by FluGameAce007
296 days ago
A forensic analysis of iOS 18.6 reveals a silent data exfiltration sequence initiated entirely by Apple system daemons — no app involved, no permission prompt, no UI indicator.
In a ~3-second window, nsurlsessiond and symptomsd transferred ~5MB of data over the network. This activity is not tied to any userland app, does not trigger any TCC prompt, and cannot be viewed or controlled in iOS privacy settings.

Sequence of events:

- tccd preflights access to Reminders (TCC-protected) with no app context
- abm-helper, CommCenterRootHelper, and cfprefsd coordinate via Mach/XPC
- sosd attempts to write to a sensitive communications safety plist
- nsurlsessiond purges its cache
- symptomsd logs 5MB+ of RX/TX traffic — with no app running

There is:

- No telemetry toggle
- No EDR/MDM visibility
- No disclosure from Apple

This breaks the app-based sandbox and represents:

- A system-native stealth exfil pipeline
- Cross-daemon privilege chaining
- A real privacy and compliance blind spot