Maybe the culprit is the technology and nasty tricks backing the "Find my device" feature? iOS devices will share their location (and potentially other data) with other nearby devices using a mesh network with certain frequency, even in Airplane mode. Also if the iPhone/iPad is powered off using the "power off" feature, the device will still be findable.
This capability is one of the strong selling points for consumers. The modern, average thief will often toss away these devices and settle with the rest of the loot because of this.
Sounds like OP wasn't aware of this.
I'm aware of "Find My Device" that's a documented feature. Find My beacons go OUT
(your device tells others where it is). This is 84MB coming IN. Different thing.
Well, such traffic goes OUT somewhere and that somewhere is other iDevices so that's traffic coming IN for them, no?
I don't have evidence supporting either possibility other than the fact that there's indeed an obscure mesh network involved for "Find My" to operate. I hope this is the starting point to figuring out what their infrastructure does.
The repo shows traffic is bound to utun2 (IDSNexusAgent). That’s not a location beacon protocol… that’s an encrypted IP tunnel
I'm left wondering what this covert mesh traffic is actually accomplishing, and whether it's actually controversial or whether the researcher came across a red herring (Perhaps background file transfer such as airdrop while in airplane mode, unlikely as that sounds?).
Good catch! checked sharingd (PID 75) in spindump: <0.001s CPU time while mDNSResponder processed the 84MB. Traffic attribution rules out AirDrop.
The 67:1 RX/TX asymmetry and idle sharing daemon confirm this isn't file transfer.
My guess would it has to do with find my iPhone and AirTag tracking features.
Not possible due to directionality and volume:
Find My/AirTag: Characteristic low-payload outbound beacons (Egress).
Observed Reality: 84.5 MB Ingress (Received) vs. 1.25 MB Egress.
LOL.
Seems like the OP is confused and misreading normal macOS/iOS behavior as a conspiracy.
Interface stats are cumulative since boot (eg: not real-time), mDNSResponder traffic includes all historical Bonjour activity. utun tunnels are standard iCloud/VPN infrastructure. Shannon-Hartley math proves WiFi can move data, not that anything covert is happening.
Mathematically invalidated by the temporal anchor in the artifacts.
The spindump captures a precise 2.00-second window (2025-12-31 13:35:14) where mDNSResponder (PID 10252) is in an active execution state with Priority 31 scheduling. Real-time thread activity and kernel buffer management do not occur for "historical" data.