mirror of
https://github.com/JGoyd/Unauthorized-Signer.git
synced 2026-04-29 17:27:49 +02:00
Joseph Goydish IIApple Internal Certificate Compromise
TL;DR:
A retail iPhone contained an AppleCare Profile Signing Certificate — an internal-only credential that never ships to users — with a serial number not issued by Apple, yet trusted by iOS. Alongside this, internal voice and Siri logging payloads were active, capturing unredacted telemetry. This is a full-chain trust breach, impossible via legitimate means.
Key Facts
1. Internal-Only AppleCare Certificate on Device
- Exists only in Apple's private signing infrastructure
- Never installed on consumer devices
- Indicates unauthorized Apple-trusted signing material
2. Serial Number Not Issued by Apple
0xb745972d0f5e989
- Chains to Apple CA but not in any Apple-issued cert catalog
- Confirms cryptographic compromise
⚠️ Supporting Payloads
Payload 1 — VoiceServices Logging
UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
Level: Debug (7), PUBLIC, Persist: TRUE
Payload 2 — Siri Subsystems Logging
UUID: 2cb17420-1f7a-012e-6679-442c03067622
28 internal subsystems active
Unredacted, max verbosity, persistent
Payload 3 — Speech Logging
UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
Speech logging: ENABLED
Impact: Retail device running internal Apple telemetry, impossible via consumer config.
🧨 Combined Interpretation
- Internal-only AppleCare cert present
- Serial number not issued by Apple, yet trusted
- Multiple internal telemetry payloads active
Conclusion: Privileged, unauthorized profile-level compromise.