iOS-Attack-Chain-CVE-2025-3…/Attack Chain Flow.md
2026-01-03 01:09:38 -05:00


iMessage Attack

Zero-Day, Zero-Click Remote Exploit Defeats Cryptographic Trust on iOS (Patched in iOS 18.4.1)

Summary

A zero-day, zero-click exploit chain targeting iOS 18.4 and below delivered a malicious MP4 audio file via iMessage, bypassing BlastDoor and Blackhole protections by leveraging the known-sender context. The file triggers a CoreAudio heap corruption (CVE-2025-31200) that escalates to kernel execution through AMPDU mishandling in the AppleBCMWLAN driver (CVE-2025-31201). With kernel access, attackers invoke CryptoTokenKit operations using Secure Enclave-backed keys — all without user interaction.

Note: iOS 18.4.1 patches only CVE-2025-31200 and CVE-2025-31201; downstream misuse of CryptoTokenKit and Secure Enclave keys remains unaddressed.

Key Impact: Bypass of Cryptographic Trust Model

Although cryptographic keys were not exported, attackers used Secure Enclave-backed keys to sign data without authorization, effectively defeating Apple's identity and message authentication mechanisms.

This allowed:

  • Device impersonation in Apple services
  • Forgery of identity-bound tokens
  • Abuse of end-to-end encryption assumptions
  • Untrusted signing operations using trusted keys

This breaks the integrity of Apple's cryptographic trust model: not by decrypting ciphertexts, but by co-opting legitimate keys for unauthorized use.


Affected Versions

  • iOS Versions: 18.4 and below
  • Patched In: iOS 18.4.1

Affected components (direct vs. collateral)

Directly exploited / vulnerable

  • AudioConverterService (CoreAudio) — AAC decoder heap corruption via malformed inMagicCookie (CVE-2025-31200).
  • AppleBCMWLAN.dext (WiFi driver) — AMPDU status mishandling leading to kernel privilege escalation (CVE-2025-31201).
  • CryptoTokenKit — Unauthorized signing operations invoked post-compromise using Secure Enclave-backed keys.

Collateral / leveraged components (observed activity or impact)

  • IMTransferAgent / imagent — Attachment decryption and materialization (shows file reached local decoder).
  • identityservicesd / IDS — Peer lookup, token validation, and key-management activity tied to signing abuse.
  • AWDL / Apple Wireless Direct Link (com.apple.madrid) — Peer discovery/advertising pathway used to surface/validate tokens.
  • mediaplaybackd / AVFoundation / WebKit (WKWebView) — HLS/variant switching and WebKit GPU decode paths implicated in playback instability and PME triggers.
  • audiomxd / audio subsystem — PME enforcement logs and AP ↔ coprocessor connect attempts appear here.
  • AppleDCP / GPU (AppleDCPDPTXController) — ALPM/getLinkData failures and GPU link errors during PME incidents.
  • powerd / PME / power management traces — Power-state transitions and enforcement failures.
  • launchd / system supervisor — ReportMemoryException / SoC stall symptoms indicating system-wide impact.
  • keychaind / secd / CloudKeychainProxy (key services) — Implicated by downstream signing/token misuse.
  • IO80211ControllerMonitor / IO80211 interfaces — Driver/kernel interface logs related to AMPDU anomalies.

Note: The exploit directly compromises a small set of components but touches many subsystems as failures propagate.


Exploit Overview

1. Bypass of iMessage Protections via Known Sender

The malicious audio file was delivered from a previously known contact, which in observed cases caused iMessage filtering and sandboxing to be bypassed (BlastDoor/Blackhole protections were not applied). This allowed the attachment to be processed automatically (zero-click) and handed to system services for decoding.

Logs:

IDSDaemon    BlastDoor: Disabled for framing messages
SpamFilter    Blackhole disabled; user has disabled filtering unknown senders.

Observed behavior: message processed while device was locked (no user interaction required).

2. Heap Corruption in CoreAudio (CVE-2025-31200)

A malformed MP4 audio file triggers heap/memory corruption inside CoreAudio's AAC decoder by supplying an invalid decoder parameter (inMagicCookie) and malformed codec metadata. Logs show the decoder receiving a standard AAC input format but an invalid inMagicCookie size, which is the immediate cause of the corruption that is later chained to kernel escalation and, in observed cases, to PME enforcement failures.

Logs:

AudioConverterService ACMP4AACBaseDecoder.cpp: Input format: 2 ch, 44100 Hz, aac
AudioConverterService ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39

Why this matters:
The inMagicCookie field contains codec configuration data used by the AAC decoder; an invalid size or malformed contents can cause unsafe parsing and heap corruption. Confirming the input format (channels/sample rate/codec) helps responders reproduce the decoder state without exposing exploit primitives.
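Added example, not CoreAudio's own code: a reference validator for the decoder parameter discussed above, assuming the AAC magic cookie carries an MPEG-4 AudioSpecificConfig (ISO/IEC 14496-3). It refuses the null-pointer/non-zero-size combination seen in the log before any field is interpreted and bounds-checks every subsequent read; `validate_magic_cookie` and `cookie_is_acceptable` are this example's own names.

```python
# Sampling-frequency index table from ISO/IEC 14496-3 (index 4 = 44100 Hz).
SAMPLE_RATES = [96000, 88200, 64000, 48000, 44100, 32000, 24000,
                22050, 16000, 12000, 11025, 8000, 7350]

class BadMagicCookie(ValueError): """Any cookie the decoder must refuse before interpreting it."""

class _BitReader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read(self, nbits: int) -> int:
        # Every field read is bounds-checked, so a short cookie never runs past the buffer.
        if self.pos + nbits > len(self.data) * 8:
            raise BadMagicCookie(f"{nbits}-bit field runs past end at bit {self.pos}")
        v = 0
        for _ in range(nbits):
            v = (v << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v

def validate_magic_cookie(cookie, declared_size: int) -> dict:
    """Check pointer/size consistency first, then parse AudioSpecificConfig with bounds checks."""
    if cookie is None:  # the logged state: inMagicCookie=0x0 with inMagicCookieByteSize=39
        raise BadMagicCookie(f"null cookie with declared size {declared_size}")
    if declared_size != len(cookie):
        raise BadMagicCookie("declared size does not match buffer length")
    if declared_size < 2:
        raise BadMagicCookie("AudioSpecificConfig needs at least 2 bytes")
    br = _BitReader(cookie)
    aot = br.read(5)               # audioObjectType (31 = escape, 6 more bits follow)
    if aot == 31:
        aot = 32 + br.read(6)
    sfi = br.read(4)               # samplingFrequencyIndex (15 = explicit 24-bit rate)
    if sfi == 15:
        rate = br.read(24)
    elif sfi >= 13:
        raise BadMagicCookie(f"reserved samplingFrequencyIndex {sfi}")
    else:
        rate = SAMPLE_RATES[sfi]
    chan = br.read(4)              # channelConfiguration; 0 needs a PCE this check does not parse
    if chan == 0 or chan > 7:
        raise BadMagicCookie(f"unsupported channelConfiguration {chan}")
    return {"object_type": aot, "sample_rate": rate, "channels": chan}

def cookie_is_acceptable(cookie, declared_size: int) -> bool:
    try:
        validate_magic_cookie(cookie, declared_size)
        return True
    except BadMagicCookie:
        return False
```

The two-byte cookie 0x12 0x10 is the conventional AAC-LC, 44.1 kHz, stereo configuration matching the logged input format; a null cookie with size 39 is rejected before any parsing.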

2.a PME Enforcement Failure — hardware interconnect & power management impact

Playback of the malformed MP4 triggered a Power Management Entity (PME) enforcement failure, preventing proper interconnects between the Application Processor and co-processors (e.g., WiFi, Bluetooth, GPU) and leading to variant-switching loops, GPU/driver errors, and ultimately a device-wide stall.

Logs:

audiomxd: Connection between ports Application Processor and <CO-PROC_PORT> not allowed due to property inclusion policy Require PME Enabled
kernel: DCPAV[PID] AppleDCPDPTXController::getLinkDataGated getALPMEnabled failed
mediaplaybackd: FigAlternate/HLS variant switching loop detected
mediaplaybackd: Repeated playback switch -> stall
launchd: ReportMemoryException -> power state collapse / SoC stall

Why this matters:

  • The PME log shows the system refused an AP <-> coprocessor connection because PME was not enabled, indicating an improper power state transition during media decode.
  • GPU/DCP and mediaplaybackd errors confirm variant switching instability and deadlock behavior following the decode failure.
  • The launchd memory exception and SoC stall demonstrate system-wide impact beyond a process crash — a hardware/power coordination collapse that requires vendor firmware/PME review.

3. IMTransferAgent decrypts and materializes the audio attachment

After CoreAudio begins processing, IMTransferAgent decrypts and writes the audio file to disk for further processing: evidence that the attachment reached the local decoder and system processing pipeline.

Logs:

IMTransferAgent    Succeeded decrypting input URL: file:///var/mobile/tmp/com.apple.messages/<GUID_REDACTED>/.../<FILE_REDACTED>.m4a

4. Kernel Privilege Escalation via AppleBCMWLAN (CVE-2025-31201)

CoreAudio's memory corruption is chained into the AppleBCMWLAN WiFi driver via malformed AMPDU status processing. The driver fails to handle unexpected AMPDU status types, allowing memory corruption to be turned into kernel code execution and full system compromise.

Logs:

IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 14
IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 13

4.a Wireless Peer Manipulation Observed (AWDL / madrid)

Following kernel-level anomalies, identityservicesd logs indicate that wireless peer discovery and token state were leveraged to surface or validate device identities. This behavior likely facilitated downstream key operations and CryptoTokenKit signing activity.

Logs:

IDSDaemon identityservicesd: Noting peer token {shouldNoteToken: YES, token: <TOKEN_REDACTED>, service: com.apple.madrid, fromIdentifier: <ID_REDACTED>}
PeerLookup_DBCache identityservicesd: DB Cache Hit { service: com.apple.madrid, fromURI: <URI_REDACTED>, toURI: <URI_REDACTED> }
PeerLookup_SwiftData identityservicesd: Checking peer token: <TOKEN_REDACTED> for URI: <URI_REDACTED> (Tokens: <REDACTED>)
PeerLookup_SwiftData identityservicesd: => Good to go, we have it

Why this matters:

  • This shows how the attacker used peer discovery and cached tokens to validate or manipulate device identities.
  • This provides a link between wireless/driver anomalies and subsequent identity and signing operations.

5. Unauthorized Use of Secure Enclave Keys via CryptoTokenKit

With kernel control the attacker impersonates identityservicesd and invokes cryptographic signing operations via CryptoTokenKit using Secure Enclave-backed keys. No key material is exported, but signing requests are performed without user authorization, enabling forged identity tokens and device impersonation.

Logs:

identityservicesd Decrypting message <GUID_REDACTED> of encryption type "pair-tetra"
identityservicesd begins key management operations (sending/receiving decryption keys)
identityservicesd Query for encryption with IDs of remote/local devices
CryptoTokenKit    operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256
CryptoTokenKit    <sepk:p256(d) kid=<KID_REDACTED>> parsed for identityservicesd

These entries confirm unauthorized signing activity (algorithm and operation) and directly link the kernel pivot to abuse of Secure Enclave-backed keys, undermining service-level authentication without extracting keys.
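Added example, not part of the original write-up: a small triage script that runs the indicators quoted in steps 1 through 5 over log lines (here a constructed sample modelled on the excerpts above, with placeholders for the redacted values) and reports which stages are present and whether they occur in chain order. The stage names and the escalation rule are this example's own assumptions.

```python
import re

# Constructed sample lines, modelled on the excerpts quoted in this write-up
# (GUIDs, tokens and key ids replaced by placeholders); not a real capture.
SAMPLE_LOG = """\
IDSDaemon    BlastDoor: Disabled for framing messages
SpamFilter    Blackhole disabled; user has disabled filtering unknown senders.
AudioConverterService ACMP4AACBaseDecoder.cpp: Input format: 2 ch, 44100 Hz, aac
AudioConverterService ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39
IMTransferAgent    Succeeded decrypting input URL: file:///var/mobile/tmp/com.apple.messages/<GUID>/a.m4a
IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 14
CryptoTokenKit    operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256
CryptoTokenKit    <sepk:p256(d) kid=<KID>> parsed for identityservicesd
"""

# One pattern per stage of the chain, in the order the write-up describes it.
STAGES = [
    ("blastdoor_bypass", re.compile(r"BlastDoor: Disabled|Blackhole disabled")),
    # null cookie pointer together with a non-zero declared size
    ("coreaudio_cookie", re.compile(r"inMagicCookie=0x0, inMagicCookieByteSize=(?!0\b)\d+")),
    ("attachment_materialized", re.compile(r"IMTransferAgent.*Succeeded decrypting input URL")),
    ("ampdu_unhandled", re.compile(r"setAMPDUstat unhandled kAMPDUStat_ type \d+")),
    ("sep_signing", re.compile(r"CryptoTokenKit.*(algid:sign:|sepk:p256)")),
]

def match_stages(lines):
    """Map stage name -> list of 1-based line numbers where its pattern hit."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for name, rx in STAGES:
            if rx.search(line):
                hits.setdefault(name, []).append(n)
    return hits

def triage(text):
    """Summarise which stages appear, whether their first hits follow chain
    order, and whether the combination warrants escalation."""
    hits = match_stages(text.splitlines())
    seen = [name for name, _ in STAGES if name in hits]
    ordered = all(hits[a][0] < hits[b][0] for a, b in zip(seen, seen[1:]))
    # A bad cookie alone is a decoder bug; paired with a driver or SEP-signing
    # anomaly it matches the chain described above.
    suspected = "coreaudio_cookie" in hits and (
        "ampdu_unhandled" in hits or "sep_signing" in hits)
    return {"stages": seen, "ordered": ordered, "chain_suspected": suspected}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```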


CVEs

| CVE / Tag | Component / Subsystem | Description / Impact | Exploit Vector / Evidence | CVSS / Severity (recommended) | Patch / Status |
|---|---|---|---|---|---|
| CVE-2025-31200 | AudioConverterService (CoreAudio) | Heap corruption in AAC decoder via malformed inMagicCookie (decoder params) | Malicious MP4 audio file; ACMP4AACBaseDecoder logs | 9.8 (Critical) | Patched in iOS 18.4.1 |
| CVE-2025-31201 | AppleBCMWLAN.dext (WiFi driver) | Kernel privilege escalation via malformed AMPDU status handling (driver) | Chained after CoreAudio corruption; AMPDU logs | 9.8 (Critical) | Patched in iOS 18.4.1 |
| (No CVE) | CryptoTokenKit / identityservicesd | Unauthorized use of Secure Enclave-backed keys invoked from compromised context | CryptoTokenKit signing logs; identityservicesd key ops | High (service impact) | Remediation recommended; vendor review |
| (No CVE) | PME / audiomxd / powerd (hardware impact) | Observed PME enforcement failure causing AP ↔ coprocessor connection block and SoC stalls | audiomxd / AppleDCP / mediaplaybackd / launchd logs | High (system impact) | Requires firmware/PME review (vendor) |

Apple publicly confirmed the use of a malicious audio file as the exploit vector, matching observed behaviors.


Impact Summary

  • Cryptographic isolation defeated: Secure Enclave-backed keys were invoked by untrusted code to perform signing operations without user authorization (keys were not exported, but their authority was abused).
  • Device impersonation & token forgery: Legitimate identity tokens and signatures could be forged, enabling impersonation across Apple services.
  • Service-level authentication undermined: The trust assumptions used by identity, messaging, and authentication services were subverted, degrading system-level integrity.
  • Zero-click remote compromise: The entire chain can be triggered remotely without user interaction, increasing scale and operational risk.
  • System stability / hardware impact: In observed cases the malformed media also triggered PME enforcement failures and GPU/media-path deadlocks that caused SoC stalls or device-wide freezes (denial-of-service class impact).

Recommendations

  1. Enforce post-kernel attestation for CryptoTokenKit. Even privileged callers should require validation before invoking key-bound operations.
  2. Apply BlastDoor and Blackhole protections to all messages. Do not bypass inspection based on sender status.
  3. Sanitize codec inputs. Input validation for decoder parameters (e.g., inMagicCookie) must be rigorous.
  4. Secure kernel-exposed driver surfaces. Harden wireless and AMPDU handling against malformed input even after memory corruption.
  5. Isolate signing operations with runtime integrity enforcement. Cryptographic signing APIs should verify process integrity and entitlements even when the caller context is compromised.

Status

  • Reported: Yes
  • Patched: Yes — vendor released fixes in iOS 18.4.1
  • CVE IDs:
    • CVE-2025-31200: CoreAudio memory corruption
    • CVE-2025-31201: AppleBCMWLAN kernel escalation
  • Exploit Vector Confirmed by Apple: Yes — malicious MP4 audio file via iMessage
  • Exploit Type: Zero-day, zero-click, remote
  • Hardware / PME observation: PME enforcement failures and SoC stall behavior were observed in testing; vendor firmware/PME review recommended (no public CVE).