Interesting comments.
Yes, it's possible, viable and doable. No, there isn't a physical possession requirement. Whether it happened depends on examination results.
The investigation will provide more intelligence if you tunnel complete device traffic through a server and analyze that traffic - set up a local VPN with your own DNS for a start. Be advised that the SIM should be disabled and WLAN used exclusively in order to segregate.
In the end, assume compromise and establish a sanitary cordon - dispose of the devices and associated SIM. Change iCloud. Transfer data from an offline source.
After I allowed someone to use my mobile network through internet sharing on my iPhone, I feel that both my phone and my brand new Apple Watch Ultra 2 are acting strangely.
The man only had access for 5 minutes MAX, and it was only internet sharing—he did not have the phone in his hand.
Of course, it could just be a coincidence.
Indifferent probability. May be a coincidence, may be an attack.
So you mean it is not possible to do so in 5 minutes with an iPhone from an average guy hanging around in the local gym?
Why do you assume it's a random and average male person if the name of the thread implies a nefarious aspect?
He came over to me one morning and said his phone had no network anymore, assuming his data was used up, and asked if I could share my internet with him. I said that I could, but only for 5 minutes, no more. I see him every morning... but never talk to him.
Your OCT content implies that you are aware and critical. What gym doesn't have a WLAN for members? Probability is now more towards focused action.
Why would a person - assumed attacker - need to be an Israeli agent - maybe you are targeted for kidnapping because you are rich?
If the attacker has root privileges on the device, they could potentially embed the code deeply enough to survive a factory reset.
When a telephone device acts as a hotspot, it's a routing and switching function that connects two protocols - 802.11 and any cellular connectivity (3G/4G/5G) - on OSI layers 2 and 3, besides DHCP.
Compared to any other switches and routers, traffic passing through by MAC or IP address does not employ more hardware resources, as there is no traffic inspection.
DHCP is a program with root privilege and functions as a delegator of NATed addresses - from the private network scopes 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 - that can't be routed via public networks.
DHCP will assign an address to a WLAN client, and the traffic packets will be masqueraded by kernel mapping - in order to allow access to the public network and disguise the origin.
Theoretically, DHCP and its communication with the kernel can have a vulnerability.
When that person's device got a NATed address from your device's hotspot function, its public address - delegated by the provider - was discovered. But nowadays CGNAT - a carrier-grade NAT - exists, so there isn't significant risk, as your device won't share a directly accessible public address.
Perhaps, in a scenario where you are not mapped with a device, you may be (or have been) a target for permanent identification and location - IMEI/IMSI set - or via previous deployment of a complex payload.
There are malicious payloads for iPhone/iPad that require physical access - also, there are payloads that can be deployed via WLAN, as they require the network as an attack vector. Beware that security is relative and that black swans do exist - even if everybody praises something - such as ssh - assume that it's compromised.
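To make the NAT and CGNAT points in the post above concrete, here is an added example (not code from the thread) that models what a tethering hotspot does: it hands out a private address, rewrites outbound client flows to its own upstream address, lets only matching replies back in, and classifies whether that upstream address is even reachable from the Internet. The client subnet 172.20.10.0/28 is assumed for an iPhone hotspot, and all addresses in the test are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 ranges named in the post, plus RFC 6598 shared address space (CGNAT).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Is the hotspot's upstream address directly reachable from the Internet?
    'private' and 'cgnat' mean a peer who learned it cannot connect back to it."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Minimal stateful source NAT, the mapping a hotspot kernel keeps per flow."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out = {}   # (client src, sport, dst, dport) -> mapped source port
        self.back = {}  # mapped source port -> (client src, sport)

    def outbound(self, f: Flow) -> Flow:
        # Client packet leaves with the hotspot's address; original origin is hidden.
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = (f.src, f.sport)
            self.next_port += 1
        return Flow(self.wan_ip, self.out[key], f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        # Only replies to an existing mapping are translated; anything else is dropped.
        if f.dst != self.wan_ip or f.dport not in self.back:
            return None
        src, sport = self.back[f.dport]
        return Flow(f.src, f.sport, src, sport)
```

The tethered client only ever sees the hotspot's private gateway address (assumed 172.20.10.1), and an unsolicited packet to the upstream address finds no mapping and is discarded.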