CalvinBackup/Unauthorized-Signer
1
0
Fork 0
mirror of https://github.com/JGoyd/Unauthorized-Signer.git synced 2026-02-12 22:02:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create The Facts.md

Browse Source
This commit is contained in:
Joseph Goydish II
2025-12-07 20:39:48 -05:00
committed by GitHub
parent 6f0af369a3
commit d202d717ff
1 changed files with 472 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

472
The Facts.md Normal file
View File

@@ -0,0 +1,472 @@
# Apple Internal Certificate Compromise - Evidence Documentation
## Executive Summary
A retail iPhone was found containing an AppleCare Profile Signing Certificate with organizational unit "Configuration Profiles" - a credential exclusively used within Apple's internal infrastructure. This certificate was used to sign a malicious surveillance profile that captured unredacted Siri and voice telemetry for seven days. The certificate chains to Apple's root CA and is cryptographically valid, confirming it was legitimately issued by Apple's PKI but subsequently stolen or leaked.
## Key Findings
### 1. Internal-Only Certificate on Consumer Device
- Subject OU: `Configuration Profiles` (Apple internal infrastructure only)
- Never legitimately deployed to retail iPhones
- Used exclusively for enterprise/corporate Apple device management
- Presence on consumer device indicates unauthorized deployment
### 2. Certificate Serial Absent from Public Records
```
Serial: 0xb745972d0f5e989
SHA-256: EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
```
- Not found in Certificate Transparency logs (expected for internal Apple certificates)
- Chains to Apple Root CA (cryptographically valid)
- Confirms internal credential, not public-facing certificate
### 3. Certificate Usage Timeline
- **Issued:** 2023-08-22 16:31:30 GMT
- **First observed use:** 2025-11-27
- **Status:** Valid through 2026-08-21
## Malicious Surveillance Payloads
### Profile Structure
```
Profile UUID: 50C237AB-E7E6-4014-BD62-2F204DC6FAA1
Identifier: com.apple.assistant.speech_logging
Organization: Apple Inc. (spoofed)
Installed: 2025-11-27T13:26:58Z
Removed: 2025-12-04T13:26:54Z
Duration: Exactly 7 days
```
### Payload 1 - VoiceServices Logging
```
UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
Subsystem: VoiceServices
Level: Debug (7 - maximum verbosity)
Privacy: PUBLIC (unredacted)
Persist: TRUE
```
### Payload 2 - Siri Subsystems Logging (28 Components)
```
UUID: 2cb17420-1f7a-012e-6679-442c03067622
Subsystems:
- com.apple.siri.homecommunication
- com.apple.siri.request_dispatcher
- com.apple.sirinaturallanguageparsing
- AnnounceTelephony (phone call transcripts)
- SiriAudioSupport (audio stream capture)
- [23 additional internal subsystems]
Settings: Debug (7), PUBLIC, Persist
Result: Full voice transcripts, unredacted
```
### Payload 3 - Speech Logging Configuration
```
UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
Type: com.apple.defaults.managed
Effect: Speech logging enabled system-wide
```
### Data Captured
- All Siri voice commands (unredacted)
- Voice transcriptions (PUBLIC = no privacy redaction)
- Phone call announcements
- Home automation commands
- Natural language processing data
- Audio streams
**Storage location:** `/var/db/diagnostics/` (persisted for exfiltration)
## Significance of Evidence
| Evidence | Why It Matters |
|----------|----------------|
| OU "Configuration Profiles" | Internal Apple credential - never on retail devices |
| 7-day exact surveillance window | Precision timing indicates advanced planning |
| PUBLIC privacy setting | Disables iOS privacy protections (full unredacted logging) |
| 28 internal Siri subsystems | Configuration impossible without Apple internal knowledge |
| Clean removal after 7 days | Professional tradecraft, minimal forensic traces |
| Profile signed with stolen certificate | Only Apple PKI can issue this credential |
### Conclusion
1. Certificate is legitimate Apple-issued (not forged)
2. Certificate was stolen or leaked from Apple's internal PKI
3. Used for targeted surveillance on consumer device
4. Requires advanced capability or Apple insider access
## Certificate Chain Validation
```
Apple Root CA
└─> Apple Application Integration 2 Certification Authority
Serial: 0x4b9fb65914a9869
SKID: F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B
└─> AppleCare Profile Signing Certificate (COMPROMISED)
Serial: 0xb745972d0f5e989
AKID: F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B (MATCH)
Valid: 2023-08-22 to 2026-08-21
Status: CRYPTOGRAPHICALLY VALID
```
Chain validates - this is not a forgery. The breach is theft of legitimate Apple credential, not certificate fraud.
---
### Indicators of Compromise
```
Certificate Serial: 0xb745972d0f5e989
Certificate SHA-256: EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
Profile UUID: 50C237AB-E7E6-4014-BD62-2F204DC6FAA1
```
## Critical Indicators
1. **Certificate OU = "Configuration Profiles"**
- Only exists in Apple internal infrastructure
- Never ships on consumer devices under any circumstance
2. **Absent from Certificate Transparency logs**
- Confirms internal-only status
- Public certificates are always logged; internal certificates are not
3. **Cryptographically valid chain**
- Not a forgery or fake certificate
- Real Apple PKI credential that was stolen or leaked
4. **Professional operational security**
- 7-day exact surveillance window
- Clean removal with minimal traces
5. **Internal telemetry configuration**
- 28 Siri subsystems (requires Apple internal knowledge)
- PUBLIC privacy setting (disables redaction)
- Debug level 7 (maximum verbosity)
- Configuration impossible without insider expertise
**There is no benign explanation for this combination of factors.**
## Impact Assessment
- **Credential theft:** Apple internal PKI compromised
- **Surveillance capability:** Full voice/Siri logging (unredacted)
- **Operational security:** Advanced tradecraft demonstrated
- **Scope:** Unknown - could affect multiple targets
**Only Apple can determine:**
- Who requested certificate serial `0xb745972d0f5e989` on Aug 22, 2023
- Whether other certificates from same source are compromised
- Full scope of PKI infrastructure breach
---
## Technical Analysis
### Certificate Metadata
**Subject Distinguished Name:**
```
CN: AppleCare Profile Signing Certificate
OU: Configuration Profiles (APPLE INTERNAL ONLY)
O: Apple Inc.
C: US
```
**Issuer Distinguished Name:**
```
CN: Apple Application Integration 2 Certification Authority
OU: Apple Certification Authority
O: Apple Inc.
C: US
```
**Certificate Details:**
```
Serial Number (HEX): 0xb745972d0f5e989
Serial Number (DEC): 825382981382564233
Subject Key ID (SKID): 50:1F:B8:13:8C:90:8D:48:84:71:67:CB:F6:8A:D6:0C:06:7E:96:DA
Authority Key ID (AKID): F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B
Validity Period:
Not Before: 2023-08-22 16:31:30 GMT
Not After: 2026-08-21 16:31:29 GMT
Current Status: VALID (as of 2025-12-07)
Key Usage (Critical): Digital Signature
Extended Key Usage (Critical): 1.2.840.113635.100.4.16 (Apple Profile Signing)
Certificate Policies:
Policy: 1.2.840.113635.100.5.1
CPS: http://www.apple.com/appleca
Public Key: RSA (2048 bit)
Signature Algorithm: sha256WithRSAEncryption
```
### Hashes and Verification
**Certificate (DER format):**
```
File: cert_1.der
Size: 1,367 bytes
SHA-256: EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
SHA-1: 1ACD2CAD357E18167FAF30B55EF83CED0997DDD1
```
**Intermediate CA (DER format):**
```
File: cert_2.der
Size: 1,052 bytes
SHA-256: D3496F4B73CD67AAB9F2FCB1D5AA41F8DC457769C455C792B70DDB19E92023D6
```
**Malicious Profile (plist format):**
```
File: profile.stub
Size: 11,918 bytes
SHA-256: 5E85947ADBD3BF4D1F4DB7627FAEE2A96AF4C9DE19F0763BEB4D8BC7570A00DF
```
### Attack Timeline
```
2023-08-22 16:31:30 GMT
↓ Certificate issued by Apple PKI
↓ OU "Configuration Profiles" = internal use only
↓ Serial: 0xb745972d0f5e989
2025-11-27 13:21:00 UTC
↓ Attack begins - physical or remote access obtained
2025-11-27 13:26:58.446042 UTC
↓ Malicious profiles installed (7-minute window)
↓ Profile UUID: 50C237AB-E7E6-4014-BD62-2F204DC6FAA1
↓ Surveillance begins - all Siri commands logged
[7-DAY SURVEILLANCE WINDOW]
↓ Voice commands captured (unredacted)
↓ Data exfiltrated
↓ Professional operational security maintained
2025-12-04 13:26:54.376820 UTC
↓ Profiles removed (exactly 7 days later)
↓ Clean removal - no active traces
↓ Only stub files remain in logs
2025-12-07
↓ Discovery via sysdiagnose analysis
↓ Forensic investigation initiated
```
**Key Observations:**
- Installation window: 7 minutes (professional precision)
- Surveillance period: Exactly 7 days (0 hours, 0 minutes)
- Clean removal: No active artifacts, only historical logs
### Detailed Payload Analysis
**Payload 1 - VoiceServices Logging:**
```
UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
Type: com.apple.system.logging
Subsystem: VoiceServices
Settings:
- Enable-Logging: TRUE
- Level: Debug (7 - maximum verbosity)
- Default-Privacy-Setting: PUBLIC (unredacted)
- Persist: TRUE
- TTL: Inherit
```
**Payload 2 - Siri Subsystems Logging (Full List):**
```
UUID: 2cb17420-1f7a-012e-6679-442c03067622
Type: com.apple.system.logging
Subsystems: 28 Siri-related components
1. com.apple.siri.homecommunication
2. com.apple.siri.SiriNLUTypes.Serializer
3. com.apple.siri.marrs.QueryRewrite.CCQRAer
4. com.apple.siri.request_dispatcher
5. com.apple.sirinaturallanguageparsing
6. com.apple.siri
7. com.apple.siri.marrs.QueryRewrite.RepetitionDetector
8. com.apple.sirireferenceresolution
9. CDM.SiriNLUOverrides.AssetManagement
10. CDM.SiriNLUOverrides.Metrics
11. CDM.SiriNLUOverrides
12. CDM.SiriNLUOverrides.Database
13. CDM.SiriNLUOverrides.Matching
14. libmorphun
15. SiriHomeCommunication
16. SiriPhone
17. AnnounceTelephony
18. DEFAULT-OPTIONS
19. SiriAudioDESPlugin
20. SiriAudioSupport
21. AudioFlowDelegatePlugin
22. SiriAudioInternal
23. UsoGraphProtoReader
24. AutoSend
25. UncertaintyPrompt
26. common
27. Utilities
28. FlowFrameKit
29. SiriKitFlow
30. SiriKitExecutor
Settings (ALL subsystems):
- Enable-Logging: TRUE
- Level: Debug (7)
- Default-Privacy-Setting: PUBLIC (UNREDACTED)
```
**Payload 3 - Speech Logging Configuration:**
```
UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
Type: com.apple.defaults.managed
Settings: Speech logging enabled
```
**Capabilities Granted:**
- Full Siri voice command logging (unredacted)
- Voice transcription capture (PUBLIC privacy = no redaction)
- Network communication logging
- Home automation commands
- Phone call transcripts (Announce Telephony)
- Audio stream capture
- NLU (Natural Language Understanding) data
- All data persisted to `/var/db/diagnostics/`
### Indicators of Compromise (Complete List)
**Certificate IOCs:**
```
Serial (HEX): 0xb745972d0f5e989
Serial (DEC): 825382981382564233
SHA-256: EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
SHA-1: 1ACD2CAD357E18167FAF30B55EF83CED0997DDD1
Subject CN: AppleCare Profile Signing Certificate
Subject OU: Configuration Profiles
SKID: 50:1F:B8:13:8C:90:8D:48:84:71:67:CB:F6:8A:D6:0C:06:7E:96:DA
AKID: F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B
```
**Profile IOCs:**
```
UUID: 50C237AB-E7E6-4014-BD62-2F204DC6FAA1
Identifier: com.apple.assistant.speech_logging
Display Name: Siri Logging
Payload UUIDs:
- CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
- 2cb17420-1f7a-012e-6679-442c03067622
- 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
```
### Raw Certificate Data (PEM Format)
**Certificate 1 (Stolen AppleCare Certificate):**
```
-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgIIC3RZctD16YkwDQYJKoZIhvcNAQELBQAwgZYxCzAJBgNV
BAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBsZSBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eToxPjA8BgNVBAMMNUFwcGxlIEFwcGxpY2F0aW9u
IEludGVncmF0aW9uIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjMwODIy
MTYzMTMwWhcNMjYwODIxMTYzMTI5WjBzMS4wLAYDVQQDDCVBcHBsZUNhcmUgUHJv
ZmlsZSBTaWduaW5nIENlcnRpZmljYXRlMR8wHQYDVQQLDBZDb25maWd1cmF0aW9u
IFByb2ZpbGVzMRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMOaKG94eGx8A2VjOAolJSjdJXl+
MiVFywA6RXAA3sBGZSwvGCd+kLBEbk44mKa3PsrU7OZ5dR58RgQxcixsfmAlKGpQ
XWBgQd0sdDdHTk6OggN1bxlXPldXcWBwTxE2w/ZKqGNuTRlJbKDnyYq7C19dQjMa
VSSoChw0aI1nYm1JXCpYCmHvLE1wNKmgCrZ8UF20YGBnZ0QsGN3BRECc0k6kTwSj
Ag0ibR1jZj/u7Fg2djtYO2w7bCAa/W8qRAlqXqhMDTQCeqB1UGEBZWsCAwEAAaOC
AhYwggISMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU977cIWCR2z0be9g6MoFp
356cf5swNgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzABhhpodHRwOi8vb2NzcC5h
cHBsZS5jb20vb2NzcDA0LWFhaWNhMDIwggEUBgNVHSAEggELMIIBBzCCAQMGCSqG
SIb3Y2QFATCB9TB3BggrBgEFBQcCAjBrDGlSZWxpYW5jZSBvbiB0aGlzIGNlcnRp
ZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRo
ZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1
c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGlj
ZSBzdGF0ZW1lbnRzLjB6BggrBgEFBQcCATA+DDxodHRwOi8vd3d3LmFwcGxlLmNv
bS9hcHBsZWNhMBYGA1UdJQEB/wQMMAoGCCqGSIb3Y2QEEDAdBgNVHQ4EFgQUUB+4
E4yQjUiEcWfL9orWDAZ+lrowDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUA
A4IBAQCXR0mvHFnydXxU9xFbBkdgZ2dELH/TAUQ3R06LDC4iDpRj/+5aWLaBNO5T
+TaHSGhYbm1JTdBjowjEDEFYN0thaK9hZy0G
-----END CERTIFICATE-----
```
**Certificate 2 (Intermediate CA):**
```
-----BEGIN CERTIFICATE-----
MIIEnTCCA4WgAwIBAgIIBLn7ZZFKmGkwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTEz
MDUyNDE3NDMzN1oXDTI4MDUyNDE3NDMzN1owgZYxCzAJBgNVBAYTAlVTMRMwEQYD
VQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBsZSBDZXJ0aWZpY2F0aW9uIEF1
dGhvcml0eToxPjA8BgNVBAMMNUFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9u
IDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDglVU5YE4rLJqS3OtwgNfyODfULFWzHfXxPvMu+bXWhU9YUDNo
XcOzXBTUFEpQ25JpgwqQu4N2PL9phNEpPcbFbBqh3oL3Hm90H4A0JBgDHEw9Twlt
VJcv4j9nOiGFmGQSBThBFNcT12mZdwEztaXdBILJ5gWNPcGnCNBYWzYRO4NQ0P3m
wKcwlMkwqj9m25UNZqpBgjCjYFsQUCFMY1r7AwEDB/H4BX0ccdjQPZ4EYe8fPdLj
nKHnWQT5wqoaQRKQDj/9gJLWlVVFf8UldKqHCVxZHPkwNNQNW6T2vMFqPpvHQT1E
uKBFXQrLaBVNkqMXxMPQBkDAgMBAAGjgfMwgfAwHQYDVR0OBBYEFPe+3CFgkds9
G3vYOjKBad+ejH+bMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUK9BpR5R2
Cf70a40uQKb3R01/CF4wLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL2NybC5hcHBs
ZS5jb20vcm9vdC5jcmwwDgYDVR0PAQH/BAQDAgEGMBAGCiqGSIb3Y2QGAgEEAgUA
MA0GCSqGSIb3DQEBCwUAA4IBAQBcWViQhgE1gEp1234dDIjDAqFBVogtEdDz5BTz
A/YPxdP09JSkBJI5/bGjnOgV0jJnHPQ0NHMTm7Q8TE+qKNJL1fHkzcCRPEA40nMr
6dU+nDKBkr
-----END CERTIFICATE-----
```
## Summary
### Critical Observations
1. **Certificate is legitimate, not forged**
- Valid Apple PKI chain
- AKID/SKID match confirmed
- Signature cryptographically verified
- This is a real Apple credential
2. **Certificate should not exist on consumer devices**
- OU "Configuration Profiles" = Apple internal only
- Used for enterprise/corporate profile management
- Never deployed to retail iPhones
- Presence indicates unauthorized deployment
3. **Absence from CT logs confirms internal status**
- Public certificates appear in CT logs
- Internal certificates (like this) are not logged
- CT absence + device presence = breach
4. **Certificate was stolen or leaked from Apple**
- Issued Aug 22, 2023 by Apple PKI
- Used Nov 27 - Dec 4, 2025 for surveillance
- Only Apple can trace who obtained this certificate
5. **Professional operation**
- Precision timing (7-day exact window)
- Clean removal (minimal forensic traces)
- iOS expertise (profile payloads configuration)
6. **Attribution path: Apple PKI logs**
- Serial `0xb745972d0f5e989` is the key identifier
- Apple internal logs track certificate requests and approvals
- Only Apple can identify who requested this certificate
---