SouthernWorldwide.com – Apple has long emphasized device-level privacy, a message that resonates with many users who feel reassured by their personal data—messages, photos, emails, and app data—being protected by features like Face ID and passcodes. However, recent research has cast a new light on the security of Apple’s on-device artificial intelligence.
Researchers from RSAC Research have discovered a method to exploit Apple Intelligence through prompt injection, adversarial prompts, and Unicode manipulation. In a series of 100 tests, they achieved a remarkable 76% success rate against the on-device model that powers Apple Intelligence. These findings were reportedly shared with Apple on October 15, 2025. Following this disclosure, RSAC noted that Apple subsequently enhanced its security measures in iOS 26.4 and macOS 26.4.
The critical aspect of this discovery is that such attacks might not necessitate physical access to your iPhone, cracking your passcode, or breaching Apple’s servers. Instead, they could be initiated through carefully designed text inputs that mislead the AI into performing actions unintended by the user. Given that Apple Intelligence can read, summarize, rewrite, and even facilitate app actions, malicious actors will undoubtedly seek to exploit these capabilities for their own purposes.
Understanding how these attacks work, how Apple has addressed them, and which settings can reduce your risk is a worthwhile step for users.
The RSAC researchers specifically targeted the on-device large language model integrated into Apple’s operating systems. This is significant because third-party applications can interact with Apple Intelligence through system tools and application programming interfaces (APIs).
Their attack strategy involved two primary techniques. The first, dubbed Neural Exec, utilized unconventional prompts designed to confuse the AI model and steer it towards a predetermined outcome. The second technique leveraged Unicode’s right-to-left override feature. This feature allows text to be displayed in a different direction, potentially masking malicious instructions from security filters while still influencing the AI’s processing.
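As an added illustration of the Unicode technique described above (this is not code from RSAC Research or Apple), the following Python pre-filter is what an app could run on inbound text before handing it to an on-device model: it flags Unicode format controls such as the right-to-left override (U+202E), exposes the span whose displayed order differs from what the model actually reads, and strips those controls. The sample text and the quarantine policy are constructed for this example.

```python
import unicodedata

# Explicit bidi overrides/embeddings/isolates and their terminators. U+202E
# (RIGHT-TO-LEFT OVERRIDE) is the control the article names.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def find_hidden_controls(text):
    """(index, 'U+XXXX', name, kind) for every format control (Cf) in text;
    kind is 'bidi' for directional controls, 'format' for other invisibles
    such as zero-width space, joiners, BOM or soft hyphen."""
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) == "Cf":
            kind = "bidi" if ch in BIDI_CONTROLS else "format"
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"), kind))
    return hits

def neutralize(text):
    """Drop every Cf code point so the model processes what a reviewer sees."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def hidden_segments(text):
    """Spans between an explicit override (LRO/RLO) and its terminating PDF:
    text whose displayed order differs from the order the model reads."""
    segments, start = [], None
    for i, ch in enumerate(text):
        if ch in "\u202d\u202e" and start is None:
            start = i + 1
        elif ch == "\u202c" and start is not None:
            segments.append(text[start:i])
            start = None
    if start is not None:  # override never closed: it runs to the end of the text
        segments.append(text[start:])
    return segments

def should_quarantine(text):
    """Constructed policy: any directional override in inbound content blocks
    AI processing until a human has looked at the hidden span."""
    return any(kind == "bidi" for *_, kind in find_hidden_controls(text))

# Constructed sample: a benign visible sentence followed by an RLO run. A
# bidi-aware renderer shows the run reversed (as readable English), while the
# model receives the code points in the logical order stored here.
HIDDEN = "HIDDEN INSTRUCTION FOR THE AI"
SAMPLE = "Meeting notes attached, please summarize.\u202e" + HIDDEN[::-1] + "\u202c"
CLEAN = "Meeting notes attached, please summarize."
```

Reversing each returned hidden segment (`s[::-1]`) shows a reviewer the instruction as it would have been displayed, which is the text that never matches a naive keyword filter.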
In essence, the attack aimed to bypass Apple’s AI safeguards by embedding hidden commands within text. These prompts might appear nonsensical to human users, yet the AI model could interpret them as executable commands. This presents a growing risk, as Apple Intelligence is capable of interacting with various apps and system functionalities. Consequently, a manipulated AI response could do more than simply generate an erroneous output; in a worst-case scenario, attackers could potentially interfere with data or functionalities accessible to an Apple Intelligence-enabled app, particularly if that app handles sensitive information.
Prompt injection is recognized as one of the most significant security challenges confronting AI tools. It occurs when attackers conceal instructions within text that an AI model subsequently processes. Imagine a deceptive email, an unusual document, or a webpage with hidden text. While you might perceive one thing, the AI model could be processing entirely different, malicious instructions.
This introduces a novel threat vector. An attacker may not need to compromise your iPhone directly; they might only need to present a carefully crafted message, file, or application input to the AI model.
Should an application request Apple Intelligence to summarize, rewrite, or act upon such content, the embedded malicious prompt could attempt to redirect the AI’s response. For users, this means that AI security is no longer solely dependent on robust passwords and software updates. It also hinges on the efficacy of AI tools in handling adversarial instructions.
Apple Intelligence employs a hybrid architecture. Certain tasks are processed directly on your iPhone, iPad, or Mac. More complex requests may be routed through Apple’s Private Cloud Compute system.
Apple has positioned this approach as a privacy-conscious alternative to AI tools that rely entirely on cloud processing. This strategy is logical, as keeping more processing localized on the device can minimize the amount of personal data transmitted from your phone.
However, local AI processing does not inherently equate to risk-free AI. RSAC’s research indicates that deeper system integration can expand the potential attack surface. The more Apple Intelligence interacts with apps and system features, the more critical its protective mechanisms become.
A basic writing tool carries a certain level of risk. By contrast, an AI tool that understands personal context and operates across multiple applications presents a more substantial risk.
The concern extends beyond the generation of unusual chatbot responses. Apple Intelligence’s direct integration with apps via system-level tools means that manipulated responses could alter application behavior. Researchers have noted that the model could be induced to produce offensive or unintended outputs. They also cautioned that attackers might potentially manipulate data and functionalities accessible to an affected Apple Intelligence-enabled application.
RSAC estimates that between 100,000 and 1 million users might already be utilizing applications with potential security vulnerabilities. This estimate is based on apps identified by Apple as using the on-device LLM and RSAC’s preliminary analysis of App Store review data. It is important to note that this does not imply active exploitation of this specific attack by cybercriminals. RSAC stated there was no public evidence of active exploitation at the time of their research publication. Nevertheless, the high success rate of the attack makes these findings difficult to disregard.
RSAC shared its research findings with Apple prior to public disclosure. According to RSAC, Apple has since strengthened the affected systems against this type of attack in iOS 26.4 and macOS 26.4. Apple has not provided detailed public information about every change made, which is a common practice for security fixes to avoid revealing vulnerabilities to potential attackers.
The research appears to be a proof of concept rather than an indication of a widespread, active attack targeting everyday users. The most important advice for users is straightforward: keep your devices updated. Security patches are only effective if they are applied to your device. Delaying updates for weeks or months could mean missing out on protections that close known security gaps.
There is no need to discontinue the use of Apple Intelligence. However, it should be treated with the same caution as any powerful phone feature: ensure it is updated, limit its access, and exercise vigilance when encountering unfamiliar content.
Begin with the most accessible protective measure. Verify that your device is running the latest software version.
On iPhone: Navigate to Settings > General > Software Update.
On Mac: Click the Apple menu in the upper-left corner of your screen, then select System Settings > General > Software Update.
Enable automatic updates whenever possible. This ensures your device receives security fixes promptly upon their release by Apple.
If you do not utilize certain Apple Intelligence features, consider disabling or restricting them. This action can reduce the frequency with which AI tools interact with your applications, messages, summaries, and personal content.
On iPhone: Go to Settings > Apple Intelligence & Siri.
Within this menu, review the enabled features and turn off any that you do not require.
Avoid granting every application access to sensitive information simply because it offers an AI-powered feature. Before installing an app, thoroughly review its developer, user reviews, and privacy policy. Also, consider whether the app genuinely requires access to your messages, files, photos, or contacts. If the necessity is not clear, it is advisable to refrain from installing it.
Prompt injection can be concealed within content that appears innocuous. This could include emails, webpages, documents, notes, or copied text. Exercise caution when asking AI to summarize unfamiliar content. A malicious file might contain hidden instructions intended for the AI, not for you.
Take a few moments to review which applications have access to your private data.
On iPhone: Go to Settings > Privacy & Security.
Then, examine categories such as Photos, Contacts, Location Services, Microphone, and Files. Revoke access for any app that no longer requires it.
Whenever possible, refrain from including your most sensitive information in AI prompts. This category includes Social Security numbers, banking details, tax documents, medical records, and passwords. While AI can assist with numerous tasks, it should not become a repository for your personal life.
Unused applications can pose a risk to your data. If you downloaded an app months ago and have since forgotten about it, consider removing it.
On iPhone: Touch and hold the app icon, then select Remove App > Delete App > Delete.
The fewer applications you maintain, the fewer avenues exist for your personal data to be disseminated.
Robust antivirus software provides an additional layer of defense against malicious links, fraudulent websites, infected downloads, and phishing attempts designed to steal your personal information. While antivirus software may not directly prevent every AI prompt injection risk, it can help block threats before they reach your device or trick you into divulging sensitive data.
The best antivirus software can also alert you to suspicious emails, dangerous attachments, and fake websites. This enhanced protection becomes increasingly important as scammers leverage AI to create more convincing attacks. Find my recommendations for the best 2026 antivirus protection for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
Identity theft protection will not prevent a prompt injection attack. However, it can be invaluable if your personal information is compromised or misused. A reputable identity theft protection service can monitor your personal data, notify you of suspicious activity, and assist you in responding to identity theft attempts. As AI tools become more deeply integrated with applications and personal data, this additional monitoring offers a supplementary layer of security. See my tips and top picks for Best Identity Theft Protection at Cyberguy.com.
Ensure Face ID or Touch ID is enabled. Utilize a strong passcode rather than a simple four-digit code. Furthermore, activate Stolen Device Protection if your iPhone supports this feature.
On iPhone: Go to Settings > Face ID & Passcode > Enter your passcode if prompted > Stolen Device Protection.
While this feature alone will not prevent prompt injection, it adds a crucial layer of security if someone gains physical access to your phone.
Apple Intelligence continues to uphold a strong privacy stance. The ability to process more AI tasks directly on your iPhone, coupled with the use of Private Cloud Compute for more demanding requests, provides Apple with a significant advantage over many cloud-centric AI solutions. However, this recent research serves as a reminder that “private” does not always equate to “invulnerable.” If an AI model possesses the capability to interpret prompts, summarize content, and interact with applications, malicious actors will inevitably seek methods to exploit these functionalities for their own gain. For users, the key takeaway is straightforward: maintain updated devices, be discerning about AI-powered applications, and exercise caution before allowing AI to process sensitive information. Apple can erect robust defenses around your data, but ultimately, you control what you allow it to interact with.
Would you place more trust in an AI assistant simply because it operates on your iPhone, or does deeper access to your personal data make you more apprehensive? Share your thoughts by writing to us at Cyberguy.com.
