Unauthorized-Signer/The Facts.md
Joseph Goydish II d202d717ff Create The Facts.md
2025-12-07 20:39:48 -05:00

Apple Internal Certificate Compromise - Evidence Documentation

Executive Summary

A retail iPhone was found containing an AppleCare Profile Signing Certificate with organizational unit "Configuration Profiles" - a credential exclusively used within Apple's internal infrastructure. This certificate was used to sign a malicious surveillance profile that captured unredacted Siri and voice telemetry for seven days. The certificate chains to Apple's root CA and is cryptographically valid, confirming it was legitimately issued by Apple's PKI but subsequently stolen or leaked.

Key Findings

1. Internal-Only Certificate on Consumer Device

  • Subject OU: Configuration Profiles (Apple internal infrastructure only)
  • Never legitimately deployed to retail iPhones
  • Used exclusively for enterprise/corporate Apple device management
  • Presence on consumer device indicates unauthorized deployment

2. Certificate Serial Absent from Public Records

Serial: 0xb745972d0f5e989
SHA-256: EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
  • Not found in Certificate Transparency logs (expected for internal Apple certificates)
  • Chains to Apple Root CA (cryptographically valid)
  • Confirms internal credential, not public-facing certificate

3. Certificate Usage Timeline

  • Issued: 2023-08-22 16:31:30 GMT
  • First observed use: 2025-11-27
  • Status: Valid through 2026-08-21

Malicious Surveillance Payloads

Profile Structure

Profile UUID: 50C237AB-E7E6-4014-BD62-2F204DC6FAA1
Identifier: com.apple.assistant.speech_logging
Organization: Apple Inc. (spoofed)
Installed: 2025-11-27T13:26:58Z
Removed: 2025-12-04T13:26:54Z
Duration: Exactly 7 days

Payload 1 - VoiceServices Logging

UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
Subsystem: VoiceServices
Level: Debug (7 - maximum verbosity)
Privacy: PUBLIC (unredacted)
Persist: TRUE

Payload 2 - Siri Subsystems Logging (28 Components)

UUID: 2cb17420-1f7a-012e-6679-442c03067622
Subsystems:
  - com.apple.siri.homecommunication
  - com.apple.siri.request_dispatcher
  - com.apple.sirinaturallanguageparsing
  - AnnounceTelephony (phone call transcripts)
  - SiriAudioSupport (audio stream capture)
  - [23 additional internal subsystems]
  
Settings: Debug (7), PUBLIC, Persist
Result: Full voice transcripts, unredacted

Payload 3 - Speech Logging Configuration

UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
Type: com.apple.defaults.managed
Effect: Speech logging enabled system-wide

Data Captured

  • All Siri voice commands (unredacted)
  • Voice transcriptions (PUBLIC = no privacy redaction)
  • Phone call announcements
  • Home automation commands
  • Natural language processing data
  • Audio streams

Storage location: /var/db/diagnostics/ (persisted for exfiltration)

Significance of Evidence

| Evidence | Why It Matters |
| --- | --- |
| OU "Configuration Profiles" | Internal Apple credential - never on retail devices |
| 7-day exact surveillance window | Precision timing indicates advanced planning |
| PUBLIC privacy setting | Disables iOS privacy protections (full unredacted logging) |
| 28 internal Siri subsystems | Configuration impossible without Apple internal knowledge |
| Clean removal after 7 days | Professional tradecraft, minimal forensic traces |
| Profile signed with stolen certificate | Only Apple PKI can issue this credential |

Conclusion

  1. Certificate is legitimate Apple-issued (not forged)
  2. Certificate was stolen or leaked from Apple's internal PKI
  3. Used for targeted surveillance on consumer device
  4. Requires advanced capability or Apple insider access

Certificate Chain Validation

Apple Root CA
  └─> Apple Application Integration 2 Certification Authority
      Serial: 0x4b9fb65914a9869
      SKID: F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B
      └─> AppleCare Profile Signing Certificate (COMPROMISED)
          Serial: 0xb745972d0f5e989
          AKID: F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B (MATCH)
          Valid: 2023-08-22 to 2026-08-21
          Status: CRYPTOGRAPHICALLY VALID

Chain validates - this is not a forgery. The breach is theft of a legitimate Apple credential, not certificate fraud.
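The checks behind a "chain validates" statement, as an added example that is not part of this evidence document: AKID/SKID linkage between each certificate and its issuer, RSA signature verification over the TBS bytes, the leaf's validity window, and the critical Apple Profile Signing EKU (OID 1.2.840.113635.100.4.16, as reported above). The three certificates are generated locally as a constructed stand-in; they are not Apple's certificates, and the example assumes the third-party `cryptography` package is installed.

```python
# Added example (not from the original evidence document): the checks behind a
# "chain validates" statement for a profile-signing certificate (AKID/SKID
# linkage, signature verification, validity window, critical Apple Profile
# Signing EKU). The three certificates are generated locally as a constructed
# stand-in; they are NOT Apple's certificates. Requires the third-party
# `cryptography` package.
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# EKU OID the document reports on the leaf certificate ("Apple Profile Signing").
APPLE_PROFILE_SIGNING = x509.ObjectIdentifier("1.2.840.113635.100.4.16")


def _name(cn, ou):
    return x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Constructed Example Org"),
    ])


def _issue(subject, key, issuer=None, issuer_key=None, *, is_ca, eku=None):
    """Issue one certificate; issuer=None produces a self-signed root."""
    not_before = dt.datetime.now(dt.timezone.utc) - dt.timedelta(days=1)
    signer_key = key if issuer is None else issuer_key
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject if issuer is None else issuer.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + dt.timedelta(days=3 * 365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        # AKID is what links a certificate to its issuer's SKID, as in the tree above.
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer_key.public_key()),
                       critical=False)
    )
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=True)
    return builder.sign(signer_key, hashes.SHA256())


def build_constructed_chain():
    """Root -> intermediate -> profile-signing leaf, all generated locally."""
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = _issue(_name("Constructed Root CA", "CA"), root_key, is_ca=True)
    inter = _issue(_name("Constructed Intermediate CA", "CA"), inter_key, root, root_key, is_ca=True)
    leaf = _issue(_name("Constructed Profile Signing", "Configuration Profiles"), leaf_key,
                  inter, inter_key, is_ca=False, eku=[APPLE_PROFILE_SIGNING])
    return leaf, inter, root


def skid(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest


def akid(cert):
    return cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier


def signed_by(cert, issuer):
    """True if the issuer's RSA public key verifies cert's signature (PKCS#1 v1.5)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def _validity_utc(cert):
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    # cryptography < 42 exposes naive datetimes that are already UTC
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def check_chain(leaf, intermediate, root, at=None):
    """Return each check an analyst would record before calling the chain valid."""
    at = at or dt.datetime.now(dt.timezone.utc)
    not_before, not_after = _validity_utc(leaf)
    eku = leaf.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    return {
        "leaf_akid_matches_intermediate_skid": akid(leaf) == skid(intermediate),
        "intermediate_akid_matches_root_skid": akid(intermediate) == skid(root),
        "leaf_signed_by_intermediate": signed_by(leaf, intermediate),
        "intermediate_signed_by_root": signed_by(intermediate, root),
        "root_self_signed": signed_by(root, root),
        "leaf_within_validity": not_before <= at <= not_after,
        "leaf_profile_signing_eku_critical": eku.critical and APPLE_PROFILE_SIGNING in eku.value,
    }


def fingerprint_sha256(cert):
    """Uppercase hex SHA-256 of the DER encoding, the form the IoC list uses."""
    return cert.fingerprint(hashes.SHA256()).hex().upper()


if __name__ == "__main__":
    chain = build_constructed_chain()
    for check, ok in check_chain(*chain).items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
    print("leaf SHA-256:", fingerprint_sha256(chain[0]))
```

Two points the checks make explicit: the AKID/SKID match only says which key the certificate claims to be signed by, and it is the signature verification that proves it; and a chain is only as good as its anchor, so the root must be compared against the Apple Root CA you already trust rather than taken from whatever the profile bundled. Revocation status is a separate question that these checks do not answer.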


Indicators of Compromise

Certificate Serial:   0xb745972d0f5e989
Certificate SHA-256:  EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
Profile UUID:         50C237AB-E7E6-4014-BD62-2F204DC6FAA1

Critical Indicators

  1. Certificate OU = "Configuration Profiles"

    • Only exists in Apple internal infrastructure
    • Never ships on consumer devices under any circumstance
  2. Absent from Certificate Transparency logs

    • Confirms internal-only status
    • Public certificates are always logged; internal certificates are not
  3. Cryptographically valid chain

    • Not a forgery or fake certificate
    • Real Apple PKI credential that was stolen or leaked
  4. Professional operational security

    • 7-day exact surveillance window
    • Clean removal with minimal traces
  5. Internal telemetry configuration

    • 28 Siri subsystems (requires Apple internal knowledge)
    • PUBLIC privacy setting (disables redaction)
    • Debug level 7 (maximum verbosity)
    • Configuration impossible without insider expertise

There is no benign explanation for this combination of factors.

Impact Assessment

  • Credential theft: Apple internal PKI compromised
  • Surveillance capability: Full voice/Siri logging (unredacted)
  • Operational security: Advanced tradecraft demonstrated
  • Scope: Unknown - could affect multiple targets

Only Apple can determine:

  • Who requested certificate serial 0xb745972d0f5e989 on Aug 22, 2023
  • Whether other certificates from same source are compromised
  • Full scope of PKI infrastructure breach

Technical Analysis

Certificate Metadata

Subject Distinguished Name:

CN: AppleCare Profile Signing Certificate
OU: Configuration Profiles (APPLE INTERNAL ONLY)
O:  Apple Inc.
C:  US

Issuer Distinguished Name:

CN: Apple Application Integration 2 Certification Authority
OU: Apple Certification Authority
O:  Apple Inc.
C:  US

Certificate Details:

Serial Number (HEX):    0xb745972d0f5e989
Serial Number (DEC):    825382981382564233
Subject Key ID (SKID):  50:1F:B8:13:8C:90:8D:48:84:71:67:CB:F6:8A:D6:0C:06:7E:96:DA
Authority Key ID (AKID): F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B

Validity Period:
  Not Before: 2023-08-22 16:31:30 GMT
  Not After:  2026-08-21 16:31:29 GMT
  Current Status: VALID (as of 2025-12-07)

Key Usage (Critical): Digital Signature
Extended Key Usage (Critical): 1.2.840.113635.100.4.16 (Apple Profile Signing)

Certificate Policies:
  Policy: 1.2.840.113635.100.5.1
  CPS: http://www.apple.com/appleca

Public Key: RSA (2048 bit)
Signature Algorithm: sha256WithRSAEncryption

Hashes and Verification

Certificate (DER format):

File: cert_1.der
Size: 1,367 bytes
SHA-256: EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
SHA-1:   1ACD2CAD357E18167FAF30B55EF83CED0997DDD1

Intermediate CA (DER format):

File: cert_2.der
Size: 1,052 bytes
SHA-256: D3496F4B73CD67AAB9F2FCB1D5AA41F8DC457769C455C792B70DDB19E92023D6

Malicious Profile (plist format):

File: profile.stub
Size: 11,918 bytes
SHA-256: 5E85947ADBD3BF4D1F4DB7627FAEE2A96AF4C9DE19F0763BEB4D8BC7570A00DF

Attack Timeline

2023-08-22 16:31:30 GMT
  ↓ Certificate issued by Apple PKI
  ↓ OU "Configuration Profiles" = internal use only
  ↓ Serial: 0xb745972d0f5e989

2025-11-27 13:21:00 UTC 
  ↓ Attack begins - physical or remote access obtained

2025-11-27 13:26:58.446042 UTC
  ↓ Malicious profiles installed (7-minute window)
  ↓ Profile UUID: 50C237AB-E7E6-4014-BD62-2F204DC6FAA1
  ↓ Surveillance begins - all Siri commands logged

[7-DAY SURVEILLANCE WINDOW]
  ↓ Voice commands captured (unredacted)
  ↓ Data exfiltrated
  ↓ Professional operational security maintained

2025-12-04 13:26:54.376820 UTC
  ↓ Profiles removed (exactly 7 days later)
  ↓ Clean removal - no active traces
  ↓ Only stub files remain in logs

2025-12-07
  ↓ Discovery via sysdiagnose analysis
  ↓ Forensic investigation initiated

Key Observations:

  • Installation window: 7 minutes (professional precision)
  • Surveillance period: Exactly 7 days (0 hours, 0 minutes)
  • Clean removal: No active artifacts, only historical logs

Detailed Payload Analysis

Payload 1 - VoiceServices Logging:

UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
Type: com.apple.system.logging
Subsystem: VoiceServices
Settings:
  - Enable-Logging: TRUE
  - Level: Debug (7 - maximum verbosity)
  - Default-Privacy-Setting: PUBLIC (unredacted)
  - Persist: TRUE
  - TTL: Inherit

Payload 2 - Siri Subsystems Logging (Full List):

UUID: 2cb17420-1f7a-012e-6679-442c03067622
Type: com.apple.system.logging
Subsystems: 28 Siri-related components
  1. com.apple.siri.homecommunication
  2. com.apple.siri.SiriNLUTypes.Serializer
  3. com.apple.siri.marrs.QueryRewrite.CCQRAer
  4. com.apple.siri.request_dispatcher
  5. com.apple.sirinaturallanguageparsing
  6. com.apple.siri
  7. com.apple.siri.marrs.QueryRewrite.RepetitionDetector
  8. com.apple.sirireferenceresolution
  9. CDM.SiriNLUOverrides.AssetManagement
  10. CDM.SiriNLUOverrides.Metrics
  11. CDM.SiriNLUOverrides
  12. CDM.SiriNLUOverrides.Database
  13. CDM.SiriNLUOverrides.Matching
  14. libmorphun
  15. SiriHomeCommunication
  16. SiriPhone
  17. AnnounceTelephony
  18. DEFAULT-OPTIONS
  19. SiriAudioDESPlugin
  20. SiriAudioSupport
  21. AudioFlowDelegatePlugin
  22. SiriAudioInternal
  23. UsoGraphProtoReader
  24. AutoSend
  25. UncertaintyPrompt
  26. common
  27. Utilities
  28. FlowFrameKit
  29. SiriKitFlow
  30. SiriKitExecutor

Settings (ALL subsystems):
  - Enable-Logging: TRUE
  - Level: Debug (7)
  - Default-Privacy-Setting: PUBLIC (UNREDACTED)

Payload 3 - Speech Logging Configuration:

UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
Type: com.apple.defaults.managed
Settings: Speech logging enabled

Capabilities Granted:

  • Full Siri voice command logging (unredacted)
  • Voice transcription capture (PUBLIC privacy = no redaction)
  • Network communication logging
  • Home automation commands
  • Phone call transcripts (Announce Telephony)
  • Audio stream capture
  • NLU (Natural Language Understanding) data
  • All data persisted to /var/db/diagnostics/

Indicators of Compromise (Complete List)

Certificate IOCs:

Serial (HEX): 0xb745972d0f5e989
Serial (DEC): 825382981382564233
SHA-256: EC45F3657DF082E0A230CC9C1DA69B71F7B14790526925A768DA6675AB7BAC8E
SHA-1:   1ACD2CAD357E18167FAF30B55EF83CED0997DDD1
Subject CN: AppleCare Profile Signing Certificate
Subject OU: Configuration Profiles
SKID: 50:1F:B8:13:8C:90:8D:48:84:71:67:CB:F6:8A:D6:0C:06:7E:96:DA
AKID: F7:BE:7C:21:60:91:DB:3D:1B:7B:D8:3A:32:81:69:DF:9E:6C:7F:9B

Profile IOCs:

UUID: 50C237AB-E7E6-4014-BD62-2F204DC6FAA1
Identifier: com.apple.assistant.speech_logging
Display Name: Siri Logging
Payload UUIDs:
  - CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
  - 2cb17420-1f7a-012e-6679-442c03067622
  - 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
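A triage routine for a recovered profile plist, as an added example that is not part of this evidence document. It applies the indicators from the Detailed Payload Analysis and the IoC list above: com.apple.system.logging payloads whose subsystems set Default-Privacy-Setting to Public, Debug level (7) and Persist on Siri/voice subsystems, a com.apple.defaults.managed payload, and UUID/identifier matches. The sample profile is constructed here from the payload types, UUIDs and settings the document names; the per-subsystem DEFAULT-OPTIONS nesting is an assumption about the plist layout, so the parser also accepts settings placed directly under the subsystem name.

```python
# Added example (not from the original evidence document): triage of a
# configuration-profile plist for the indicators this document describes.
# The sample profile is constructed from the UUIDs, payload types and settings
# the document reports; it is not the recovered profile.stub. The
# DEFAULT-OPTIONS nesting is an assumed layout and the parser tolerates both.
import plistlib
import re

# Indicators taken from the document's IoC list (UUIDs compared case-insensitively).
IOC_PROFILE_UUIDS = {
    "50C237AB-E7E6-4014-BD62-2F204DC6FAA1",
    "CCCDC519-2EA7-4A1D-93B6-DD4F026F6629",
    "2CB17420-1F7A-012E-6679-442C03067622",
    "01BEC389-FD6A-45FA-8AE1-F9442AA43B60",
}
IOC_IDENTIFIERS = {"com.apple.assistant.speech_logging"}
# Subsystem name patterns the document associates with voice/Siri capture.
VOICE_SUBSYSTEM_RE = re.compile(r"siri|voice|announcetelephony|audio", re.IGNORECASE)
DEBUG_LEVELS = {"debug", "7"}


def _options(subsystem_settings):
    """Return the settings dict, tolerating the assumed DEFAULT-OPTIONS nesting."""
    return subsystem_settings.get("DEFAULT-OPTIONS", subsystem_settings)


def _logging_findings(payload):
    findings = []
    for name, raw in payload.get("Subsystems", {}).items():
        opts = _options(raw)
        public = str(opts.get("Default-Privacy-Setting", "")).lower() == "public"
        debug = str(opts.get("Level", "")).lower() in DEBUG_LEVELS
        persist = bool(opts.get("Persist", False))
        voice = bool(VOICE_SUBSYSTEM_RE.search(name))
        # Public privacy on any subsystem is reportable; debug on voice subsystems too.
        if public or (debug and voice):
            findings.append({
                "payload": payload.get("PayloadUUID", "?").upper(),
                "subsystem": name,
                "unredacted": public,
                "debug": debug,
                "persist": persist,
                "voice_related": voice,
                "severity": "high" if public and voice else "medium",
            })
    return findings


def triage_profile(plist_bytes):
    """Return IoC hits and per-subsystem logging findings for one profile plist."""
    profile = plistlib.loads(plist_bytes)
    payloads = profile.get("PayloadContent", [])
    uuids = {profile.get("PayloadUUID", "").upper()}
    uuids |= {p.get("PayloadUUID", "").upper() for p in payloads}
    report = {
        "ioc_uuid_hits": sorted(uuids & IOC_PROFILE_UUIDS),
        "ioc_identifier_hit": profile.get("PayloadIdentifier") in IOC_IDENTIFIERS,
        "claims_apple_org": profile.get("PayloadOrganization", "").strip().lower() == "apple inc.",
        "managed_defaults_payloads": [],
        "logging_findings": [],
    }
    for payload in payloads:
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.system.logging":
            report["logging_findings"] += _logging_findings(payload)
        elif ptype == "com.apple.defaults.managed":
            report["managed_defaults_payloads"].append(payload.get("PayloadUUID", "?").upper())
    return report


def _subsystem(level, privacy="Public", persist=True, nested=True):
    opts = {"Enable-Logging": True, "Level": level,
            "Default-Privacy-Setting": privacy, "Persist": persist}
    return {"DEFAULT-OPTIONS": opts} if nested else opts


# Constructed sample profile (an illustration, not the recovered profile.stub).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadUUID": "50C237AB-E7E6-4014-BD62-2F204DC6FAA1",
    "PayloadIdentifier": "com.apple.assistant.speech_logging",
    "PayloadDisplayName": "Siri Logging",
    "PayloadOrganization": "Apple Inc.",
    "PayloadContent": [
        {"PayloadType": "com.apple.system.logging",
         "PayloadUUID": "CCCDC519-2EA7-4A1D-93B6-DD4F026F6629",
         "Subsystems": {"VoiceServices": _subsystem("Debug")}},
        {"PayloadType": "com.apple.system.logging",
         "PayloadUUID": "2cb17420-1f7a-012e-6679-442c03067622",
         "Subsystems": {"com.apple.siri": _subsystem(7, nested=False),
                        "AnnounceTelephony": _subsystem("Debug"),
                        "com.example.unrelated": _subsystem("Info", privacy="Private")}},
        {"PayloadType": "com.apple.defaults.managed",
         "PayloadUUID": "01BEC389-FD6A-45FA-8AE1-F9442AA43B60"},
    ],
})

if __name__ == "__main__":
    for key, value in triage_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

The same routine can be pointed at any profile plist exported from a sysdiagnose; a hit on the UUIDs or identifier is a match against this specific case, while the Public/Debug/Persist findings on voice subsystems are the generic condition worth alerting on regardless of UUIDs.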

Raw Certificate Data (PEM Format)

Certificate 1 (Stolen AppleCare Certificate):

-----BEGIN CERTIFICATE-----
[PEM body not present in this copy of the document]
-----END CERTIFICATE-----

Certificate 2 (Intermediate CA):

-----BEGIN CERTIFICATE-----
[PEM body not present in this copy of the document]
-----END CERTIFICATE-----

Summary

Critical Observations

  1. Certificate is legitimate, not forged

    • Valid Apple PKI chain
    • AKID/SKID match confirmed
    • Signature cryptographically verified
    • This is a real Apple credential
  2. Certificate should not exist on consumer devices

    • OU "Configuration Profiles" = Apple internal only
    • Used for enterprise/corporate profile management
    • Never deployed to retail iPhones
    • Presence indicates unauthorized deployment
  3. Absence from CT logs confirms internal status

    • Public certificates appear in CT logs
    • Internal certificates (like this) are not logged
    • CT absence + device presence = breach
  4. Certificate was stolen or leaked from Apple

    • Issued Aug 22, 2023 by Apple PKI
    • Used Nov 27 - Dec 4, 2025 for surveillance
    • Only Apple can trace who obtained this certificate
  5. Professional operation

    • Precision timing (7-day exact window)
    • Clean removal (minimal forensic traces)
    • iOS expertise (profile payloads configuration)
  6. Attribution path: Apple PKI logs

    • Serial 0xb745972d0f5e989 is the key identifier
    • Apple internal logs track certificate requests and approvals
    • Only Apple can identify who requested this certificate