top | item 46451487

Show HN: Forensic evidence of iOS mesh networking bypassing Airplane Mode

8 points| TakeFlight007 | 2 months ago |github.com

I found evidence of autonomous mesh networking on iOS during Airplane Mode. What am I missing?

Did forensic analysis on my iPhone during Airplane Mode isolation. Kernel stats show 2,657 packets transmitted and 84.5MB processed through mDNSResponder while interfaces report "inactive". Found a parallel utun2 tunnel bound to IDS framework that persists during isolation. Applied Shannon-Hartley theorem to verify the channel capacity supports this volume. Either I'm misunderstanding legitimate system behavior, or this is a covert channel. Reproducible steps and raw evidence included.

https://github.com/JGoyd/NeuralNet

13 comments

lucasar|2 months ago

Maybe the culprit is the technology and nasty tricks backing the "Find my device" feature? iOS devices will share their location (and potentially other data) with other nearby devices using a mesh network with certain frequency, even in Airplane mode. Also if the iPhone/iPad is powered off using the "power off" feature, the device will still be findable.

This capability is one of the strong selling points for consumers. The modern, average thief will often toss away these devices and settle with the rest of the loot because of this.

Sounds like OP wasn't aware of this.

TakeFlight007|2 months ago

I'm aware of "Find My Device" that's a documented feature. Find My beacons go OUT (your device tells others where it is). This is 84MB coming IN. Different thing.

N_Lens|2 months ago

I'm left wondering what this covert mesh traffic is actually accomplishing, and whether it's actually controversial or whether the researcher came across a red herring (Perhaps background file transfer such as airdrop while in airplane mode, unlikely as that sounds?).

TakeFlight007|2 months ago

Good catch! checked sharingd (PID 75) in spindump: <0.001s CPU time while mDNSResponder processed the 84MB. Traffic attribution rules out AirDrop. The 67:1 RX/TX asymmetry and idle sharing daemon confirm this isn't file transfer.

taraindara|2 months ago

My guess would it has to do with find my iPhone and AirTag tracking features.

ACSL8TER|2 months ago

verified on iPadOS 26.2 (Opkts: 5,132 while status: inactive). The data is not historical; the bypass is active.

https://github.com/JGoyd/NeuralNet/issues/1#issuecomment-370...

Teknomadix|2 months ago

LOL. Seems like the OP is confused and misreading normal macOS/iOS behavior as a conspiracy.

Interface stats are cumulative since boot (eg: not real-time), mDNSResponder traffic includes all historical Bonjour activity. utun tunnels are standard iCloud/VPN infrastructure. Shannon-Hartley math proves WiFi can move data, not that anything covert is happening.

TakeFlight007|2 months ago

Mathematically invalidated by the temporal anchor in the artifacts.

The spindump captures a precise 2.00-second window (2025-12-31 13:35:14) where mDNSResponder (PID 10252) is in an active execution state with Priority 31 scheduling. Real-time thread activity and kernel buffer management do not occur for "historical" data.