Joseph Goydish II b3a8ec030d Revise TL;DR section in README
Clarified the summary of the Apple Internal Certificate Compromise.
2025-12-07 20:40:14 -05:00
2025-12-07 20:39:48 -05:00

Apple Internal Certificate Compromise

A retail iPhone contained an AppleCare Profile Signing Certificate — an internal-only credential that never ships to users — with a serial number not issued by Apple, yet trusted by iOS. Alongside this, internal voice and Siri logging payloads were active, capturing unredacted telemetry. This is a full-chain trust breach, impossible via legitimate means.


Key Facts

1. Internal-Only AppleCare Certificate on Device

  • Exists only in Apple's private signing infrastructure
  • Never installed on consumer devices
  • Indicates unauthorized Apple-trusted signing material

2. Serial Number Not Issued by Apple

  • Serial: 0xb745972d0f5e989
  • Chains to Apple CA but not in any Apple-issued cert catalog
  • Confirms cryptographic compromise

⚠️ Supporting Payloads

Payload 1 — VoiceServices Logging

UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
Level: Debug (7), PUBLIC, Persist: TRUE

Payload 2 — Siri Subsystems Logging

UUID: 2cb17420-1f7a-012e-6679-442c03067622
28 internal subsystems active
Unredacted, max verbosity, persistent

Payload 3 — Speech Logging

UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
Speech logging: ENABLED

Impact: Retail device running internal Apple telemetry, impossible via consumer config.
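
An added example, not code from this repository: one way to audit an unsigned configuration profile for logging payloads of the kind listed above. The sample profile is constructed, the function name is hypothetical, and the payload type and key names are assumed to follow the logging-profile layout documented in os_log(5).

```python
import plistlib

# Constructed sample profile (not taken from the device described above).
# Assumption: payload type and keys (Subsystems / DEFAULT-OPTIONS / Level /
# Enable-Private-Data) follow the logging-profile layout in os_log(5).
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.system.logging",
            "PayloadUUID": "00000000-0000-0000-0000-000000000001",
            "Subsystems": {
                "com.example.voice": {"DEFAULT-OPTIONS": {
                    "Level": {"Enable": "Debug", "Persist": "Debug"},
                    "Enable-Private-Data": True,
                }},
                "com.example.quiet": {"DEFAULT-OPTIONS": {
                    "Level": {"Enable": "Default"},
                }},
            },
        },
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadUUID": "00000000-0000-0000-0000-000000000002"},
    ],
}

def audit_logging_payloads(profile_bytes):
    """Return (payload UUID, subsystem, flags) for every subsystem whose
    options enable debug-level, persisted, or unredacted logging."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        for name, cfg in payload.get("Subsystems", {}).items():
            opts = cfg.get("DEFAULT-OPTIONS", {})
            level = opts.get("Level", {})
            flags = []
            if str(level.get("Enable", "")).lower() == "debug":
                flags.append("debug")
            if str(level.get("Persist", "")).lower() in ("info", "debug"):
                flags.append("persist")
            if opts.get("Enable-Private-Data") is True:
                flags.append("private-data")
            if flags:
                findings.append((payload.get("PayloadUUID"), name, flags))
    return findings

if __name__ == "__main__":
    for finding in audit_logging_payloads(plistlib.dumps(SAMPLE_PROFILE)):
        print(finding)
```

A signed profile is a CMS envelope around the plist and has to be unwrapped before it can be parsed this way.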


🧨 Combined Interpretation

  • Internal-only AppleCare cert present
  • Serial number not issued by Apple, yet trusted
  • Multiple internal telemetry payloads active

Conclusion: Privileged, unauthorized profile-level compromise.
