Outdated iPhones could be targeted by exploit toolkit being sold

If your iPhone is running an outdated version of iOS, you may have 23 vulnerabilities that can be exploited by highly sophisticated toolkit being sold to bad actors.

It is well known that law enforcement agencies and government entities rely on hardware like GrayKey to attempt a bypass of iPhone security. It seems that the United States Government may have created a monstrous exploit tool that is now being sold and spread to bad actors.

A Wired report details data shared by Google’s Threat Intelligence Group and iVerify. Google explains how the exploit toolkit, named “Coruna,” spread, while iVerify shared its findings tying its origins to the US government.

Basically, an exploit toolkit that contains five hacking techniques utilizing 23 vulnerabilities found in old iOS versions has begun to spread among bad actors. iPhones running iOS 13 (September 2019) to iOS 17.2.1 (December 2023) are capable of being infected by simple means like visiting a webpage.

If your device is capable of running iOS 26, it is highly advised to update immediately. Along with previous patches that help guard against the vulnerabilities, Apple specifically rendered this toolkit ineffective.

Around 74% of iPhones capable of running iOS 26 were updated to the OS as of February 12.

It targets vulnerabilities found in WebKit and there’s no confirmed techniques in the toolkit for Chrome. Coruna also checks for Lockdown Mode and doesn’t attempt a hack if it is present.

That said, there’s no need for regular users to enable Lockdown Mode. It’s a highly restrictive mode meant for those in danger of being targeted, like government officials and journalists.

The iOS 26 patch should be enough, so ensure your devices are up to date.

The spread of Coruna

If iVerify’s assumptions are correct, it seems the US government ordered the development of sophisticated exploit toolkits for use against iPhone users prior to 2025. Various signs suggest it was the US, like similar use of frameworks, the sophistication level, and English speakers writing the code.

“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” iVerify cofounder Rocky Cole said in a statement. “This is the first example we’ve seen of very likely US government tools— based on what the code is telling us— spinning out of control and being used by both our adversaries and cybercriminal groups.”

iVerify says that around 42,000 devices may already have been hacked with a specific version of Coruna being used in a Chinese-language cybersecurity attack. A Russian espionage operation also utilized the tool against an unknown number of Ukrainians.

It appears as if the US government lost control of the tool through some chain of events, then it ended up sold on the black market for millions. The buyer then likely tried to recoup costs by selling a manipulated version, and so on.

Coruna has spread among cybercriminals with different variants being built to accomplish different goals. iVerify says the code it observed had a pile of less sophisticated malware on top of the original government-made tool.

The only good exploit is a patched one

iVerify’s Rocky Cole shared an alternative idea for the origins of Coruna, but dismissed it just as easily. He suggested the toolkit could have been developed by piecing together Operation Triangulation components that Russia had said was used by US hackers.

Choose between avoiding Liquid Glass and potentially being hacked by sophisticated exploits

However, the Coruna toolkit is too well built to have been pieced together. It appears to have been built as a whole with a lot of money funding the development.

It goes to show that tools being developed or used by “good guys” can’t be guaranteed to always be used that way. Apple has battled with the FBI and other governments against providing a backdoor to its encryption, which would result in disaster.

It’s stories like these that show no one can be trusted with a “good guy” solution. Total security and privacy are the only option, and Apple continues to provide that — as long as you’re up to date.