I'm aware of "Find My Device" that's a documented feature. Find My beacons go OUT
(your device tells others where it is). This is 84MB coming IN. Different thing.
Well, such traffic goes OUT somewhere and that somewhere is other iDevices so that's traffic coming IN for them, no?
I don't have evidence supporting either possibility other than the fact that there's indeed an obscure mesh network involved for "Find My" to operate. I hope this is the starting point to figuring out what their infrastructure does.
Yes, that is used to exchange information between iDevices. The "Find my" mechanism is proprietary and closed source, so you cannot categorically discard the possibility of iOS using such tunnel to send/receive/forward such information.
Yes it could be something else. But if we want to be rigorous, we cannot discard possibilities we aren't 100% sure about.
You are right... and being rigorous is the only path to trust. We can shift the issue from "what is it" to "why isn't it documented and why does status report inactive.
84.5 MB through utun2/IDS during stated isolation—benign or not—contradicts "wireless features turned off" and users have no verification path.
The "closed source" problem you identified is the core issue. So to be rigorous, plausible deniability ends where the telemetry contradicts the UI.
Mathematically invalidated by the temporal anchor in the artifacts.
The spindump captures a precise 2.00-second window (2025-12-31 13:35:14) where mDNSResponder (PID 10252) is in an active execution state with Priority 31 scheduling. Real-time thread activity and kernel buffer management do not occur for "historical" data.
Good catch! checked sharingd (PID 75) in spindump: <0.001s CPU time while mDNSResponder processed the 84MB. Traffic attribution rules out AirDrop.
The 67:1 RX/TX asymmetry and idle sharing daemon confirm this isn't file transfer.
