- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Temporarily disable Face ID in a pinch. If you're ever in a situation where you might be compelled to unlock your iPhone with your face, you can quickly disable Face ID so that your passcode is required to open your phone.
- Use Hide My Email to protect your privacy. This iCloud+ feature lets you create a dummy email address so that if any website or app starts emailing you spam, you can cut it off instantly by deactivating the Hide My Email address.
- Disable location history in Apple Maps. A new iOS 26 feature in Apple Maps records nearly every location you visit, so if you don't want your iPhone tracking your every move, remember to turn off Visited Places.
What should you do in the following scenario?
Which of Apple's built-in tools will help you browse the internet more anonymously in Safari?
- iOS
- iCloud Private Relay
- A VPN
- App sandboxing
- Device profiles
- Something else (email us your answer)
Scroll to the bottom to see how you did!
Google and iVerify both released reports last week on a hacking toolkit targeting iPhones and Macs. The toolkit is described as "incredibly sophisticated," and one former Apple engineer recorded an hour-long podcast explaining the exact function of the hack in awe-struck detail. The software engineers among our readers may enjoy that podcast, but fair warning: it's extremely technical.
The hacking toolkit, dubbed Caruna, targets iPhones or Macs that merely visit an infected website. Running in JavaScript in Safari, Caruna exploits a series of extremely subtle bugs to deploy whatever software the hacker wants onto the infected device. In the campaign Google and iVerify discovered, the hackers chose to run crypto-wallet stealers that scanned the victim device for cryptocurrency wallets and stole any money stored inside. According to reporting by TechCrunch, former engineers at L3Harris, a US defense contractor, identified that the hacks were, at least in part, developed by that company. How precisely this elite hacking toolkit somehow made its way from espionage contractors in the US to the hands of criminals is not known for sure, but it may be related to the case of a former L3Harris engineer convicted of selling hacking secrets to a Russian firm.
The Bottom Line: The Caruna hacking kit can infect iPhones running iOS versions 13 through 17.2.1 (which was released in 2023), so up-to-date iPhones are immune, a reminder of the importance of keeping your device up to date.
Tile Tracking Devices Put Your Privacy at Risk
A small group of researchers wrote up a paper detailing the security of the location tracker Tile. The paper alleges that Tile's servers can access the locations of users and their tags at any time, that Bluetooth can be used to track Tile tags, that the devices have a weak accountability system to combat stalking, and much more. You can find the full paper over at arXiv.
The Bottom Line: While Tile might have security and privacy flaws, the same cannot be said for Apple. If you're looking for a tracking tag for everyday use, we'd recommend AirTag over Tile. Apple's dedication to privacy and security makes the AirTag a far more reliable device.
Police Use License Plate Readers to Track Innocent Civilian
We've done our fair share of harping on automated license plate readers (ALPRs) in this newsletter, and now we have a real-world story demonstrating how this technology can be abused. A Kansas man published an opinion piece criticizing ICE operations in his city and how the local police aid the agency. According to radio station KCUR, internal emails from the police department show that they opened an investigation into him because of his opinion piece. ALPRs were used to track his activity for weeks in order to find a minor offense for which to charge him. Read more at the ACLU.
The Bottom Line: While ALPRs cannot be completely avoided, staying aware of the risk they pose to even innocent civilians is important. If you feel particularly strongly about how law enforcement uses ALPRs, contacting your local representative is a good step to take. Staying informed and making your voice heard is the best way to effect change, and lawmakers may be swayed by public opinion.
Photos & Videos Captured by Meta Smart Glasses Are Not Private
Meta's smart glasses are absolutely everywhere now, and, to the surprise of almost no one, are not exactly the most private devices. Turns out, having a camera on your face recording everything that you do isn't the best idea. According to a report from Swedish news site Svenska Dagbladet (SvD), Meta is using a company called Sama to manually review photos and videos captured by its smart glasses and annotate them for artificial intelligence training. What this basically means is that real human beings are watching the footage and helping AI understand what it's looking at. Some of Sama's employees have come forward to reveal just how much sensitive data they see from Meta's smart glasses, from changing rooms to bathrooms to bedrooms. Read more at SvD.
The Bottom Line: We recommend against using Meta's smart glasses, since the company does not have the best reputation when it comes to privacy. There is not much you can do if you encounter someone else wearing the glasses in public, besides avoiding the wearer entirely.
Could Russia Infiltrate Your Signal or WhatsApp Chats?
The Netherlands has issued a security advisory warning that Russian state hackers are currently attempting to breach Signal and WhatsApp. Both Signal and WhatsApp use end-to-end encryption to protect users' messages, but it's not the encryption that the hackers are trying to crack. Instead, the attackers are phishing credentials by impersonating customer support and tricking users into scanning QR codes or clicking malicious links. Read more at The Record or check out the Dutch security advisory itself.
The Bottom Line: According to the security advisory, this campaign is targeting "dignitaries, military personnel, and civil servants," so it is unlikely to affect the average citizen. Still, you should always be cautious. Never hand over multi-factor authentication codes even if you're being asked by a company representative, don't scan QR codes without knowing for sure what they actually do, and don't click links from suspicious texts or emails.
Private Email Service Hands Over Account Details to FBI
Proton Mail is famous for being a secure, privacy-focused email service. It uses end-to-end encryption, and because the company is based in Switzerland, it is only subject to Swiss privacy laws, making it a great option for privacy-conscious users. However, while Proton protects your privacy through encrypted emails, the company still stores identifiable information, such as payment methods. Recently, Proton provided the Swiss authorities with the payment information of a Proton Mail user, which was then handed over to the FBI. This allowed the bureau to identify and arrest the owner of an anonymous email address. Read more at 404 Media.
The Bottom Line: Proton Mail is still a viable option for a privacy-focused email service, though your payment information is not quite as private. It's impossible to stay anonymous when using a credit card, so if you want to use Proton Mail and keep your identity a secret, you'll only be able to stay completely private if you pay with cash, which Proton does accept. You'll just need to mail it to Switzerland.
Firefox Extension Built to Identify Malicious Websites
A security researcher, Gabriel Biondo, has built a web browser extension to protect users from phishing attacks. The extension helps identify malicious webpages and provides the user with a safety rating for each webpage. It's not a completely foolproof setup, but it could certainly be useful as Biondo updates the extension. You can read the full technical breakdown of how the extension works (and find a download link) at The Byte Architect.
The Bottom Line: We're not recommending everyone rush to download this extension, since it's still very new and we're not sure how well it works yet. From initial testing, it does appear to throw some false positives. If you're particularly tech savvy, you can install it and give it a whirl to see how well it works for yourself.
Vibe Coding Strikes Again: 18K Users' Data Exposed
Vibe coding has become a common practice among inexperienced developers. If you are unfamiliar with the concept, vibe coding is essentially giving an artificial intelligence tool a prompt for how you want an app to look and how you want it to function, and the tool will do all the coding for you. One particularly popular vibe coding platform called Lovable was recently found to be hosting an app that exposed the data of over 18,000 users. A tech researcher discovered 16 vulnerabilities in the app, which he declined to name. The exposed data includes thousands of email addresses and 870 users' full personally identifiable information. Read more at The Register.
The Bottom Line: This issue is not limited to just one app. Cybersecurity is difficult to get right, and relying on AI to create an app is going to leave it vulnerable to attack. Every vibe-coded app is sure to contain vulnerabilities like this. Because of this, we do not recommend using AI tools to build apps, and we strongly suggest steering clear of any apps built using AI.
Everything you need to know about Apple's latest software updates.
- The most recent iOS and iPadOS is 26.3.1
- The most recent macOS is 26.3.1 and 26.3.2 for MacBook Neo
- The most recent tvOS is 26.3
- The most recent watchOS is 26.3
- The most recent visionOS is 26.3.1
Read about the latest updates from Apple.
The correct answer is B: iCloud Private Relay. Read more about it here.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Want to reduce spam and avoid falling for scams? Check out: