iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure
10 months ago
- #Vulnerability
- #iOS
- #Security
- A critical vulnerability in Apple’s iOS activation pipeline allows remote XML payload injection before user interaction.
- The flaw involves an unsigned `.plist` configuration payload from `humb.apple.com/humbug/baa` that SetupAssistant processes without verification.
- Attackers can inject arbitrary XML data that persistently alters system trust, network behavior, and identity provisioning.
- The issue was observed in a real-world attack, not simulated, affecting iOS 18.5 devices during factory setup.
- Impact includes pre-user control compromise, persistent `.plist` modifications, and regulatory exposure (GDPR, CMMC 2.0, FedRAMP).
- Technical details show SetupAssistant connects to an unauthenticated endpoint, accepting and applying unverified `.plist` payloads.
- Recommendations include enforcing digital signatures on the payload, authenticating the endpoint, validating the XML against a schema, and patching urgently.
- Disclosure timeline: Reported to Apple and US-CERT on May 19, 2025; public disclosure on June 26, 2025.
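Added example, not code from the advisory or from Apple: a verify-then-parse handler for an activation `.plist` that implements the two mitigations above, rejecting any payload whose signature does not check out before a single byte of XML is parsed, then validating the parsed dictionary against an allowlisted schema. The key, the schema keys and the sample payloads are constructed assumptions, and an HMAC stands in for the asymmetric signature a real deployment would use.

```python
import hashlib
import hmac
import plistlib

# Constructed verification key. A real design would pin a public key and
# check an asymmetric signature; HMAC is used here only as a stand-in.
VERIFY_KEY = b"example-activation-signing-key"

# Allowlisted keys and the value type each may carry (assumed schema).
ACTIVATION_SCHEMA = {
    "ActivationRecord": str,
    "Locale": str,
    "AllowCellularData": bool,
}


class PayloadRejected(Exception):
    """Raised when an activation payload must not be applied."""


def sign_payload(raw: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Tag a trusted server would attach to the raw plist bytes."""
    return hmac.new(key, raw, hashlib.sha256).digest()


def process_activation_payload(raw: bytes, signature: bytes,
                               key: bytes = VERIFY_KEY) -> dict:
    """Verify first, parse second, then enforce the schema; never apply otherwise."""
    if not hmac.compare_digest(sign_payload(raw, key), signature):
        raise PayloadRejected("signature mismatch: payload is not from a trusted signer")
    try:
        data = plistlib.loads(raw, fmt=plistlib.FMT_XML)
    except Exception as exc:  # malformed XML or plist structure
        raise PayloadRejected(f"malformed plist: {exc}") from exc
    if not isinstance(data, dict):
        raise PayloadRejected("top-level plist object must be a dict")
    for key_name, value in data.items():
        if key_name not in ACTIVATION_SCHEMA:
            raise PayloadRejected(f"unexpected key {key_name!r} in activation payload")
        if not isinstance(value, ACTIVATION_SCHEMA[key_name]):
            raise PayloadRejected(f"key {key_name!r} has wrong type {type(value).__name__}")
    return data


# Constructed sample payloads in the shape a server response would take.
GOOD_PLIST = plistlib.dumps(
    {"ActivationRecord": "rec-0001", "Locale": "en_US", "AllowCellularData": True},
    fmt=plistlib.FMT_XML)
GOOD_SIG = sign_payload(GOOD_PLIST)
UNEXPECTED_KEY_PLIST = plistlib.dumps(
    {"ActivationRecord": "rec-0001", "ProxyURL": "http://example.invalid/"},
    fmt=plistlib.FMT_XML)
```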