
A standard iPhone was compromised with Apple’s internal certificate, enabling full surveillance: voice, messages, calls, apps, system activity... everything. Total Apple-level access, impossible through normal means.


JGoyd/Unauthorized-Signer


Apple Internal Certificate Compromise

A retail iPhone was found carrying an AppleCare Profile Signing Certificate — an internal‑only credential that is never shipped on consumer devices — with a non‑Apple serial number that still resolved as trusted under Apple’s certificate chain. At the same time, the device ran internal-only VoiceServices, Siri, and Speech logging payloads at full diagnostic verbosity.

This combination is cryptographically impossible through any legitimate path.


🔑 Key Findings

1. AppleCare-Only Certificate on a Retail Device

  • AppleCare signing certificates exist only inside Apple’s private MDM and service infrastructure.
  • They cannot be exported, provisioned, or installed through user, developer, or enterprise channels.
  • Their presence on a retail device indicates unauthorized access to privileged Apple signing material.

2. Certificate Serial Number Not Issued by Apple

0xb745972d0f5e989
  • Not present in the Apple-RootCA or Worldwide Developer Relations databases.
  • Not present in any known AppleCare, MDM, or Device Services catalog.
  • Yet the system accepts it as valid → cryptographic trust boundary broken.

⚠️ Internal Telemetry Payloads Observed

Payload: VoiceServices Debug

UUID: CCCDC519-2EA7-4A1D-93B6-DD4F026F6629
Debug Level: 7 (maximum)
Public: TRUE
Persistence: TRUE

Full internal voice service logging — impossible on consumer firmware.


Payload: Siri Subsystem Logging

UUID: 2cb17420-1f7a-012e-6679-442c03067622
28 internal Siri subsystems enabled
Verbosity: Maximum
Persistence: TRUE
Unredacted telemetry

This is Apple internal QA-level logging, not user-facing.


Payload: Speech Logging

UUID: 01BEC389-FD6A-45FA-8AE1-F9442AA43B60
Speech Logging: ENABLED

Captures unfiltered spoken input and internal pipeline output.
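
A defender triaging a device that shows these symptoms can check exported configuration profiles for the three payload UUIDs listed above. The following is an added example, not part of this repository; it assumes the listed UUIDs appear as `PayloadUUID` values in a `.mobileconfig` plist, and the sample profile, its payload types and the wrapper bytes are constructed.

```python
import plistlib
from xml.parsers.expat import ExpatError

# UUIDs listed on this page for the three logging payloads (matched case-insensitively).
PAGE_UUIDS = {
    "CCCDC519-2EA7-4A1D-93B6-DD4F026F6629": "VoiceServices Debug",
    "2CB17420-1F7A-012E-6679-442C03067622": "Siri Subsystem Logging",
    "01BEC389-FD6A-45FA-8AE1-F9442AA43B60": "Speech Logging",
}

def load_profile(raw: bytes) -> dict:
    """Parse a profile plist; for a signed (CMS-wrapped) file, carve out the XML plist.
    Carving only reads the content. It does not verify the signature or the signer."""
    try:
        return plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError):
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start < 0 or end < 0:
            raise ValueError("no plist found in input")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def walk(node, path="profile"):
    """Yield (path, dict) for every dictionary in the plist tree."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")

def find_listed_payloads(raw: bytes) -> list:
    """Return (path, uuid, label, payload_type) for each payload whose UUID is listed."""
    hits = []
    for path, d in walk(load_profile(raw)):
        uuid = str(d.get("PayloadUUID", "")).upper()
        if uuid in PAGE_UUIDS:
            hits.append((path, uuid, PAGE_UUIDS[uuid], d.get("PayloadType", "?")))
    return hits

# Constructed sample profile: one payload reuses a UUID from this page, one does not.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadContent": [
        {"PayloadType": "com.example.logging", "PayloadUUID": "2cb17420-1f7a-012e-6679-442c03067622"},
        {"PayloadType": "com.example.other", "PayloadUUID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"},
    ],
})
SIGNED_LIKE = b"\x30\x80\x06\x09" + SAMPLE + b"\x00\x00"  # constructed stand-in for a CMS wrapper
```

A match only shows that a profile carrying one of these UUIDs is present; who signed it has to be established separately by validating the profile's signature chain.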


🧨 Combined Interpretation

Across all logs, three impossible conditions occur simultaneously:

  1. An internal-only AppleCare signing certificate is installed on a retail device.
  2. The certificate’s serial number is not Apple-issued but is still trusted.
  3. Multiple internal telemetry payloads are active in production mode.

This indicates:

  • A privileged profile-level compromise, or
  • Unauthorized access to Apple’s internal signing infrastructure, or
  • A misuse of internal trust-chain keys allowing injection of telemetry payloads.

Bottom Line

This is a full-chain trust breach, not achievable through any user, app, profile, MDM, carrier, or enterprise mechanism. Only an Apple-internal or Apple-trusted pathway could create this state.

