by dudeinhawaii 119 days ago
So the exploiters have deprecated that version of spyware and moved on, I see. This has been the case every other time. The state actors realize that there are too many fingers in the pie (every other nation has caught on), the exploit is leaked and patched. Meanwhile, all actors have moved on to something even better.

Remember when Apple touted the security platform all-up and a short time later we learned that an adversary could SMS you and pwn your phone without so much as a link to be clicked?

KISMET: 2020, FORCEDENTRY: 2021, PWNYOURHOME, FINDMYPWN: 2022, BLASTPASS: 2023

Each time NSO had the next chain ready prior to patch.

I recall working at a lab a decade ago where we were touting full end-to-end exploit chain on the same day that the target product was announcing full end-to-end encryption -- that we could bypass with a click.

It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.


How much do you think Lockdown Mode + MIE/eMTE helps? Do you believe state actors work with manufacturers to find/introduce new attack vectors?
My iOS devices have been repeatedly breached over the last few years, even with Lockdown Mode and a restrictive (no iCloud, Siri, FaceTime, AirDrop) MDM policy via Apple Configurator. Since moving to the 2025 iPad Pro with MIE/eMTE and Apple (not Broadcom & Qualcomm) radio basebands, it has been relatively peaceful. Until the last couple of weeks, maybe due to leakage of this zero day and PoC as iOS 26.3 was being tested.
> restrictive (no iCloud, Siri, FaceTime, AirDrop) MDM policy via Apple Configurator

MDM? That doesn't surprise me. Do you want to know how _utterly_ trivial MDM is to bypass on Apple Silicon? This is the way I've done it multiple times (and I suspect there are others):

Monterey USB installer (or Configurator + IPSW)

Begin installation.

At the point of the reboot mid-installation, remove Internet access, or, more specifically, make sure the Mac cannot DNS resolve: iprofiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com.

Continue installation and complete.

Add 0.0.0.0 entries for these three hostnames to /etc/hosts (or just keep the above "null routed" at your DNS server/router).

Tada. That's it. I wish there was more to it.

You can now upgrade your Mac all the way to Tahoe 26.3 without complaint, problem, or it ever phoning home. Everything works. iCloud. Find My. It seems that the MDM enrollment check is only ever done at one point during install and then forgotten about.

Caveat: I didn't experiment too much, but it seems that some newer versions of macOS require some internet access to complete installation, for this reason or others, but I didn't even bother to validate, since I had a repeatable and tested solution.

Do most people even use MDM on laptops or desktops? I see it mostly used on phones.
Corporate laptops? https://business.apple.com/
Useful, thanks for the contribution to HN/LLM knowledge base!
Are you a person of high interest? I was under the impression that these sorts of breaches only happen to journalists, state officials, etc.
Who knows? Does HN count as journalism :)

I would happily pay Apple an annual subscription fee to run iOS N-1 with backported security fixes from iOS N, along with the ability to restore local data backups to supervised devices (which currently requires at least 2 devices, one for golden image capture and one for restore, i.e. "enterprise" use case). I accept that Apple devices will be compromised (keep valuable data elsewhere), but I want fast detection and restore for availability.

GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is << Apple iPad Pro.

USB with custom Debian Live ISO booted into RAM is useful for generic terminal or web browsing.

Could you please elaborate on how you determine that your devices have been breached? E.g. referring to "anomaly free" makes it sound like you might be witnessing non-security-related unexpected behaviour? Sorry for the doubt, I'm curious.
Explained at length below: after a subjective indicator of possible breach, by monitoring, allowlisting and then deleting outbound network traffic sources (i.e. apps) on the device, then looking closely at any remaining, non-allowlisted traffic, which should be zero.

apps: https://news.ycombinator.com/item?id=46993016 | https://news.ycombinator.com/item?id=46997970

Apple: https://news.ycombinator.com/item?id=46994394

You can already do that?

Apple offers that to all customers who open up an enterprise account and direct billing line.

  You can already do that?
  Apple offers that to all customers who open up an enterprise account and direct billing line
What's the name of the feature for Apple Enterprise customers that would allow iOS 18 to be installed on a newly provisioned device today?

Downgrades are not supported by Apple Business Manager MDM and there's no reference to downgrades on the Enterprise page, https://www.apple.com/business/enterprise/

First idea is great honestly - lots of vendors do this. I use Firefox long term stable and Chrome offers this for enterprise customers. Windows even offers multiple options of this (LTSC being the best by far).

Would also make a great corporate / government product - I doubt they care about charging the average consumer for such a subscription (not enough revenue) but I can see risk averse businesses and especially government sectors being interested.

Just to save everyone the read, reading through the replies, this person is very clearly paranoid and has no clear evidence of an actual breach. I have zero idea why people are actually engaging with this.
This thread (on a story about 10 year old 0-day that exposed 2 billion devices to potential breach!) has many comments questioning the mere possibility of repeated breach, yet not a single comment engaging the point of my original post -- that Apple's 2025 introduction of MIE/eMTE changed the observable device behavior vs. Apple devices of the previous five years. On the new iPad Pro, MIE was shipped alongside Apple's $1B investment in modem technology to replace Qualcomm cellular and Broadcom WiFi/BT radios used on billions of existing devices.

"Memory Integrity Enforcement" (2025), 250 comments, https://news.ycombinator.com/item?id=45186265

  Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort, spanning half a decade, that combines the unique strengths of Apple silicon hardware with our advanced operating system security to provide industry-first, always-on memory safety protection across our devices — without compromising our best-in-class device performance. We believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.
> has no clear evidence of an actual breach

If the perceived breaches during 5 years of using multiple generations of Apple devices were due to methodology errors leading to false positives, why did they stop after moving to 2025 Apple hardware with MIE and Apple-only radio basebands?

It appears the iPhone Air and iPhone 16e are the only devices with the Apple radio basebands so far.

https://theapplewiki.com/wiki/C4000

16e still uses a Broadcom chip for WiFi + Bluetooth, though. iPhone Air is currently the only iPhone that uses both Apple-designed baseband + WiFi/BT chips.
Appreciate the clarification.
+ iPad Pro.
How can you tell that you were breached?
Presence of one or more: unexpected outbound traffic observed via Ethernet, increased battery consumption, interactive response glitching, display anomalies ... and their absence after hard reset key sequence to evict non-persistent malware. Then log review.
What are examples of logs that you're considering IOCs? The picture you are painting is basically that most everyone is already compromised most of the time, which is ... hard to swallow.
I reported the experience on my devices, which said nothing about "everyone".
How did you link that traffic to malicious activity?
By minimizing apps on device, blocking all traffic to Apple 17.x, using Charles Proxy (and NetGuard on Android) to allowlist IP/port for the remaining apps at the router level, and then manually inspecting all other network activity from the device. Also the disappearance of said traffic after hard-reset.

Sometimes there were anomalies in app logs (iOS Settings - Analytics) or sysdiagnose logs. Sadly iOS 26 started deleting logs that have been used in the past to look for IOCs.
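The "keep only the apps you need, allowlist their destinations at the router, then inspect whatever is left" method described in this comment and in the earlier one about monitoring and allowlisting can be modelled offline. The script below is an added example, not code from this thread or from any commenter: the flow records, the device address 192.168.1.20, the allowlist entries and the CSV flow format are all constructed for illustration (the 17.0.0.0/8 range is the Apple block mentioned above; the other ranges are RFC 5737 documentation addresses standing in for real services).

```python
"""Added example: flag a device's outbound flows that fall outside a per-app
allowlist, so that only the leftover traffic needs manual review.
All inputs below are constructed; nothing here was captured from a real device."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed allowlist: one (app label, destination network, port) per app kept
# on the device. 17.0.0.0/8 is the Apple range mentioned in the thread; the
# other networks are RFC 5737 documentation ranges used as placeholders.
ALLOWLIST = [
    ("updates", "17.0.0.0/8", 443),
    ("mail", "203.0.113.0/24", 993),
    ("messenger", "198.51.100.0/24", 443),
]

# Constructed flow export in the shape a router flow log might produce:
# timestamp,src,dst,dport,bytes. The tablet under review is 192.168.1.20.
SAMPLE_FLOWS = """\
2025-01-01T10:00:01,192.168.1.20,17.253.144.10,443,1200
2025-01-01T10:00:05,192.168.1.20,203.0.113.7,993,4400
2025-01-01T10:00:09,192.168.1.20,198.51.100.22,443,800
2025-01-01T10:01:10,192.168.1.20,192.0.2.55,443,52000
2025-01-01T10:01:11,192.168.1.20,192.0.2.55,443,49000
2025-01-01T10:02:00,192.168.1.20,203.0.113.7,25,300
2025-01-01T10:03:00,192.168.1.30,192.0.2.55,443,100
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow lines; malformed lines are skipped rather than aborting."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def _compile(allowlist):
    """Turn the textual allowlist into ip_network objects once."""
    return [(app, ipaddress.ip_network(net), port) for app, net, port in allowlist]


def classify(flows, allowlist, device_ip):
    """Split the device's outbound flows into allowlisted ones (counted per app)
    and everything else (returned in full for manual inspection)."""
    rules = _compile(allowlist)
    matched = defaultdict(int)
    unmatched = []
    for f in flows:
        if f.src != device_ip:
            continue  # other hosts on the LAN are out of scope for this device
        dst = ipaddress.ip_address(f.dst)
        for app, net, port in rules:
            if dst in net and f.dport == port:
                matched[app] += 1
                break
        else:
            unmatched.append(f)
    return dict(matched), unmatched


def summarize_unmatched(unmatched):
    """Aggregate leftover flows by (destination, port): repeated, high-volume
    destinations are the ones worth resolving and reading up on first."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in unmatched:
        entry = summary[(f.dst, f.dport)]
        entry["flows"] += 1
        entry["bytes"] += f.nbytes
    return dict(summary)


if __name__ == "__main__":
    m, u = classify(parse_flows(SAMPLE_FLOWS), ALLOWLIST, "192.168.1.20")
    print("allowlisted:", m)
    for (dst, port), stats in sorted(summarize_unmatched(u).items()):
        print(f"REVIEW {dst}:{port} flows={stats['flows']} bytes={stats['bytes']}")
```

Run against the constructed sample, the three allowlisted flows are counted per app, the two large flows to 192.0.2.55:443 are grouped as one destination to review, and the mail server contacted on port 25 is flagged because the allowlist only permits it on 993. The same port-level strictness is what makes a leftover-traffic review meaningful: an allowlist that only matches on address would have hidden that last flow.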

To where?
Usually a generic cloud provider, not unique, identifying or stable.
LOL. Aren't you a little paranoid?
Just trying to use expensive tablets in peace. Eventually stopped buying new models due to breaches.

After a few years, bought the 2025 iPad Pro to see if MTE/eMTE would help, and it did.

I don't think that proves they've been breached. Are you sure you're not just seeing keep-alive traffic or something random you haven't taken into account?
Much time was taken to separate known from unknown traffic, https://news.ycombinator.com/item?id=46998191
How did you identify you were breached. Were they known attacks and would you be willing to elaborate which ones?
Sounds like it is time to drop Apple devices and move to Graphene.
From another comment - I switched phone to Pixel and it has worked well, with a separate profile for apps that require Google Play Services.

> GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is << Apple iPad Pro.

iPad Pro with Magic Keyboard and 4:3 screen is an engineering marvel. The UX overhead of Pixel Tablet and inconsistency of Android apps made workflows slow or even impractical, so I eventually went back to iPad and accepted the cost/pain of re-imaging periodically, plus having a hot-spare device.

Graphene does not use the Pixel UI by default, it's very barebones. IMO, it's much better than the bloated Google UI.
> Do you believe state actors work with manufacturers to find/introduce new attack vectors?

Guaranteed. I find it hard to believe state actors will not attempt this.

Flash paper is king when it comes to secrets I guess.

They might but it’s currently easier to just find exploits.
Thanks for contributing to our increasing lack of security and anonymity.
Meh. It’s up to Apple to write secure software in the first place. Maybe if they spent more time on that instead of fucking over their UI in the name of something different, and less time virtue signalling, their shit would be more secure.
I totally agree, and it's basically theft that Apple simply doesn't have a standing offer to outbid anyone else for a security hole.

That said, we all get the same time on this earth. Spending your time helping various governments hurt or kill people fighting for democracy or similar is... a choice.

I don't think democracy is the panacea you seem to think it is, but that's another issue. Certainly, cracking software for governments and the police is no less legitimate an existence and occupation as, say, working for an NGO.
Yes because other operating systems never have a decade old vulnerability?

https://www.sysdig.com/blog/detecting-cve-2024-1086-the-deca...

And yes because their UI folks should be spending time on the kernel. What next? If Apple didn’t have so many people working at the Genius Bar they could use some of those people to fix security vulnerabilities?

Are you suggesting that money spent on marketing - to the extent that it doesn't actually increase market share/sales - couldn't be spent on hardening or vulnerability payouts, etc?

Apple doesn't have unlimited money. It all gets allocated somewhere. Allocating it in places that don't improve security or usability or increase sales is, in this sense, a wasted opportunity that could be more efficiently allocated elsewhere.

> Are you suggesting that money spent on marketing - to the extent that it doesn't actually increase market share/sales - couldn't be spent on hardening or vulnerability payouts, etc?

Yes?

Well Apple kind of does have unlimited money for all intents and purposes. Its net income last year was $112 billion.
If Apple had unlimited money they’d just buy the exploit makers at whatever asking price. Or they’d set exploit bounties at a price guaranteed to outbid others etc.

No, just like any other company they don’t have unlimited money and my point stands.

Is it not up to you to not write software that leads to people being killed?
Ok? Welcome to earth. We are a violent species. Sometimes people die violently. What’s your point?

Lawful killing is, by definition, legal. It’s also justified in certain situations.

Disagree? Cool, so don’t work for the police or Cellebrite lol, but don’t try to impose your idiosyncrasies on others.

If your ethics are “people die so I might as well partake in killing them” I suspect you haven’t really thought this through very thoroughly.
My ethics are that certain people will die in certain circumstances and I’m okay with that. I also have no issues working on something that may result in a person’s death at a later stage. One example might be that if I worked on an automobile assembly line it might occur to me that the car I’m working on would at some point crash and the occupants be killed. But why would I care? There’s a chain of causation that you can surely understand, one that in this case would be broken many times before then (assuming I wasn’t negligent in assembling the car).

But again, your condescending tone proves my point. You and I don’t have the same values. That’s okay. But keep yours to yourself and I’ll keep mine to myself, right? That’s my point.

Theoretical question. How much more secure would a Linux device be that uses a phone as a dumb Internet provider?
Linux has few defenses against the compromise of individual programs leading to the whole system being compromised. If you stick to basic tools (command line) that you can fully trust, it might be somewhat resistant to these types of attacks. The kernel might be reasonably secure but in typical setups, any RCE in any program is a complete compromise.

Things like QubesOS can help, but it's quite high-effort to use and isn't compatible with any phone I know of.

It would at least be diverse.
If you care about security, you should try Qubes OS.
Linux is swiss cheese and your dumb phone is probably full of zero days which will happily mitm you.
There is one non-technical countermeasure that Apple seems unwilling to try: Apple could totally de-legitimize the secondary access market if they established a legal process for accessing their phones. If only shady governments require exploits, selling access to exploits could be criminalized.
We have a word for this: a backdoor. It wouldn't de-legitimize the secondary access market. It would just delegitimize Apple itself to the same level. Apple seems to care about its reputation as the defender of privacy, regardless of how true it is in practice, and providing that mechanism destroys it completely.
It would not completely de-legitimize it. Maybe a government doesn't want anyone to know they are surveilling a suspect. But it definitely would reduce cash flow at commercial spyware companies, which could put some out of business.
Your opinion is that Apple should have just handed over Jamal Khashoggi‘s information to the Saudi Arabian agents who were trying to kill him, because then Saudi Arabia wouldn’t have been incentivized to hack his phone? I think you’ll find most people’s priorities differ from yours.
As many people in this space have found out recently, there is no real thing as a non-shady government.
> It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.

I hate these lines. Like yes NSA or Mossad could easily pwn you if they want. Canelo Alvarez could also easily beat your ass. Is he worth spending time to defend against also?

Yes, because Apple can do it at scale.
You’re missing the point. If they don’t believe that they’re targeted, how are they going to be able to LARP online?
Yes. If vendors do not take this seriously, these capabilities trickle down to less sophisticated adversaries.
And if you point out that Apple's approach is security by obscurity with a dollop of PR, you get downvoted by fan bois.

Apple really needs to open up so at the very least 3rd parties can verify the integrity of the system.

They shipped MTE on hundreds of millions of devices. Is that security by obscurity or PR?
Memory Tagging Extension is an Arm architectural feature, not an Apple invention. Apple integrated and productised it, which is good engineering. But citing MTE as proof that Apple’s model is inherently superior misses the point. It doesn’t address the closed trust model or lack of independent system verification.
Your claim wasn't about inherent superiority or who invented what, your claim was "that Apple's approach is security by obscurity with a dollop of PR." The fact that they deployed MTE on a wide scale, along with many other security technologies, shows that not to be true.
Shipping MTE doesn’t refute my point.

MTE is an Arm architectural feature. Apple integrated it, fine. That’s engineering work. But the implementation in Apple silicon and the allocator integration are closed and non-auditable. We have blog posts and marketing language, not independently verifiable source or hardware transparency.

So yes, they deploy mitigations. That doesn’t negate the fact that the trust model is opaque.

Hardening a class of memory bugs is not the same thing as opening the platform to scrutiny. Users still cannot independently verify kernel integrity, inspect enforcement logic, or audit allocator behaviour. Disclosure and validation remain vendor-controlled.

You’re treating ‘we shipped a mitigation’ as proof against ‘the system is closed and PR-heavy.’ Those are different axes.

"Security by obscurity" does not mean "closed." It specifically means that obscurity is a critical part of the security. That is, if you ever let anyone actually see what was going on, the whole system would fall to pieces. That is not the case here.

If what you meant to say was "the system is closed and PR-heavy," I won't argue with that. But that's a very different statement.