iPhone Exploit DarkSword Steals Data In Minutes With No Trace (nerds.xyz) 85
BrianFagioli writes: A new iOS exploit chain called DarkSword shows how attackers can break into certain iPhones, grab sensitive data like messages, credentials, and even crypto wallets, and then disappear without leaving obvious traces. It targets older iOS 18 builds using Safari and WebGPU flaws to escape Apple's sandbox, which is pretty wild on its own, but what really stands out is how fast it works and how financially motivated these attacks have become. The takeaway is simple but important, update your iPhone ASAP and don't assume mobile devices are somehow safer than desktops anymore.
How about we recycle old devices? (Score:2, Insightful)
How about we present the message: recycle old devices that cannot be updated anymore?
Apple does not back port all fixes. They only fully update their latest OS.
Re: (Score:1, Insightful)
How about we present the message: recycle old devices that cannot be updated anymore?
Apple does not back port all fixes. They only fully update their latest OS.
How about we stop allowing corporations to do that? They are legal fictions which exist at the pleasure of The People, and if we stop bending over for them, we can bring them to heel. They should not be allowed to abandon devices they could easily support when any significant number of people are still using them. The only reason corporate charters are supposed to exist is to serve the public interest.
Re: (Score:1, Offtopic)
Oh would you stop complaining like the big cry baby you are, always complaining about everything?
No, because it works. Telling me not to do things which work is stupid. You're stupid.
Anyway, as a distinguished member of the rsilvergun Chinese troll farm
You troll farmers always cry troll farm. If you were a real person you wouldn't post anonymously.
Re: (Score:2, Offtopic)
The person who posts 24/7 on Slashdot complaining that a stupid opinion didn't get modded up?
Oh look, you can't read.
Uh, you must new here?
Oh look, you can't write, either.
This is even dumber than your other comment about this, where you give Apple a handy even though they will never ever appreciate you. Notice me Apple-Senpai!
Re: (Score:2)
Apple was the context of the other post, but you were modded down for a stupid comment and not because of anything about Apple.
I'm still curious to see your answer.
Re: (Score:2)
Apple was the context of the other post
Yes, that's what I said. Guess you just learned to read. Now if you could learn not to simp for corporations you'd really be getting somewhere.
Re: Oh look, cuckery (Score:2)
Why don't the people who run those companies have the right to decide how to invest their resources?
It costs money to patch obsolete stuff
Re:How about we recycle old devices? (Score:5, Informative)
How about we stop allowing corporations to do that? They are legal fictions which exist at the pleasure of The People, and if we stop bending over for them, we can bring them to heel. They should not be allowed to abandon devices they could easily support when any significant number of people are still using them. The only reason corporate charters are supposed to exist is to serve the public interest.
According to Apple, as of February 2026, 90% of all currently running iOS devices are on either iOS 26 (current release) or iOS 18 (previous release), while 10% are running something earlier.
iOS 15, 16, and 17 cover ~10% of all iOS users and are all actively patched for security bugs. (Presumably there is a tiny fraction of people running something before iOS 15.)
iOS 15 supports iPhone 6s devices first released in 2015.
So, Apple is supporting their iPhone hardware for at least 11 years right now.
Now, how much further would you, Drinkypoo, force them to make updates for? Should it go all the way back to iOS 1 in 2007? Sure, only a few hobbyists may be running those devices, but what does that matter. Does your dictat apply to all companies that release software packages? Should every company that has ever released a piece of software be forced to patch _every revision level_, separately, forever? How do you define what they could "easily support" and "any significant number of people"? I'm really curious how you imagine your system working. It sure sounds like it would put a lot of small and open source developers out of business.
Re: (Score:2)
Now, how much further would you, Drinkypoo, force them to make updates for?
Which word in "They should not be allowed to abandon devices they could easily support when any significant number of people are still using them" confused you? No, don't tell me. Look it up.
Re: (Score:3)
Sure, since you missed it in my post, here's what I already asked you:
How do you define what they could "easily support" and "any significant number of people"? I'm really curious how you imagine your system working. It sure sounds like it would put a lot of small and open source developers out of business.
From your post, directly replying to OP about Apple, it's clear that you believe Apple is egregiously guilty of breaking your rules and "we [need to] stop bending over for them, we [need to] bring them to heel." (Nice.) Apple currently supports 11+ years of devices and 5 major OS software revisions. Well under 1% of iOS users are running something that is not currently supported.
So, what can Apple "easily support" that they are not curren
Re: (Score:2)
Apple currently supports 11+ years of devices and 5 major OS software revisions.
First, both of those numbers are irrelevant. If Apple is popular then there will be more devices to support. Second, Apple doesn't support all of those revisions on all devices. Third, Apple can easily support all of the devices, because they have all of the necessary information. Fourth, stop asking stupid questions, you're exactly like the people saying "how much do you think a living wage is" when that's completely beside the point of the argument.
Re:How about we recycle old devices? (Score:5, Interesting)
So, you jump into a thread specifically about Apple supporting old devices but next you say "numbers are irrelevant" when they don't match your narrative. You make bombastic claims like "if we stop bending over for them, we can bring them to heel. They should not be allowed to abandon devices they could easily support when any significant number of people are still using them" but won't even attempt to articulate what your demand actually is. Seemingly, supporting 11+ year old devices and 5 major OS revisions is not sufficient. Forget Apple, if that gets your dander up, support is an issue for almost all developers.
Your statement has real costs that must be borne by someone. Supporting more than a decade of devices (with multiple device releases each year) and five OS revisions (and maintaining build systems, testing systems and staff, etc.) is not a simple operation.
Regulations are very easy to impose through anti-corporate diatribes, when you ignore costs and consequences.
Re: (Score:2)
Apple currently supports 11+ years of devices and 5 major OS software revisions.
First, both of those numbers are irrelevant. If Apple is popular then there will be more devices to support. Second, Apple doesn't support all of those revisions on all devices. Third, Apple can easily support all of the devices, because they have all of the necessary information. Fourth, stop asking stupid questions, you're exactly like the people saying "how much do you think a living wage is" when that's completely beside the point of the argument.
Any Device that can run a Certain Major Version of an Apple OS, can run any Minor Revisions within that Version. So, e.g., iOS 18.x.x.x would be supported. Consequently, Apple wisely Updates only the Highest Revision within a Major Version it intends to Support. Anything else would lead to nearly infinite Regression Testing!
Re: (Score:2)
Now, how much further would you, Drinkypoo, force them to make updates for?
I am not drinkypoo, obviously; however, his point is sound and the way to resolve the issue is for every abandoned device that someone may own, full schematics and source code should be provided immediately upon abandonment.
Don't want to release that info? Then don't abandon security updates.
The default answer that you provide basically says, "fuck the consumer, the business is more important", but I have to ask, is it really more important? The business can not exist without consumers, so the consumer is a
Re: (Score:2)
Sadly, we cannot stop them any longer, they have become too powerful. Corporations may be legal fiction however classism and corruption are not. Given that the upper class owns the governments and the courts, there is no effective way to constrain transnational corporations. Indeed, such legal machinations were designed to allow the upper class to act with impunity. This is how the entitled turned our democracies into their global plutocracy.
This always ends the same way, an internal ethical rot that destroy
Re: (Score:2)
I just received an iOS 16 patch for my iPhone 8 yesterday. This model was released in 2017.
Re: (Score:3)
Apple does not back port all fixes.
And you know this ... How, exactly ?
My ten year old iPhone SE first gen is capped on iOS 15. It just received a security update this week.
That's TEN YEARS of support for security updates.
Re: (Score:2)
You working for Apple? We don't need cell phones every two years anymore. Our throwaway society is costly
Re: (Score:2)
How about we present the message: "it is fraud to advertise a device as suitable for use on the internet unless you are committing to fixing any critical security flaws found on it for the lifetime of that device".
So, if internet Usage Statistics suggest that only 2 people are still running iPhoneOS 1.0, it must be Maintained?
Riiight. . .
Re: (Score:2)
How about we present the message: recycle old devices that cannot be updated anymore?
Apple does not back port all fixes. They only fully update their latest OS.
Their usual Policy is to fully Maintain the Current Major OS Version and the Previous Major OS Version. At present, that means 26.x and 18.x.
If an Exploit is serious enough, they can and will reach back even further to update even more previous OS Versions.
Er (Score:5, Insightful)
and then disappear without leaving obvious traces.
Er, do attackers normally leave a handy log of traces?
and don't assume mobile devices are somehow safer than desktops anymore
Was ... somebody assuming that? Why?
Re: (Score:2)
Yes, I was wondering the same things. Quality "journalism" brought to you by a "technology journalist".
Re: (Score:2)
That appears to be a problem with the summary - the original articles (I must admit I did not read all of the first one) seem to be written by people who have a better idea of what they are talking about.
Re: (Score:2)
and don't assume mobile devices are somehow safer than desktops anymore
Was ... somebody assuming that? Why?
Well, my manager at a Fortune 500 company about 8 years ago assumed/believed that. He was a good manager and had real IT experience. He wasn't a paper pusher who got into IT management. I was floored when he told me he believed accessing stuff via an iPhone was much safer than using a PC. I told him my assumption was the exact opposite. I asked him why he believed that and he said he just assumed various app makers simply had to make their apps more secure because people were moving away from using
Re: (Score:1)
Of course you don't agree with him. That's a foolish stance for him to take. Smart phones are just small computers with radio equipment. I don't want to speculate on whose network, the ISP or Mobile Carrier, is more unsafe, but at least with a desktop, there stands a good chance you are behind at least one firewall and at least one router before you end up on the ISP's network. Do our cellphones even HAVE firewalls on them? Maybe Pine phone does.
Apps on a phone are no different than apps on a desktop. They
Re: (Score:2)
This is like people who rationalise that there's Military Grade Encryption that is somehow different to the stuff everyone else uses
It's kind of a confession about how they see the world, they assume that some corporate commercial retail daddy is making all the necessary work happen out of sight and you should not worry your little head about it. They don't see this as part of the problem, that they're perpetuating a series of adages that prevent the wealthy from being held to account, they explicitly see i
Re: Er (Score:2)
Persistent malware by definition leaves code on the target so it can reload after a reboot.
What they call memory resident doesn't leave code on the device and therefore doesn't persist across reboots.
Re:Er (Score:5, Informative)
Er, do attackers normally leave a handy log of traces?
They do not purposefully leave traces; but breaches can leave traces. Your assumption was traces were left on purpose which is not the normal case.
Was ... somebody assuming that? Why?
Applications are more curated on phones than on desktops. Phones are by nature more locked down including use of security chips like iPhone's Secure Enclave, Google's Titan M2, and Samsung's Knox Vault. Desktops have been more open which is why people use them. One of the main reasons Windows 11 cannot be used on some older hardware is that the hardware lacks any ability to add a security chip. Yes some hardware was arbitrarily left off the compatibility list but the push for more security is a main reason some hardware was left behind.
Re: (Score:2)
My desktop doesn't move around with me, and it's relatively difficult to access the microphone and camera without me knowing about it. PCs generally require a stronger skillset rather than being designed so anyone can use it without understanding the implications. Facebook and other social networks are sandboxed websites on PCs.
Overall, PCs are less of an attack surface and as a result developers do not, these days, target PCs for information collection. It's not that they're inherently more secure, it's a
Re: (Score:2)
... but the push for more security is a main reason some hardware was left behind.
You should be asking yourself exactly WHOSE security are they interested in because I can guarantee you that it is not YOUR security they care about.
Does the change provide a basis for more security? Sure. Will the typical user see ANY benefits from it? No.
Re: (Score:2)
You should be asking yourself exactly WHOSE security are they interested in because I can guarantee you that it is not YOUR security they care about.
And you should read information about how hardware security works, like how Apple's Secure Enclave works. [apple.com]
Does the change provide a basis for more security? Sure. Will the typical user see ANY benefits from it? No.
Yes. And yes. One thing a TPM does for a machine is a centralized and safe place to store cryptographic algorithms and the keys themselves. However, Microsoft's implementation is extremely lacking compared to Apple's Secure Enclave.
Re: (Score:2)
Even if they left a 479 page manifesto and a step by step log of everything they did you probably wouldn't be able to access whatever folder it was in without jailbreaking the device.
Re: (Score:2)
and then disappear without leaving obvious traces.
Er, do attackers normally leave a handy log of traces?
Plenty of attacks can leave a trace that they occurred. Why are you under the impression that that's not normal? It's not like attackers ever intentionally left traces of their presence.
and don't assume mobile devices are somehow safer than desktops anymore
Was ... somebody assuming that? Why?
Have you never interacted with a member of the general public? Or seen how they use their devices? People tend to not think of their phones as being phones, not as computers. With computers, the extent of their security awareness is knowing that computers can get infected with viruses, but
Re: (Score:2)
> The takeaway is simple but important, update your iPhone ASAP and don't assume mobile devices are somehow safer than desktops anymore
Yeah I wanted to comment on that. They're confusing "Unauthorized third parties stealing your data" as being the only test of whether a system is safer. They ignore that most of us want Google, Apple, and Facebook to be just as unable to profile us as the guys wanting to steal credit cards.
Re: (Score:2)
Er, do attackers normally leave a handy log of traces?
Yes. Yes they do. The attackers are lazy and uncaring as long as they get what they want, so lots of clues are left behind because "who cares, I already have mine". The people stealing from you are not very bright.
and don't assume mobile devices are somehow safer than desktops anymore
Was ... somebody assuming that? Why?
Many ignorant people thought that phones would be safer since they are more limited. The limitations were sold as being for the consumer's safety... however, those limitations were actually for the manufacturer's safety, not the consumer's, but people were sold a load of shit claiming that they were
Who thinks mobile devices are secure? (Score:5, Interesting)
That sounds to me like a childish belief. What mobile devices get you is a second computer that is not easily associated with your first one for an attacker (if you are careful). But they are just computers. Not special in any way except for the form-factor.
I guess too many people still see tech as "magic".
Re: (Score:2)
I assume my phone is less secure than my desktop, because it's less frequently updated and probably a preferential target.
Re: (Score:1)
And fscking impossible to firewall properly. I've never tried with an apple phone but an android phone with always on VPN will still bypass the VPN when it feels like because "the OS is too important to be inconvenienced by such things"
The easiest way to see this happening is to remove the sim, so it has no mobile data at all, connect to wifi and turn on always on VPN.
Then monitor for tr
Re: (Score:2)
Disable JS in Safari and these exploits don't work.
Re: (Score:2)
Disable JS in Safari and these exploits don't work.
Neither do most websites.
Re:Who thinks mobile devices are secure? (Score:5, Informative)
Who thinks mobile devices are secure? That sounds to me like a childish belief. [...] I guess too many people still see tech as "magic".
Banks think mobile devices are secure. That's why they will let you upload a check image from your bank app but not from your desktop where you scanned it at high enough resolution to see security features.
Re: (Score:2)
Banks think mobile devices are secure. That's why they will let you upload a check image from your bank app but not from your desktop where you scanned it at high enough resolution to see security features.
From the use of the historic concept of a "Cheque" (I assume auto-correct made that into "check") I assume you are talking about US banks? For some European banks I know, they assume a large fraction of phones are compromised. They do assume the compromise is more limited on a phone and they scan for malware (as much as a single app is allowed to), but basically they just use the phone as 2nd factor where an attacker would have to compromise both devices to really gain anything. But they carefully monitor th
Re: (Score:3)
From the use of the historic concept of a "Cheque" (I assume auto-correct made that into "check")
No, that's how we spell it in American English, the language spoken where this site was created and is hosted.
I assume you are talking about US banks?
That part is correct.
For some European banks I know, they assume a large fraction of phones are compromised. They do assume the compromise is more limited on a phone
Womp womp
Re: (Score:1)
While cheque is the standard in British English, the original spelling was check, and the Oxford Dictionary still recognizes that.
Personally I prefer Oxford spelling, e.g. "recognize". It has the added benefit of not instantly identifying me as British online.
Re: (Score:2)
I personally don't care which people use, I can read either one just fine without confusion. I just don't want to be told that I'm using the wrong word or whatever when that's clearly not so.
Re: (Score:2)
Technically a check is anything, so scanning those 'security features' isn't really relevant. You can write a check on a bar napkin, as long as all the required fields are present, routing numbers, account number, name, amount as text, amount numeric, date, and signature banks will often honor them. Although if it is something goofy like a bar napkin usually only in person and after a tedious conversation with the branch manager and if you have some long established relationship with the bank.
All of which is a long winded way to say that the security features are relevant, because you can't just send in a scan of a check written on a bar napkin.
Who thinks banks need to care? (Score:2)
Who thinks mobile devices are secure? That sounds to me like a childish belief. [...] I guess too many people still see tech as "magic".
Banks think mobile devices are secure. That's why they will let you upload a check image from your bank app but not from your desktop where you scanned it at high enough resolution to see security features.
The real reason? Banks hold ZERO liability regarding your personal device. Has almost nothing to do with security.
If they were actually liable, they would make you walk into a bank to deposit a check. Where they would check an approved form of ID in person, and perform additional analysis on the check itself to ensure it was valid. A process approved in triplicate by their liability mitigation department.
Right now banks can't even handle a small bank run. In the end, I doubt even that fancy FDIC placa
Re: (Score:2)
Banks think mobile devices are secure.
Are you inferring that since they let you use a mobile device that they think they're secure?
This is the same group of organizations that will allow you to withdraw cash if you know a four digit code that hasn't been changed in the account holder's entire lifetime. The same group of organizations that will allow you to ACH transfer funds from an account because you know the account number and routing number, which are both on every check they hand out.
BTW, none of the things in the previous paragraph are en
Re: (Score:1)
I guess too many people still see tech as "magic".
No. Most people (including IT) more see that device as far more locked down. Go figure the overwhelming majority of people feel that way when root or admin rights on an iPhone hasn't been reduced to a right-click option or pop-up approval for just any fucking moron user to click on.
Why do you think they've lasted this long in the corporate world? Side-loading hacker-friendly OSes were NOT going to make Crackberry execs feel secure.
Re: (Score:1)
The main reason banks trust phones more is because Android and iOS both have decent mechanisms for detecting when apps and the OS have been altered. The reason your banking app takes so long to start up is because the OS is verifying that both the OS itself and the app are functioning as intended.
If you root your Android device you will find that many such apps refuse to work.
Re: (Score:2)
Mobile devices are just computers, but in addition have so many additional attack surfaces plus arbitrary enforced obsolescence on software can really make it worse than a general purpose computer. The browser really should be easily upgradeable in perpetuity and not locked to an OS version. It's irresponsible planned obsolescence of devices that causes this.
Re: (Score:2)
I'd wager that 90% of the planet thinks so. Only tinfoil-hat-wearing Slashdorks don't see their phones as perfectly secure.
Re: (Score:2)
So you are saying 90% of all people, you included, are stupid?
Re: (Score:2)
If you can't punch it or fuck it, it's beyond what most people can imagine.
Sad but true.
Nota Bene (Score:5, Insightful)
Both iOS and Android are full-fledged operating systems, and the only reason they are considered safer than desktop operating systems is because their application stores are somewhat curated. That's it.
Their software stacks are very similar to desktop operating systems, except they both strip you of superuser rights by default. That doesn't mean their kernels and user space are significantly more secure; they're just a tad different.
Not updating either of them is like leaving your house key out in the open.
Re: (Score:3)
There's more to it than just 'smaller'. Cellphone OS are designed to provide a smaller attack surface. They provide less access (iOS provides no conventional user-visible file system) in exchange for that security.
But consider: Here an iOS vulnerability makes headlines. A new Windows vulnerability is just "meh".
I find it interesting that some here would want operating system vendors to be legally liable for security vulnerabilities? Will they also accept legal liability for bugs in their own applicati
Re: (Score:2)
Both iOS and Android are full-fledged operating systems, and the only reason they are considered safer than desktop operating systems is because their application stores are somewhat curated. That's it.
Smartphones and their OSes use security chips whereas desktops are only now implementing those features. One of the pain points of Windows 11 upgrades was the TPM requirement.
Security imbalance (Score:2)
This creates an imbalance in the security of the OS. A power user can't launch a root terminal and just take a look at what's going on. They are bound by the OS level sandbox, and can only access so much of the system. Which also means that any user le