> iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
That's a lot of devices, more so than "10-year old iPhone 6s" implies.
I won't be upgrading my iPhone 7 and 4th gen iPad mini, because I don't want to take the chance that the update needs an update to Dopamine to be jailbroken. Fortunately they're secondary devices for me.
This doesn't really mean much on account of the iOS ecosystem only supporting the latest two OS versions in their apps as a general rule. Once you are behind 2 versions, your device becomes quite useless at that point
37 comments
[ 6.2 ms ] story [ 56.0 ms ] threadFucked-up world we live in where a disposable vape can be reused for more purposes than an iPhone with expired software support.
The latest release of Xcode, Xcode 26, still allows you to build apps for iOS 15. At some point you will have the secondary problem of needing an older Xcode which only runs on an older macOS, though Apple has been doing the minimum to make it possible to acquire both of these.
With a free Apple Developer account, you can sign and side load your apps, but they expire every 7 days, and you wouldn't be able to add any restricted entitlements. But the TrollStore exploit (https://github.com/opa334/TrollStore), which I cannot vouch for, seems to work around these limits.
So: It seems like if you are the kind of person who keeps disposable vapes to reprogram the microcontrollers, the iPhone 6S should actually be an attractive device worth keeping:
- Runs an operating system released in September 2021 and received regular bug fixes and security updates through July 2024. Still receives occasional security updates as of September 2025. Not completely end-of-life.
- Supported by the latest developer tools, probably through June 2026, with older downloads available (https://xcodereleases.com/).
- Known jailbreaks and exploits to maximize utility.
It's not surprising that the trade-in value for a 10-year-old device is nil, but on the secondary market they fetch about $60 (https://swappa.com/prices/apple-iphone-6s) which is not bad if you consider the device capabilities compared to most hobbyist devkits.
Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?
The full exploit chain seems to target WhatsApp directly using a second bug in WhatsApp; although this vulnerability is definitely present anywhere this kind of image is processed using Apple’s native image support, it would usually be aggressively sandboxed (in iMessage by BlastDoor and in Safari by the web content sandbox), so you’d need a lot more vulnerabilities than those that are currently disclosed to make it useful in those places. A bug in WhatsApp itself is particularly bad in terms of spyware actors, since it leaves one of their most popular targets, WhatsApp, vulnerable without a significantly more complex kernel escalation and sandbox bypass.
https://www.whatsapp.com/security/advisories/2025/
Pixels 6-7 got 5 years. I'd say that's on the low end of okay.
For "lol" you have to go back to 2021 or earlier. Or look at some of Motorola's offerings.
Apple may have done better in the past, but these other manufacturers are making stronger legally binding claims than Apple.
Pros:
- [for users] 15.8.5 patches one high-profile bug.
- [for Apple] minimal effort which translates to longer perceived support time
Cons:
- It leaves unpatched multiple bugs fixed in iOS 16-26, and so it might give users false sense of security
I'm on a fence here, especially without real numbers
It seems to me that this exploit was used in a chain with a WhatsApp issue that would trigger the malicious DNG data to be loaded as a zero click, presumably just into WhatsApp. It’s unclear to me if there was a sandbox escape or kernel vulnerability used along with this; it might have been used to exfiltrate WhatsApp messages only.
This would explain why there’s only a single patch for a simple memory corruption issue; usually an attacker would need a lot of chained vulnerabilities to bypass mitigations on iOS, but if the vulnerability is in the exact target application to begin with, it sure does make things easier.
Of course it's still up to phone manufacturer to integrate these changes, but it puts an effective security support timeline on even 3rd party ROM's like lineageos. They can cherrypick, but it's not as secure once that support ends.
Apple has almost everything in-house (except until recently, modems). So they have a ton of flexibility in continuing to provide updates.
We do them all the time in enterprise consulting, regarding how long to provide support after the project is considered delivered.
It’s not clear to me if this can result in a RCE. If it does, then does this mean that enough iPhone 6s are still out in the wild where a bad actor could easily take over a big enough portion to do more nefarious things?
From a ROI, for corporate phones, Apple iPhones had a longer lifespan, which is why we bought hundreds of iPhones, and not Androids.
On a personal note, I had the Nexus S, the Nexus 5, and they all died a horrible death either from lack of updates, or just having the physical button break, and the microphone stop working.
And let us not speak of Sony Xperia Z5, which all of sudden removed their fingerprint sensor due to a North American patent problem. They also broke their bluetooth audio so that song names STOPPED being displayed. That was all in a span of less than 3 years.
Never again Sony Android phones.
At that point, I got fed up of custom ROMS and joined the "iPhone, it just works" group and moved on.
> Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
> iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
That's a lot of devices, more so than "10-year old iPhone 6s" implies.
I won't be upgrading my iPhone 7 and 4th gen iPad mini, because I don't want to take the chance that the update needs an update to Dopamine to be jailbroken. Fortunately they're secondary devices for me.
Although I'm not sure that people who are running an OS/device that ancient are the ones that are going to upgrade or even know what an upgrade is.