
Mismatched Trust Store Version on iOS 16.5

I’m currently on iOS 16.5 and my trust store version is 2023032800. According to Apple, the current Trust Store version for iOS 16 is 2022070700. Why is mine different?

[Re-Titled by Moderator]

iPhone 12 Pro, iOS 16

Posted on May 29, 2023 7:06 AM

Question marked as Top-ranking reply

Posted on Oct 9, 2023 12:01 AM

Oh, new weird scary issue… I chatted on my message app with “Apple Support” today. When checking their icon in my messages it took me to the actual name of who I was speaking to. It read Apple Electronics Store lmao. When I asked the chat guy he said that it’s because the brand of Apple is the electronics store omg! He went on to say more too. Then at the end of the chat I was invited to complete a survey and the address is feedback.applesurveys.com!! It’s not even an Apple domain! So I’m pretty sure the hackers were chatting to me to get more info from me. Like my new phone number I had just gotten today hoping to fix this problem. I’ll have to get another new one now. But maybe you can verify if that is an Apple website. From what I found it’s feedback.apple.com. I’ll include photos as I thought it was pretty funny this guy’s explanation for why his Apple impersonation was below the mediocre line at best.

74 replies

Sep 13, 2023 3:24 PM in response to T3ddy19

T3ddy19 wrote:

Mr Hoffman, mine has the same trust store, but 1002 as the trust asset version. My phone has been doing many crazy things (and the iPads) since I was in the hospital in 2021, and I’ve replaced phones as well. I’ve had a lot of software that was fraudulently downloaded (some free, some not), but reformatting or even buying a new phone does not help. It has a screen recorder downloaded, the icon showed up on that, but in downloads. When I go to the site, it starts recording and continues for 45 minutes, then sends a link that I can’t access (just in example of many many issues). It also has a “managed” Wi-Fi hotspot that when running, the IP resolves to Apple. I understand Apple only issues a Wi-Fi hotspot if you have an MDM. I can’t control or use the hotspot, but it will connect then connect to other iPads and windows devices. It shows Internet traffic using Bluetooth! And even with location services off, the Wi-Fi hotspot will come on. I have 2 detectors, either will pick it up. I disconnected my internet about 4 months ago, I don’t know if this hotspot was there before or not. But my device, and everything on it is compromised.


A managed Wi-Fi connection is normal and expected when a carrier app is installed.


Screen recording is part of iOS.


Websites can request camera access, and when granted that will show camera access.


Accusations of fraud are best discussed with legal advice, or police.


What you are reporting is a password or passcode compromise, or exceedingly expensive exploit tooling. If you’re of interest to intelligence organizations or otherwise targeted by exploit tooling, then you’re well outside what anybody can assist you with here.


And the trust store is unrelated to all of that…


Sep 19, 2023 3:06 PM in response to T3ddy19

As someone with IT experience, you will want to collect configuration details and forensics details and engage someone that can provide assistance with what is a catastrophic exploitation of multiple devices and disparate operating systems. Again, as someone with IT experience, you will clearly recognize that assistance with the sheer scale of exploitation you are reporting here is far beyond what can be expected. Direct device access and forensics are in your future, as well as a frank discussion about your particular risks for the sorts of tools seemingly employed here.

Oct 8, 2023 8:39 AM in response to MissFiddy333

MissFiddy333 wrote:
I’m very concerned.


I see nothing concerning here.


Have you had any luck figuring out any further information about this?


You appear to have a Comcast Xfinity app installed, probably because they’re your ISP or maybe your cellular carrier or quite possibly both, and that app loads a profile that contains this, and many (most?) carrier apps also load a list of Wi-Fi networks (SSIDs).

Oct 8, 2023 3:26 PM in response to MissFiddy333

I could not find anything on it, searched on Apple.com, called Apple, no answer. I’m not 100% certain what this is now. I thought it was related to security certs, for SSL, and maybe this was the number of certs? But I found nothing. I didn’t know you could delete them on Apple. I have another phone that shows about 100, and I don’t use it for the web. Some were foreign, but a reformat did not remove them. I do agree with Mr Hoffman, but it seems like I should be able to find a definition. Have you had any other issues with your phone? If this were my only issue, I’d be OK with it, but it’s not.

Oct 8, 2023 3:43 PM in response to T3ddy19

When you make a https:// connection to a site, that involves using the site's certificate, and typically checking that the certificate is signed by a trusted authority.


It does not involve installing that certificate on the phone or computer doing the browsing. There's no reason for your phone to keep any sort of permanent list of Web site certificates.


https://www.ssl.com/faqs/what-is-https/

Oct 8, 2023 4:17 PM in response to T3ddy19

T3ddy19 wrote:

I should mention, generally when you go to a secure site, like Amazon and it’s https, it will install a security cert for that site.


That is incorrect.


Visiting a website with a trusted certificate does not “install a security cert for that site”.


The Apple certificate trust store being discussed in this thread is what avoids that certificate download and that manually-trusted certificate.


Yes, it is possible to access a website that is configured with a self-signed or expired or untrusted certificate, and that access will show an untrusted certificate error. It will not automatically “install a security cert” for that website, however.


It is possible to manually load a trusted certificate to include trust for a particular website or service or organization, but that is not the common case, and that is not the default behavior.


But I don’t see a list stored anywhere?


Because there isn’t one. The trusted certificate store is a fundamental part of iOS, iPadOS, and macOS, built into the platform, and expressly protected against modifications by users or apps.


If you are interested in learning how public key encryption and certificates work in general terms, there are available resources. (Here is a Khan Academy intro.)

Oct 10, 2023 4:05 PM in response to MissFiddy333

If you’re having issues with your school or business login, contact the associated IT organization.


The whois for the surveysapple.com domain is registered to Apple Inc., and I have references here to that domain in messages from Apple going back over a decade, too.


Based on your own use of whois, you will of course know all that.


The rest of the images posted here are seemingly immaterial.

Oct 10, 2023 5:19 PM in response to MrHoffman

I do not have a school or business login. That is the problem. I’m not supposed to. But it shows I already have a login and in fact I am logged in. That is the security issue. Someone has created a login and logged me in on my phone. I cannot see a profile and do not know, as you said, the organization to contact to get it off my phone. I guess it would be called an MDM. So that is a security issue because whatever organization has logged my phone in is also in control of my phone now. Right?

Oct 11, 2023 4:19 PM in response to MrHoffman

Well, I was the Security person installing a complete PKI system at a banking site. It involved creating key pairs for both the server and the client. So the client would have a private key for his part of the connection, and the clients public key was available to view the encrypted data. Likewise, in this scenario, the server had a public and private key as well. This is a very secure method of connectivity with key “exchange”. However, an SSL site may not always provide a key exchange. You will get a security certificate to view encrypted data, but a key pair exchange does not occur without the entire key pair exchange. I think Proton email provides this type of key exchange, but not all “ssl” sites. It can be a bit complicated. This info came from an ssl dot com site:

”Discussions of PKI will quickly lead to you SSL which require a private key and a public key. The private key is held on the web server. The public key is embedded in the SSL certificate. When you visit a website and you see that lock to the left of the address bar, and the URL says https, your browser will automatically download that public key along with the certificate, which confirms that the website is indeed who it presents itself to be.” This validates the site, but not the client. A key pair exchange is required to have a 2 way encrypted exchange with PKI key pairs, vs a single SSL web site. It’s been a while since I worked on this huge project. But while SSL and PKI are related, they are not the same thing. It is much easier to use SSL vs full PKI with 2 key pairs. It’s too much for this forum, but searching on PKI vs SSL provides lots of info about the differences.

Oct 11, 2023 4:40 PM in response to MrHoffman

I looked everywhere for the trusted asset version 1002. Not to be confused with the store trust version. I didn’t find any consistent information, some said it’s the MDM, others said Pegasus virus, a couple of people said it means you have had fraud, another said it’s financial issues, while others said it’s random? I called as well. I also found a friend of mine has the same number? I apologize, I can’t locate a consensus anywhere. All of my devices have been compromised badly (and that’s been confirmed). But I have no way to know if 1002 has anything to do with that. It would be nice to know. The information is scarce.

Oct 11, 2023 4:56 PM in response to MissFiddy333

Wow! I looked at your screen shot. I’ve been a victim of a targeted attack that’s been going on a while. If anyone ever gets their hands on your device, and has seen you type in the PIN, that’s it (if they have malicious intent). Mine started after a one month hospital stay, welcome home. I’m at the point where I would get rid of the phones if possible. Everything else has been compromised. This will likely get deleted, as most with this subject. But when you logged out, the xfinity (hotspot?) disappeared? I have another phone that had over 100 certificates installed, some looked shady. But I don’t know how to see them on an iPhone. A reformat of that device, and reset of network connections did not help.

Oct 11, 2023 5:05 PM in response to T3ddy19

T3ddy19 wrote:

Well, I was the Security person installing a complete PKI system at a banking site. It involved creating key pairs for both the server and the client. So the client would have a private key for his part of the connection, and the clients public key was available to view the encrypted data. Likewise, in this scenario, the server had a public and private key as well. This is a very secure method of connectivity with key “exchange”. However, an SSL site may not always provide a key exchange. You will get a security certificate to view encrypted data, but a key pair exchange does not occur without the entire key pair exchange. I think Proton email provides this type of key exchange, but not all “ssl” sites. It can be a bit complicated. This info came from an ssl dot com site:
”Discussions of PKI will quickly lead to you SSL which require a private key and a public key. The private key is held on the web server. The public key is embedded in the SSL certificate. When you visit a website and you see that lock to the left of the address bar, and the URL says https, your browser will automatically download that public key along with the certificate, which confirms that the website is indeed who it presents itself to be.” This validates the site, but not the client. A key pair exchange is required to have a 2 way encrypted exchange with PKI key pairs, vs a single SSL web site. It’s been a while since I worked on this huge project. But while SSL and PKI are related, they are not the same thing. It is much easier to use SSL vs full PKI with 2 key pairs. It’s too much for this forum, but searching on PKI vs SSL provides lots of info about the differences.


The private keys are necessarily present on both ends of the connection.


For HTTPS, the end that is usually most interesting is the one on the server, and that private key and the signed public key are then used to check the signed public key against the trust store.


There are applications where the certificates on both ends of the connection are verified.


The private key doesn’t leave the client or leave the server, but the private key is necessarily involved in the challenge-response math.


The clever part of PKE is how it doesn’t share the private keys present on each end, but does use them in the verification to “prove” their existence and correctness, and (when done right) sets up ephemeral keys to avoid cases where a subsequent breach of a private key allows previously-captured network connection data that used that key-pair to be decrypted. That would be bad. Oh, and how it uses math that’s easy to calculate in one direction, and hard in another; some operations are very difficult to reverse. The math underlying cryptographic hashes (digests) is also similarly one-way, but that’s fodder for another reply.


TLS inherently includes the handshake (this is the TLSv1.3 stuff), the key exchange, establishing the session keys (those preferably being ephemeral), the certificate verification, and negotiating the connection encryption algorithm used, among other details, and only then lights up the lock icon.


If you’re creating key-pairs for that bank, that’s either a self-signed setup with key-pairs for each connection, or generating a private key and a certificate signing request. The CSR is then signed by either a commercial certificate vendor, or by whoever is administering the local organization's own private certificate authority. The commercial signing providers are how most websites work, in conjunction with certificate vendors and the trust stores implemented by most (though not all) operating system vendors. The private stuff works just fine—I have various of these running—but does need a trusted path to load the public key into the various clients.


I’ve written a fair amount of TLS code (in mostly C and C++, though with some Swift) (the Apple PKE and TLS frameworks are easier than libtls, and the libtls APIs are easier than the OpenSSL APIs, and there are others of differing complexities), and designed and worked on various apps and app server configurations in enterprise environments, as well as writing a whole lot of documentation for both TLS and ssh connections, and more than a little troubleshooting. And yes, TLS and ssh are different in numerous ways, but the PKE parts work the same.


Most folks glaze over when discussing TLS, of course. Usually with good reason. 🤪
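
The two explanations above (the Oct 8 reply on what an https:// connection does with a site's certificate, and the Oct 11 exchange on key pairs, CSRs, the TLS 1.3 handshake and verifying both ends) can be run end to end. The Go program below is an added example written for this page; it is not code from any post in this thread, from Apple, or from any product mentioned here. It assumes nothing about Apple's trust store beyond what the thread states: a trust store holds root certificates, a site's certificate is checked against those roots at connection time, and it is never stored. The identities it uses (Example Root CA, example.test, alice) are made-up test names generated in memory, and the whole exchange runs over an in-process pipe rather than the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func bundle(key *ecdsa.PrivateKey, der []byte) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// newCA makes a self-signed certificate. A root like this is what a trust store holds;
// presented by a server that is NOT in the client's roots, it is the "untrusted" case.
func newCA(cn string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	return bundle(key, must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))
}

// requestCert is the holder's side of enrolment: a key pair and a CSR. Only the CSR
// (subject, public key, proof-of-possession signature) leaves; the private key never does.
func requestCert(cn string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// signCSR is the CA's side: check the CSR's proof of possession, then issue a leaf for
// the CSR's public key, signed with the CA's private key.
func signCSR(ca tls.Certificate, csrDER []byte) []byte {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))),
		Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, csr.PublicKey, ca.PrivateKey))
}

// verifySite is what a TLS client does with a server's certificate: chain it to a root in
// roots and match the host name. The certificate is checked, then dropped; roots is never changed.
func verifySite(site *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// handshake runs a TLS 1.3 handshake in memory. The client verifies the server against roots;
// with mutual set, the server also demands and verifies a client certificate. It returns the
// client CN the server verified ("" if not mutual) and the first error raised on either side.
func handshake(server, client tls.Certificate, roots *x509.CertPool, mutual bool) (string, error) {
	sconf := &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS13,
		SessionTicketsDisabled: true} // no post-handshake write, so the unbuffered pipe cannot stall
	cconf := &tls.Config{RootCAs: roots, ServerName: server.Leaf.Subject.CommonName, MinVersion: tls.VersionTLS13}
	if mutual {
		sconf.ClientAuth, sconf.ClientCAs = tls.RequireAndVerifyClientCert, roots
		cconf.Certificates = []tls.Certificate{client}
	}
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	c1.SetDeadline(time.Now().Add(2 * time.Second)) // a failing handshake that stalls ends as an error
	c2.SetDeadline(time.Now().Add(2 * time.Second))
	srv, cli := tls.Server(c1, sconf), tls.Client(c2, cconf)
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if cerr, serr := cli.Handshake(), <-errc; cerr != nil || serr != nil {
		return "", fmt.Errorf("client: %v; server: %v", cerr, serr)
	}
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", nil
}

func main() {
	ca := newCA("Example Root CA") // the one certificate playing the role of a trust-store entry
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	skey, scsr := requestCert("example.test")
	site := bundle(skey, signCSR(ca, scsr)) // issued under the trusted root
	rogue := newCA("example.test")          // self-signed: its own root, not in roots
	ckey, ccsr := requestCert("alice")
	user := bundle(ckey, signCSR(ca, ccsr))
	fmt.Println(verifySite(site.Leaf, roots, "example.test"), verifySite(rogue.Leaf, roots, "example.test"))
	fmt.Println(handshake(site, user, roots, true))
	fmt.Println(handshake(rogue, user, roots, false))
}
```

Run it with go run. Only the root from newCA ever sits in roots; site and user are verified against it at connection time and then discarded, which is the point made above about no list of site certificates accumulating on the device. The self-signed rogue certificate fails both the offline chain check and the live handshake, and that failure is what a browser turns into an untrusted-certificate warning. The mutual case is the "certificates on both ends are verified" setup: the server hands back the CN it verified from the client's certificate, while neither private key crosses the pipe; the CSR step shows that even enrolment only sends the public half. The deadline and the disabled session tickets exist only because net.Pipe has no buffering; a real socket does not need them.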

Oct 11, 2023 6:19 PM in response to T3ddy19

T3ddy19 wrote:

That was me in response to your posted response from an unknown email address used to send you a message.


Ah, okay. No wonder I was confused. TLS (technically, STARTTLS) wasn’t used on that mail message, as STARTTLS was less common in decades past.


As you are somebody with IT familiarity, package up a detailed description and a reproducer and forensic evidence, and build a cause, and report it. This thread (so far) is not that.
