AI & ML Practical Magic

A basic cross-device attack can steal Apple Intelligence tokens and hand hackers total control over a private AI.

April 20, 2026

Original Paper

Too Private to Tell: Practical Token Theft Attacks on Apple Intelligence

Haoling Zhou, Shixuan Zhao, Chao Wang, Zhiqiang Lin

arXiv · 2604.15637

The Takeaway

The Serpent attack exploits a flaw in how Apple Intelligence handles access tokens across devices. An attacker who captures these tokens can replay them from their own hardware, bypassing the authentication checks and impersonating the legitimate user. Apple marketed the system as a privacy-first breakthrough, but this flaw shows that anonymizing a token does not make it a secure credential. The vulnerability allows the theft of personal AI context and lets the attacker trigger actions on the victim's behalf. Developers need to move beyond simple tokenization to prevent AI-specific identity theft.
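To make the replay point concrete, here is an added toy example (not code from the paper or from Apple): a bearer-style token is accepted from whoever presents it, while a device-bound variant requires proof of possession of a per-device key plus a fresh nonce, so a copied token is useless on other hardware. The device ids, the key-sharing step at enrollment and the request format are assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed, in-memory stand-in for a token-issuing service; an
# illustration of the replay problem, not Apple's actual design.
_tokens = {}        # token -> device_id it was issued to
_device_keys = {}   # device_id -> key shared at enrollment (assumed trusted channel)
_seen_nonces = set()

def enroll_device(device_id: str) -> bytes:
    """Register a device and return its per-device key (assumption: delivered securely)."""
    key = secrets.token_bytes(32)
    _device_keys[device_id] = key
    return key

def issue_token(device_id: str) -> str:
    """Issue an opaque, anonymous access token to an enrolled device."""
    token = secrets.token_hex(16)
    _tokens[token] = device_id
    return token

def authorize_bearer(token: str) -> bool:
    """Bearer check: anyone holding the token is accepted, so a copied token replays."""
    return token in _tokens

def sign_request(key: bytes, token: str, nonce: str, body: str) -> str:
    """Proof of possession: tag the whole request with the device key."""
    msg = f"{token}|{nonce}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authorize_bound(token: str, claimed_device: str, nonce: str, body: str, tag: str) -> bool:
    """Device-bound check: the token must come from the device it was issued to,
    with a nonce not seen before and a tag only that device's key can produce."""
    issued_to = _tokens.get(token)
    if issued_to is None or issued_to != claimed_device:
        return False
    if nonce in _seen_nonces:  # a captured request cannot be replayed either
        return False
    key = _device_keys.get(claimed_device)
    if key is None or not hmac.compare_digest(sign_request(key, token, nonce, body), tag):
        return False
    _seen_nonces.add(nonce)
    return True
```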

From the abstract

Apple Intelligence is a generative AI (GenAI) service provided by Apple on its devices. While offering a similar set of features as other similar GenAI services, Apple Intelligence is claimed to be designed with an extra focus on user security and privacy through a two-stage authentication and authorization design using anonymous access tokens. In this paper, we present our investigation into this token issuance mechanism with a goal to reveal possible vulnerabilities using traffic analysis, rev