From 6f0af369a39c8886bcfe4cef9213d3a811326328 Mon Sep 17 00:00:00 2001 From: Joseph Goydish II Date: Sun, 7 Dec 2025 20:09:58 -0500 Subject: [PATCH] Create README.md --- README.md | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..509bc03 --- /dev/null +++ b/README.md @@ -0,0 +1,54 @@ +# Apple Internal Certificate Compromise + +**TL;DR:** +A **retail iPhone** contained an **AppleCare Profile Signing Certificate** — an **internal-only credential that never ships to users** — with a **serial number not issued by Apple**, yet trusted by iOS. Alongside this, **internal voice and Siri logging payloads** were active, capturing **unredacted telemetry**. This is a **full-chain trust breach**, impossible via legitimate means. + +--- + +## Key Facts + +### 1. Internal-Only AppleCare Certificate on Device +- Exists only in Apple's private signing infrastructure +- **Never** installed on consumer devices +- Indicates **unauthorized Apple-trusted signing material** + +### 2. Serial Number Not Issued by Apple +``` +0xb745972d0f5e989 +``` +- Chains to Apple CA but **not in any Apple-issued cert catalog** +- Confirms **cryptographic compromise** + +--- + +## ⚠️ Supporting Payloads + +### Payload 1 — VoiceServices Logging +``` +UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629 +Level: Debug (7), PUBLIC, Persist: TRUE +``` + +### Payload 2 — Siri Subsystems Logging +``` +UUID: 2cb17420-1f7a-012e-6679-442c03067622 +28 internal subsystems active +Unredacted, max verbosity, persistent +``` + +### Payload 3 — Speech Logging +``` +UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60 +Speech logging: ENABLED +``` + +**Impact:** Retail device running **internal Apple telemetry**, impossible via consumer config. + +--- + +## 🧨 Combined Interpretation +- Internal-only AppleCare cert present +- Serial number not issued by Apple, yet trusted +- Multiple internal telemetry payloads active + +**Conclusion:** Privileged, unauthorized profile-level compromise.