A US Government iPhone-hacking toolkit is now in foreign spy and criminal hands

https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/

104•alwillis•2h ago

Comments

oxfeed65261•1h ago

mentalgear•1h ago

How could something as sensitive get out of an administration as competent as the current one? At least they have no access to lets say AI or autonomous weapons and the tools of mass surveillance ...

happyopossum•58m ago

"Possible" stripped from the headline on HN. That word seems particularly important given that it's speculative:

"Clues suggest it was originally built for the US government."

tptacek•22m ago

The Google threat analysis report doesn't say anything about USG involvement; that it was found on compromised Ukrainian sites, has code written in "native English", but also signs of LLM authorship. The Google report says the kit they found can't compromise current iOS, which is a capability you'd assume USG would have --- though it's important remember that "USG" comprises dozens of different buyers each with different toolchains.

Maybe this was the Fisheries Department exploit toolkit.

iVerify, which spun out of Trail of Bits and presumably knows what they're talking about, says it bears "hallmarks" of being connected to USG CNE work. I believe it. But the USG is on net a buyer, not a producer, of CNE tooling. Whatever a given service agency or IC arm buys, dozens of other aligned countries are also buying.

(And, of course, the non-aligned countries have their own commercial supply chains).

doctorpangloss•56m ago

the government doesn't have superpowerful code crackers though

it has a guy working at apple who introduces the subtle vulnerability he is instructed to do

tptacek•32m ago

I expect the evidence for this claim is axiomatic, which is to say that you think it sounds good.

lightedman•26m ago

No, anyone who remembers the Best Buy/FBI debacle knows that this statement is very well-grounded in reality. If you took your laptop to Best Buy for repairs, the FBI got a copy of your hard drive contents.

everdrive•33m ago

No matter the risk, I must carry my smartphone everywhere and install every app. It would be unimaginable to have the urge to look something up, but then wait to do it later until I'm using a real computer. No negative outcome will EVER shake my deep, permanent need to carry a smartphone all the time and use it for as much as possible.

theearling•25m ago

Webapps exist for a reason, they don't get all the special permissions apps get when fully installed.

at the very least use a VPN / more secure phone like a pixel with graphene

You keep doing you though

thewebguyd•1m ago

Ironically, the exploits in this leaked kit all involved flaws in webkit, so you'd have been safer sticking to native apps assuming they didn't have any webviews in them to load the malicious site.

Sen. Wyden Warns of Mass Surveillance Amid Pentagon's Fight with Anthropic

Bluesky adds (broken) age verification

Show HN: Webact – token-efficient browser control for AI agents (GitHub)

In startups, "I assumed" is the most expensive sentence you can say [video]

Ask HN: Why don't MacBooks have Cellular Modems yet?

Show HN: Proofd – Free AI career risk score based on your tasks, not job title

Is Shopify Good for SEO in 2026?

EURO-3C Project to build a federated Telco-Edge-Cloud infrastructure

Show HN: TypeShim – .NET WebAssembly Meets TypeScript

How to Choose the Right Shopify Development Agency in 2026

Neovim cookies for the pluginless – random nvim native tips

The Social Media Discoverability Problem

Millennium Challenge 2002: Persian Gulf War Game Exercise

Open-source community gets a Claude-sized gift

Turning 4,668 comments into AGENTS.md rules to automate Pydantic AI reviews

I Use Neovim by the Way

Scripting on the JVM with Java, Scala, and Kotlin

Show HN: Validatedata 0.3.0 – lightweight inline data validation for Python

OpenWRT 25.12.0 Released

Incident postmortem in the age of AI agents

CIA Station Hit in Drone Attack

Chat at your own risk Data brokers are selling deeply personal bot transcripts

Trae Stephens: I want to buy Wired

Show HN: I build a free topical authority map generator for blog

Show HN: Headless Obsidian Sync Client

Show HN: VibeDiff – Blocks Claude Code from shipping breaking changes

Buckle Up for Bumpier Skies

How To Put 30 Languages Into 1.1MB – hypher, a fast hyphenation library for Rust

Prediction markets on Deutsche Bahn departure delays

AI causing programmers to work longer hours fixing bugs