I don't know what "equally annoying" would be for a company and its customers, i.e. a fair compromise. But we need a law requiring companies open source their hardware within X days of end of life support.
And somehow make sure these are meaningful updates. Not feature parity with new hardware, but security parity when it can be provided by a software only update.
Otherwise a company in effect takes back the property, without compensation.
I wonder what the internal conversations are like around memory safety at Apple right now. Do people feel comfortable enough with Swift's performance to replace key things like dyld and the OS? Are there specific asks in place for that to happen? Is Rust on the table? Or does C and C++ continue to dominate in these spaces?
So the exploiters have deprecated that version of spyware and moved on I see. This has been the case every other time. The state actors realize that there's too many fingers in the pie (every other nation has caught on), the exploit is leaked and patched. Meanwhile, all actors have moved on to something even better.
Remember when Apple touted the security platform all-up and a short-time later we learned that an adversary could SMS you and pwn your phone without so much as a link to be clicked.
Each time NSO had the next chain ready prior to patch.
I recall working at a lab a decade ago where we were touting full end-to-end exploit chain on the same day that the target product was announcing full end-to-end encryption -- that we could bypass with a click.
It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.
There is one non-technical countermeasure that Apple seems unwilling to try: Apple could totally de-legitimize the secondary access market if they established a legal process for access their phones. If only shady governments require exploits, selling access to exploits could be criminalized.
Meanwhile Apple made a choice to leave iOS 18 vulnerable on the devices that receive updates to iOS 26. If you want security, be ready to sacrifice UI usability.
It's a rug-pull going against the tradition of supporting the most recent 2 OS versions until the autumn refresh simply to technofascistly force users onto 26 with an artificially-created Hobson's false choice between security and usability. This is bullshit.
It's pretty unbeliveable that a zero-day can sit here this long. If one can exist, the likeliehood of more existing at all times is non-trivial.
Whether it's a walled garden of iOS, or relative openneds of Android, I don't think either can police everythign on anyone's behalf.
I'm not sure how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.
Whenever plugging a hole like this, the OS should kinda leave it “open” as a kind of honeypot and immediately show a warning to the user that some exploit was attempted. Granted, the malware will quickly adapt but you should at least give some users (like journalists or politicians) the insanely important information about them being targeted by some malicious group.
38 comments
[ 5.8 ms ] story [ 69.2 ms ] threadI don't know what "equally annoying" would be for a company and its customers, i.e. a fair compromise. But we need a law requiring companies open source their hardware within X days of end of life support.
And somehow make sure these are meaningful updates. Not feature parity with new hardware, but security parity when it can be provided by a software only update.
Otherwise a company in effect takes back the property, without compensation.
I trusted apple.
> ... decade-old ...
> ... was exploited in the wild ...
> ... may have been part of an exploit chain....
Edit: I meant iOS 18
I'd much rather not do that
They don't appear there organically.
Remember when Apple touted the security platform all-up and a short-time later we learned that an adversary could SMS you and pwn your phone without so much as a link to be clicked.
KSIMET: 2020, FORCEDENTRY: 2021, PWNYOURHOME, FINDMYPWN: 2022, BLASTPASS: 2023
Each time NSO had the next chain ready prior to patch.
I recall working at a lab a decade ago where we were touting full end-to-end exploit chain on the same day that the target product was announcing full end-to-end encryption -- that we could bypass with a click.
It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.
https://support.apple.com/en-us/126347
They have been doing this every year for the past several years: https://www.macrumors.com/2025/12/19/ios-18-forced-ios-26-up...
It's being noticed just now because iOS 26 has controversial UI/UX and many users don't want to update.
You're choosing to not have the update. And that's fine- own it.
Apple could do more for device security forensics.
Meanwhile, user app activity goes into "biome" files for theft by malware, https://bluecrewforensics.com/2022/03/07/ios-app-intents/
Whether it's a walled garden of iOS, or relative openneds of Android, I don't think either can police everythign on anyone's behalf.
I'm not sure how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.
https://www.apple.com/feedback