Apple Intelligence, the on-device artificial intelligence system built into iPhones, iPads, and Macs, can be hijacked to produce harmful outputs and manipulate user data through a technique called prompt injection. Researchers at RSAC (RSA Conference) successfully bypassed Apple's safety filters and input protections in 76 out of 100 test attempts, demonstrating a significant vulnerability affecting an estimated 200 million Apple Intelligence-capable devices worldwide .

How Does This Security Attack Actually Work?

The researchers employed a two-part attack strategy to compromise Apple Intelligence's defenses. First, they used a technique called Neural Exec, which applies machine learning algorithms to automatically generate malicious prompts that trick the AI model into misbehaving. Unlike manual prompt injection attacks that require human creativity, Neural Exec speeds up the process by using optimization algorithms to discover inputs that trigger unintended behavior .

Second, they bypassed Apple's text filters using a Unicode trick. By embedding text written backwards and using the Unicode right-to-left override function, the researchers forced Apple Intelligence to render offensive content that would normally be blocked. The combined attack successfully made the system output profanity and other harmful responses .

"We knew that we wanted to come up with some sort of prompt that would evade the pre-filtering, the post-filtering, as well as any guardrails within the model itself, so we started probing the model," explained Petros Efstathopoulos, VP of research and development at RSAC.

Petros Efstathopoulos, VP of Research and Development at RSAC

What Devices and Apps Are Affected?

Apple Intelligence is integrated into a wide range of Apple hardware and software. The vulnerability affects iPhone 15 Pro and later models, iPads with A17 Pro chips, Macs with M1 or later processors, and Apple Vision Pro devices. Native Apple applications including Mail, Messages, Notes, Photos, Safari, and Siri all use Apple Intelligence features, and the system is also accessible to third-party developers through an API .

As of December 2025, researchers estimate there are at least 200 million Apple Intelligence-capable devices in active use. Additionally, up to 1 million apps on the Apple App Store employ Apple Intelligence features, meaning the potential attack surface is enormous .

What Could Attackers Actually Do Beyond Making the AI Curse?

While the researchers demonstrated the vulnerability by making Apple Intelligence produce profanity, the real danger lies in what attackers could accomplish with the same technique. The researchers verified that the attack could be weaponized to manipulate user data and device settings in far more serious ways .

• Contact Manipulation: Attackers could create fake contacts in a user's contact list, potentially impersonating trusted individuals like family members or colleagues to facilitate social engineering attacks.
• Identity Spoofing: An attacker could create a contact card with their phone number but assign it a trusted name like "mom," leading to confusion and potential financial or personal harm.
• Data Access and Modification: Any data or functionality accessible through apps using Apple Intelligence could theoretically be manipulated, including calendar entries, reminders, notes, and other sensitive information.

"We verified that it could be used to create a new contact in your contact list. So suddenly I exist in your contact list, and therefore I enjoy trust privileges. Or I could create a contact card with my number in your contact list, but with a different name like 'mom.' This could lead to confusion, or worse. Anything that has implications or an impact on the user's device, you could imagine that it can be used in very weird or nefarious ways," noted Efstathopoulos.

Petros Efstathopoulos, VP of Research and Development at RSAC

Has Apple Fixed This Problem?

The RSAC team disclosed their findings to Apple on October 15, 2025. According to Efstathopoulos, Apple released patches in iOS 26.4 and macOS 26.4 that address the specific attack the researchers developed. However, Apple did not respond to requests for comment about the vulnerability, the fix, or the research itself .

Despite the patch, the broader security challenge of prompt injection remains unresolved. Efstathopoulos characterized the situation as an ongoing "cat and mouse problem" where AI models will gradually improve at detecting these attacks, but attackers will continue to develop new techniques. The vulnerability highlights a fundamental challenge with on-device AI systems: smaller, locally-running models are easier to attack through prompt injection than large cloud-based models that have more sophisticated filtering infrastructure .

Why Are On-Device AI Systems More Vulnerable?

Apple Intelligence runs directly on users' devices rather than relying on cloud servers. While this approach offers privacy benefits, it creates a security trade-off. Smaller AI models designed for on-device performance are inherently easier to manipulate through prompt injection attacks compared to larger, more complex cloud-based models. Attackers have direct access to the model running locally, making it simpler to probe for weaknesses and develop exploits .

The research demonstrates that as companies move toward on-device AI for privacy and performance reasons, they must invest equally in robust safety mechanisms and adversarial testing. The 76% success rate of the RSAC attack suggests that Apple's initial safety guardrails were insufficient for protecting against sophisticated prompt injection techniques powered by machine learning optimization.