Presence of one or more: unexpected outbound traffic observed via Ethernet, increased battery consumption, interactive response glitching, display anomalies ... and their absence after hard reset key sequence to evict non-persistent malware. Then log review.

What are examples of logs that you're considering IOCs? The picture you are painting is basically that most everyone is already compromised most of the time, which is ... hard to swallow.

I reported the experience on my devices, which said nothing about "everyone".

How did you link that traffic to malicious activity?

By minimizing apps on device, blocking all traffic to Apple 17.x, using Charles Proxy (and NetGuard on Android) to allowlist IP/port for the remaining apps at the router level, and then manually inspecting all other network activity from the device. Also the disappearance of said traffic after hard-reset.

Sometimes there were anomalies in app logs (iOS Settings - Analytics) or sysdiagnose logs. Sadly iOS 26 started deleting logs that have been used in the past to look for IOCs.

How did you determine that a connection was malicious? Modern apps are noisy with all of the telemetry and ad traffic, and that includes a fair amount of background activity. If all you’re seeing are connections to AWS, GCP, etc. it’s highly unlikely that it’s a compromise.

Similarly, when you talk about it going away after a reset that seems more like normal app activity stopping until you restart the app.

Summary: https://news.ycombinator.com/item?id=46998191

That doesn’t have any details supporting the belief that this traffic was malicious or a sign of compromise. I’d easily believe that it’s picking up developer telemetry or ad networks but without some hard evidence this sounds like misinterpretation rather than a compromise.

Are you sure whatever you have configured in the MDM profile or one of these apps like Charles Proxy is not the source of the traffic?

Are you using a simple config profile on iOS to redirect DNS and if so how are you generating it ? Full MDM or what are you adding to the profile ?

Traffic was monitored on a physical ethernet cable via USB ethernet adapter to iOS device.

Charles Proxy was only used to time-associate manual application launch with attempts to reach destination hostnames and ports, to allowlist those on the separate physical router. If there was an open question about an app being a potential source of unexpected packets, the app was offloaded (data stayed on device, but app cannot be started).

MDM was not used to redirect DNS, only toggling features off in Apple Configurator.

Surely you used several USB Ethernet adapters to rule them out as being the source as well right? Those types of dongles are well known for calling home.

Good observation :) Multiple ethernet adapters: Apple original (ancient USB2 10/100), Tier 1 PC OEM, plus a few random ones. Some USB adapters emit more RF than others.

And your sure it wasn't some built in Apple service ? I believe they host a ton on GCP

It excluded the published hostnames for services and CDNs (some of which resolved to GCP, Akamai, etc) published by Apple for sysadmins of enterprise networks, https://news.ycombinator.com/item?id=46994394. It's indeed possible that one of the unknown destination IPs could have been an undocumented Apple service, but some (e.g. OVH) seem unlikely.

To where?

Usually a generic cloud provider, not unique, identifying or stable.

So how did you identify this as a breach? I'm struggling to find this credible, and you've yet to provide specifics.

Right now it comes across as "just enough knowledge to be dangerous"-levels, meaning: you've seen things, don't understand those things, and draw an unfounded conclusion.

Feel free to provide specifics, like log entry lines, that show this breach.

I worked at Corellium tracking sophisticated threats. Nothing you’ve posted is indicative of a compromise. If you’re convinced I’d be happy to go through your IOCs and try to explain them to you.

Thanks. In this thread, I was trying to share a positive story about the recent iPad Pro _NOT_ exhibiting the many issues I observed over 5 years and multiple generations of iPhones and iPad Pros. If any new issues surface, I'll archive immutable logs for others to review.

I think this just further highlights my credibility point.

With the link I provided, a hacker can use iOS emulated in QEMU for:

  • Restore / Boot
  • Software rendering
  • Kernel and userspace debugging
  • Pairing with the host
  • Serial / SSH access
  • Multitouch
  • Network
  • Install and run any arbitrary IPA

Unlike a locked-down physical Apple device. It's a good starting point.

I'm much more convinced that you're competent in the field of forensics. But I still don't think suspicious network traffic can be categorically defined as a 'device breach.'

For all you know, the traffic you've observed and deem malicious could just as well have been destined for Apple servers.

Apple traffic goes to 17.0.0.0/8 + CDNs aliased to .apple.com, which my egress router blocks except for Apple-documented endpoints for notifications and software update, https://support.apple.com/en-us/101555

appldnld.apple.com configuration.apple.com gdmf.apple.com gg.apple.com gs.apple.com ig.apple.com mesu.apple.com mesu.apple.com ns.itunes.apple.com oscdn.apple.com osrecovery.apple.com skl.apple.com swcdn.apple.com swdist.apple.com swdownload.apple.com swscan.apple.com updates.cdn-apple.com updates-http.cdn-apple.com xp.apple.com

There was no overlap between unexpected traffic and Apple CDN vendors.

'Apple-documented' being operative here.

True, perhaps OVH in Germany (one anomaly example) is an Apple vendor. No way to know.

They said upthread that they had blocked 17.0.0.0/8 ("Apple"), but maybe there are teams inside Apple that are somehow operating services outside of Apple's /8 in the name of Velocity? I kind of doubt it, though, because they don't seem like the kind of company that would allow for that kind of cowboying.

I don't doubt it in the slightest. Every corporate surveillance firm—I mean, third-party CDN in existence ostensibly operates in the name of 'velocity'.

Apple has used AWS and Cloudflare in the past, too, so it’s not like seeing that traffic is a reliable indicator of compromise.

LOL. Aren't you a little paranoid?

Just trying to use expensive tablets in peace. Eventually stopped buying new models due to breaches.

After a few years, bought the 2025 iPad Pro to see if MTE/eMTE would help, and it did.

There’s no hard evidence that you’ve put forward that you’ve been breached.

Not understanding every bit of traffic from your device with hundreds of services and dozens of apps running is not evidence of a breach.

Have you found unsigned/unauthorized software? Have you traced traffic to a known malware collection endpoint? Have you recovered artifacts from malware?

Strong claims require strong evidence imo and this isn’t it.

As mentioned elsewhere in this thread, traffic from each iOS app was traced via Charles Proxy, the endpoints allowlisted for normal behavior, and finally the app was offloaded so it could not generate any traffic from the device. Over time, this provided a baseline of known outbound traffic from the device, e.g. after provisioning a new device with a small number of trusted apps.

Apple traffic was isolated separately, https://news.ycombinator.com/item?id=46994394

Traffic outside that baseline could then be reviewed closely.

Lol 'breaches'.

I agree with other posters that you seem to be capable of network level forensics, but you have said nothing to back up what you consider a device breach other than 'some cloud destined network traffic which disapears after a hard reset'.

In my experience of forensic reports, this link is tenuous at best and would not be considered evidence or even suspected breach based on that alone.