Show HN: Forensic evidence of iOS mesh networking bypassing Airplane Mode

8 pointsposted a month ago
by TakeFlight007
(github.com)

14 Comments

lucasar

a month ago

Maybe the culprit is the technology and nasty tricks backing the "Find my device" feature? iOS devices will share their location (and potentially other data) with other nearby devices using a mesh network with certain frequency, even in Airplane mode. Also if the iPhone/iPad is powered off using the "power off" feature, the device will still be findable.

This capability is one of the strong selling points for consumers. The modern, average thief will often toss away these devices and settle with the rest of the loot because of this.

Sounds like OP wasn't aware of this.

TakeFlight007

a month ago

I'm aware of "Find My Device" that's a documented feature. Find My beacons go OUT (your device tells others where it is). This is 84MB coming IN. Different thing.

lucasar

a month ago

Well, such traffic goes OUT somewhere and that somewhere is other iDevices so that's traffic coming IN for them, no? I don't have evidence supporting either possibility other than the fact that there's indeed an obscure mesh network involved for "Find My" to operate. I hope this is the starting point to figuring out what their infrastructure does.

ACSL8TER

a month ago

The repo shows traffic is bound to utun2 (IDSNexusAgent). That’s not a location beacon protocol… that’s an encrypted IP tunnel

lucasar

a month ago

Yes, that is used to exchange information between iDevices. The "Find my" mechanism is proprietary and closed source, so you cannot categorically discard the possibility of iOS using such tunnel to send/receive/forward such information. Yes it could be something else. But if we want to be rigorous, we cannot discard possibilities we aren't 100% sure about.

TakeFlight007

a month ago

You are right... and being rigorous is the only path to trust. We can shift the issue from "what is it" to "why isn't it documented and why does status report inactive.

84.5 MB through utun2/IDS during stated isolation—benign or not—contradicts "wireless features turned off" and users have no verification path.

The "closed source" problem you identified is the core issue. So to be rigorous, plausible deniability ends where the telemetry contradicts the UI.

N_Lens

a month ago

I'm left wondering what this covert mesh traffic is actually accomplishing, and whether it's actually controversial or whether the researcher came across a red herring (Perhaps background file transfer such as airdrop while in airplane mode, unlikely as that sounds?).

TakeFlight007

a month ago

Good catch! checked sharingd (PID 75) in spindump: <0.001s CPU time while mDNSResponder processed the 84MB. Traffic attribution rules out AirDrop. The 67:1 RX/TX asymmetry and idle sharing daemon confirm this isn't file transfer.

taraindara

a month ago

My guess would it has to do with find my iPhone and AirTag tracking features.

TakeFlight007

a month ago

Not possible due to directionality and volume:

Find My/AirTag: Characteristic low-payload outbound beacons (Egress).

Observed Reality: 84.5 MB Ingress (Received) vs. 1.25 MB Egress.

user

a month ago

[deleted]

Teknomadix

a month ago

LOL. Seems like the OP is confused and misreading normal macOS/iOS behavior as a conspiracy.

Interface stats are cumulative since boot (eg: not real-time), mDNSResponder traffic includes all historical Bonjour activity. utun tunnels are standard iCloud/VPN infrastructure. Shannon-Hartley math proves WiFi can move data, not that anything covert is happening.

TakeFlight007

a month ago

Mathematically invalidated by the temporal anchor in the artifacts.

The spindump captures a precise 2.00-second window (2025-12-31 13:35:14) where mDNSResponder (PID 10252) is in an active execution state with Priority 31 scheduling. Real-time thread activity and kernel buffer management do not occur for "historical" data.