Carrier IQ

The interwebs have been booming in the last 24 hours, the IQ of the carrier on the Android smartphones alleged logging of user activity, including keystrokes. TUAW can confirm that the carrier IQ seems to be contained on iOS 5, but that its purpose is rather benign.

iOS chpwn virtuosos found support in the firmware Carrier IQ as current as iOS 3.x on Apple devices. TUAW Carrier IQ confirmed references in iOS 5 installed after reading this post on the MacRumors forum and evaluate / usr/bin/awd_ic3 file found in the operating system.

The firmware contains references to Carrier IQ, such as the URL contained in the binary. We have included a number of strings corresponding to the end of this paper.

http://collector.sky.carrieriq.com:7001/collector/c?cm_sl=5

Next TUAW called by the binary, we found evidence for the telemetry carrier collection as the local cell tower, signal strength, and your phone number. We found no evidence of key-logging. We found long-distance calls CTServerConnectionEnableRemoteDiagnostics diagnosis.

In addition, the service must be explicitly enabled. A list of the properties in the library user "mobile" as it should be overridden to allow the recording of diagnoses.

iPhone # com.apple.iqagent.plist plutil
{
DiagnosticsAllowed = 0;
}

Moreover, the binary appears to be waiting a little bad. The most important reference in / var / mobile / Library / Logs / IQAgent / folder has now been to / var / mobile / Library / Logs / AWD replaced in the field.

The inclusion of Apple Carrier IQ is not in our original estimate seems to be a rootkit or threaten privacy. We reserve the right to re-evaluate our decision on this in the future, but now we see not what bothers us. Since the recording, it looks like the "conservation of network performance" claim of Jason Gertzen sprint when he was asked about Carrier IQ on Android. But even that is carefully implemented to IOS.

If you want to stay on top of this story, follow chpwn blog to examine how it will continue.

Games in IQ / usr/bin/awd_ic3 on an iPhone iOS 4 5

/ Dev / dlci.spi-baseband.iq
/ Var / mobile / Library / Logs / IQAgent /
/ Tmp / com.apple.iqagent.server
_IQSem_
/ Tmp /. _IQSHM_
N22CIQAgentImplementation13AgentTaskListE
AddUniqueKey
13IQMetricXform
N21CIQForthMetricFilters18ForthMetricHandlerE
30CIQTransactionElementOperators
9CIQObject
16CIQByteStreamOut
15CIQByteStreamIn
18CIQPacketStreamOut
21IQ_ISQAMetricsHandler
14CIQListElement
16CIQMetricHandler
26CIQKeycodeElementOperators
19CIQElementOperators
N7CIQList25CIQVoidPointerListElementE
N7CIQList30CIQVoidPointerElementOperatorsE
16IQ_SQADataStream
11IQ_IWbxmlCb
27CIQTransactionNetworkLookup
13IQMetricCache
17CIQTargetSocketIf
. Carrieriq.com
N20CIQConnectionManager28CIQTransactionNetworkHoldoffE
N20CIQConnectionManager26HoldoffTransactionCallbackE
11CIQCallback
18CIQTargetNetworkIf
27CIQTransactionNetworkStatus
30CIQTransactionNetworkOpenClose
N9IQNetwork15NetworkCallbackE
28CIQUploadTransactionProvider
N13CIQUploadHttp32NetworkLookupTransactionCallbackE
26CIQSocketSecureTransaction
27CIQSocketReceiveTransaction
24CIQSocketSendTransaction
20CIQSocketTransaction
N9CIQSocket25SocketTransactionCallbackE
15CIQTargetFileIf
N14IQ_HttpRequest19StreamSocketHandlerE
18CIQ_ISocketHandler
32CIQMetricArchiveCompressedWriter
22CIQMetricArchiveWriter
14IQ_ISQATrigger
12IQ_Component
com.apple.iqagent
com.apple.iqagent.IQAllowedChangeNotification
IQAgent output
IQPorting_GetConfigurationString
IQPorting_GetConfigurationString
. Carrieriq.com
IQPorting_NetworkInitialize
IQPorting_SelectFirstNetwork
IQPorting_SelectNextNetwork
IQPorting_GetNetworkPropertyInteger
0x% 08x IQPorting_GetNetworkPropertyInteger
IQPorting_GetNetworkPropertyString
0x% 08x IQPorting_GetNetworkPropertyString
IQPorting_NetworkOpen: kSCNetworkReachabilityFlagsIsWWAN
IQPorting_NetworkOpen
IQPorting_NetworkOpen:% d is active PDP
IQPorting_NetworkOpen: pending async% of PDP
IQPorting_NetworkOpen: Received Accessibility 0, bail
IQPorting_NetworkOpen: Do not use WWAN download
IQPorting_NetworkOpen: No access
IQPorting_DNSLookup
IQPorting_NetworkClose
IQPorting_NetworkClose - the DNS lookup
IQPorting_NetworkShutdown
IQPorting_SocketSecure means
IQPorting_SocketRead be called
IQPorting_SocketWrite means
/ SourceCache/IQAgent/IQAgent-520/Source/SocketConnection.cpp
/ Var / mobile / Library / Preferences / com.apple.iqagent.plist
/ SourceCache/IQAgent/IQAgent-520/MiG/Server/AWDServer.cpp
CIQ_AgentRequestForBackendWakeup
Stop Agent IQ
CIQAgentImplementation:: Execute
The input IQBackend_Execute
Fill stop Agent IQ
IQBackend_Execute leave (% lu)
IQBackend_Initialize () failed again to% 08lx% lu
/ / IQ
IQAgent: Can not connect to server
libIQ start
ReceivedFromClient (CIQ_CMD_SUBMIT_METRIC): enough to get a lot of metrics, dropping% d bytes.
iq_submit_metric (% s) failed to open lock
iq_submit_metric (% s) modified profile
iq_submit_metric (% s) spoiled metric buffer
IQ_NOT_AGENT_DATA
IQ_SUCCESS
IQ_ERROR
IQ_CANNOT_INITIALIZE
IQ_NOT_INITIALIZED
IQ_INVALID_PARAM
IQ_OUT_OF_MEMORY
IQ_NO_REGISTRATIONS
IQ_NOT_PERMITTED
IQ_PORTING_IO_WOULDBLOCK
IQ_PORTING_IO_ASYNC_PENDING
IQ_PORTING_IO_BROKEN
IQ_PORTING_ERROR
IQ_PORTING_NOT_IMPLEMENTED
IQ_PORTING_INVALID_PARAM
IQ_PORTING_TIMEOUT
IQ_PORTING_OUT_OF_MEMORY
IQ_PORTING_SHUTDOWN_COMPLETE
IQ_PORTING_NET_UNKNOWN_ERROR
IQ_PORTING_NET_TIMEOUT
IQ_PORTING_NET_UNAVAILABLE
IQ_PORTING_NET_CONNECTION_REFUSED
IQ_PORTING_NET_UNKNOWN_HOST
IQ_PORTING_NET_HOST_UNREACHABLE
IQ_PORTING_NET_WOULD_BILL
IQ_PORTING_NET_UNSUPPORTED_PROPERTY
IQ_PORTING_NET_UNKNOWN_PROPERTY
IQ_PORTING_SOCKET_UNKNOWN_ERROR
IQ_PORTING_SOCKET_SECERR
IQ_PORTING_SOCKET_SECERR_UNREAD_DATA
IQ_PORTING_SOCKET_SECERR_HANDSHAKE
IQ_PORTING_SOCKET_SECERR_BADCERT
IQ_PORTING_SOCKET_SECERR_UNTRUSTED_CA
IQ_PORTING_SOCKET_SECERR_HOST_MISMATCH
IQ_PORTING_SOCKET_SECERR_IP_MISMATCH
IQ_PORTING_SOCKET_UNSUPPORTED_PROPERTY
IQ_PORTING_SOCKET_UNKNOWN_PROPERTY_VALUE
IQ_PORTING_FILE_UNKNOWN_ERROR
IQ_PORTING_FILE_EOF
IQ_PORTING_FILE_NO_SPACE
IQ_PORTING_FILE_BAD_NAME
IQ_PORTING_FILE_MAX_FILES_EXIST
IQ_PORTING_FILE_MAX_FILES_OPEN
IQ_PORTING_FILE_ALREADY_OPEN
IQ_PORTING_FILE_NO_FILE
IQ_PORTING_FILE_BAD_SEEK_POS
IQ_PORTING_FILE_FILE_EXISTS
IQ_PORTING_IOEVENT_WRITABLE
IQ_PORTING_IOEVENT_WRITE_COMPLETE
IQ_PORTING_IOEVENT_READABLE
IQ_PORTING_IOEVENT_READ_COMPLETE
IQ_PORTING_IOEVENT_ERROR
IQ_PORTING_IOEVENT_OPEN_COMPLETE
IQ_PORTING_IOEVENT_NETWORK_AVAILABILITY_CHANGED
IQ_PORTING_IOEVENT_NETWORK_OPENED
IQ_PORTING_IOEVENT_NETWORK_CLOSED
IQ_PORTING_IOEVENT_SOCKET_CONNECTED
IQ_PORTING_IOEVENT_SOCKET_SECURED
IQ_PORTING_IOEVENT_SOCKET_SERVER_CLOSED
IQ_PORTING_IOEVENT_SMS_SEND_COMPLETED
IQ_PORTING_IOEVENT_SMS_SEND_FAILED
CIQ-lou%
/ Tmp / com.apple.iqagent.server
16CIQAsyncTaskList
12CIQAsyncTask
24CIQTextMsgKeycodeHandler
24CIQLoggingKeycodeHandler
24CIQGeneralKeycodeHandler
19CIQKeycodeProcessor
N19CIQKeycodeProcessor21KeypressMetricHandlerE
N19CIQKeycodeProcessor15KeycodeUnlockerE
18CIQKeycodeCallback
IQ-2.3.10: 4096
IQ Agent v3.2.10: 4096 [30/08/11 03:54:31]
CIQCrasher: (% ld) crashme
CIQCrasher:% lu (% ld) crashme
10CIQCrasher
IQBridge: complete open (% s)
IQBridge: Broken
8IQBridge
N8IQBridge13ProfileWriterE
N8IQBridge16TimeSynchronizerE
N8IQBridge6ReaderE
N8IQBridge16TimeSubscriptionE
N8IQBridge11SyncWatcherE
23CIQTouchscreenProcessor
N23CIQTouchscreenProcessor24TouchscreenMetricHandlerE
20IQ_SQATriggerService
CIQPROFIL
CIQProfileDatabase: set_profile: id: name% ld:% s
CIQProfileDatabase: set_profile (Standard): Id:% ld
CIQProfileDatabase: load profile:% s
CIQPRSTAT
LoadProfile CIQ_Dictionary_Construct () failed:% 08lx
IQ_File: WriteAll failed (% ld)
IQ_File: ReadAll failed (% ld)
25IQ_SQAPackageAgentService
access and manage IQPorting_FileClose =% ld
Return status = 0x% 08lx IQPorting_FileClose
access and manage IQPorting_FileFlush =% ld
Return status = 0x% 08lx IQPorting_FileFlush
access and manage IQPorting_FileGetPosition =% ld
State feedback IQPorting_FileGetPosition = 0x% 08lx, position =% ld
Manage call IQPorting_FileSetPosition =% ld, offset =% ld,% ld = original
Status = 0x% 08lx IQPorting_FileSetPosition return
access and manage IQPorting_FileWrite =% ld, ld ptr = 0x% 08lx, len =%
State feedback IQPorting_FileWrite = 0x% 08lx, len =% ld
IQPorting_FileRead call handle =% ld, ld ptr = 0x% 08lx, len =%
State feedback IQPorting_FileRead = 0x% 08lx, len =% ld
IQPorting_FileOpen call filename =% s = 0x% 08lx cbFunc, cbData = 0x% 08lx
State feedback IQPorting_FileOpen = 0x% 08lx, act =% ld
IQPorting_FileCreate call filename =% s = 0x% 08lx cbFunc, cbData = 0x% 08lx
State feedback IQPorting_FileCreate = 0x% 08lx, act =% ld
IQ_PORTING_FILE_MAX_FILES_EXIST IQPorting_FileCreate returned ()
filename =% s calls IQPorting_FileDelete
Return status = 0x% 08lx IQPorting_FileDelete
Call IQPorting_FileRename oldName =% s,% s = newName
Return status = 0x% 08lx IQPorting_FileRename
Cookies = 0x% 08lx call IQPorting_FileEndListing
Status = 0x% 08lx IQPorting_FileEndListing return
Call IQPorting_FileGetNextFile maxNameLen =% ld
Back cookies IQPorting_FileGetNextFile = 0x% 08lx, filename =% s, status = 0x% 08lx
Call IQPorting_FileBeginListing
Back newCookie = 0x% 08lx IQPorting_FileBeginListing
IQPorting_FileShutdown call
Status = 0x% 08lx IQPorting_FileShutdown return
Call IQPorting_FileInitialize
IQPorting_FileInitialize return status = 0x% 08lx
17CIQTargetFileShim
CIQTIME
N14CIQTimeManager15PeriodicCheckerE
http://collector.sky.carrieriq.com:7001/collector/c?cm_sl=5
IQPorting_GetUploadWhitelist failed.
20CIQConnectionManager
N20CIQConnectionManager14KeycodeHandlerE
CIQCOOK
14CIQCookieStore
CIQ_PACKAGE_PUSH_ID: GetPackageAgentForID (% 08lx) failed.
CIQ_PACKAGE_START_ID: IQPackageAgentFactory: STARTpackage () failed.
Request CIQPackage end (% 08lx,% 08lx), ignoring
CIQPackage Calling (% 08lx,% 08lx):: Abort ()
N22CIQPackageAgentFactory21RemotePackageListenerE
N22CIQPackageAgentFactory15PackageListenerE
CIQCallbackProcessor: process callbacks
20CIQCallbackProcessor
20CIQTargetTransaction
IQ00000
store profile (% s) failed: CIQ_NEW (CIQFile) failed
store profile (% s) failed: CIQFile: init check ():% 08lx
store profile (% s) failed: CIQ_NEW (CIQLZWriter) failed
store profile (% s) CIQLZWriter: check init () failed
13IQ_SQAService
CIQASSERT
CIQDebugger: PassAllMetrics (% s)
11CIQDebugger
N11CIQDebugger7HandlerE
N11CIQDebugger6CmdNubE
N20IQ_SQAMetricReporter14KeycodeHandlerE
N20IQ_SQAMetricReporter7HandlerE
13CIQSubscriber
IQPorting_GetNetworkPropertyString complainant: PROPID =% s, buflen =% lu
Back IQPorting_GetNetworkPropertyString: status =% s,% s = propValue
DNS IQPorting_Network memory: data =% ld, ip = 0x% 08lx, err =% s
Call IQPorting_GetNetworkPropertyInteger: PROPID =% lu
Back IQPorting_GetNetworkPropertyInteger: status =% s =% 08lx propValue
Call IQPorting_SelectNextNetwork
Back IQPorting_SelectNextNetwork: status =% s
Call IQPorting_SelectFirstNetwork
Back IQPorting_SelectFirstNetwork: status =% s
Call IQPorting_NetworkClose
Back IQPorting_NetworkClose: status =% s
IQPorting_DNSLookup% s (% s, 0x% 08lx,% ld) in% ld ms
Call IQPorting_NetworkOpen: flags =% ld
Back IQPorting_NetworkOpen: status =% s
Call IQPorting_NetworkInitialize: cb = 0x% 08x,% ld = cbData
Back IQPorting_NetworkInitialize: status =% s =% ld netstat
IQPorting_Network memory init open: data =% ld, event =% s =% ld param, err =% s
20CIQTargetNetworkShim
UNEXPECTED: Got event IQ_PORTING_IOEVENT_NETWORK_OPENED open, but no application was pending
UNEXPECTED: state of the network must be at an event IQ_NETWORK_AVAILABLE IQ_PORTING_IOEVENT_NETWORK_OPENED
UNEXPECTED: Got event IQ_PORTING_IOEVENT_NETWORK_CLOSED was no application pending closure
CIQ_VM_ExecuteToken () failed:% 08lx
9IQNetwork
N9IQNetwork13NetworkCloserE
N15IQ_SQAScheduler19SchedulerSubscriberE
CIQ_VM_ExecuteToken: unrecognized token = 0x
ExecuteFilter (% s): CIQ_VM_ExecuteToken (filter_xt) failed:% 08lx
15CIQPackageAgent
N15CIQPackageAgent18EndTriggerListenerE
N15CIQPackageAgent5TimerE
N15CIQPackageAgent7CounterE
N15CIQPackageAgent9CollectorE
15CIQStreamReader
15CIQStreamWriter
13CIQStreamTask
19CIQPacketSerializer
N19CIQPacketSerializer12PacketStreamE
17CIQByteStreamBase
25CIQAutonomousStreamReader
23CIQBufferedStreamWriter
N23CIQBufferedStreamWriter6WriterE
CIQPackage% 08lx (% 08lx) timed out waiting for the slave.
10CIQPackage
N10CIQPackage26TransferCompleteSubscriberE
CIQSerialPort: call (% s)% 08lx
13CIQSerialPort
N13CIQSerialPort18SerialPortCallbackE
N13CIQSerialPort8InStreamE
N13CIQSerialPort9OutStreamE
13CIQAsyncMutex
17CIQPackageSegment
18IQ_SQATimerTrigger
19IQ_SQAMetricTrigger
N19IQ_SQAMetricTrigger7HandlerE
IQur% RH + LU
IQur +% RS LU
IQur + CU: =% in LU, UR =% lu,% s
IQur + CU: =% in LU, UR =% lu
IQur SP +: = url% s
24IQPersistedUploadRequest
ciq_bill
32CIQHTTPUploadTransactionProvider
N32CIQHTTPUploadTransactionProvider17NetworkSubscriberE
20CIQStreamMultiplexor
N20CIQStreamMultiplexor7ChannelE
CIQPacketReader: DoRead (): overflow packets, the erasure of data
15CIQPacketWriter
N15CIQPacketWriter6StreamE
15CIQPacketReader
N15CIQPacketReader6StreamE
19CIQPackageContainer
N19CIQPackageContainer10ReadStreamE
N19CIQPackageContainer11WriteStreamE
7CIQFile
N7CIQFile10ReadStreamE
N7CIQFile11WriteStreamE
11CIQLZWriter
12CIQAggregate
N12CIQAggregate7HandlerE
15IQ_SQAHistogram
21CIQStateMachineWriter
22IQ_SQAProfileDecoderCB
application / vnd.carrieriq.sqpota
13CIQUploadHttp
23IQ_SQAImageBufferStream
16IQ_SQANullStream
20CIQUploadTransaction
X-CIQ-GPS-Millis
9CIQSocket
Call IQPorting_SocketClose
Back IQPorting_SocketClose: status =% s
IQPorting_SocketWrite complainant: sock =% ld, 0x% 08lx IOBUF = ld, len =%
Back IQPorting_SocketWrite: status =% s, len =% ld
IQPorting_SocketRead complainant: sock =% ld, 0x% 08lx IOBUF = ld, len =%
Back IQPorting_SocketRead: status =% s, len =% ld
Call IQPorting_SocketSecure: sock =% ld, host =% s, ip = 0x% 08lx
Back IQPorting_SocketSecure: status =% s
Call IQPorting_GetSocketPropertyInteger: sockId = 0x% 08lx =% lu PROPID
Back IQPorting_GetSocketPropertyInteger: status =% s =% 08lx propValue
IQPorting_SocketOpenConnect_1 call: ip = 0x% 08lx, port =% ld, sslHost =% s = 0x% 08lx sslIp
Call IQPorting_SocketOpenConnect_2: cb = 0x% 08lx, cbData =% ld, flags =% ld
Back IQPorting_SocketOpenConnect: state =% s =% ld sock
socketCB IQPorting_Socket: cbData =% ld, event =% s =% ld param, err =% s
19CIQTargetSocketShim