New research shows on-device Apple Intelligence can be tricked by cleverly crafted prompts, and Apple has since released patches. Security testers found high success rates using prompt injection and Unicode tricks, exposing how an assistant that can read, summarize or act across apps creates new attack paths. The issues were reported to Apple on October 15, 2025, and mitigations arrived in iOS 26.4 and macOS 26.4, but users still need basic precautions. This article explains what happened, how the attacks work and practical steps to lower your personal risk.
Apple has long marketed on-device processing as a privacy advantage, and that pitch resonates with people who keep sensitive stuff on their phones. But RSAC Research demonstrated that local models are not magically immune to manipulation, reporting a 76 percent success rate in 100 tests against Apple Intelligence. Those results delivered a stark reality check: proximity and privacy do not stop hostile text from influencing an assistant.
The attack model is simple and sneaky: you do not need someone to steal your device or crack your passcode to start trouble. A malicious message, document or webpage can contain hidden instructions that an AI will read and act on when asked to summarize or rewrite. If that AI can access apps or system features, the impact can go well beyond a weird reply.
Researchers used two clever techniques to fool the model. The first, labeled Neural Exec, fed the model odd-looking prompts designed to push it toward specific behaviors. The second abused Unicode’s right-to-left override so instructions could be hidden visually yet still influence processing, making filters and guards easier to bypass.
Prompt injection is not unique to Apple; it is one of the major security challenges across AI systems today. Attackers can embed commands inside text that appears harmless to humans, so an app that tells the AI to summarize that text may unintentionally trigger the hidden instructions. That makes any AI-driven feature that consumes user content a potential entry point.
Apple’s setup blends local processing with a Private Cloud Compute layer for heavier tasks, which is a sensible privacy trade-off for many people. But the more an assistant can access across apps and system features, the larger the attack surface becomes. Local models reduce cloud exposure while still needing tight internal guardrails to prevent misuse.
RSAC estimated that anywhere from roughly 100,000 to a million users could be running apps that access the on-device model, based on app review data and Apple’s own signals. The work appears to be a proof of concept rather than evidence of active mass exploitation, yet the reported success rate means the findings cannot be ignored. Apple hardened protections in the affected releases but did not publish a full blow-by-blow, which is standard practice for security fixes.
Start with the basics: keep your devices updated because patches only protect devices that actually receive them. Turn on automatic updates so security fixes install sooner rather than later, and check that your iPhone or Mac is running the latest system build whenever you see a security bulletin.
Limit how often AI features get to touch your private stuff. If you do not need specific Apple Intelligence capabilities, consider switching them off or trimming permissions. On iPhone, review Settings > Apple Intelligence & Siri and disable features you do not use to reduce the assistant’s exposure to risky content.
Audit which apps can read your personal data and revoke access for anything unnecessary. On iPhone, visit Settings > Privacy & Security and look at Photos, Contacts, Location Services, Microphone and Files, removing access when an app no longer needs it. Fewer apps with fewer permissions means fewer places for sensitive content to leak into AI prompts.
Be careful when asking AI to process unfamiliar files, emails or webpages since hidden instructions can lurk inside seemingly innocuous content. Avoid pasting Social Security numbers, bank details, tax papers, medical records or passwords into prompts, and treat AI as a tool, not a secure vault for your most sensitive data.
Keep basic device protections active: use Face ID or Touch ID, set a strong passcode rather than a simple 4-digit code, and enable stolen device protection if your model supports it. Those measures do not stop prompt injection by themselves, but they add meaningful layers against physical compromise and unauthorized use.
On balance, Apple Intelligence still offers real privacy advantages by running more tasks on-device and limiting what leaves your phone. At the same time, this research is a reminder that local processing is not a blanket shield. Be selective about AI-powered apps, keep software current, and think twice before letting AI handle content that could include hidden commands or sensitive personal data.
