People have been hacking iOS since before it was called iOS and they weren't necessarily "well-resourced, likely state-sponsored". See geohot
:)
Why repeat yourself? (US Government, criminal hands)
Many components of Coruna have never been seen before, he points out, and the whole toolkit appears to have been created by a “single author,” as he puts it.
I wonder who wrote it. Must be someone really good at it. Someone who might never give a talk in a conference.
He keeps changing his mind every day and keeps talking bullshit. At this point the trashy drug dealer trying to sell to school kids is more reputable than the USA
iPhone makes you an easy target. Sorry Bezos, security through obscurity was a bad idea... but you should have known better.
A person suspecting their iPhone has been hacked has no way to check it. Apple only offers a coping mechanism in the form of "lockdown mode", which likely can be bypassed just as well.
This situation shows that Apple devices are not secure and are a liability.
They'll likely protect your grandma from getting low effort malware, but if you are a CEO - buy something else.
It has a guy working at Apple who introduces the subtle vulnerability he is instructed to introduce.
"Clues suggest it was originally built for the US government."
Maybe because you apparently don’t know what “security by obscurity” means? Regardless, what’s your recommendation for “buy something else”?
Seriously, what's the worst that could happen with an internet connected closed down device that holds all our information and has a microphone and camera? People must be just paranoid.
Apparently if you have Lockdown mode enabled, then yes.
I interpreted this a different way - that a shady supplier to the US Government double dipped to the other side.
In the past, Apple alerted users (journalists, political activists, dissidents) when a "state-level actor" attempted to hack their iPhones [1].
Apparently, the FBI couldn't get past Lockdown Mode: FBI stymied by Apple’s Lockdown Mode after seizing journalist’s iPhone [2]
And don't forget about Memory Integrity Enforcement (MIE) that debuted on iPhone 17 and iPhone Air [3]:
MIE is described as the industry's first always-on, comprehensive memory safety protection, built on the Enhanced Memory Tagging Extension (EMTE) in synchronous mode, combined with secure typed allocators and tag confidentiality protections.
[1]: https://www.sentinelone.com/blog/so-state-sponsored-attacker...
[2]: https://arstechnica.com/tech-policy/2026/02/fbi-stymied-by-a...
[3]: https://security.apple.com/blog/memory-integrity-enforcement
And the one before it, and the one before that, and the one before that, and so on. That's politics, and there is nothing new under the sun.
At the very least use a VPN / a more secure phone like a Pixel with GrapheneOS.
You keep doing you though
(However, if we are International Systems Realists, there are inevitable effects that happen. I have a feeling even Biden/Harris would be in Iran right now.)
Maybe this was the Fisheries Department exploit toolkit.
iVerify, which spun out of Trail of Bits and presumably knows what they're talking about, says it bears "hallmarks" of being connected to USG CNE work. I believe it. But the USG is on net a buyer, not a producer, of CNE tooling. Whatever a given service agency or IC arm buys, dozens of other aligned countries are also buying.
(And, of course, the non-aligned countries have their own commercial supply chains).
The leap from supply chain interdiction to cooperative insiders isn't a big one.
Americans can't understand this because Americans hate being embarrassed by their states' misdeeds, but it's very real. The rest of the world sees the crimes, even if Americans are too cowardly to also do so.
Or things like the Memory Tagging Extension (MTE) Apple has implemented, but they have not released the specification and implementation details, so you don't know if it has backdoors.
Know what's fun? Facing down a trained attorney as a pro se litigant in small claims court. Want to beat the 70-90% loss rate for pro se litigants in a forum that was originally designed specifically for pro se litigants? Hire a lawyer, lol.
Small claims, true to the name, is the lowest of low stakes. It's downhill from there.
No sitting president has ever enriched themselves by billions of dollars.
We’re in a completely different universe from the days when Jimmy Carter put his peanut farm in a blind trust so there would be no appearance of a conflict of interest.
Or when Lincoln was given some gifts from the King of Siam. Because of the Emoluments Clause in the Constitution, he went to Congress to check if he could keep them. Congress said no; Lincoln donated them.
It was understood a president could be prosecuted if he broke the law—that’s why Nixon needed to be pardoned by Ford; otherwise, he would have faced at least some consequences.
SCOTUS did a 180 degree turn by ruling a president is immune from prosecution for crimes committed in office.
SCOTUS just made that up out of thin air.
All of this and much more is unprecedented.
Last one: no president has ever gone to war without making a case for it to the country.
So no, what’s happening now is not the same old thing.
I seriously doubt that; certainly not under the current circumstances of rising inflation with negative economic growth.
buried lede, but hilarious
This proves the opposite IMO - while the Legislative is co-opted, the Judicial branch has shown it is quite inadequate at exerting control or punishment of the Executive.
Famously known for their backdoors.
Not true. There are commercial apps that can scan your iPhone for vulnerabilities and exploits [1]. Apple goes through ridiculous lengths regarding security on their platforms [2].
> Memory Tagging Extension (MTE) Apple has implemented, but they have not released the specification.
It's based on the Memory Tagging Extension (MTE) added to the ARMv8.5 architecture in 2019, co-designed by ARM and Google [3]. MTE support has recently been added to Android 12+ and some Linux distros like recent Fedora and Ubuntu 24.04.
Apple's Memory Integrity Enforcement (MIE) is based on MTE. Now that Apple designs its own ARM-based processors, they used MTE as a starting point for Apple Silicon. The iPhone 17 series and the iPhone Air shipped with MIE enabled in September.
The point of these technologies is to enable software that hasn't been written in memory-safe languages (many millions of lines of C, C++, etc. that will never be rewritten) to run safely.
Although it's starting to change, the vast majority of the rendering engines used by Safari, Chrome, and Firefox are written in C/C++; so it makes sense to address potential browser vulnerabilities at the hardware level.
[1]: https://iverify.io/products/enterprise-protection
[2]: https://support.apple.com/guide/security/toc
[3]: https://www.usenix.org/system/files/login/articles/login_sum...
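The comment above describes MTE/MIE as a way to let code that was never written in a memory-safe language run safely. The block below is an added example, not ARM's, Apple's or the commenter's code: it simulates the memory-tagging idea in plain C so it runs on any machine. A shadow table holds one 4-bit tag per 16-byte granule (the MTE granule size), allocations are coloured with a fresh tag, the same tag is carried in the top byte of a "tagged pointer", and every load and store compares the two; a mismatch is the synchronous fault that MTE in synchronous mode would raise. The names (`tptr`, `tagged_malloc`, `shadow_tag`), the 256-byte heap and the tag-cycling scheme are this example's own assumptions; real MTE performs the check in hardware and the kernel and allocator choose the tags.

```c
/* Added example (not Apple's or ARM's code): a software simulation of the
 * memory-tagging mechanism behind MTE/MIE. Real hardware keeps the tags in
 * dedicated tag memory and checks them on every access; here a shadow table
 * and explicit load/store helpers play that role. All names and sizes are
 * this example's assumptions. */
#include <stdint.h>
#include <stdio.h>

#define GRANULE     16u                    /* bytes per tag, as in MTE */
#define HEAP_BYTES  (16u * GRANULE)        /* tiny 256-byte simulated heap */
#define TAG_SHIFT   56                     /* tag lives in the top pointer byte */

static uint8_t heap[HEAP_BYTES];
static uint8_t shadow_tag[HEAP_BYTES / GRANULE];   /* one 4-bit tag per granule */
static uint8_t next_tag = 1;                        /* simple tag allocator, 1..15 */
static size_t  brk_off  = 0;                        /* bump allocator offset */

/* A "tagged pointer": offset into the heap plus the expected tag in bits 56-59. */
typedef uint64_t tptr;

static tptr make_tptr(size_t off, uint8_t tag) {
    return ((uint64_t)tag << TAG_SHIFT) | (uint64_t)off;
}
static uint8_t ptr_tag(tptr p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static size_t  ptr_off(tptr p) { return (size_t)(p & ((1ull << TAG_SHIFT) - 1)); }
static size_t  granules_for(size_t n) { size_t g = (n + GRANULE - 1) / GRANULE; return g ? g : 1; }

/* Allocate n bytes rounded up to whole granules, colour them with a fresh
 * tag, and return a pointer that carries the same tag. Returns 0 when full. */
tptr tagged_malloc(size_t n) {
    size_t gran = granules_for(n);
    if (brk_off + gran * GRANULE > HEAP_BYTES) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)((next_tag % 15) + 1);      /* cycle through tags 1..15 */
    size_t off = brk_off;
    for (size_t g = 0; g < gran; g++) shadow_tag[off / GRANULE + g] = tag;
    brk_off += gran * GRANULE;
    return make_tptr(off, tag);
}

/* Free: retag the granules so any stale pointer no longer matches (this is
 * what turns a use-after-free into a detectable fault). */
void tagged_free(tptr p, size_t n) {
    size_t gran = granules_for(n);
    uint8_t fresh = (uint8_t)((ptr_tag(p) % 15) + 1);
    for (size_t g = 0; g < gran; g++) shadow_tag[ptr_off(p) / GRANULE + g] = fresh;
}

/* Every access goes through a tag check. Return 0 on success, -1 on a tag
 * fault (the synchronous exception MTE would raise). */
int tagged_store(tptr p, size_t idx, uint8_t v) {
    size_t off = ptr_off(p) + idx;
    if (off >= HEAP_BYTES) return -1;
    if (shadow_tag[off / GRANULE] != ptr_tag(p)) return -1;
    heap[off] = v;
    return 0;
}
int tagged_load(tptr p, size_t idx, uint8_t *out) {
    size_t off = ptr_off(p) + idx;
    if (off >= HEAP_BYTES) return -1;
    if (shadow_tag[off / GRANULE] != ptr_tag(p)) return -1;
    *out = heap[off];
    return 0;
}

/* Scenarios: each returns 1 when the tag check behaves as intended. */
int demo_overflow_caught(void) {
    tptr a = tagged_malloc(16);          /* exactly one granule */
    tptr b = tagged_malloc(16);          /* adjacent allocation, different tag */
    (void)b;
    /* index 16 is the first byte of b: a linear overflow out of a */
    return tagged_store(a, 16, 0x41) == -1;
}
int demo_uaf_caught(void) {
    tptr p = tagged_malloc(32);
    tagged_store(p, 0, 0x42);
    tagged_free(p, 32);
    uint8_t v;
    return tagged_load(p, 0, &v) == -1;  /* stale tag no longer matches */
}
int demo_valid_access_ok(void) {
    tptr p = tagged_malloc(20);          /* rounds up to two granules */
    uint8_t v = 0;
    return tagged_store(p, 19, 0x43) == 0 && tagged_load(p, 19, &v) == 0 && v == 0x43;
}

int main(void) {
    printf("linear overflow caught: %d\n", demo_overflow_caught());
    printf("use-after-free caught:  %d\n", demo_uaf_caught());
    printf("in-bounds access ok:    %d\n", demo_valid_access_ok());
    return 0;
}
```

Two things the simulation makes visible that the prose does not: the check is on the pointer's tag versus the memory's tag, not on bounds, so an overflow is caught only when it lands on memory with a different tag (hence the retagging of adjacent allocations and of freed memory), and with 4-bit tags there is a 1-in-16 chance a random mismatch goes unnoticed, which is why production allocators pick tags deterministically to differ from their neighbours rather than at random.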
Maybe they could, maybe they couldn't; that doesn't mean criminals couldn't.
MIE is opaque - Apple has not disclosed its design - it also means it can contain intentional backdoors and other security holes.
In other words this is just meaningless PR and doesn't change the fact that Apple's security is poor.
I really wish people would understand that VPNs are not magical, unbreakable security. VPNs are barely security at all, and commercial VPNs even less so.
I think the notion here is that either:
* There's a shared upstream origin or author between this toolkit and the Operation Triangulation toolkit ahead of the use in Operation Triangulation (i.e., someone sold this chain to both the Operation Triangulation authors and a third party). I actually think that the uses of specifically structured code-names internally and the overall structure of the codebase described in the Google writeup make this theory less likely; building an exploit toolkit while using these practices to cosplay as a US-government affiliated engineer would be clever and fun, but it's not something we've really seen before.
* This toolkit originated from (whether it was leaked, compromised, or resold) the same actor who was responsible for Operation Triangulation.
15 chars to spare!
Don't get me wrong - I've long shared your condemnations, even as an American! Although for us who acknowledge them, I wouldn't say it's "too cowardly" - rather we're quite disenfranchised and the cognitive dissonance tendency is for Americans to see the government as something apart from themselves. So it's more like that I can't practically do much about these criminals acting in my name.
But I mean, the global community basically gave a Nobel Peace Prize to Obama for not being Bush. I'd say the relationships got patched up pretty quickly there. Global domestic surveillance? So nice for the US to take the heat for FVEY et al.
If anything starting a war in Iran is back to business as usual, with (the leadership of) most countries seemingly giving a tacit green light.
The fact that there is no option so that any webview by default opens in Safari across all apps in iOS is horrible.
I am not surprised it is riddled with security holes.
Apple only alerts people who are potentially in life threatening situations because of who they are or what they do:
Apple today detailed two initiatives to help protect users who may be personally targeted by some of the most sophisticated digital threats, such as those from private companies developing state-sponsored mercenary spyware. Lockdown Mode — the first major capability of its kind, coming this fall with iOS 16, iPadOS 16, and macOS Ventura — is an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security.
“Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware” — https://www.apple.com/newsroom/2022/07/apple-expands-commitm...
The system has always been corrupt in that the rich write the rules but this is pure kleptocracy. Remember that Nixon was told by his own party that his conduct was unacceptable and they would not support him...
And, more to the point - both Ukraine and Iran demonstrate that the USA isn't really that concerned with human rights.
A bug existed for many years in Apple devices, until a few years ago, when it was discovered accidentally by some victims, which forced Apple to fix it, after several CVEs were assigned to it and the associated software bugs.
The bug consisted in the fact that some secret test registers, which allowed a complete bypass of all memory protection, were left accessible after production. Thus knowledgeable attackers could take control remotely of an iPhone, for many years, in a completely undetectable way, by sending an invisible message, which then exploited some bugs in Apple system libraries to gain privileged access to the secret test registers, which were then used for complete access to any hardware, including stored files, video camera and microphone.
This backdoor was discovered only because some victims became suspicious due to unexpectedly high Internet traffic originating from their iPhone, which was recorded by an external firewall.
This was discussed on HN after its discovery.
It is hard to believe that such a mistake like forgetting to disable the test registers after production could have happened and it also would have never been discovered for many years, without some Apple insider intentionally doing it.
Moreover, the unknown attackers who have exploited the backdoor for many years had complete knowledge about the secret test registers, which is likely to have been provided by an Apple insider, perhaps the same who has ensured that they remain accessible.
Hopefully, the backdoor has been created only by some lower-rank employee, and it was not created with the knowledge of the management, due to some request from a TLA. It is unknown whether the backdoor has been open in all Apple devices, or only in those sold in certain markets.
When the backdoor was discovered, it was used to spy on some Russians, so some US agency or one from Israel were among the possible exploiters of it (this was before the current war).
But that Nobel prize came from "the rest of the world"? It seems that you're conflating other countries' governments/elites, and grassroots.
Nowhere in that entire case does anyone allege that the FBI was regularly being sent entire copies of the hard drive contents of best buy customers.
The FBI merely taught workers how to identify and report CSAM. There is nothing illegal about that.
EFF only sued because their FOIA request for info about their training process was denied, and after the FBI argued why they shouldn't grant the request, EFF agreed and backed down.
Not only did the EFF agree to dismiss the case, their blog post claim of a supposed Fourth Amendment violation was never even argued in any of their filings at all.
In my opinion, to construe a simple disagreement/misunderstanding over a FOIA request denial (which was proven as legal and justified) as "If you took your laptop to Best Buy for repairs, the FBI got a copy of your hard drive contents"... is patently and demonstrably false, and does not make any sense whatsoever.
It was always corrupt but my word, you can't say that it's the same corruption just more exposed.
Another thing is that while perhaps entire copies of customers' hard drives weren't sent to the FBI, the Best Buy repair staff dug through the contents of people's hard drives. If I have a software issue with my OS (or whatever the repairs were about), I wouldn't expect the repair staff to look at my photos. Obviously, if CP was set as the wallpaper or something, you can't miss it, but why is it OK to look into random folders looking for suspicious files?
Employees were trained on how to identify and respond to CSAM. The training material was not released based on the FOIA request.
That doesn’t imply that the employees were poking around above and beyond where they had to look to do their job, and it doesn’t imply that full copies of your hard drive are being copied to the FBI.
An iPhone-hacking technique used in the wild to indiscriminately hijack the devices of any iOS user who merely visits a website represents a rare and shocking event in the cybersecurity world. Now one powerful hacking toolkit at the center of multiple mass iPhone exploitation campaigns has taken an even rarer and more disturbing path: It appears to have traveled from the hands of Russian spies who used it to target Ukrainians to a cybercriminal operation designed to steal cryptocurrency from Chinese-speaking victims—and some clues suggest it may have been originally created by a US contractor and sold to the American government.
Security researchers at Google on Tuesday released a report describing what they're calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.
In fact, Google traces components of Coruna to hacking techniques it spotted in use in February of last year and attributed to what it describes only as a “customer of a surveillance company.” Then, five months later, Google says a more complete version of Coruna reappeared in what appears to have been an espionage campaign carried out by a suspected Russian spy group, which hid the hacking code in a common visitor-counting component of Ukrainian websites. Finally, Google spotted Coruna in use yet again in what seems to have been a purely profit-focused hacking campaign, infecting Chinese-language crypto and gambling sites to deliver malware that steals victims’ cryptocurrency.
Conspicuously absent from Google's report is any mention of who the original surveillance company “customer” that deployed Coruna may have been. But the mobile security company iVerify, which also analyzed a version of Coruna it obtained from one of the infected Chinese sites, suggests the code may well have started life as a hacking kit built for or purchased by the US government. Google and iVerify both note that Coruna contains multiple components previously used in a hacking operation known as “Triangulation” that was discovered targeting Russian cybersecurity firm Kaspersky in 2023, which the Russian government claimed was the work of the NSA. (The US government didn’t respond to Russia’s claim.)
Coruna's code also appears to have been originally written by English-speaking coders, notes iVerify's cofounder Rocky Cole. “It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," Cole tells WIRED. “This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups.”
An “EternalBlue Moment”
Regardless of Coruna's origin, Google warns that a highly valuable and rare hacking toolkit appears to have traveled through a series of unlikely hands, and now exists in the wild where it could still be adopted—or adapted—by any hacker group seeking to target iPhone users.
“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google's report reads, using the term zero-day to refer to secret hacking techniques that exploit unpatched vulnerabilities. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities.”
iVerify's Cole notes that if Coruna actually began life as a tool intended for the US government, though, it also raises questions about the security of mobile devices in a world where highly sophisticated hacking tools created for or sold to the American government can leak to adversaries. “This is the EternalBlue moment for mobile malware,” says Cole. EternalBlue is the Windows-hacking tool stolen from the National Security Agency and leaked in 2017, leading to its use in catastrophic cyberattacks, including North Korea's WannaCry worm and Russia's NotPetya attack.
Google notes that Apple patched the vulnerabilities used by Coruna in the latest version of its mobile operating system, iOS 26, so its exploitation techniques are only confirmed to work against iOS 13 through 17.2.1. It targets vulnerabilities in Apple's WebKit framework for browsers, so Safari users on those older versions of iOS would be vulnerable, but there are no confirmed techniques in the toolkit for targeting Chrome users. Google also notes that Coruna checks if an iOS device has Apple's most stringent security setting, known as Lockdown Mode, enabled, and doesn’t attempt to hack it if so.
Despite those limitations, iVerify says Coruna likely infected tens of thousands of phones. The company consulted with a partner that has access to network traffic and counted visits to a command-and-control server for the cybercriminal version of Coruna infecting Chinese-language websites. The volume of those connections suggests, iVerify says, that roughly 42,000 devices may have already been hacked with the toolkit in the for-profit campaign alone.
Just how many other victims Coruna may have hit, including Ukrainians who visited websites infected with the code by the suspected Russian espionage operation, remains unclear. Google declined to comment beyond its published report. Apple did not immediately provide comment on Google or iVerify's findings.
A Single, Very Professional Author
In iVerify's analysis of the cybercriminal version of Coruna—it didn't have access to any of the earlier versions—the company found that the code appeared to have been altered to plant malware on target devices designed to drain cryptocurrency from crypto wallets as well as steal photos and, in some cases, emails. Those additions, however, were “poorly written” compared to the underlying Coruna toolkit, according to iVerify chief product officer Spencer Parker, which he found to be impressively polished and modular.
“My God, these things are very professionally written,” Parker says of the exploits included in Coruna, suggesting that the cruder malware was added by the cybercriminals who later obtained that code.
As for the code modules that suggest Coruna’s origins as a US government toolkit, iVerify’s Cole notes one alternative explanation: It's possible that the overlaps between Coruna's code and the Operation Triangulation malware, which Russia pinned on US hackers, could have resulted from Triangulation’s components being picked up and repurposed after they were discovered. But Cole argues that’s unlikely. Many components of Coruna have never been seen before, he points out, and the whole toolkit appears to have been created by a “single author,” as he puts it.
“The framework holds together very well,” says Cole, who previously worked at the NSA, but notes that he's been out of the government for more than a decade and isn't basing any findings on his own outdated knowledge of US hacking tools. “It looks like it was written as a whole. It doesn’t look like it was pieced together.”
If Coruna is, in fact, a US hacking toolkit gone rogue, just how it got into foreign and criminal hands remains a mystery. But Cole points to the industry of brokers that may pay tens of millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime, or cyberwar. Notably, Peter Williams, an executive of US government contractor Trenchant, was sentenced this month to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams’ sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as others in the “Five Eyes” group of English-speaking governments—the US, UK, Australia, Canada and New Zealand—though it's not clear what specific tools he sold or what devices they targeted.
“These zero-day and exploit brokers tend to be unscrupulous," says Cole. “They sell to the highest bidder and they double dip. Many don’t have exclusivity arrangements. That’s very likely what happened here.”
“One of these tools ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,” Cole concludes. “The genie is out of the bottle.”