iOS 18.6.2 — System-Wide Trust Collapse

TL;DR: A malformed trust anchor reload in iOS 18.6.2 caused broken encryption system-wide. TLS certificate checks silently failed, allowing unverified connections in Safari, Mail, iCloud, and other services—exposing users to spoofing and interception.

Overview

On August 20, 2025, logs from a real iPhone 14 running iOS 18.6.2 revealed a critical failure in Apple’s trust system.

In plain terms:

• The iPhone temporarily stopped verifying whether websites, apps, and services were trustworthy.
• Every certificate was treated as valid — including potentially malicious ones.
• Security of Safari, Mail, iCloud, Bluetooth accessories, and even baseband radio was impacted.

For a short window, the device operated as if all connections were secure, when they were not.

---

Why This Matters

All iPhone security depends on certificate validation, which underpins:

• The lock icon in Safari
• Authentication for iCloud services
• Encrypted communication with accessories and networks

When checks fail in an open state:

• Attackers can impersonate websites and Apple services
• Malicious accessories or networks can inject data or spoof updates
• Sensitive data may be intercepted or redirected without detection

This is a worst-case failure mode because the system did not block traffic or alert the user — it silently accepted everything.

---

What Happened

1. An Apple service (financed) encountered a permission error.

2. The system privacy daemon (tccd) incorrectly granted the permission.

3. The trust subsystem (trustd) reloaded its anchors, which failed with:

   Malformed anchor records, not an array
   

4. Despite the error, the system continued treating all certificates as valid.

Affected systems included:

• Safari and WebKit-based apps
• iCloud and CloudKit
• Bluetooth and accessory management
• Baseband and cellular radio
• Apple’s privacy enforcement subsystem

---

Technical Highlights

• Key processes: trustd, securityd, nsurlsessiond, tccd, CommCenter

• Error log:

  trustd: Malformed anchor records, not an array
  

• Impact on ATS (App Transport Security):

  set_ats_enforced = false
  min_rsa_key_size = 0
  min_ecdsa_key_size = 0
  min_signature_algorithm = 0
  

• TLS handshakes advanced with pending trust evaluations but were still accepted.

---

Risk Profile

Category	Impact Description
Confidentiality	TLS interception, iCloud impersonation, unencrypted traffic exposure
Integrity	Spoofed sync operations, malicious accessory provisioning
Availability	Crashes, trust errors, accessory pairing failures
Scope	System-wide — all trust-based subsystems affected

---

Recommended Actions

For End Users

• Reboot the device to restore a valid trust state.

• Avoid the following during a suspected failure window:

  • Pairing accessories
  • Connecting to untrusted networks
  • Performing iCloud syncs or installing updates

• Stay updated with the latest iOS patches.

For Security Teams

Detection Tips:

• "Malformed anchor records" in trustd
• set_ats_enforced = false in nsurlsessiond
• Certificate evaluations marked pending but accepted

Engineering Recommendations:

• Fail-closed on trust evaluation errors
• Lock ATS enforcement settings after boot
• Add schema validation to trust anchor deserialization
• Patch TOCTOU flaws in TLS processing

---

Why This Is Critical

This was not a simple bug. It was a collapse of iOS’s trust layer — the foundation of secure communication and authentication.

During the failure:

• Certificate verification was bypassed
• TLS requirements were disabled
• Critical services trusted unverified connections without any warning

This left users and organizations vulnerable to impersonation, interception, and tampering.

---