Full disclosure: deep technical analysis below. Beware!!!

Dec 2, 2011

Carrier IQ is on iOS 5.0.1... who's behind it!!

Carrier IQ: a "diagnostic tool" you are better off DISABLING, acting as a rootkit on Android phones and also found on iPhone iOS. Luckily, it appears to be tied to the diagnostics switch being enabled on iOS 5; older versions may send back information in more cases. Because of that, if you want to DISABLE the Carrier IQ agent on your iOS 5 device, turn off “Diagnostics and Usage” in Settings -> Info.

(The following information was extracted from the /usr/bin/awd_ice2 binary file on iOS 5.0.1.)

Endpoint FQDN
collector.stic.sprintspectrum.com -> NXDOMAIN
collector.argus.coremobility.com -> canonical name = collector.argus.carrieriq.com -> 204.235.122.222
collector.sky.carrieriq.com -> canonical name = collector.argus.carrieriq.com -> 204.235.122.222
collector.iota.spcsdns.net -> 68.28.7.244
209.143.234.34


Endpoint IP info

209.143.234.34



Savvis SAVVIS (NET-209-143-224-0-1) 209.143.224.0 - 209.143.255.255
Core Mobility, Inc. SAVV-S230864-3 (NET-209-143-234-0-1) 209.143.234.0 - 209.143.234.255


Endpoint company
Carrier IQ -> http://www.carrieriq.com/
Sprint Nextel Corporation -> http://www.sprint.com/
Core Mobility -> http://www.smithmicro.com/

Have fun!!

1 comment:

  1. who is the author of this article?
    joe malley
    malleylaw@gmail.com
