iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5)
Apple's iOS 18.5 contains an activation flaw: an attacker can inject a malicious XML configuration file over the network before the user first uses the device, manipulating the device's trust chain and network behavior and affecting privacy and security. The flaw has not been patched by Apple, has been reported to US-CERT, and raises exposure under GDPR and similar privacy regulations. 2025-7-1 06:49:54 Author: seclists.org


Full Disclosure mailing list archives


From: josephgoyd via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 26 Jun 2025 06:11:49 +0000

Title: iOS Activation Flaw Enables Pre-User Device Compromise

Reported to Apple: May 19, 2025
Reported to US-CERT: May 19, 2025
US-CERT Case #: VU#346053
Vendor Status: Silent
Public Disclosure: June 26, 2025

------------------------------------------------------------------------
Summary
------------------------------------------------------------------------

A critical vulnerability exists in Apple’s iOS activation pipeline that
allows remote XML payload injection *before* the user ever interacts
with the device.

During factory setup, iPhones contact:

https://humb.apple.com/humbug/baa

This provisioning endpoint returns `.plist` (XML) configuration
payloads that the device accepts without cryptographic verification
or source authentication. Note that the endpoint is reached over
HTTPS, so the injection described here presumes an attacker who can
intercept or terminate that TLS session (for example, if the client
does not validate the server certificate).

An attacker positioned on the network (or in any upstream infrastructure
path) can inject arbitrary XML configuration data that SetupAssistant
will silently process. These changes persist through reboot and affect
system trust, network behavior, and identity provisioning, *before any
user touches the screen.*

------------------------------------------------------------------------
Context
------------------------------------------------------------------------

This disclosure is based on forensic reconstruction of a **real-world
attack observed in the wild**.

The attached files were extracted from a live device that exhibited
compromise behavior during initial activation. The artifacts presented
here are part of a post-event forensic reconstruction; they are **not
simulated**, emulated, or crafted artificially.

The compromise occurred during normal SetupAssistant operation, with
no jailbreak, developer tools, or device modifications present.

------------------------------------------------------------------------
Tested Device
------------------------------------------------------------------------

- iPhone running iOS 18.5 (latest as of June 2025)
- Restored to factory settings
- Activated using standard consumer setup flow
- No MDM enrollment or dev profile present

------------------------------------------------------------------------
Impact
------------------------------------------------------------------------

- Remote injection of provisioning configuration before user control
- Persistent `.plist` file modifications affecting:
  - Cloud identity frameworks
  - Trust and network defaults
  - Activation and Apple service behaviors
- System logs show `.plist` entries written and processed before setup
- **Other `.plist` files** can be similarly injected and silently applied
- All of this occurs pre-setup, pre-consent, and without user awareness

This undermines trust in the provisioning path for:
- Consumers
- Enterprises
- Regulated and government environments

Relevant regulatory exposure includes:
- GDPR / CCPA (privacy violations before consent)
- CMMC 2.0 / NIST 800-171 (loss of provisioning integrity)
- FedRAMP / FISMA (unauthenticated system configuration)

------------------------------------------------------------------------
Technical Summary
------------------------------------------------------------------------

- SetupAssistant connects to `humb.apple.com/humbug/baa` during activation
- This endpoint returns a `.plist` (XML) payload
- The payload is **not signed, not authenticated, and not verified**
- The device accepts and applies it as system configuration
- The following were observed:
  - `mobileactivationd.log`: full provisioning POST/response
  - `com.apple.bird.plist`: persisted identity config before user input
  - Other config files can be similarly injected and silently accepted

------------------------------------------------------------------------
Artifacts
------------------------------------------------------------------------

Attached:
1. `mobileactivationd.log` — provisioning session from activation
2. `com.apple.bird.plist` — identity-related configuration written pre-setup

These files are **unaltered and timestamped**, captured from a real device
during activation after observed anomalous behavior. As posted to the list,
both attachments are PDF renderings of these files (see the attachment
names below) rather than the raw log and plist.

------------------------------------------------------------------------
Recommendations
------------------------------------------------------------------------

- Enforce digital signature checks for activation payloads
- Require authentication and origin validation for provisioning endpoints
- Apply strict XML schema validation to all `.plist` responses
- Halt logging of identity-related configuration during SetupAssistant
- Release urgent patch (iOS 18.5.1) to harden client-side provisioning logic
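The following is an added example, not code from the advisory and not Apple's provisioning logic, that models the two client behaviours discussed in the Technical Summary and the first three recommendations above: a client that parses and applies whatever XML plist the endpoint returns, beside a hardened client that verifies an origin signature before parsing and then allowlist-validates the plist's keys and types. The envelope format, the shared key, and every configuration key name are assumptions made for this illustration; a real client would verify an asymmetric signature against a pinned vendor public key rather than the HMAC stand-in used here so the example runs with only the standard library.

```python
import base64
import hashlib
import hmac
import plistlib

# Stand-in for the vendor's signing key (assumed). HMAC-SHA256 with a shared
# secret is used only so the example runs offline; production provisioning
# would verify an asymmetric signature against a pinned vendor public key.
PROVISIONING_KEY = b"example-provisioning-key (assumed, not Apple's)"

# Hypothetical allowlist of keys the client will accept, with required types.
# None of these names are taken from Apple's real activation payloads.
ALLOWED_SCHEMA = {
    "ExampleActivationState": str,
    "ExampleTrustStoreURL": str,
    "ExampleCloudIdentityEnabled": bool,
}

# Constructed sample of a legitimate response (not a captured payload).
GENUINE = plistlib.dumps({
    "ExampleActivationState": "Activated",
    "ExampleTrustStoreURL": "https://vendor.invalid/truststore",
})


def sign_payload(plist_bytes: bytes, key: bytes = PROVISIONING_KEY) -> dict:
    """Server side: wrap the plist bytes in an envelope carrying a MAC over them."""
    mac = hmac.new(key, plist_bytes, hashlib.sha256).hexdigest()
    return {"payload": base64.b64encode(plist_bytes).decode(), "sig": mac}


def accept_unverified(plist_bytes: bytes) -> dict:
    """Vulnerable path: parse and apply whatever came back, with no verification."""
    return plistlib.loads(plist_bytes)


def accept_verified(envelope: dict, key: bytes = PROVISIONING_KEY) -> dict:
    """Hardened path: verify the signature before parsing, then schema-check
    the parsed dictionary before it is applied as configuration."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("sig", "")):
        raise ValueError("provisioning payload failed signature check")
    config = plistlib.loads(payload)
    if not isinstance(config, dict):
        raise ValueError("provisioning payload is not a dictionary")
    for key_name, value in config.items():
        if key_name not in ALLOWED_SCHEMA:
            raise ValueError(f"unexpected provisioning key: {key_name}")
        if not isinstance(value, ALLOWED_SCHEMA[key_name]):
            raise ValueError(f"wrong type for {key_name}: {type(value).__name__}")
    return config


def attacker_modify(plist_bytes: bytes) -> bytes:
    """Constructed on-path tamper: repoint the trust store and add an extra key."""
    config = plistlib.loads(plist_bytes)
    config["ExampleTrustStoreURL"] = "https://attacker.invalid/truststore"
    config["InjectedProfile"] = {"ManagedDefaults": True}  # hypothetical key
    return plistlib.dumps(config)


def demo() -> dict:
    """Run the tampered payload through both clients and report what each did."""
    genuine_env = sign_payload(GENUINE)
    tampered = attacker_modify(GENUINE)
    # The attacker cannot re-sign, so the envelope keeps the genuine MAC.
    tampered_env = dict(genuine_env, payload=base64.b64encode(tampered).decode())
    results = {}
    results["unverified_accepts_tamper"] = (
        accept_unverified(tampered)["ExampleTrustStoreURL"]
        == "https://attacker.invalid/truststore"
    )
    results["verified_accepts_genuine"] = (
        accept_verified(genuine_env)["ExampleActivationState"] == "Activated"
    )
    try:
        accept_verified(tampered_env)
        results["verified_rejects_tamper"] = False
    except ValueError:
        results["verified_rejects_tamper"] = True
    # Even a correctly signed payload with an unknown key fails the schema check,
    # which is the second, independent line of defence.
    try:
        accept_verified(sign_payload(tampered))
        results["schema_rejects_unknown_key"] = False
    except ValueError:
        results["schema_rejects_unknown_key"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The two checks are deliberately separate: the signature check stops an on-path attacker who cannot sign, while the allowlist check limits what even a correctly signed payload can change, so a compromised or misbehaving server cannot push configuration the client was never designed to accept.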

------------------------------------------------------------------------
Timeline
------------------------------------------------------------------------

May 19, 2025 Reported to Apple and US-CERT
June 23, 2025 US-CERT opened case VU#346053
June 26, 2025 Public disclosure

------------------------------------------------------------------------
Researcher
------------------------------------------------------------------------

Joseph Raymond Goydish II

------------------------------------------------------------------------

Attachment: mobileactivationd log .pdf
Description:

Attachment: com.apple.bird.pdf
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5) josephgoyd via Fulldisclosure (Jun 30)

Source: https://seclists.org/fulldisclosure/2025/Jun/27