Researchers identified a method to bypass Apple’s safeguards, enabling its on-device language model to carry out attacker-defined actions through prompt injection. Apple has responded by enhancing its security measures against such vulnerabilities.
The findings, detailed in two blog posts on the RSAC blog via AppleInsider, highlight significant security concerns pertaining to Apple’s model. The researchers merged two exploit techniques to compel the model to disregard safety protocols and successfully navigate content filters.
The researchers noted uncertainty regarding how Apple’s model manages input and output filtering, owing to the company’s non-disclosure of operational specifics. They suspect an input filter exists that assesses prompts for unsafe content before forwarding them to the model, followed by an output filter that evaluates responses.
In their approach, researchers reversed harmful strings and utilized the Unicode RIGHT-TO-LEFT OVERRIDE character to disguise these strings on user screens while keeping them flagged for inspection in raw input. This tactic allowed them to embed harmful strings within a secondary method known as Neural Exec, effectively overriding the model’s original instructions.
The combined effectiveness of these techniques facilitated the circumventing of Apple’s content filters, enabling the model to misinterpret intended commands. To rigorously test this exploit, the researchers established three distinct categories of input prompts: system prompts, harmful strings, and benign inputs drawn from random Wikipedia articles.
During trials, utilizing prompts from these pools resulted in a 76% success rate across 100 test prompts. The researchers disclosed their findings to Apple in October 2025, prompting the company to bolster their protections, which were implemented in updates for iOS 26.4 and macOS 26.4.
Apple confirmed that they have subsequently intensified security measures to guard against this type of attack, reinforcing the integrity of their models and safeguarding user interactions.
