iOS 18.x: TCC Bypass and Silent Bluetooth Tracking
System daemons on iOS silently bypass consent to access trust metadata, location, and TCC data.
Pitch

This research reveals how Apple system daemons on iOS 18.5 and 18.6 bypass consent protections to silently access Bluetooth trust metadata, initiate BLE scans, harvest GPS data, and request access to Reminders using undocumented TCC flags. These actions occur without user interaction or UI indicators — violating Apple's public privacy promises. Full logs and analysis included.

Description

This repository provides an in-depth analysis of critical Bluetooth and GPS privacy vulnerabilities discovered in iOS 18.5. It primarily highlights how multiple native Apple daemons can execute unauthorized operations concerning Bluetooth and location services without user awareness or consent.

Key Highlights

  • Silent BLE Scanning: The component SPCBPeripheralManager is capable of triggering silent Bluetooth scans in the background, rendering devices discoverable without any notice.
  • Covert GPS Activation: The locationd process can engage in covert GPS harvesting, allowing location tracking without displaying any user interface or requiring user consent.
  • Metadata Exposure: The audioaccessoryd component surfaces Bluetooth trust metadata, such as Identity Resolving Keys (IRKs), enabling passive identity tracking.
  • Bypassing Privacy Controls: The daemons interact with tccd to bypass TCC privacy permissions altogether. This effectively disables consent enforcement that users expect from iOS.
  • Weakening Trust Enforcement: The bluetoothd component continues its trust-establishment logic even after cryptographic failures, undermining BLE trust enforcement.

This research employed official Apple tools within a legitimate environment using a stock iPhone 14 Pro Max running iOS 18.5, ensuring integrity by avoiding jailbreak, MDM, or third-party applications.

The data logs associated with these vulnerabilities can be found here: Log Evidence.

Understanding these vulnerabilities is essential for developers, security researchers, and users who rely on iOS for privacy, as they expose significant risks regarding personal data protection.
