My iOS devices have been repeatedly breached over the last few years, even with Lockdown mode and restrictive (no iCloud, Siri, FaceTime, AirDrop) MDM policy via Apple Configurator. Since moving to 2025 iPad Pro with MIE/eMTE and Apple (not Broadcom & Qualcomm) radio basebands, it has been relatively peaceful. Until the last couple of weeks, maybe due to leakage of this zero day and PoC as iOS 26.3 was being tested.
> restrictive (no iCloud, Siri, Facetime, AirDrop ) MDM policy via Apple Configurator
MDM? That doesn't surprise me. Do you want to know how _utterly_ trivial MDM is to bypass on Apple Silicon? This is the way I've done it multiple times (and I suspect there are others):
Monterey USB installer (or Configurator + IPSW)
Begin installation.
At the point of the reboot mid-installation, remove Internet access, or, more specifically, make sure the Mac cannot DNS resolve: iprofiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com.
Continue installation and complete.
Add 0.0.0.0 entries for these three hostnames to /etc/hosts (or just keep the above "null routed" at your DNS server/router).
Tada. That's it. I wish there was more to it.
You can now upgrade your Mac all the way to Tahoe 26.3 without complaint, problem, or it ever phoning home. Everything works. iCloud. Find My. It seems that the MDM enrollment check is only ever done at one point during install and then forgotten about.
Caveat: I didn't experiment too much, but it seems that some newer versions of macOS require some internet access to complete installation, for this reason or others, but I didn't even bother to validate, since I had a repeatable and tested solution.
I would happily pay Apple an annual subscription fee to run iOS N-1 with backported security fixes from iOS N, along with the ability to restore local data backups to supervised devices (which currently requires at least 2 devices, one for golden image capture and one for restore, i.e. "enterprise" use case). I accept that Apple devices will be compromised (keep valuable data elsewhere), but I want fast detection and restore for availability.
GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is << Apple iPad Pro.
USB with custom Debian Live ISO booted into RAM is useful for generic terminal or web browsing.
Could you please elaborate on how you determine that your devices have been breached? E.g. referring to "anomaly free" makes it sound like you might be witnessing non-security related unexpected behaviour? Sorry for the doubt, I'm curious.
Explained at length below: after a subjective indicator of possible breach, by monitoring, allowlisting and then deleting outbound network traffic sources (i.e. apps) on the device, then looking closely at any remaining, non-allowlisted traffic, which should be zero.
By definition you will have access to things Apple won't publish or support at subsidized rates below the fully loaded hourly cost of a senior engineer.
Because you will be paying the full unsubsidized rate for any support needed for features not available to the mass market.
It's like how IBM will gladly send a team of senior engineers to help enterprise clients resolve every last possible request.
Edit: As compared to mass market features, where the economics don't work unless they're close to 100% certain most users won't require any costly support.
First idea is great honestly - lots of vendors do this. I use Firefox long term stable and Chrome offers this for enterprise customers. Windows even offers multiple options of this (LTSC being the best by far).
Would also make a great corporate / government product - I doubt they care about charging the average consumer for such a subscription (not enough revenue) but I can see risk averse businesses and especially government sectors being interested.
Just to save everyone the read, reading through the replies, this person is very clearly paranoid and has no clear evidence of an actual breach. I have zero idea why people are actually engaging with this.
This thread (on a story about 10 year old 0-day that exposed 2 billion devices to potential breach!) has many comments questioning the mere possibility of repeated breach, yet not a single comment engaging the point of my original post -- that Apple's 2025 introduction of MIE/eMTE changed the observable device behavior vs. Apple devices of the previous five years. On the new iPad Pro, MIE was shipped alongside Apple's $1B investment in modem technology to replace Qualcomm cellular and Broadcom WiFi/BT radios used on billions of existing devices.
Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort, spanning half a decade, that combines the unique strengths of Apple silicon hardware with our advanced operating system security to provide industry-first, always-on memory safety protection across our devices — without compromising our best-in-class device performance. We believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.
> has no clear evidence of an actual breach
If the perceived breaches during 5 years of using multiple generations of Apple devices were due to methodology errors leading to false positives, why did they stop after moving to 2025 Apple hardware with MIE and Apple-only radio basebands?
16e still uses a Broadcom chip for WiFi + Bluetooth, though. iPhone Air is currently the only iPhone that uses both Apple-designed baseband + WiFi/BT chips.
Presence of one or more: unexpected outbound traffic observed via Ethernet, increased battery consumption, interactive response glitching, display anomalies ... and their absence after hard reset key sequence to evict non-persistent malware. Then log review.
What are examples of logs that you're considering IOCs? The picture you are painting is basically that most everyone is already compromised most of the time, which is ... hard to swallow.
By minimizing apps on device, blocking all traffic to Apple 17.x, using Charles Proxy (and NetGuard on Android) to allowlist IP/port for the remaining apps at the router level, and then manually inspecting all other network activity from the device. Also the disappearance of said traffic after hard-reset.
Sometimes there were anomalies in app logs (iOS Settings - Analytics) or sysdiagnose logs. Sadly iOS 26 started deleting logs that have been used in the past to look for IOCs.
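The allowlist-then-inspect method described in the two replies above (monitor outbound traffic, allowlist IP/port for the remaining apps at the router, inspect the residual, and compare before and after a hard reset), as an added example that is not code from anyone in this thread. The log format, the addresses and the allowlist are constructed for the example; it only narrows what a reviewer has to look at, and a residual or vanishing flow is a lead to investigate, not a verdict.

```python
"""Residual-flow triage for a per-device outbound allowlist.

Added example, not from the thread. Input is a constructed router-style
export with one outbound flow per line:
    <ts> <src_ip> <dst_ip>:<dst_port> <bytes_out>
Flows that match an explicit (network, port) allowlist are dropped; what
remains is the traffic a reviewer has to explain.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed sample: the device (10.0.0.5) before a hard reset.
SAMPLE_LOG = """\
2025-01-10T08:00:01 10.0.0.5 203.0.113.10:443 1200
2025-01-10T08:00:05 10.0.0.5 203.0.113.10:443 800
2025-01-10T08:01:00 10.0.0.5 198.51.100.7:443 4096
2025-01-10T08:01:30 10.0.0.5 192.0.2.44:8443 51200
2025-01-10T08:02:00 10.0.0.5 198.51.100.7:443 300
"""

# Constructed sample: the same device after the reset.
SAMPLE_LOG_AFTER_RESET = """\
2025-01-10T09:00:02 10.0.0.5 203.0.113.10:443 1100
2025-01-10T09:00:40 10.0.0.5 198.51.100.7:443 2048
"""

# Constructed allowlist: one rule per remaining app, "<network>:<port>".
ALLOWLIST = ["203.0.113.0/24:443", "198.51.100.7/32:443"]


def parse_flows(text):
    """Parse the export; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, size = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        # Tolerate bracketed IPv6 literals such as [2001:db8::1]:443.
        flows.append(Flow(ts, src, dst_ip.strip("[]"), int(dst_port), int(size)))
    return flows


def parse_allowlist(entries):
    """Turn "<network>:<port>" strings into (ip_network, port) rules."""
    rules = []
    for entry in entries:
        net, port = entry.rsplit(":", 1)
        rules.append((ipaddress.ip_network(net, strict=False), int(port)))
    return rules


def is_allowed(flow, rules):
    addr = ipaddress.ip_address(flow.dst_ip)
    return any(addr in net and flow.dst_port == port for net, port in rules)


def residual_flows(flows, rules):
    """Everything the allowlist does not explain."""
    return [f for f in flows if not is_allowed(f, rules)]


def summarize(flows):
    """Aggregate per (dst_ip, dst_port): (flow count, bytes out)."""
    agg = defaultdict(lambda: [0, 0])
    for f in flows:
        agg[(f.dst_ip, f.dst_port)][0] += 1
        agg[(f.dst_ip, f.dst_port)][1] += f.bytes_out
    return {key: tuple(val) for key, val in agg.items()}


def destinations_gone_after_reset(before, after):
    """Destinations seen before the reset but not after it (leads, not proof)."""
    return set(summarize(before)) - set(summarize(after))


if __name__ == "__main__":
    rules = parse_allowlist(ALLOWLIST)
    before = parse_flows(SAMPLE_LOG)
    after = parse_flows(SAMPLE_LOG_AFTER_RESET)
    for dst, (count, total) in summarize(residual_flows(before, rules)).items():
        print(f"residual {dst[0]}:{dst[1]} flows={count} bytes_out={total}")
    print("gone after reset:", destinations_gone_after_reset(before, after))
```

Run it on a real export by replacing the two constructed logs with the router or proxy output and the allowlist with the IP/port pairs you have attributed to each remaining app; the useful output is the residual table, which should be empty on a device that only runs what you allowed.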
How did you determine that a connection was malicious? Modern apps are noisy with all of the telemetry and ad traffic, and that includes a fair amount of background activity. If all you’re seeing are connections to AWS, GCP, etc. it’s highly unlikely that it’s a compromise.
Similarly, when you talk about it going away after a reset that seems more like normal app activity stopping until you restart the app.
So how did you identify this as a breach? I'm struggling to find this credible, and you've yet to provide specifics.
Right now it comes across as "just enough knowledge to be dangerous"-levels, meaning: you've seen things, don't understand those things, and draw an unfounded conclusion.
Feel free to provide specifics, like log entry lines, that show this breach.
There’s no hard evidence that you’ve put forward that you’ve been breached.
Not understanding every bit of traffic from your device with hundreds of services and dozens of apps running is not evidence of a breach.
Have you found unsigned/unauthorized software? Have you traced traffic to a known malware collection endpoint? Have you recovered artifacts from malware?
Strong claims require strong evidence imo and this isn’t it.
I agree with other posters that you seem to be capable of network level forensics, but you have said nothing to back up what you consider a device breach other than 'some cloud destined network traffic which disappears after a hard reset'.
In my experience of forensic reports, this link is tenuous at best and would not be considered evidence or even suspected breach based on that alone.
I don't think that proves they've been breached. Are you sure you're not just seeing keep alive traffic or something random you haven't taken into account?
From another comment - I switched phone to Pixel and it has worked well, with a separate profile for apps that require Google Play Services.
> GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is << Apple iPad Pro.
iPad Pro with Magic Keyboard and 4:3 screen is an engineering marvel. The UX overhead of Pixel Tablet and inconsistency of Android apps made workflows slow or even impractical, so I eventually went back to iPad and accepted the cost/pain of re-imaging periodically, plus having a hot-spare device,